Re: Attack Detected

am 19.12.2006 20:14:42 von Volker Birk

Al wrote:
> My firewall continually pops up with a little message saying that an attack
> to some port was detected.

Drop it. Just use the Windows Firewall.

Yours,
VB.
--
"Life was simple before World War II. After that, we had systems."
Grace Hopper

Attack Detected

am 19.12.2006 20:49:28 von Al

My firewall continually pops up with a little message saying that an attack
to some port was detected. It gives me some numbers (like that's supposed
to mean something to me) that I don't understand. There's a log with long
lists of these "attacks."
Am I supposed to do something with this stuff? How do I find out who the
attacker is?
As you can see, I'm not very experienced with firewalls (except for
shutting them off).
Al

Re: Attack Detected

am 19.12.2006 21:09:20 von Ansgar -59cobalt- Wiechers

Al wrote:
> My firewall continually pops up with a little message saying that an
> attack to some port was detected. It gives me some numbers (like
> that's supposed to mean something to me) that I don't understand.
> There's a log with long lists of these "attacks."
> Am I supposed to do something with this stuff?

Yes. Ignore it.

> How do I find out who the attacker is?

If those numbers don't mean anything to you, you don't.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Attack Detected

am 19.12.2006 21:16:17 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 20.12.2006 01:57:22 von Duane Arnold

"Al" wrote in message
news:cnXhh.1288$X72.515@newsread3.news.pas.earthlink.net...
> My firewall continually pops up with a little message saying that an
> attack to some port was detected. It gives me some numbers (like that's
> supposed to mean something to me) that I don't understand. There's a log
> with long lists of these "attacks."

Yes, even a personal FW running on a computer will log events. Those events
being logged do not mean your machine is being singled out and attacked in
most cases. The events are unsolicited traffic that is reaching the PFW and
are being blocked by the PFW, which most likely are everyday events that
will happen to a computer that's connected to the Internet. This is
particularly true that events are logged by the PFW on a computer that has a
direct connection to the modem, and therefore, the machine has a direct
connection to the Internet. The personal FW will start going off and
alarming you, and most of the time it's really nothing that's happening,
other than the PFW blocking the traffic and popping messages that it's
doing that.


> Am I supposed to do something with this stuff? How do I find out who the
> attacker is?

Why even worry about it? The PFW is doing its job of blocking traffic that
it's not supposed to let through. If you want to check who it is, then take
the IP and enter it into the Arin WhoIs Search Box
http://www.arin.net/index.shtml. Most likely, it's someone's machine on some
ISP's or even your own ISP's network that has been infected by a
virus. The virus running on the machine is trying to reach out and find
other machines that are open to attack and infect them.

You are small, small, small potatoes and no one is really coming after small
potatoes.

> As you can see, I'm not very experienced with firewalls (except for
> shutting them off).

If you don't want to be alarmed by the PFW, then what you should do is put a
cheap NAT router between the modem and the computer, which costs about as
much as that PFW you have running on the machine.

The router is going to block all the traffic/attacks in front of the machine
so that the PFW doesn't start popping messages and events at you, as they
will never reach the computer or the PFW running on it, because the router
is sitting there.

You can even get a router that works with Wallwatcher (free). You can watch the
traffic in real time that's not reaching your computer and feel free as a
bird, as you watch the traffic being blocked by the NAT router. You can even
use Arin WhoIs.

http://www.homenethelp.com/web/explain/about-NAT.asp
http://www.sonic.net/wallwatcher/

Duane :)

Re: Attack Detected

am 25.12.2006 18:04:34 von William

On 12/19/2006 11:49 AM, something possessed Al to write:
> My firewall continually pops up with a little message saying that an attack
> to some port was detected. It gives me some numbers (like that's supposed
> to mean something to me) that I don't understand. There's a log with long
> lists of these "attacks."
> Am I supposed to do something with this stuff? How do I find out who the
> attacker is?
> As you can see, I'm not very experienced with firewalls (except for
> shutting them off).
> Al
>
>
They're just portscans, nothing really to be concerned about. The long
numbers are IP addresses that belong to the computer that's "attacking"
you. There should be a way to config your Personal Firewall so that you
don't see these alerts (I'm assuming you're probably using ZA or
NIS/NPF, since they tend to call portscans attacks), while still keeping
the FW protection. Anyway, it's nothing on your computer, if that's
what you're wondering, and nothing really to worry about as far as
taking action is concerned.

Regards,

Will

Re: Attack Detected

am 25.12.2006 20:59:33 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 27.12.2006 03:12:29 von William

On 12/25/2006 11:59 AM, something possessed Leythos to write:
> In article ,
> starrwarz@g_~-clothes-~_m~more_clothes~ail.com says...
>> On 12/19/2006 11:49 AM, something possessed Al to write:
>>> My firewall continually pops up with a little message saying that an attack
>>> to some port was detected. It gives me some numbers (like that's supposed
>>> to mean something to me) that I don't understand. There's a log with long
>>> lists of these "attacks."
>>> Am I supposed to do something with this stuff? How do I find out who the
>>> attacker is?
>>> As you can see, I'm not very experienced with firewalls (except for
>>> shutting them off).
>>> Al
>>>
>>>
>> They're just portscans, nothing really to be concerned about. The long
>> numbers are IP addresses that belong to the computer that's "attacking"
>> you. There should be a way to config your Personal Firewall so that you
>> don't see these alerts (I'm assuming you're probably using ZA or
>> NIS/NPF, since they tend to call portscans attacks), while still keeping
>> the FW protection. Anyway, it's nothing on your computer, if that's
>> what you're wondering, and nothing really to worry about as far as
>> taking action is concerned.
>
> That's not really true - while port scans don't mean much, if they show
> the scanner that you have an exposed port of interest, they will come
> back and take a closer look.
>
> If you can determine that your IP is being scanned for open ports you
> should take action to block the IP of the scanning host - for at least
> 30 days.
>
30 days? Why even have it unblocked if there's no needed service. The
point I was making is that some of the FWs tend to overdramatize
portscans to make their userbase think that someone is trying to
"attack" their system (which isn't so far off from the truth sometimes,
but usually is). Of course, all inbound connections (including
portscans) should be, at all times, blocked unless you're running a
service that requires that inbound connection (like some messenger or
P2P (legit use only) programs).

Re: Attack Detected

am 27.12.2006 09:17:34 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 27.12.2006 21:03:00 von ibuprofin

On Wed, 27 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
, Leythos wrote:

>starrwarz@g_~-clothes-~_m~more_clothes~ail.com says...

>>> That's not really true - while port scans don't mean much, if they show
>>> the scanner that you have an exposed port of interest, they will come
>>> back and take a closer look.

Agreed, but

>>> If you can determine that your IP is being scanned for open ports you
>>> should take action to block the IP of the scanning host - for at least
>>> 30 days.

I know we're talking about windoze users, but rather than wait until
some zombie scans your systems and finds you have open ports, one should
fix the d4mn box so that the port is not open in the first place. If
that skill is beyond their capabilities, then configure the firewall to
block the ports itself, and then learn how to fix the computer. If they
can't do that, then maybe they shouldn't be using a computer.

>> 30 days? Why even have it unblocked if there's no needed service.

Why is it open on the computer? Free clue: if you don't run the
unwanted service, and don't run some wonky "personal firewall" to block
that service, your computer won't be wasting those CPU cycles, and will
be able to run faster.

>> The point I was making is that some of the FWs tend to overdramatize
>> portscans to make their userbase think that someone is trying to
>> "attack" their system (which isn't so far off from the truth
>> sometimes, but usually is).

The overdramatization is needed to get the attention of the user who
automatically clicks OK on _any_ and _all_ messages displayed to them.

>> Of course, all inbound connections (including portscans) should be, at
>> all times, blocked unless you're running a service that requires that
>> inbound connection (like some messenger or P2P (legit use only)
>> programs).

We'll come back to this point below.

>And the point is that port scans are not really harmless - they are a
>clear indication that someone or something is looking for a way in or an
>exploit that is exposed on your system/network.

Port scans are not targeting "you" or "your system/network". They're
looking at all/everyone. If someone were actually targeting you, the
average user (and probably the average network administrator) wouldn't
notice, because they are going to be a heck of a lot more subtle.

>If you don't take to blocking the subnet/ip in a permanent ban, a 30 day
>ban will often get them to move on to someone else instead of coming
>back to you later.

30 minutes is usually adequate.

>As for not offering services - well, if only it were that simple.

Congratulations. You've just figured out that they lied to you
when they told you even an untrained monkey on crack can use a
computer. Yes, there's a lot to learn.

>As we've all seen/know, even Windows firewall allows apps to create
>exceptions without the user knowing,

Running additional firewall or anti-malware stuff on "this" computer
is just as easy to circumvent. Using a separate box as a firewall will
usually be _able_ to prevent this, but only if the user doesn't react
by logging into the firewall to "allow" some unknown service in the
same way as clicking on the "OK" icon in the warning box to get the
thing out of the way.

It's well known that the most important attack vector into a computer
is the stupid user who lacks the skill set to be using a digital watch,
much less something as complicated as a computer. There is no Mal-ware
Fairy who comes around and waves a magic wand to install malware when
the user isn't looking. The stuff gets installed by the user, either
because the user thinks it might be a good idea, or because they have
no concept of what it might be, and this warning box is in the way -
make it go away by clicking "OK". Go ahead - install more anti-malware
software, and then wonder why you need a 3 Gigahertz Pentium VI to read
a text based newsgroup.

>so, unless the user has some form of monitoring going on, there is
>really no way to know what is happening for the non-technical/ignorant
>user.

but who is going to watch the watchers? And why would the average
non-technical (and totally ignorant) user know that a message that says
"this is important" and "you have a problem" should be responded to any
differently than clicking "OK" and let me get on with surfing this very
interesting pr0n/warez/gaming site.

Old guy

Re: Attack Detected

am 27.12.2006 21:14:28 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 28.12.2006 00:43:39 von Ansgar -59cobalt- Wiechers

William wrote:
> On 12/25/2006 11:59 AM, something possessed Leythos to write:
>> If you can determine that your IP is being scanned for open ports you
>> should take action to block the IP of the scanning host - for at
>> least 30 days.
>
> 30 days? Why even have it unblocked if there's no needed service.

*sigh*

nmap -sS -e eth0 -P0 -T5 -S 198.41.0.4 $YOUR_IP

Go ahead and block the IP of that "scanning" host ...

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
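An added example, not code from any poster in this thread, of the log triage William and 59cobalt are arguing about: it parses a constructed personal-firewall block log (hypothetical "time src_ip dst_port proto" format), separates many-port scans from single-port worm noise, and shows why an auto-block list built from such a log needs an exclusion list. The spoofed source 198.41.0.4 comes from the nmap line above; the DO_NOT_BLOCK list and the threshold are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of a personal-firewall block log (hypothetical format:
# "time src_ip dst_port proto"). Not taken from any real product.
SAMPLE_LOG = """\
20:14:01 203.0.113.7 135 TCP
20:14:01 203.0.113.7 139 TCP
20:14:01 203.0.113.7 445 TCP
20:14:02 203.0.113.7 3389 TCP
20:14:05 198.51.100.22 445 TCP
20:14:09 198.51.100.22 445 TCP
20:14:30 198.41.0.4 22 TCP
20:14:30 198.41.0.4 80 TCP
20:14:30 198.41.0.4 443 TCP
20:14:30 198.41.0.4 3389 TCP
"""

SCAN_PORT_THRESHOLD = 4  # distinct ports from one source before we call it a scan

# Addresses never to auto-block, even when they appear to scan us: a SYN scan
# with a forged source (nmap -S, as in the thread) can put any address here,
# and 198.41.0.4 from the thread's example is a.root-servers.net.
DO_NOT_BLOCK = [ip_network("198.41.0.0/24")]  # assumption: fill with your own

def parse_log(text):
    """Return {src_ip: set(dst_ports)} from the constructed log format."""
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _time, src, dport, _proto = parts
        ports_by_src[src].add(int(dport))
    return ports_by_src

def classify(ports_by_src, threshold=SCAN_PORT_THRESHOLD):
    """'portscan' for many distinct ports, 'noise' for a worm probing one
    or two ports (the 'small potatoes' case the thread describes)."""
    return {src: ("portscan" if len(ports) >= threshold else "noise")
            for src, ports in ports_by_src.items()}

def block_candidates(verdicts):
    """Scanning sources minus any that may be spoofed infrastructure. Even
    these deserve only a short ban (the thread suggests 30 minutes), since
    a log line proves nothing about who really sent the packet."""
    out = []
    for src, verdict in verdicts.items():
        if verdict != "portscan":
            continue
        if any(ip_address(src) in net for net in DO_NOT_BLOCK):
            continue  # blocking a forged source would only hurt ourselves
        out.append(src)
    return sorted(out)

if __name__ == "__main__":
    verdicts = classify(parse_log(SAMPLE_LOG))
    print(verdicts, "would block:", block_candidates(verdicts))
```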

Re: Attack Detected

am 28.12.2006 16:24:58 von ibuprofin

On Wed, 27 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in
article <4592d426$0$4859$4c368faf@roadrunner.com>, Leythos wrote:

>ibuprofin@painkiller.example.tld says...

>> Port scans are not targeting "you" or "your system/network". They're
>> looking at all/everyone.
>
>Lets stop here, and I snipped everything else before/after.
>
>Port scans ARE targeting YOU as they are scanning YOUR network - just
>because they are scanning everyone else doesn't mean they are not
>scanning you.

That's semantics.

>Once you accept that if they scan YOU and find something interesting,
>they WILL be back, you will start to better understand security.

They do scan - my home network gets the broadband service from a very
popular provider, who wants to be looked at as a "Common Carrier" and
thus not responsible for the traffic that is using their wires. As a
result, every idiot is infected with the windoze zombie de heure. Not a
problem for me - I don't accept incoming from this /1 or 128.0.0.0 if
you like your network masks that way. In fact, the only server I am
running (SSH) is even further restricted.

>As for not offering services - it's just not that simple for non-
>technical types to get it right, to have their systems continue to
>perform as expected when fully locked down, etc...

Unfortunately, microsoft _DID_ get it right originally. They used a
broken by design protocol called NETBEUI. Too bad they didn't keep that
as the default. Network too big for that? Fine - it's also big enough
that you can afford someone who can spell clue.

>Oh, and just because you don't offer service X doesn't mean that an
>exploit can't find some other path into the system - read that as
>undocumented exploits.

My network accepts SSH connection ONLY. It accepts them from a /24
and a /22 ONLY. Mail viruses? I accept mail from white-listed
addresses only. I also only accept ASCII text - the poor old
Berkeley 'mail' program never learned about MIME, never mind HTML.
Bad websites? 'man lynx', and it's being run as user "noone" rather
than "ibuprofin". The only other way in is going to be to trojan
my O/S updates - and which of the 350+ Linux distributions am I using?
Actually, I cheat there, because I use the download server at work.

Some people think I'm missing this whole Internet experience. No, I'm
not _missing_ anything worth-while.

Old guy

Re: Attack Detected

am 28.12.2006 16:57:49 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 28.12.2006 17:00:33 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 28.12.2006 21:01:23 von ibuprofin

On Thu, 28 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
<4593ea1d$0$17135$4c368faf@roadrunner.com>, Leythos wrote:

>ibuprofin@painkiller.example.tld says...

>> Leythos wrote:

>>> Port scans ARE targeting YOU as they are scanning YOUR network - just
>>> because they are scanning everyone else doesn't mean they are not
>>> scanning you.
>>
>> That's semantics.
>
>Yes, it was, it was "semantics" to say that the scans were not targeting
>individuals and to think that they don't really mean anything.

The comment is more for those individuals who, on seeing numerous
"attack" warnings from their personal firewall, believe that all the
attacks are targeting them specifically. I didn't say that the port scans
are meaningless - merely that they are a fact of life.

>And your method may not work for the OP or others - as some people may
>have a web server or other running on their LAN that provides services
>to family and friends also on the same ISP.

It's been mentioned countless times - know why OpenBSD has never had a
root exploit out-of-box (or so they claim)? Simple - _no_ network
services are enabled by default. You have to learn how to enable it, and
while doing so you hopefully will learn some of the really obvious bad
techniques to avoid. On the other hand, microsoft enables a _LOT_ of
stuff by default, on the off-chance that someone may find it useful.
The user therefore has no need (or incentive) to learn anything, with
the inevitable results.

>I don't think you're missing anything that you don't want.

Bingo

>(notice I said ignorant and nix, because there are a LOT of new
>ignorant NIX users with exposed systems and more are added every day).

Isn't _that_ the truth. Still, the "popular" *nix tend more towards
the 'not running by default' mode, and stress separation of the root
versus normal users. "Ubuntu Linux" (a Debian clone) goes so far as to
not enable the root account. You can't log in as root. If you need to
do administrative things, you use 'su' or 'sudo'. That of course raises
other problems, but they are much less important than using the system
as root.

Old guy

Re: Attack Detected

am 28.12.2006 23:25:04 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 29.12.2006 03:40:17 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 29.12.2006 04:01:51 von William

Leythos wrote in
news:45948034$0$16971$4c368faf@roadrunner.com:

> In article ,
> ibuprofin@painkiller.example.tld says...
>> >Yes, it was, it was "semantics" to say that the scans were not
>> >targeting individuals and to think that they don't really mean
>> >anything.
>>
>> The comment is more for those individuals who, on seeing numerous
>> "attack" warnings from their personal firewall believes that all the
>> attacks are targeting them specifically. I didn't say that the port
>> scans are meaningless - merely that they are a fact of life.
> [snip]
>
> Yes, but, they are also a clear sign that someone/something is looking
> for exposed systems - which means they will come back and target the
> individual.
Or that your ISP is scanning for unauthorized servers (or if it's in an
office setting, then a sysadmin). I guess that much would depend on the
originating IP number then, ya?
>
> I take port scans very seriously, as do most security professionals -
> sure, they happen all day long, but that doesn't mean we should
> dismiss them as just background chatter.
>
Well, they are just background chatter for a properly configured
router/firewall.

Re: Attack Detected

am 29.12.2006 05:34:40 von unknown

Post removed (X-No-Archive: yes)

Re: Attack Detected

am 21.01.2007 08:59:51 von greenandwhitefr

You can test the inbound protection of your firewall by doing port
scans with the following website:

https://www.grc.com/x/ne.dll?bh0bkyd2

If your firewall passed the test, then no need to worry.

Re: Attack Detected

am 21.01.2007 09:34:45 von Volker Birk

greenandwhitefr@gmail.com wrote:
> You can test the inbound protection of your firewall by doing port
> scans with the following website:
> https://www.grc.com/x/ne.dll?bh0bkyd2

http://grcsucks.com

> If your firewall passed the test, then no need to worry.

This is not true.

Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz