
Re: [cobalt-users] Port 137 Question: Revisited



On Fri, 27 Apr 2001, Wayne Sagar wrote:

> Or indeed, are we safe telling portsentry to ignore connects at that
> port... I have a feeling I'm harming my traffic to the site by denying all
> those machines... we're at several hundred entries into hosts.deny from
> port 137 connects alone and I'm seeing some reduction in overall traffic....

Yes, not listening on that port, and not monitoring it, is effectively
ignoring it.... You *are* probably blocking people you have no reason to...

Also, speaking of misconfiguration, if your own DNS is broken you will
tend to encourage those machines to make netbios-ns requests; windoze will
try to resolve dns via dns, but if it fails, it also tries via netbios.
It's kind of its last resort, hoping the domain name/ip it's trying to
resolve is really something on the local network. There is really no
excuse for this stuff to be leaking out to the net, but that's just lousy
router config on the part of someone else...

Incidentally, the very fact these machines are willing to ask makes *them*
vulnerable; you could, for example, answer, and tell it anything ;)

The only possible bad thing to ignoring the port is someone could flood
you and you wouldn't notice, but that's true for any other port you aren't
watching anyhow....

If you want to get fancy, you could use ipchains to forward those packets
to nowhere, but that's really not all that much of an improvement in this
case...

>
> Please.. anyone.. can we safely turn off monitoring port 137 or can we
> totally tell apache to close that port?

apache has nothing to do with it....

gsh
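One way to act on the advice above before pruning hosts.deny, as an added example (not code from this list or from portsentry): parse portsentry-style syslog lines, whose exact format is assumed here and whose contents are constructed, and separate hosts that only ever sent UDP/137 name-service probes from hosts that also touched other ports.

```python
import re
from collections import defaultdict

# Constructed sample of portsentry-style syslog lines. The message format is
# an assumption for this example; adjust ALERT_RE to the portsentry build in use.
SAMPLE_LOG = """\
Apr 27 10:01:02 www portsentry[812]: attackalert: UDP scan from host: 192.0.2.10/192.0.2.10 to UDP port: 137
Apr 27 10:01:03 www portsentry[812]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Apr 27 10:05:44 www portsentry[812]: attackalert: UDP scan from host: 192.0.2.11/192.0.2.11 to UDP port: 137
Apr 27 10:05:45 www portsentry[812]: attackalert: Connect from host: 192.0.2.11/192.0.2.11 to TCP port: 111
Apr 27 10:09:10 www portsentry[812]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 23
"""

# Matches the per-probe alert lines; the "has been blocked" lines carry no port
# and are deliberately skipped.
ALERT_RE = re.compile(
    r"attackalert: (?:UDP scan|Connect) from host: (?P<host>[\d.]+)/[\d.]+ "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

NETBIOS_NS = ("UDP", 137)


def ports_by_host(log_text):
    """Map each alerting host to the set of (proto, port) pairs it probed."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            hits[m["host"]].add((m["proto"], int(m["port"])))
    return dict(hits)


def netbios_only_hosts(log_text):
    """Hosts whose only 'attack' was UDP/137: Windows name-resolution fallback
    noise, and candidates for removal from hosts.deny."""
    return sorted(h for h, p in ports_by_host(log_text).items() if p == {NETBIOS_NS})


def other_port_hosts(log_text):
    """Hosts that probed something besides UDP/137; leave these blocked."""
    return sorted(h for h, p in ports_by_host(log_text).items() if p != {NETBIOS_NS})


if __name__ == "__main__":
    print("UDP/137 only (review for unblocking):", netbios_only_hosts(SAMPLE_LOG))
    print("Probed other ports too (keep blocked):", other_port_hosts(SAMPLE_LOG))
```

Feed it the real syslog and compare the first list against hosts.deny to see how many of the "several hundred entries" are NetBIOS noise rather than scans.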