I connect to the Internet through ADSL. My personal firewall has reported that a lot of different computers are trying to connect to my system via ports 135 and 445, and all of these connections have been blocked. I did some research and learned that port 135 is used for the MS remote procedure call service and port 445 is used for resource sharing on Windows.
Does that mean all these computers are trying to hack into my system?
I ran the netstat command and got the following output (my computer name is hr):
    Proto  Local Address    Foreign Address  State
    TCP    hr:epmap         hr:0             Listening
    TCP    hr:microsoft-ds  hr:0             Listening
    TCP    hr:1025          hr:0             Listening
    TCP    hr:netbio-ssn    hr:0             Listening
No, it doesn't mean that someone is trying to hack into your computer.
Port 135 is the DCOM port and is used by the MS O/S to communicate with other machines on a network, including the Internet, which is a giant network too. However, DCOM is used in a closed environment, using Component Object Model communication between machines. Yes, if you leave that port open, then something can compromise the machine, and the machine can be controlled or COM objects can be controlled via that port using RPC(s).
Yes, 445 is the MS NT based O/S's port for sharing resources between machines in a closed and protected environment.
You have a personal FW/host-based packet filter on the machine that's protecting the ports from unsolicited inbound traffic on all ports; that is the traffic the PFW is blocking -- normal everyday traffic out there on the Internet that could lead to the machine being compromised if the machine was not being protected.
If this is a single machine directly connected to the modem, then you should disable/uninstall MS File and Print Sharing and Client for MS Networks from the NIC (Network Interface Card), and it will close the Windows Networking ports 137-139 UDP and 445 TCP, and no communication can happen on the ports, period. You have no need to be networking.
As far as doing anything with the NT O/S to close port 135, you should just leave it alone and let the PFW protect it.
Here are some other things you can do to better secure or harden the NT-based O/S against attack.
for a coverage of his biggest errors. Wanna choke...
Eh... no? Once the packet filter is down and makes a mistake, you're busted. Disable DCOM network binding and you're safe until someone changes the configuration, which under a restricted account is usually only the case when installing a new Windows patch (and you can easily check if it changes your configuration).
Can't you read? This entry doesn't disable DCOM at all (which would make your system pretty unusable), it only disables offering DCOM as a network service for remote invocation. Almost no one needs that.
DCOM uses port 135 and that's how COM and COM+ objects communicate in remote situations on the network using the MS platform.
With .NET solutions, MS uses .NET Remoting, where the developer can choose any port above 1024 as the port to do remote communications between objects. However, .NET objects can be converted to interface with existing COM objects, and it's going to do it on port 135, the DCOM port.
You can call that port anything you want but it's the DCOM port to me and nothing else and DCOM uses that port on the MS platform.
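A way to confirm which of the ports discussed in this thread are actually open, as an added example that is not part of any poster's message: the Python below parses `netstat -a` or `netstat -an` output and lists listeners on 135, 137-139 and 445 that are not bound to loopback. The function names and the sample output are constructed for illustration.

```python
# Ports the thread discusses: RPC endpoint mapper (135), NetBIOS (137-139), SMB (445).
WATCHED = {135: "RPC endpoint mapper (DCOM)", 137: "NetBIOS name service",
           138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB (microsoft-ds)"}
# Service names that netstat prints when run without -n.
NAMES = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
         "netbios-ssn": 139, "microsoft-ds": 445}

def parse_netstat(text):
    """Yield (proto, host, port, state) for each TCP/UDP row of netstat output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header or blank line
        proto = fields[0].upper()
        # Split on the last colon so IPv6 forms such as [::]:445 also work.
        host, _, svc = fields[1].rpartition(":")
        port = int(svc) if svc.isdigit() else NAMES.get(svc.lower())
        # UDP rows have no state column; a bound UDP socket accepts datagrams.
        state = fields[3].upper() if proto == "TCP" and len(fields) > 3 else "BOUND"
        yield proto, host, port, state

def exposed_windows_ports(text):
    """Return watched ports that are open on a non-loopback address."""
    findings = []
    for proto, host, port, state in parse_netstat(text):
        loopback = host.startswith("127.") or host == "[::1]"
        if port in WATCHED and state in ("LISTENING", "BOUND") and not loopback:
            findings.append((proto, host, port, WATCHED[port]))
    return findings

# Constructed sample in `netstat -an` format (not output taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3050      203.0.113.7:445        ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

if __name__ == "__main__":
    for proto, host, port, what in exposed_windows_ports(SAMPLE):
        print(f"{proto} {host}:{port} open - {what}")
```

Running it on fresh netstat output after unbinding File and Print Sharing shows whether 137-139 and 445 have really closed.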