Help on blocking common trojan ports


  1. Posts : 34
    windows 7 ultimate x64 SP1
       #1


    Hello, thanks for reading!

    First, I can't believe I didn't find an answer to my question after googling for about 1 hour. I'm crazy already and need your professional help.

    Here is my problem:
    For this example I've downloaded Kaspersky WKS, which contains the Anti-Hacker component, which contains a number of other subcomponents like application rules, packet filter, routing mode, etc.

    In the packet filter subcomponent there are by default already some connection rules which the user may apply.
    One particular set of those rules describes common trojan ports which may be blocked.

    OK, I've applied them and everything works just fine, but I'm wondering about directions (inbound and outbound);
    in this set of rules all are set as BLOCK INBOUND only.

    I do understand well what blocking inbound and outbound trojan ports means.
    To make things more complicated, I was not satisfied with those rules and did some googling for more rules and ports.
    Now I have more than 200 trojan-related blocking rules set in my firewall, and here the problem occurs -->
    many of them are false positives and I do not understand what to do about that; all false positive alerts are only outbound, related to remote port 80.
    And my question is:
    shall I block only inbound directions or both?
    If I block only inbound directions, then my comp is not protected against undetectable trojans which are already on my comp, right??
    That means protection only against outside scanning or hacker probing.

    There is also no way to allow those connections to port 80 only, because then the firewall would have so many rules LOL; for example, 1000 rules may slow down firewall inspection, right??
    Also there is no way to make the browser rule more important than the packet filter rule,
    cos the packet filter has higher priority.

    Please do not suggest any firewall or AV software or anything like that; I just wanna know if blocking inbound packets against trojan ports is enough or shall I block both directions, that's all!

    Any help is welcome!
    sasanet.


  2. Posts : 181
    Win7 Ultimate 64bit
       #2

    I see you have Kaspersky WKS...right? Maybe it would be better to post in the Kaspersky forums about it since you are using their product. Firewall settings (rules creation) vary by product as per my experience with Online Armor Premium, Outpost Firewall Pro, Privatefirewall, Avast Firewall and CIS. I am not a techy with firewalls but I do have Stealth Mode and block all outgoing ports 445, 443, 137-139, 5500, 5800 and 5900-5903 and 3389 to name a few. Depending on the firewall, I create an application rule concerning those ports or just a global rule. My settings being stealthed will show some "listening" but having "listening" does not necessarily mean that I am seen. There is no need to block those specific incoming ports as all traffic gets blocked by the Stealth settings.

    Now that is based on my experience, and having not used Kaspersky firewall I can't say much. Maybe some here who are using KIS may lend a hand here. The Kaspersky forum guys can help you clear out your settings because imho 200 related blocking rules is too much... it may mess up the firewall global/application rules or may overlap.

    Good luck :)


  3. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #3

    Hi, sasanet.

    This article may help with Port 80: GRC | Port Authority, for Internet Port 80

    "If I block only inbound directions, then my comp is not protected against undetectable trojans which are already on my comp, right??"
    Those trojans would have to have entered your computer first. Granted, you could inadvertently download an infected file that has a new variant that has not yet been added to detection and it could "call home" via Port 80. However, I think that is taking paranoia to the extreme.

    You are obviously concerned about security; thus, the caution. Surf safely, keep third-party software updated as well as security updates.


  4. Posts : 34
    windows 7 ultimate x64 SP1
    Thread Starter
       #4

    @damien76
    Yes, that's not a bad idea; I will post the same thread on the Kaspersky forums after some time.

    There is no need to use stealth mode unless you're behind a router or other kind of endpoint firewall,
    but it is also not a mistake.

    Yes, each firewall has its own rules configuration and my KAVWKS is so complicated; however, I will not change it for anything cos it's simply the best IMO.

    "This article may help with Port 80: GRC | Port Authority, for Internet Port 80"
    Yeah, that's a nice site and I tested it right away, and here are my results:

    [Attached image: Help on blocking common trojan ports-capture.png]

    Regardless of that result, I'm 99% sure that no one from an outside network can hack my network unless that "someone" has incoming connections from my machine, and that is what I wanna solve and that's what I'm asking about.

    So, because there is almost no way to hack from outside, I wanna make the same stateful security schema in my firewall and other components for OUTBOUND connections.

    We all know that's not so easy to do as with INCOMING ones, cos otherwise we'll be unable to communicate with the world:
    there are over 65000 ports available and a lot of them are candidates for reverse hacking, which is so easy to do if the remote client has a poor firewall.

    "Granted, you could inadvertently download an infected file that has a new variant that has not yet been added to detection and it could "call home" via Port 80. However, I think that is taking paranoia to the extreme."
    Yeah, that's an interesting example and it may be an example only for extreme paranoia hackers; however, I believe that there are a lot of such people and they know how to beat such malware actions.

    *********
    So the conclusion and/or question is still the same.
    Do we have to block outbound and inbound trojan port connections, OR is it enough to block incoming only, and how to do that properly to be safe?

    regards!
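
Added example, not part of any post in this thread and not Kaspersky's rule engine: a small Python model of a port-based packet filter that compares blocking inbound only, blocking both directions on any listed port, and blocking both directions by port role, and shows that none of them sees the port 80 "call home" mentioned in post #3. The port list, the traffic sample and the idea that the outbound false positives come from rules matching the browser's ephemeral local port are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample of ports often listed for trojans; not the thread's rule set.
TROJAN_PORTS = {12345, 31337, 54320}


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out", relative to the protected host
    local_port: int
    remote_port: int
    note: str


def inbound_only(p):
    """Block unsolicited inbound traffic to a listed local port."""
    return p.direction == "in" and p.local_port in TROJAN_PORTS


def both_any_port(p):
    """Block either direction when the local OR the remote port is listed."""
    return p.local_port in TROJAN_PORTS or p.remote_port in TROJAN_PORTS


def both_by_role(p):
    """Inbound: match the local port. Outbound: match the remote port only."""
    port = p.local_port if p.direction == "in" else p.remote_port
    return port in TROJAN_PORTS


# Constructed traffic sample. 54320 lies in the default Windows 7 dynamic
# port range (49152-65535), so a browser can be handed it as a source port.
TRAFFIC = [
    Packet("in", 31337, 40000, "probe to listed port"),
    Packet("out", 54320, 80, "browser, ephemeral source port collides"),
    Packet("out", 49900, 12345, "trojan calling a listed remote port"),
    Packet("out", 50001, 80, "trojan calling home over port 80"),
]


def blocked(policy):
    """Return the notes of all sample packets the policy would block."""
    return [p.note for p in TRAFFIC if policy(p)]


if __name__ == "__main__":
    for policy in (inbound_only, both_any_port, both_by_role):
        print(f"{policy.__name__:14} blocks {blocked(policy)}")
```

Port rules in either direction only catch software that uses a listed port; outbound traffic to port 80 is indistinguishable by port alone, which is where a per-application rule has to take over.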