Enhancing Windows Firewall Security to Prevent Network Abuse Caused by Netscan

Introduction: This tutorial is designed to help you bolster your Windows firewall security to mitigate network abuse. It addresses two crucial aspects:

1. Blocking Teredo ports to prevent outbound connections to external servers.
2. Blocking traffic to private IP address ranges commonly associated with internal networks.

Network abuse can lead to compliance violations with hosting providers' Terms of Service (ToS) or security risks. By following this guide, you'll learn how to configure Windows Firewall effectively.

Prerequisites:

• Administrative access to a Windows server.
• Familiarity with basic Windows Firewall operations.

Step 0: Accessing Windows Firewall Settings Begin by opening the Windows Defender Firewall settings using either of these methods:

Method 1: Press the Windows key + R to open the "Run" dialog. Type wf.msc and press Enter. Method 2: From the Start menu, search for "Windows Defender Firewall with Advanced Security" and select it.

For subsequent steps (Step 1 and Step 2), you will create new outbound rules following these procedures:

• In the "Windows Defender Firewall with Advanced Security" window:
  • Method 1: Click "Outbound Rules" on the left, and in the right Actions pane, select "New Rule..." to create a new outbound rule.
  • Method 2: Right-click "Outbound Rules" and choose "New Rule..."

Step 1 - Blocking Teredo Ports (Port 3544): The objective here is to prevent outbound connections to external servers on port 3544, commonly used by Teredo.

Notes:

• If network scans are attributed to another software, you can adapt this rule to block the relevant port.
• Consider disabling problematic software or services causing issues instead of blocking their firewall ports, especially if the port serves legitimate purposes.

To block port 3544, proceed with the following steps after completing "Step 0":

1. In the "New Outbound Rule" wizard, select the "Port" radio button and click "Next."
2. In the provided log, the connection type is UDP. Under "Does this rule apply to TCP or UDP," select the UDP radio button. In the same step, under "Does this rule apply to all remote ports or specific remote ports," opt for "Specific remote ports" and enter "3544" in the designated field. Click "Next."
3. Ensure the “Block the connection” radio button is selected, and click "Next."
4. Keep the default settings for "When does this rule apply?" and click "Next."
5. Provide a name (mandatory) and an optional description for your rule. Click "Finish" to create the rule.

Now, your firewall will intercept and block any connections attempting to reach external destinations on port 3544 before they exit your server.

Step 2 - Blocking Traffic to Private Networks: In this section, you'll establish firewall rules to obstruct outgoing traffic to specific private network IP address ranges:

• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
• 100.64.0.0/10

These IP ranges are reserved for internal/private use and should not be accessed from a public server to prevent potential issues arising from misconfigured applications.

To block these private IP ranges, follow these steps after completing "Step 0":

1. In the "New Outbound Rule" wizard, select the "Custom" radio button and click "Next."

2. Leave the program selection as "All programs" and click "Next." Retain the default protocol and port settings and click "Next."

3. Under "Which remote IP addresses does this rule apply to?" select the "These IP addresses" radio button.

4. Click "Add..." to specify the IP address ranges to block.

5. In the "This IP address or subnet" field, enter the first IP address range to block (e.g., "10.0.0.0/8") and click "OK."

6. Repeat step 5 for the remaining IP address ranges:

   • 172.16.0.0/12
   • 192.168.0.0/16
   • 100.64.0.0/10

7. After adding all four ranges, your settings should resemble this configuration.

8. Click "Next."

9. Ensure the "Block the connection" radio button is selected, and click "Next."

10. Maintain the default settings for "When does this rule apply?" and click "Next."

11. Provide a name (mandatory) and an optional description for your rule. Click "Finish" to create the rule.

The outbound rule is now active, blocking any outgoing traffic to the specified IP address ranges, which helps prevent abuse and potential issues.

Step 3 - Enabling IPv6 (Optional): If you require IPv6 connectivity, you can enable it while ensuring Teredo is disabled. Hetzner servers typically offer native IPv6 support.

Step 4 - Identifying Culprits (Optional): If your server's log differs from the examples shown, and you suspect other ports or services are causing network abuse, you can identify the culprit using various methods.

Hint 1: Use PowerShell to identify the process responsible for a specific port (e.g., 59244):

1. Open PowerShell as an administrator.

2. Enter the following command, replacing 59244 with the port number from your log:

   Get-Process -Id (Get-NetUDPEndpoint -LocalPort 59244).OwningProcess

Hint 2: Use CMD to find the process ID for a specific port:

1. Open CMD.

2. Enter the following command, replacing XXXX with the port number:

   netstat -ano | findStr "XXXX"

This command will display the process ID in the last column. You can identify the process using tools like Process Explorer.

Conclusion: This tutorial has provided you with insights into configuring Windows Firewall for enhanced security against network abuse. By blocking Teredo ports and preventing access to private IP address ranges, you can ensure compliance with hosting provider policies and protect your server from potential issues. Additionally, you have learned techniques for identifying and addressing network abuse culprits if your server's log presents different scenarios.