Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




685 posts

Ultimate Geek
+1 received by user: 230

Trusted
Spark NZ

Topic # 239630 27-Jul-2018 09:51
6 people support this post
Send private message

Good morning everyone,

 

Just a quick heads up on a change we're making to our Broadband network to increase customer security.  As per industry best practice we're going to start blocking the ports used for SMB and NetBIOS on our Broadband connections.  Those protocols are fairly well documented to be insecure and should never be used outside your own LAN - i.e. never on the internet.

 

The specifics of the ports being blocked are:

 

Incoming TCP ports 135->139

 

Incoming TCP port 445

 

 

 

This was implemented for Wireless Broadband Static IP nationwide from day 1.  It is now being progressively rolled out across ADSL/VDSL and UFB for Spark Broadband starting with Northland.  We expect to complete the rollout within the next month.

 

If you have another application which uses these ports, we'd recommend that if possible you move it to using a different port.

 

If that is not possible you can always opt out of the filtering by following the opt out links at spark.co.nz/port25.  If you get port 25 (SMTP) unblocked it will also unblock the ports above (the same profile blocks all of these ports).

 

 

 

Dave.

 

 

 

 

 

 

 

 

 

 





My views are my own, and may not necessarily represent those of my employer.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
1475 posts

Uber Geek
+1 received by user: 147

Subscriber

  Reply # 2063442 27-Jul-2018 11:01
Send private message

@cbrpilot - does this cover Bigpipe was well?


6370 posts

Uber Geek
+1 received by user: 320

Trusted
Subscriber

  Reply # 2063450 27-Jul-2018 11:03
Send private message

Why would someone expose them self like that.

 

Beggar belief!

 

Cyril


 
 
 
 


'That VDSL Cat'
9082 posts

Uber Geek
+1 received by user: 1994

Trusted
Spark
Subscriber

  Reply # 2063454 27-Jul-2018 11:12
Send private message

cyril7:

 

Why would someone expose them self like that.

 

Beggar belief!

 

Cyril

 

 

This question comes to mind for me too..

 

 

 

I suppose there has been an increase in people doing dumb things as the use of a router infront of the connection starts to drop down..





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


6370 posts

Uber Geek
+1 received by user: 320

Trusted
Subscriber

  Reply # 2063473 27-Jul-2018 11:34
Send private message

hio77:

 

I suppose there has been an increase in people doing dumb things as the use of a router infront of the connection starts to drop down..

 

 

Are you suggesting with the rollout of UFB folk are connecting straight to the ONT.

 

I remember when I was working in the education sector, N4L did a similar clamp down as many "Professional" IT companies that schools employed seemed to do this exact same dumb stunt

 

Cyril


5199 posts

Uber Geek
+1 received by user: 1691


  Reply # 2063475 27-Jul-2018 11:40
4 people support this post
Send private message

cyril7:

 

Why would someone expose them self like that.

 

 

To port forward their CCTV cameras!


6370 posts

Uber Geek
+1 received by user: 320

Trusted
Subscriber

  Reply # 2063477 27-Jul-2018 11:42
Send private message

But the ports in question 445, 135-139 are windows network services, which is far more alarming than pics from the bike sheds

 

Cyril


13908 posts

Uber Geek
+1 received by user: 2530

Trusted

  Reply # 2063478 27-Jul-2018 11:44
2 people support this post
Send private message

RunningMan:

 

cyril7:

 

Why would someone expose them self like that.

 

 

To port forward their CCTV cameras!

 

 

Its good checking other peoples driveways for landscaping ideas!

 

 


'That VDSL Cat'
9082 posts

Uber Geek
+1 received by user: 1994

Trusted
Spark
Subscriber

  Reply # 2063554 27-Jul-2018 12:22
Send private message

cyril7:

 

I remember when I was working in the education sector, N4L did a similar clamp down as many "Professional" IT companies that schools employed seemed to do this exact same dumb stunt

 

 

Are you suggesting there are IT Companies out there that don't know what they are doing!





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


6370 posts

Uber Geek
+1 received by user: 320

Trusted
Subscriber

  Reply # 2063567 27-Jul-2018 12:36
Send private message

hio77:

 

Are you suggesting there are IT Companies out there that don't know what they are doing!

 

 

Moi............never




685 posts

Ultimate Geek
+1 received by user: 230

Trusted
Spark NZ

  Reply # 2063612 27-Jul-2018 12:53
Send private message

timbosan:

 

@cbrpilot - does this cover Bigpipe was well?

 

 

 

 

Yes this will cover Bigpipe as well.  I'm not as worried about Bigpipe because up until a few weeks ago most of them (and Skinny) were using CGNAT and so this would have been blocked.  Those with static IP on Bigpipe we've auto opted out of this.

 

 





My views are my own, and may not necessarily represent those of my employer.

2461 posts

Uber Geek
+1 received by user: 703


  Reply # 2064791 30-Jul-2018 09:15
Send private message

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

 

Wouldn't it be better to have separate opt-out options?


13908 posts

Uber Geek
+1 received by user: 2530

Trusted

  Reply # 2064796 30-Jul-2018 09:21
Send private message

Paul1977:

 

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

 

Wouldn't it be better to have separate opt-out options?

 

 

Insecure Port 25 is legitimate but how long has security via SSL been in vogue? A year? 2 years? More like 18 years. Yet businesses and big ones use Port 25, you'd have to ask why


2480 posts

Uber Geek
+1 received by user: 894

Trusted
Lifetime subscriber

  Reply # 2064808 30-Jul-2018 09:41
One person supports this post
Send private message

Paul1977:

 

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

 

Wouldn't it be better to have separate opt-out options?

 

 

Do you want to rebuild the whole end to end provisioning stack to support tweaking "option x y or z". Since then you would need to have a new option on the online portal, and have that new flag flow across the myriad of systems all the way to the network to set the option on. Plus completely regression testing all of those changes across all systems and how they get provisioned on xDSL and UFB via different stacks.

 

Or just change the network so that not only blocking port 25, and UDP 53 (to prevent DNS amplification attacks on dodgy old routers that for historically stupid reasons listen on port 53 on the WAN side and you can send DNS requests to so you can DDoS people worldwide) you can also block additional stuff like NetBIOS/SMB. Or some reason like that. ;)






6370 posts

Uber Geek
+1 received by user: 320

Trusted
Subscriber

  Reply # 2064813 30-Jul-2018 09:55
Send private message

So I guess the answer is no :)


'That VDSL Cat'
9082 posts

Uber Geek
+1 received by user: 1994

Trusted
Spark
Subscriber

  Reply # 2064839 30-Jul-2018 10:23
Send private message

BarTender:

 

Paul1977:

 

Why have the unblocking tied into port 25 unblocking, which does have a legitimate use?

 

Wouldn't it be better to have separate opt-out options?

 

 

Do you want to rebuild the whole end to end provisioning stack to support tweaking "option x y or z". Since then you would need to have a new option on the online portal, and have that new flag flow across the myriad of systems all the way to the network to set the option on. Plus completely regression testing all of those changes across all systems and how they get provisioned on xDSL and UFB via different stacks.

 

 

pls no, your coming back if that sort of build is required!





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Geekzone Live »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.