Posted: Tue May 16, 2017 3:11 Post subject: WannaCRY ransomware, does blocking port on ddwrt router help
Hi,I am have minimum knowledge on router. I want to ask about recent ransomware WannaCRY, does blocking port on router helps prevent future possible infection?
I dont use SMB or RDP so I block port 135-139,445,3389 from DD-WRT blocked services.
Does this works? Does these settings right?
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Tue May 16, 2017 7:23 Post subject:
they might be blocked by default but if there is an app that want to open them from inside like WCr they will be opened, but in case if there are IPtables rules those ports will remain close in any case... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
they might be blocked by default but if there is an app that want to open them from inside like WCr they will be opened, but in case if there are IPtables rules those ports will remain close in any case...
so it means it is effective to reduce wannacry spread.
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Sat May 20, 2017 11:49 Post subject:
benbrockn wrote:
I hope someone can help me ASAP on this,
I'm running DD-WRT Build 30796 and iptables is v1.3.7.
When I enter this command through Telnet:
Code:
iptables -I FORWARD -p all --dport 135:139 -j DROP
It errors out saying: "unknown arg --dport"
I'm trying to block both TCP/UDP ports (-p all) using the range of 135-139 (--dport 135:139)
I checked:
Code:
iptables --help
But it didn't list "--dport" as an option/argument
Does anyone know how to get this to work?
i guess some commands are stripped off to reduce flash size, use either other build or install iptables on USB....
or just simply use more lines for rules like i do... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
a) the part that's vulnerable is part of Microsoft Windows services on XP/Vista/7/8/10 and the associated Server versions. Microsoft has released patches for all of these operating systems (yes, even the out-of-support ones, even XP!), so apply Windows Update or head over to their download site to download the fix (MS Security Bulletin MS17-010). There's also apparently a detection signature for Windows Defender now, too
b) lock down SMB if you wish, but only if you're sure you're not using it - if you are, but are using eg. a Linux-based server, you're not vulnerable (as of yet) and don't need this extra "protection" (the attack targets specific implementations of SMB on Windows OSes)
c) if you're not exposing SMB to the outside world (not even through VPN links), you're safe from the automated attack method from the outside world, and SMB over WAN is rarely workable enough to be a consideration (requires multiple open ports, some of which are known targets, and generally scales really, really badly with rising latency); it's a consideration if you have VPN (or other network) links set up between a place of possible infection and the place of possible attack, so you can limit forwarding on the node linking the two (it shouldn't be allowed if you're not using it, so verify your security practices)
d) as of right now, the primary infection vector is infected e-mail attachments (I'm not discounting drive-by-downloads but haven't seen reports yet), so as long as you remain vigilant and treat all attachments with due suspicion, you should be fairly safe (unless you have less-than-capable people using the same network)
e) if you want to go the extra mile, there's a Windows XP program called WannaKey that attempts to exploit a different issue with MS' crypto that leaves the prime numbers in RAM w/o explicitly cleaning them up (it attempts to fetch them and calculate the decryption key)
f) if you feel like going two extra miles, there's an experimental bit of code that runs as a .dll and claims to detect a few ransomware executions, incl. WannaCry (available as source, you have to build it yourself)
Security isn't something you deal with using iptables rules as an afterthought. For all of the people spastically scrambling to find out if they're vulnerable - shame on you. Keep your heads cool, take a step back, examine the issue and how it applies to the surfaces you expose. In most cases, if you have Windows Update active and are updating regularly, you're as safe as you're going to be - a single computer might get infected from an e-mail attachment (nothing a router can do about that), but it shouldn't spread.
One of the cornerstones of "good security practices" is "anything you don't use should be disallowed or outright disabled" (the counterpart to the principle of least privilege).
In general, your first order of business is to patch all affected Microsoft services on your network, not kill SMB traffic.
Second, --dport works with a single port. If you want multiple ports, -m multiport --dports is what you want (may not work on all distributions I suppose, but it never failed me, not even on a WRT54GL).
i guess some commands are stripped off to reduce flash size, use either other build or install iptables on USB.... or just simply use more lines for rules like i do...
I figured out that while some people and some documentation says that "-p all" or "-p 0" works, neither does. I figured out by trial and error that only "-p tcp" and "-p udp" works so if you wanted to block both tcp/udp incoming packets on a port or port range you have to copy/paste the code twice, one saying tcp the other saying udp. It's kind of lame as it's double the code, but it works now.
Posted: Mon May 22, 2017 4:57 Post subject: WannaCRY ransomware, does blocking port on ddwrt router help
Well here is my 2 cents, As i have owned my own computer repair shop for 20 plus years i have run into many of these type issues and the one thing that I have noticed and been told by customers is the following:
1) Why do i have antivirus software if this is not going to stop it.
2) I opened a file or Email
3) Don't have antivirus software
This can go on forever as some are educated, non educated or just enough to get by type customers. Education with such things i try to explain and document and give to my customers to try to educate them enough to try to prevent such things. I install a few programs, give them documents to explain how to run these and make it a point how important this is to do on a schedule. Here are a few programs to help with viruses, ransomware and cleanup to keep your computer running smooth. These programs are free and work wonders without any harm to your computer,files and programs.
1) CCleaner ( was known as Crap Cleaner ) cleans up all the junk,cookies and other stuff, registry clean also with backup
2) Malwarebytes - One of the best out there name says it all
3) Ransomware removal programs which pertain to the newest out such as this topic refers to and others.
a) Bitdefender Anti-Ransomware v1.0.12.151
b) Cybereason RansomFree v2.2.7.0
c) Kaspersky Anti-Ransomware Tool v1.1.31.0
d) Malwarebytes Anti-Ransomware v0.9.17.661 Beta 8
The above 4 all work great and run independent and work all with any antivirus software. Currently i am using d - Malwarebytes Anti-Ransomware v0.9.17.661 Beta 8 and works perfectly and does not slow down computer at all
So use those programs on a good schedule and a antivirus scan and you can feel at ease your computer will be safer.
REMEMBER - You need to do the scheduled maintenance as it is your valuable files you are protecting.
This is meant to help not criticize
Hope this helps all who read it. No need to block ports or put 40 different programs on the computer to stop things. Just a little maintenance
