Drop it. Just use the Windows-Firewall.
Drop it. Just use the Windows-Firewall.
My firewall continually pops up with a little message saying that an attack to some port was detected. It gives me some numbers (like that's supposed to mean something to me) that I don't understand. There's a log with long lists of these "attacks." Am I supposed to do something with this stuff? How do I find out who the attacker is? As you can see, I'm not very experienced with firewalls (except for shutting them off). Al
Yes. Ignore it.
If those numbers don't mean anything to you, you don't.
Post the log with the relevant lines.
Yes, even a personal FW running on a computer will log events. Those events being logged do not mean your machine is being singled out and attacked in most cases. The events are unsolicited traffic that is reaching the PFW and are being blocked by the PFW, which most likely are everyday events that will happen to a computer that's connected to the Internet. This is particularly true that events are logged by the PFW on a computer that has a direct connection to the modem, and therefore, the machine has a direct connection to the Internet. The personal FW will start going off and alarming you and most of the time. It's really nothing that's happening, other than, the PFW is blocking the traffic and popping messages that it's doing that.
Why even worry about it? The PFW is doing its job of blocking traffic that it's not suppose to let through. If you want to check who it is, then take the IP and enter it into the Arin WhoIs Search Box
You are small, small, small potatoes and no one is really coming after small potatoes.
If you don't want to be alarmed by the PFW, then what you should do is put a cheap NAT router between the modem and the computer, which cost about as much as that PFW you have running on the machine.
The router is going to block all the traffic/attacks in front of the machine so that the PFW doesn't start popping messages and events at you, as they will never reach the computer or the PFW running on it, because the router is sitting there.
You can even get router that uses Wallwatcher (free). You can watch the traffic in real time that's not reaching your computer and feel free as a bird, as you watch the traffic being blocked by the NAT router. You can even use Arin WhoIs.
On 12/19/2006 11:49 AM, something possessed Al to write:
They're just portscans, nothing really to be concerned about. The long numbers are IP addresses that belong to the computer that's "attacking" you. There should be a way to config your Personal Firewall so that you don't see these alerts (I'm assuming you're probably using ZA or NIS/NPF, since they tend to call portscans attacks), while still keeping the FW protection. Anyway, it's nothing on your computer, if that's what you're wondering, and nothing really to worry about as far as taking action is concerned.
That's not really true - while port scans don't mean much, if they show the scanner that you have an exposed port of interest, they will come back and take a closer look.
If you can determine that your IP is being scanned for open ports you should take action to block the IP of the scanning host - for at least30 days.
On 12/25/2006 11:59 AM, something possessed Leythos to write:30 days? Why even have it unblocked if there's no needed service. The point I was making is that some of the FWs tend to overdramatize portscans to make their userbase think that someone is trying to "attack" their system (which isn't so far off from the truth sometimes, but usually is). Of course, all inbound connections (including portscans) should be, at all times, blocked unless you're running a service that requires that inbound connection (like some messenger or P2P (legit use only) programs).
And the point is that port scans are not really harmless - they are a clear indication that someone or something is looking for a way in or an exploit that is exposed on your system/network.
If you don't take to blocking the subnet/ip in a permanent ban, a 30 day ban will often get them to move on to someone else instead of comming back to you later.
As for not offering services - well, if only it were that simple. As we've all seen/know, even Windows firewall allows apps to create exceptions without the user knowing, so, unless the user has some form of monitoring going on, there is really know way to know what is happening for the non-technical/ignorant user.
I know we're talking about windoze users, but rather than wait until some zombie scans your systems and finds you have open ports, one should fix the d4mn box so that the port is not open in the first place. If that skill is beyond their capabilities, then configure the firewall to block the ports itself, and then learn how to fix the computer. If they can't do that, then maybe they shouldn't be using a computer.
Why is it open on the computer? Free clue: if you don't run the unwanted service, and don't run some wonky "personal firewall" to block that service, your computer won't be wasting those CPU cycles, and will be able to run faster.
The over dramatization is needed to get the attention of the user who automatically clicks OK on _any_ and _all_ messages displayed to them.
We'll come back to this point below.
Port scans are not targeting "you" or "your system/network". They're looking at all/everyone. If someone were actually targeting you, the average user (and probably the average network administrator) wouldn't notice, because they are going to be a heck of a lot more subtle.30 minutes is usually adequate.
Congratulations. You've just figured out that they lied to you when they told you even an untrained monkey on crack can use a computer. Yes, there's a lot to learn
Running additional firewall or anti-malware stuff on "this" computer is just as easy to circumvent. Using a separate box as a firewall will usually be _able_ to prevent this, but only if the user doesn't react by logging into the firewall to "allow" some unknown service in the same way as clicking on the "OK" icon in the warning box to get the thing out of the way.
It's well known that the most important attack vector into a computer is the stupid user who lacks the skill set to be using a digital watch, much less something as complicated as a computer. There is no Mal-ware Fairy who comes around and waves a magic wand to install malware when the user isn't looking. The stuff gets installed by the user, either because the user thinks it might be a good idea, or because they have no concept of what it might be, and this warning box is in the way - make it go away by clicking "OK". Go ahead - install more anti-malware software, and then wonder why you need a 3 Gigahertz Pentium VI to read a text based newsgroup.
but who is going to watch the watchers? And why would the average non-technical (and totally ignorant) user know that a message that says "this is important" and "you have a problem" should be responded to any differently than clicking "OK" and let me get on with surfing this very interesting pr0n/warez/gaming site.
Lets stop here, and I snipped everything else before/after.
Port scans ARE targeting YOU as they are scanning YOUR network - just because they are scanning everyone else doesn't mean they are not scanning you.
Once you accept that if they scan YOU and find something interesting, they WILL be back, you will start to better understand security.
As for not offering services - it's just not that simple for non- technical types to get it right, to have their systems continue to perform as expected when fully locked down, etc... A properly configured firewall, blocking in/out, does a very good job. Oh, and just because you don't offer service X doesn't mean that an exploit can't find some other path into the system - read that as undocumented exploits.
nmap -sS -e eth0 -P0 -T5 -S 184.108.40.206 $YOUR_IP
Go ahead and block the IP of that "scanning" host ...
They do scan - my home network gets the broadband service from a very popular provider, who wants to be looked at as a "Common Carrier" and thus not responsible for the traffic that is using their wires. As a result, every idiot is infected with the windoze zombie de heure. Not a problem for me - I don't accept incoming from this /1 or 220.127.116.11 if you like your network masks that way. In fact, the only server I am running (SSH) is even further restricted.
Unfortunately, microsoft _DID_ get it right originally. They used a broken by design protocol called NETBEUI. To bad they didn't keep that as the default. Network to big for that? Fine - it's also big enough that you can afford someone who can spell clue.
My network accepts SSH connection ONLY. It accepts them from a /24 and a /22 ONLY. Mail viruses? I accept mail from white-listed addresses only. I also only accept ASCII text - the poor old Berkeley 'mail' program never learned about MIME, never mind HTML. Bad websites? 'man lynx', and it's being run as user "noone" rather than "ibuprofin". The only other way in is going to be to trojan my O/S updates - and which of the 350+ Linux distributions am I using? Actually, I cheat there, because I use the download server at work.
Some people think I'm missing this whole Internet experience. No, I'm not _missing_ anything worth-while.
And nonsense. Where exactly is the difference between asking if you offer some services (because *others* told'em) and a port scan? Too many idiots and too many broken protocols have been blurring this line even further.
One can still limit Windows shares to only used NetBIOS-over-TCP/IP (and no SMB), which can be easily bound to network adapters.
OK. Practical considerations aside...
...as well as technical limitations for being old and outdated...
... and desires for usability...
... your arguments are funny.
Yes, it was, it was "semantics" to say that the scans were not targeting individuals and to think that they don't really mean anything.
And your method may not work for the OP or others - as some people may have a web server or other running on their LAN that provides services to family and friends also on the same ISP.
I don't think you're missing anything that you don't want. The internet is there if anyone needs something on it, but your solution doesn't work for most if the ignorant masses of Windows/Nix users (notice I said ignorant and nix, because there are a LOT of new ignorant NIX users with exposed systems and more are added every day).
The comment is more for those individuals who, on seeing numerous "attack" warnings from their personal firewall believes that all the attacks are targeting them specifically. I didn't say that the port scans are meaningless - merely that they are a fact of life.
It's been mentioned countless times - know why OpenBSD has never had a root exploit out-of-box (or so they claim)? Simple - _no_ network services are enabled by default. You have to learn how to enable it, and while doing so you hopefully will learn some of the really obvious bad techniques to avoid. On the other hand, microsoft enables a _LOT_ of stuff by default, on the off-chance that someone may find it useful. The user therefore has no need (or incentive) to learn anything, with the inevitable results.
Isn't _that_ the truth. Still, the "popular" *nix tend more towards the 'not running by default' mode, and stress separation of the root verses normal users. "Ubuntu Linux" (a Debian clone) goes so far as to not enable the root account. You can't log in as root. If you need to do administrative things, you use 'su' or 'sudo'. That of course raises other problems, but they are much less important than using the system as root.
Sadly this change to "Only 1 root exploit in the default configuration in the last 10 years". Damn TCP/IP stack! :-)
OK, then a nice counterexample: Mandriva Linux. Has X11, CUPS and Sun-RPC mapped to every network adapter by default, but as least netfilter/iptables is running. And you'll find no documentation on this issue in their database or support forum. SuSE Linux is even worse, and SlackWare is only slightly better (additionally uses tcpwrapper).
The other distros seem to be OK.
Yes, but, they are also a clear sign that someone/something is looking for exposed systems - which means they will come back and target the individual.
I take port scans very seriously, as do most security professionals - sure, they happen all day long, but that doesn't mean we should dismiss them and just background chatter.
Leythos wrote in news:45948034$0$16971$ email@example.com:
Or that your ISP is scanning for unauthorized servers (or if its in an office setting, than a sysadmin). I guess that much would depend on the originating IP number than, ya?
Well, they are just background chatter for a properly configured router/firewall.
Not really, it doesn't depend, what it means is the same things - even from my own ISP, as I've had compromised users on our ISP's network, that when reported, the device/modem was disconnected by the ISP, and that traffic stopped.
I disagree completely - they are not background chatter "for a properly configured router/firewall". They are a clear sign that the network is being probed for something to exploit, no matter the firewall or router.
Taken as they are, sure, they happen all the time, and on a properly configured network they have little chance for impact, other than reduction of bandwidth, but, they are a clear indication of the daily threats all of our systems are under.
To dismiss them as being "background chatter" is to give a false sense of security to those that actually monitor network intrusions and security.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.