Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


676 posts

Ultimate Geek
+1 received by user: 222

Trusted
Spark NZ

Topic # 239630 27-Jul-2018 09:51
6 people support this post
Send private message quote this post

Good morning everyone,

 

Just a quick heads up on a change we're making to our Broadband network to increase customer security.  As per industry best practice we're going to start blocking the ports used for SMB and NetBIOS on our Broadband connections.  Those protocols are fairly well documented to be insecure and should never be used outside your own LAN - i.e. never on the internet.

 

The specifics of the ports being blocked are:

 

Incoming TCP ports 135->139

 

Incoming TCP port 445

 

 

 

This was implemented for Wireless Broadband Static IP nationwide from day 1.  It is now being progressively rolled out across ADSL/VDSL and UFB for Spark Broadband starting with Northland.  We expect to complete the rollout within the next month.

 

If you have another application which uses these ports, we'd recommend that if possible you move it to using a different port.

 

If that is not possible you can always opt out of the filtering by following the opt out links at spark.co.nz/port25.  If you get port 25 (SMTP) unblocked it will also unblock the ports above (the same profile blocks all of these ports).

 

 

 

Dave.

 

 

 

 

 

 

 

 

 

 





My views are my own, and may not necessarily represent those of my employer.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
1434 posts

Uber Geek
+1 received by user: 138

Subscriber

  Reply # 2063442 27-Jul-2018 11:01
Send private message quote this post

@cbrpilot - does this cover Bigpipe was well?


6276 posts

Uber Geek
+1 received by user: 283

Trusted
Subscriber

  Reply # 2063450 27-Jul-2018 11:03
Send private message quote this post

Why would someone expose them self like that.

 

Beggar belief!

 

Cyril


'That VDSL Cat'
8259 posts

Uber Geek
+1 received by user: 1748

Trusted
Spark
Subscriber

  Reply # 2063454 27-Jul-2018 11:12
Send private message quote this post

cyril7:

 

Why would someone expose them self like that.

 

Beggar belief!

 

Cyril

 

 

This question comes to mind for me too..

 

 

 

I suppose there has been an increase in people doing dumb things as the use of a router infront of the connection starts to drop down..





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


6276 posts

Uber Geek
+1 received by user: 283

Trusted
Subscriber

  Reply # 2063473 27-Jul-2018 11:34
Send private message quote this post

hio77:

 

I suppose there has been an increase in people doing dumb things as the use of a router infront of the connection starts to drop down..

 

 

Are you suggesting with the rollout of UFB folk are connecting straight to the ONT.

 

I remember when I was working in the education sector, N4L did a similar clamp down as many "Professional" IT companies that schools employed seemed to do this exact same dumb stunt

 

Cyril


4975 posts

Uber Geek
+1 received by user: 1587


  Reply # 2063475 27-Jul-2018 11:40
4 people support this post
Send private message quote this post

cyril7:

 

Why would someone expose them self like that.

 

 

To port forward their CCTV cameras!


6276 posts

Uber Geek
+1 received by user: 283

Trusted
Subscriber

  Reply # 2063477 27-Jul-2018 11:42
Send private message quote this post

But the ports in question 445, 135-139 are windows network services, which is far more alarming than pics from the bike sheds

 

Cyril


12798 posts

Uber Geek
+1 received by user: 2294

Trusted

  Reply # 2063478 27-Jul-2018 11:44
2 people support this post
Send private message quote this post

RunningMan:

 

cyril7:

 

Why would someone expose them self like that.

 

 

To port forward their CCTV cameras!

 

 

Its good checking other peoples driveways for landscaping ideas!

 

 


'That VDSL Cat'
8259 posts

Uber Geek
+1 received by user: 1748

Trusted
Spark
Subscriber

  Reply # 2063554 27-Jul-2018 12:22
Send private message quote this post

cyril7:

 

I remember when I was working in the education sector, N4L did a similar clamp down as many "Professional" IT companies that schools employed seemed to do this exact same dumb stunt

 

 

Are you suggesting there are IT Companies out there that don't know what they are doing!





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


6276 posts

Uber Geek
+1 received by user: 283

Trusted
Subscriber

  Reply # 2063567 27-Jul-2018 12:36
Send private message quote this post

hio77:

 

Are you suggesting there are IT Companies out there that don't know what they are doing!

 

 

Moi............never




676 posts

Ultimate Geek
+1 received by user: 222

Trusted
Spark NZ

  Reply # 2063612 27-Jul-2018 12:53
Send private message quote this post

timbosan:

 

@cbrpilot - does this cover Bigpipe was well?

 

 

 

 

Yes this will cover Bigpipe as well.  I'm not as worried about Bigpipe because up until a few weeks ago most of them (and Skinny) were using CGNAT and so this would have been blocked.  Those with static IP on Bigpipe we've auto opted out of this.

 

 





My views are my own, and may not necessarily represent those of my employer.

2284 posts

Uber Geek
+1 received by user: 648


  Reply # 2064791 30-Jul-2018 09:15
Send private message quote this post

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

 

Wouldn't it be better to have separate opt-out options?


12798 posts

Uber Geek
+1 received by user: 2294

Trusted

  Reply # 2064796 30-Jul-2018 09:21
Send private message quote this post

Paul1977:

 

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

 

Wouldn't it be better to have separate opt-out options?

 

 

Insecure Port 25 is legitimate but how long has security via SSL been in vogue? A year? 2 years? More like 18 years. Yet businesses and big ones use Port 25, you'd have to ask why


2387 posts

Uber Geek
+1 received by user: 801

Trusted
Lifetime subscriber

  Reply # 2064808 30-Jul-2018 09:41
One person supports this post
Send private message quote this post

Paul1977:

 

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

 

Wouldn't it be better to have separate opt-out options?

 

 

Do you want to rebuild the whole end to end provisioning stack to support tweaking "option x y or z". Since then you would need to have a new option on the online portal, and have that new flag flow across the myriad of systems all the way to the network to set the option on. Plus completely regression testing all of those changes across all systems and how they get provisioned on xDSL and UFB via different stacks.

 

Or just change the network so that not only blocking port 25, and UDP 53 (to prevent DNS amplification attacks on dodgy old routers that for historically stupid reasons listen on port 53 on the WAN side and you can send DNS requests to so you can DDoS people worldwide) you can also block additional stuff like NetBIOS/SMB. Or some reason like that. ;)






6276 posts

Uber Geek
+1 received by user: 283

Trusted
Subscriber

  Reply # 2064813 30-Jul-2018 09:55
Send private message quote this post

So I guess the answer is no :)


'That VDSL Cat'
8259 posts

Uber Geek
+1 received by user: 1748

Trusted
Spark
Subscriber

  Reply # 2064839 30-Jul-2018 10:23
Send private message quote this post

BarTender:

 

Paul1977:

 

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

 

Wouldn't it be better to have separate opt-out options?

 

 

Do you want to rebuild the whole end to end provisioning stack to support tweaking "option x y or z". Since then you would need to have a new option on the online portal, and have that new flag flow across the myriad of systems all the way to the network to set the option on. Plus completely regression testing all of those changes across all systems and how they get provisioned on xDSL and UFB via different stacks.

 

 

pls no, your coming back if that sort of build is required!





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Intel introduces new NUC kits and NUC mini PCs
Posted 16-Aug-2018 11:03


The Warehouse leaps into the AI future with Google
Posted 15-Aug-2018 17:56


Targus set sights on enterprise and consumer growth in New Zealand
Posted 13-Aug-2018 13:47


Huawei to distribute nova 3i in New Zealand
Posted 9-Aug-2018 16:23


Home robot Vector to be available in New Zealand stores
Posted 9-Aug-2018 14:47


Panasonic announces new 2018 OLED TV line up
Posted 7-Aug-2018 16:38


Kordia completes first live 4K TV broadcast
Posted 1-Aug-2018 13:00


Schools get safer and smarter internet with Managed Network Upgrade
Posted 30-Jul-2018 20:01


DNC wants a safer .nz in the coming year
Posted 26-Jul-2018 16:08


Auldhouse becomes an AWS Authorised Training Delivery Partner in New Zealand
Posted 26-Jul-2018 15:55


Rakuten Kobo launches Kobo Clara HD entry level reader
Posted 26-Jul-2018 15:44


Kiwi team reaches semi-finals at the Microsoft Imagine Cup
Posted 26-Jul-2018 15:38


KidsCan App to Help Kiwi Children in Need
Posted 26-Jul-2018 15:32


FUJIFILM announces new high-performance lenses
Posted 24-Jul-2018 14:57


New FUJIFILM XF10 introduces square mode for Instagram sharing
Posted 24-Jul-2018 14:44



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.