PerlMonks  

blocking a port on a Wintel machine

by mikejones (Scribe)
on Jan 27, 2007 at 15:48 UTC (#596881=perlquestion)

mikejones has asked for the wisdom of the Perl Monks concerning the following question:

Using Perl, is there a way to block ports or force a password upon accessing a port on a Wintel machine running WinXP?
Thank you.

Re: blocking a port on a Wintel machine
by ikegami (Patriarch) on Jan 27, 2007 at 17:48 UTC
    If you are trying to block an incoming connection, then you shouldn't have to do anything. "Windows Firewall" in WinXP already does that. If you are trying to block an outgoing connection, then you have two options. You could use an application-based (as opposed to port-based) firewall (like Zone Alarm), or you could write a little program that binds to that port.
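    ikegami's second option, as an added example that is not code from this thread: a small Perl script that holds TCP port 5101 (the port named later in the thread) on every interface so no other local process can listen there, and records each inbound connection attempt before dropping it. The log file name is an assumption; the script only protects the port while it is running, and the built-in firewall still filters packets before they reach it.

```perl
#!/usr/bin/perl
# Added example (not from the thread): occupy TCP port 5101 so that no
# other local process can listen on it, and log every inbound attempt.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Handle;

my $port = 5101;                       # port from the question
my $log  = 'port5101-attempts.log';    # assumed log file name

# ReuseAddr is deliberately left unset: on Windows SO_REUSEADDR would let
# another socket bind the same port, which defeats the purpose here.
my $listener = IO::Socket::INET->new(
    LocalAddr => '0.0.0.0',            # all local interfaces
    LocalPort => $port,
    Proto     => 'tcp',
    Listen    => 5,
) or die "Cannot bind TCP port $port (is something already listening?): $@\n";

open my $fh, '>>', $log or die "Cannot open $log: $!\n";
$fh->autoflush(1);                     # write each line immediately

print "Holding TCP port $port; attempts are logged to $log\n";

while (my $client = $listener->accept) {
    my $peer = $client->peerhost . ':' . $client->peerport;
    my $when = scalar localtime;
    print $fh "$when  inbound attempt on port $port from $peer, dropped\n";
    close $client;                     # no banner, no data, just hang up
}
```

    If the bind fails, the error message is itself a useful check: something on the machine is already listening on 5101 and should be identified before anything else.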
Re: blocking a port on a Wintel machine
by Joost (Canon) on Jan 27, 2007 at 16:01 UTC
    For blocking ports you probably need access to some kind of firewall. I don't know anything about that on windows.

    As for forcing a password (I assume you mean, requiring password-based authentication), that's completely protocol and application dependent. For instance, HTTP, SSH, and FTP provide login mechanisms in the protocol (but with different ways of configuring them for each implementation), while finger, echo and DNS don't (as far as I know).

    If you have something like PAM you can synchronize your user/password database over supporting server apps, but this is getting way off topic.

Re: blocking a port on a Wintel machine
by jonadab (Parson) on Jan 27, 2007 at 16:16 UTC

    Are you talking about incoming ports, or outgoing? And if incoming, are you talking about password protecting access to the port from outside, or are you talking about password-protecting the ability for a local process to listen on the port?

    Ultimately, Windows is not a very good firewalling platform, and it is really best (both from a security perspective, and in terms of how easy it is to get it to do what you need) to have an external firewall. However, depending on your needs, it may be possible to kludge something together on Windows. The firewall built into Windows XP may be able to accomplish some of what you want, depending on what it is that you want.

    If my answer seems vague, it is because your question seems vague, so I don't really know how to answer in detail.


    Sanity? Oh, yeah, I've got all kinds of sanity. In fact, I've developed whole new kinds of sanity. You can just call me "Mister Sanity". Why, I've got so much sanity it's driving me crazy.
      I desire to block port 5101, incoming: the Yahoo IM backdoor port. See www.datastronghold.com/archive/t12996.html. Yes, I am talking about incoming: password protecting access to the port from outside.
        Mike: It sounds like you want to block this port because this vulnerability exists. The real vulnerability here is not that port, but the user who executes a 3rd-party application sent to them over AIM. If you educate them you will be able to avoid a large number of risky behaviors instead of protecting one port. If you protect against one backdoor-like application there will be another using a different port.

        If you are really concerned about this and you are on a personal computer I would recommend that you get a NAT router. The NAT router will give you firewall protection as default (as long as you don't open any ports in the router) and it will not impact your computer's performance. Also cost is about that of any non-free firewall. There are a number of free firewall apps out there that you can use; the drawback is just the impact on computer performance, and for the firewall to work correctly it has to integrate into the OS at a low level.
        Yes, I am talking about incoming: password protecting access to the port from outside.

        Password protecting access from the outside for a remote user or program to connect to an existing listening process is entirely up to the listening process. For instance, if YIM is listening on port 5101 and you want only authorized users to be able to connect to it, then YIM needs to provide the username/password checking. Some server software (e.g., OpenSSH, Apache) has this functionality, but I don't know anything about YIM. Note too that the protocol that is being used needs to support authentication. Most standard application-layer protocols (http, ftp, smtp, and so on) do, but I don't happen to know what protocol YIM uses or what kinds of authentication mechanisms it does or does not support. (The Gaim people might know. I don't know if they have a public web forum. I think they have an IRC channel, possibly on freeserve...) The client applications that are connecting have to support it as well, obviously, but if the protocol supports it, then most clients probably do as well.

        If you don't need to let authorized users in, then things get easier. In that case there are two options: you can either prevent the service (in this case, YIM) from listening on the port at all (either by configuring it not to do so, if it has that option, or by simply not running the service), or you can drop or reject the packets at the firewall level. The Windows XP built-in firewall is capable of doing this, I believe. You can find the controls for that in your Administrator account's control panel, and there is lots of information about it on the web.

        Neither of these approaches is a Perl solution, but I'm not sure what a Perl solution would look like for this question. Fundamentally, you're not trying to get something done, but to prevent something from happening, so you really need to address it at the level where the thing you want to prevent would otherwise happen, which in your example is either the YIM service or the Windows networking layer (or your external router/gateway/firewall (which you really should have anyway, and which really should be set to block all incoming ports except any that you specifically need open)) and either way Perl isn't really involved.

        -- 
        We're working on a six-year set of freely redistributable Vacation Bible School materials.
Re: blocking a port on a Wintel machine
by logie17 (Friar) on Jan 27, 2007 at 18:39 UTC
    It really depends on what you're trying to accomplish. As the other posters mentioned, we need to know what ports, incoming or outgoing. A little bit more detail would be helpful.

    Thanks
    s;;5776?12321=10609$d=9409:12100$xx;;s;(\d*);push @_,$1;eg;map{print chr(sqrt($_))."\n"} @_;
Re: blocking a port on a Wintel machine
by sgifford (Prior) on Jan 28, 2007 at 18:52 UTC
    If you are running SP2 and using the builtin Windows firewall, you may be able to change the registry or group policy settings to adjust the firewall. You can change the registry with Win32::TieRegistry. Googling for windows firewall registry turns up some useful-looking information, and Managing Windows with CFEngine and Perl looks like it might be useful too.

    Unfortunately I haven't done this myself, so I don't have better advice to offer, but hopefully this points you in the right direction.

    As others have said, doing this at the router may be a better idea if it is possible. Otherwise a savvy user could easily turn this off.

    Good luck!

Re: blocking a port on a Wintel machine (OS dependent)
by rkrieger (Friar) on Jan 28, 2007 at 14:26 UTC

    Granted, my answer has little to do with Perl. You may want to check whether your OS supports functionality similar to the following:

    In OpenBSD, authpf(8) allows altering the firewall configuration for those people who enter the system via a special SSH session. I can heartily recommend reading the entire man page.

    There are several reasons why I suggested the above feature:

    • You can interface it with distributed authentication mechanisms (LDAP, NIS, RADIUS, etc.);
    • It provides a single, secure interface to enter a password (SSH);
    • It does not harass applications for passwords that they're possibly (likely?) not ready for.

    I'm fairly sure Perl can cater to the list above. But since you have an OS already, you might as well use it. Unless, of course, you can integrate things more easily with Perl code you already have or use.

    Personally, I think the WinXP built-in firewall isn't that bad. It suits most of my needs as an end user while being on the road. At any other location, I place client machines behind a firewall anyway. Just pick the platform you like best (for me, that's OpenBSD).

    Where does Perl come into the picture? Well, it may be useful to generate the various firewall rules you're thinking of. At least, that's what I'd use it for in this case.

Node Type: perlquestion [id://596881]
Approved by Joost