#1
firewalls - what to block and why - your security at risk
PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for. In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6]. This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation]. No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto.

For those who do not understand firewalls, these activities would or may have been allowed as they followed either programs IN USE [allowed activity], or through addressing [broadcast or otherwise] had a firewall not been used. NOTE: this is contact through a dial-up connection [phone]/ISP [which is indicated via some of these addresses]; ALWAYS ON connections are even more of a security risk. Hopefully, this discussion will be useful to those interested and provide theory and answers to various issues. Rule sets or other settings for various firewalls would naturally be of interest.
1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no owner
1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:8000, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027, Owner: no owner
1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no owner
1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988-localhost:29081, Owner: no owner

--
MEB
http://peoplescounsel.orgfree.com
#2
MEB wrote:
| PCR and Gram Pappy [among others] have been discussing firewall
| settings and what they can or should be used for.

That's right. I installed...
http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
....Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!

| In the spirit of those discussions, I thought I would post some
| blocked activity from a SINGLE session/contact through my ISP and
| ONLY to this news server and my email accounts [via OE6]. This is
| from the firewall log [several of my normal settings/restrictions
| were specifically reset for this presentation].

Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity.

| No other Internet activity occurred [e.g., no external IE or browser
| usage or other activity]. All *allowed activity* has been removed, so
| that the addresses and activities blocked might be addressed for
| perhaps a greater understanding of the function of firewalls, what
| they can and are used for, and other aspects related thereto.

Really, it's important to see what was allowed too. Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread!

| For those who do not understand firewalls, these activities would or
| may have been allowed as they followed either programs IN USE [allowed
| activity], or through addressing [broadcast or otherwise] had a
| firewall not been used.

That is right. Without a firewall with a good set of denial rules, all activity is allowed. Hopefully, if a virus or a trojan or a spy can sneak in that way, a good virus detector will prevent it from executing. Also, there may have been an MS fix or two to prevent some forms of abuse along these lines (I don't know).

| NOTE: this is contact through a dial-up connection[phone]/ISP [which
| is indicated via some of these addresses], ALWAYS ON connections are
| even more of a security risk.

Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.

| Hopefully, this discussion will be useful to those interested and
| provide theory and answers to various issues.
| Rule sets or other settings for various firewalls would naturally be
| of interest.
|
| 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner

I find I have to guess as to the meaning of that. Looks like someone at 67.170.2.174, who is Comcast...

http://www.networksolutions.com/whoi...p=67.170.2.174
......Quote...........
67.170.2.174
Record Type: IP Address

Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
67.160.0.0 - 67.191.255.255
Comcast Cable Communications, IP Services WASHINGTON-6 (NET-67-170-0-0-1)
67.170.0.0 - 67.170.127.255
......EOQ.............

....sent a UDP datagram to port 29081 on your machine. But I don't know...

(1) did the port exist without an owner, & would it have received the datagram (except the rule blocked it)? (The name of that rule suggests the answer is no.)
(2) did the port once exist & at that time have an owner, but somehow was closed before the datagram arrived? Therefore, it couldn't get it, anyhow, even if not blocked?
(3) did the port 29081 never exist?

Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port.

Here is a Kerio help page to study...

.......Quote............
Filter.log file

The filter.log file is used for logging Kerio Personal Firewall actions on a local computer. It is created in a directory where Personal Firewall is installed (typically C:\Program Files\Kerio\Personal Firewall). It is created upon the first record.

Filter.log is a text file where each record is placed on a new line. It has the following format:

1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE

How to read this line:

1 — rule type (1 = denying, 2 = permitting)
[08/Jun/2001 16:52:09] — date and time that the packet was detected (we recommend checking the correct setting of the system time on your computer)
Rule 'Internet Information Services' — name of a rule that was applied (from the Description field)
Blocked: / Permitted: — indicates whether the packet was blocked or permitted (corresponds with the number at the beginning of the line)
In / Out — indicates an incoming or outgoing packet
IP / TCP / UDP / ICMP, etc. — communication protocol (for which the rule was defined)
richard.kerio.com [192.168.2.38:3772] — DNS name of the computer from which the packet was sent; in square brackets is the IP address with the source port after a colon
localhost:25 — destination IP address (or DNS name) and port (localhost = this computer)
Owner: — name of the local application to which the packet is addressed (including its full path). If the application is a system service the name displayed is SYSTEM.
..........EOQ.................

| 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner

That one seems to be coming from...
NetRange: 200.0.0.0 - 200.255.255.255
NetName: LACNIC-200

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
#3
"PCR" wrote in message ...
| MEB wrote:
| | PCR and Gram Pappy [among others] have been discussing firewall
| | settings and what they can or should be used for.
|
| That's right. I installed...
| http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
| later began a 17 year study of what to do with it. But I should have
| spoken up sooner!
|
| | In the spirit of those discussions, I thought I would post some
| | blocked activity from a SINGLE session/contact through my ISP and
| | ONLY to this news server and my email accounts [via OE6]. This is
| | from the firewall log [several of my normal settings/restrictions
| | were specifically reset for this presentation].
|
| Thanks for jumping in. So, you wanted to see what would happen just by
| connecting to the NET & using OE for mail & NG activity.

Well, ah no, actually I wanted to let other users who may not have investigated or understand firewalls.

| | No other Internet activity occurred [e.g., no external IE or browser
| | usage or other activity]. All *allowed activity* has been removed, so
| | that the addresses and activities blocked might be addressed for
| | perhaps a greater understanding of the function of firewalls, what
| | they can and are used for, and other aspects related thereto.
|
| Really, it's important to see what was allowed too. Where I thought my
| Primary DNS Server rule would be used only by NetZero (they are NetZero
| addresses in there)... really a whole bunch of apps were using it! But
| that's in the other thread!

DNS is used by any program requiring addressing information. The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s), with limited [chosen by previous monitoring] local ports and applications.

I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection]; however, I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.

2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119-localhost:1072, Owner: no owner

at which point I disconnected, having retrieved mail and the news messages.

NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests.

| | For those who do not understand firewalls, these activities would or
| | may have been allowed as they followed either programs IN USE [allowed
| | activity], or through addressing [broadcast or otherwise] had a
| | firewall not been used.
|
| That is right. Without a firewall with a good set of denial rules, all
| activity is allowed. Hopefully, if a virus or a trojan or a spy can
| sneak in that way, a good virus detector will prevent it from executing.
| Also, there may have been an MS fix or two to prevent some forms of
| abuse along these lines (I don't know).

What would make you think any anti-spyware or anti-virus programs would check or correct these types of activities? Anti-spyware programs MAY block certain addresses and perhaps some ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to infect something, or emails or files which contain hacks or other. Host or lmhost files catch what they have been configured to catch via addressing/name. These, however, are *network use* activities WITHIN the TCP/IP and other aspects of Internet/network usage. Firewalls, proxies, packet sniffers, client servers, the TCP/IP kernel, and the like, are what handle these activities. Of course the above is an overly simplified explanation.

| | NOTE: this is contact through a dial-up connection[phone]/ISP [which
| | is indicated via some of these addresses], ALWAYS ON connections are
| | even more of a security risk.
|
| Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.

Only if that is what the ISP requires or desires.

| | Hopefully, this discussion will be useful to those interested and
| | provide theory and answers to various issues.
| | Rule sets or other settings for various firewalls would naturally be
| | of interest.
| |
| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
|
| I find I have to guess as to the meaning of that. Looks like someone at
| 67.170.2.174, who is Comcast...
|
| http://www.networksolutions.com/whoi...p=67.170.2.174
| .....Quote...........
| 67.170.2.174
| Record Type: IP Address
|
| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
| 67.160.0.0 - 67.191.255.255
| Comcast Cable Communications, IP Services WASHINGTON-6
| (NET-67-170-0-0-1)
| 67.170.0.0 - 67.170.127.255
| .....EOQ.............
|
| ...sent a UDP datagram to port 29081 on your machine. But I don't
| know...
|
| (1) did the port exist without an owner, & would it have received
| the datagram (except the rule blocked it)?
| (The name of that rule suggests the answer is no.)

The data request would have been received and likely honored. The port would have been opened/created to allow this activity.

| (2) did the port once exist & at that time have an owner,
| but somehow was closed before the datagram arrived?
| Therefore, it couldn't get it, anyhow, even if not blocked?

If it would have been ALLOWED activity [e.g., without proxy or firewall monitoring or exclusion, or within a hosts or lmhosts, or other], then a search would have been made for an available port, and then created/opened. Look again at this:

1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner

See the attempt to find or create an open port?

Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in an attempt to find or create one.

| (3) did the port 29081 never exist?
|
| Do any earlier log entries mention that port? You'd have to log all
| activity of each "permit" rule to know for sure. But, if there is no
| rule permitting the activity, then you would have received a Kerio
| requestor mentioning the port.

No, we don't need that. Were an ALLOWED program or address using that aspect, then it would NOT have created the denial. Either would have cascaded to find an open port for use [as long as it was in the defined rule range]. AND you mention Kerio, which MUST have that turned on [requestor]. Other firewalls, particularly those that automatically configure themselves, MAY not pop up anything unless they have been configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls; imagine what they are configured by default to allow.

| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
|
| That one seems to be coming from...
|
| NetRange: 200.0.0.0 - 200.255.255.255
| NetName: LACNIC-200

Yes, that is the key to your Firewall security: tracking each suspect activity to the originator, if possible. Actually, were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown. The Internet is a cesspool of users, unless you protect yourself from them. NO-ONE is completely invisible or invulnerable. There is always a starting [requesting/receiving] address [yours]. If you were ACTUALLY invisible then nothing would reach you; you couldn't receive a web page; you couldn't receive email; you couldn't do any networking. Whatever is requested MUST have a destination [You]. [Okay, I know of ways but we're not educating hackers here.]

FOR THE GENERAL DOUBTER [not you PCR]: Try it. Block all network and Internet traffic in your firewall. That closes all ports, hence no requesting/receiving address [yours]. It doesn't matter that you may have obtained an IP address or have one hard set; there is no way to use it {don't try this for long or you will lose access to the net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if applicable}...] No ports or no address and there is no network. Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to ANY web address. Notice the addresses? Notice the routing? NOW, exactly how did YOU receive that information? Certainly it wasn't broadcast to the world and you just happened to have ended up with it. Or was it? --

Now what could a hacker, or someone wishing to track you for whatever reason, do with that information? All that is originally needed by that party is the requesting/receiving address; e.g. your address, your activity, something you did or allowed. Once this is known then anything that party wishes to do can be done. Now think about ALWAYS ON connections.

For instance, you did go through Sponge's other pages [used because it was previously referenced] which address advertising and other innocent [cough] inclusions on web pages, or which you may find on the Internet, correct? Such as:
http://www.geocities.com/yosponge/othrstuf.html
Did you look at his host file, etc.? Or perhaps look at ports, packets, formation, and other aspects over on:
http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives

9X users? Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some nice tools for network/Internet use/diagnostics: Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc. Be careful using it; many servers do NOT like to be scanned, you may be logged and your ISP or other agency may be contacted.

Another nifty test tool is called *tooleaky*. A little 3k tool to test your supposed security [created to test/expose GRC suggestions]. Read about what it does and how. You might think twice about what you think you know.

If you're using 2000 or above, you might want to check these older tools:
http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee

Attacker 3.00

http://www.foundstone.com/knowledge/proddesc/fport.html
fport - find out what is using what port - 2000 - XP/NT
Identify unknown open ports and their associated applications
Copyright 2002 (c) by Foundstone, Inc.
http://www.foundstone.com
fport supports Windows NT4, Windows 2000 and Windows XP
fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

Trout Version 2.0 (formerly SuboTronic)
New in this release
Parallel pinging, resulting in a huge speed improvement.
Selectable background and text colors.
Improved interface.
Save trace to file.
Improved HTML output.
Optional continuous ping mode.
Traceroute and Whois program.
Copyright 2000 (c) by Foundstone, Inc.
A visual (i.e. GUI as opposed to command-line) traceroute and Whois program. Pinging can be set at a controllable rate, as can the frequency of repeatedly scanning the selected host. The built-in simple Whois lookup can be used to identify hosts discovered along the route to the destination computer.
Parallel pinging and hostname lookup techniques make this traceroute program perhaps the fastest currently available.

Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet

--
MEB
http://peoplescounsel.orgfree.com
#4
firewalls - what to block and why - your security at risk
Some real food for thought, gentlemen. Thank you.
P.S. I've been using ZA since 2000.

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" meb@not wrote in message ...
|
|
| "PCR" wrote in message ...
|| MEB wrote:
|| | PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for.
||
|| That's right. I installed...
|| http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
||
|| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!
||
|| | In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6]. This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation].
||
|| Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity.
|
| Well, ah no, actually I wanted to let other users who may not have investigated or understand firewalls.
|
|| | No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto.
||
|| Really, it's important to see what was allowed too. Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread!
|
| DNS is used by any program requiring addressing information. The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s) with limited [chosen by previous monitoring] local ports and applications.
|
| I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection], however I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.
|
| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119-localhost:1072, Owner: no owner
| at which point I disconnected having retrieved mail and the news messages.
|
| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests.
|
|| | For those who do not understand firewalls, these activities would or may have been allowed as they followed either programs IN USE [allowed activity], or through addressing [broadcast or otherwise] had a firewall not been used.
||
|| That is right. Without a firewall with a good set of denial rules, all activity is allowed. Hopefully, if a virus or a trojan or a spy can sneak in that way, a good virus detector will prevent it from executing. Also, there may have been an MS fix or two to prevent some forms of abuse along these lines (I don't know).
|
| What would make you think any anti-spyware or anti-virus programs would check or correct these types of activities?
|
| Anti-spyware programs MAY block certain addresses and perhaps some ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to infect something, or emails or files which contain hacks or other. Host or lmhost files catch what they have been configured to catch via addressing/name.
| These, however, are *network use* activities WITHIN the TCP/IP and other aspects of Internet/network usage. Firewalls, proxies, packet sniffers, client servers, the TCP/IP kernel, and the like, are what handle these activities.
| Of course the above is an overly simplified explanation.
|
|| | NOTE: this is contact through a dial-up connection[phone]/ISP [which is indicated via some of these addresses], ALWAYS ON connections are even more of a security risk.
||
|| Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.
|
| Only if that is what the ISP requires or desires.
|
|| | Hopefully, this discussion will be useful to those interested and provide theory and answers to various issues.
|| | Rule sets or other settings for various firewalls would naturally be of interest.
|| |
|| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
||
|| I find I have to guess as to the meaning of that. Looks like someone at 67.170.2.174, who is Comcast...
||
|| http://www.networksolutions.com/whoi...p=67.170.2.174
|| .....Quote...........
|| 67.170.2.174
|| Record Type: IP Address
||
|| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| 67.160.0.0 - 67.191.255.255
|| Comcast Cable Communications, IP Services WASHINGTON-6 (NET-67-170-0-0-1)
|| 67.170.0.0 - 67.170.127.255
|| .....EOQ.............
||
|| ...sent a UDP datagram to port 29081 on your machine. But I don't know...
||
|| (1) did the port exist without an owner, & would it have received the datagram (except the rule blocked it)?
|| (The name of that rule suggests the answer is no.)
|
| The data request would have been received and likely honored.
| The port would have been opened/created to allow this activity.
|
|| (2) did the port once exist & at that time have an owner, but somehow was closed before the datagram arrived?
|| Therefore, it couldn't get it, anyhow, even if not blocked?
|
| If it would have been ALLOWED activity [e.g., without proxy or firewall monitoring or exclusion, or within a hosts or lmhosts, or other], then a search would have been made for an available port, and then created/opened. Look again at this:
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
|
| See the attempt to find or create an open port?
| Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in attempt to find or create one.
|
|| (3) did the port 29081 never exist?
||
|| Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port.
|
| No we don't need that.
| Were an ALLOWED program or address using that aspect, then it would NOT have created the denial. Either would have cascaded to find an open port for use [as long as it was in the defined rule range].
| AND you mention Kerio, which MUST have that turned on [requestor].
| Other firewalls, particularly those that automatically configure themselves, MAY not pop-up anything unless it has been configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls, imagine what they are configured by default to allow.
|
|| Here is a Kerio help page to study...
||
|| ......Quote............
|| Filter.log file
||
|| The filter.log file is used for logging Kerio Personal Firewall actions on a local computer. It is created in a directory where Personal Firewall is installed (typically C:\Program Files\Kerio\Personal Firewall). It is created upon the first record.
||
|| Filter.log is a text file where each record is placed on a new line. It has the following format:
||
|| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
||
|| How to read this line:
||
|| 1 rule type (1 = denying, 2 = permitting)
||
|| [08/Jun/2001 16:52:09] date and time that the packet was detected (we recommend checking the correct setting of the system time on your computer)
||
|| Rule 'Internet Information Services' name of a rule that was applied (from the Description field)
||
|| Blocked: / Permitted: indicates whether the packet was blocked or permitted (corresponds with the number at the beginning of the line)
||
|| In / Out indicates an incoming or outgoing packet
||
|| IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule was defined)
||
|| richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from which the packet was sent, in square brackets is the IP address with the source port after a colon
||
|| localhost:25 destination IP address (or DNS name) and port (localhost = this computer)
||
|| Owner: name of the local application to which the packet is addressed (including its full path). If the application is a system service the name displayed is SYSTEM.
|| .........EOQ.................
||
|| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
||
|| That one seems to be coming from...
||
|| NetRange: 200.0.0.0 - 200.255.255.255
|| NetName: LACNIC-200
|
| Yes, that is the key to your Firewall security.
| Tracking each suspect activity to the originator, if possible.
|
| Actually were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown.
| The Internet is a cesspool of users, unless you protect yourself from them.
| NO-ONE is completely invisible or invulnerable. There is always a starting [requesting/receiving] address [yours].
| If you were ACTUALLY invisible then nothing would reach you; you couldn't receive a web page; you couldn't receive email; you couldn't do any networking. Whatever is requested MUST have a destination [You]. [Okay, I know of ways but we're not educating hackers here.]
|
| FOR THE GENERAL DOUBTER [not you PCR]:
| Try it. Block all network and Internet traffic in your firewall. That closes all ports, hence no requesting/receiving address [yours]. It doesn't matter that you may have obtained an IP address or have one hard set, there is no way to use it {don't try this for long or you will lose access to the net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if applicable}...] No ports or no address and there is no network.
| Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to ANY web address. Notice the addresses? Notice the routing?
| NOW, exactly how did YOU receive that information? Certainly it wasn't broadcast to the world and you just happened to have ended up with it. Or was it?
| --
|
| Now what could a hacker, or someone wishing to track you for whatever reason, do with that information?
| All that is originally needed by that party is the requesting/receiving address; e.g. your address, your activity, something you did or allowed. Once this is known then anything that party wishes to do can be done. Now think about ALWAYS ON connections.
|
| For instance, you did go through Sponge's other pages [used because it was previously referenced] which address advertising and other innocent [cough] inclusions on web pages, or which you may find on the Internet, correct?
| Such as: http://www.geocities.com/yosponge/othrstuf.html
| Did you look at his host file, etc..
| Or perhaps look at ports, packets, formation, and other aspects over on:
| http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
|
| 9X users?
| Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some nice tools for network/Internet use/diagnostics.
| Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be careful using it, many servers do NOT like to be scanned, you may be logged and your ISP or other agency may be contacted..
|
| Another nifty test tool is called *tooleaky*. A little 3k tool to test your supposed security [created to test/expose GRC suggestions]. Read about what it does and how. You might think twice about what you think you know.
|
| If you're using 2000 or above, might want to check these older tools:
|
| http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
|
| Attacker 3.00
|
| http://www.foundstone.com/knowledge/proddesc/fport.html
| fport - find out what is using what port - 2000 - XP/NT
| Identify unknown open ports and their associated applications
| Copyright 2002 (c) by Foundstone, Inc.
| http://www.foundstone.com
| fport supports Windows NT4, Windows 2000 and Windows XP
| fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
|
|
| Trout Version 2.0 (formerly SuboTronic)
| New in this release
| Parallel pinging, resulting in a huge speed improvement.
| Selectable background and text colors.
| Improved interface.
| Save trace to file.
| Improved HTML output.
| Optional continuous ping mode.
| Traceroute and Whois program.
| Copyright 2000 (c) by Foundstone, Inc.
| A visual (i.e. GUI as opposed to command-line) traceroute and Whois program. Pinging can be set at a controllable rate as can the frequency of repeatedly scanning the selected host. The built-in simple Whois lookup can be used to identify hosts discovered along the route to the destination computer. Parallel pinging and hostname lookup techniques make this traceroute program perhaps the fastest currently available.
|
|
| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet
|
|| |
|| | --
|| | MEB
|| | http://peoplescounsel.orgfree.com
|| | ________
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
||
||
|
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
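An added example, not code from the thread or from Kerio: a Python parser for the filter.log record layout described in the Kerio help text quoted above, run over lines copied from the posted logs, plus the check MEB's Shaw entries call for (one remote ip:port stepping through consecutive local ports). The walk detector looks only at blocked inbound UDP, so late TCP packets from a server the machine was talking to (the 'TCP ack packet attack' entries) are not mistaken for a probe.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# An endpoint is "dnsname [ip:port]" or "ip:port" (localhost counts as an ip). Only the
# bracketed form may contain "-", so the "-" between source and destination stays unambiguous.
_EP = r"(?:[^\s\[\]]+ \[[\d.]+:\d+\]|[^\s\[\]\-,]+:\d+)"
_HEAD = (r"^(?P<kind>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
         r"(?P<action>Blocked|Permitted): (?P<dir>In|Out) ")
_TCPUDP = re.compile(_HEAD + r"(?P<proto>TCP|UDP), (?P<src>" + _EP + r")-(?P<dst>" + _EP
                     + r"), Owner: (?P<owner>.*)$")
# ICMP records carry a type number and name instead of ports ("Out ICMP [10] Router Solicitation").
_ICMP = re.compile(_HEAD + r"ICMP \[(?P<icmp>\d+)\] (?P<name>[^,]+), (?P<src>[^\s,\-]+)-"
                   r"(?P<dst>[^,]+), Owner: (?P<owner>.*)$")
_EP_PORT = re.compile(r"^(?:(?P<host>\S+) \[(?P<ip>[\d.]+):(?P<port>\d+)\]|(?P<ip2>[^:]+):(?P<port2>\d+))$")
_EP_NOPORT = re.compile(r"^(?P<host>\S+) \[(?P<ip>[\d.]+)\]$")


@dataclass
class Endpoint:
    ip: str
    port: Optional[int]
    host: Optional[str] = None


@dataclass
class Record:
    ts: datetime
    rule: str
    blocked: bool
    direction: str  # "In" or "Out"
    proto: str      # "TCP", "UDP" or "ICMP"
    src: Endpoint
    dst: Endpoint
    owner: str
    icmp_type: Optional[int] = None


def _endpoint(text: str) -> Endpoint:
    m = _EP_PORT.match(text)
    if m:
        return Endpoint(m["ip"], int(m["port"]), m["host"]) if m["host"] else Endpoint(m["ip2"], int(m["port2"]))
    m = _EP_NOPORT.match(text)
    return Endpoint(m["ip"], None, m["host"]) if m else Endpoint(text, None)  # port-less ICMP endpoint


def parse_line(line: str) -> Optional[Record]:
    """One filter.log line -> Record, or None when the line is not in the documented layout."""
    m = _TCPUDP.match(line) or _ICMP.match(line)
    if m is None:
        return None
    d = m.groupdict()
    blocked = d["kind"] == "1"
    if blocked != (d["action"] == "Blocked"):  # the help text says these two fields must agree
        raise ValueError(f"rule type and action disagree: {line!r}")
    return Record(ts=datetime.strptime(d["ts"], "%d/%b/%Y %H:%M:%S"), rule=d["rule"],
                  blocked=blocked, direction=d["dir"], proto=d.get("proto") or "ICMP",
                  src=_endpoint(d["src"]), dst=_endpoint(d["dst"]), owner=d["owner"],
                  icmp_type=int(d["icmp"]) if d.get("icmp") else None)


def blocked_local_ports(records) -> Counter:
    """How often each local port was the target of a blocked inbound packet."""
    return Counter(r.dst.port for r in records
                   if r.blocked and r.direction == "In" and r.dst.port is not None)


def udp_port_walks(records, min_run: int = 2) -> dict:
    """Blocked inbound UDP from one remote ip:port that steps through consecutive local ports,
    like the Shaw entries hitting 1026, 1027 and 1028. Returns {"ip:port": [longest run]}."""
    seen = defaultdict(set)
    for r in records:
        if r.blocked and r.direction == "In" and r.proto == "UDP" and r.dst.port is not None:
            seen[f"{r.src.ip}:{r.src.port}"].add(r.dst.port)
    walks = {}
    for key, ports in seen.items():
        ordered = sorted(ports)
        best = run = [ordered[0]]
        for p in ordered[1:]:
            run = run + [p] if p == run[-1] + 1 else [p]
            best = run if len(run) > len(best) else best
        if len(best) >= min_run:
            walks[key] = best
    return walks


# Sample records copied from the logs posted in the thread (one of each shape that appears).
SAMPLE_LOG = [
    "1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner",
    "1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner",
    "1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner",
    "1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner",
    "1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner",
    r"2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE",
    "1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver",
    "1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner",
    "1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner",
    "1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner",
]

if __name__ == "__main__":
    recs = [parse_line(line) for line in SAMPLE_LOG]
    print("blocked inbound by local port:", blocked_local_ports(recs).most_common())
    print("local-port walks:", udp_port_walks(recs))
```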
#5
firewalls - what to block and why - your security at risk
Curt Christianson wrote:
| Some real food for thought gentlemen. Thank you. You are welcome. I have only begun & will not rest until I get these Kerio rules right-- even if I have to complete the rest of my 17 year study! I'm moving it to the top of my to-do list! My master plan is to discover just what my legit apps want to or must do to function properly. Then, I will code rules that permit JUST those apps to do it. Only my denial rules will apply to "any application", is my plan. And I have begun with my Primary DNS Server rule, which now I have split into FIVE... (1) DNS Server-- EXEC.exe (NetZero) (2) DNS Server-- ASHWEBSV (avast! Web Scanner) (3) DNS Server-- AVAST.SETUP (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service) (5) DNS Server-- IExplore I may attempt again to narrow it down. But, currently, each of those gets to do UDP, both directions, local ports 1024-5000, any NetZero address, port 53. Lots of other apps were using it before. But that's in another thread! | P.S. I've been using ZA since 2000. | | -- | HTH, | Curt | | Windows Support Center | www.aumha.org | Practically Nerded,... | http://dundats.mvps.org/Index.htm | | "MEB" meb@not wrote in message | ... || || || || "PCR" wrote in message || ... ||| MEB wrote: ||| | PCR and Gram Pappy [among others] have been discussing firewall ||| | settings and what they can or should be used for. ||| ||| That's right. I installed... ||| http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW ||| ||| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months ||| later began a 17 year study of what to do with it. But I should have ||| spoke up sooner! ||| ||| | In the spirit of those discussions, I thought I would post some ||| | blocked activity from a SINGLE session/contact through my ISP and ||| | ONLY to this news server and my email accounts [via OE6]. This is ||| | from the firewall log [several of my normal settings/restrictions ||| | were specifically reset for this presentation]. ||| ||| Thanks for jumping in. 
So, you wanted to see what would happen just ||| by connecting to the NET & using OE for mail & NG activity. || || Well, ah no, actually I wanted to let other users who may not have || investigated or understand firewalls. || ||| ||| | No other Internet activity occurred [e.g., no external IE or ||| | browser usage or other activity]. All *allowed activity* has been ||| | removed, so that the addresses and activities blocked might be ||| | addressed for perhaps a greater understanding of the function of ||| | firewalls, what they can and are used for, and other aspects ||| | related thereto. ||| ||| Really, it's important to see what was allowed too. Where I thought ||| my Primary DNS Server rule would be used only by NetZero (they are ||| NetZero addresses in there)... really a whole bunch of apps were ||| using it! But that's in the other thread! || || DNS is used by any program requiring addressing information. The key || is to limit to the EXACT DNS server(s) NOT within your system || [unless for local network traffic] and the port [53] used by that || (those) server(s) with limited [chosen by previous monitoring] local || ports and applications. || || I will NOT post all my rules or what exactly I have configured || locally [that would supply the exact way to circumvent my || protection], however I will post this contact to retreive the || email/news messages [your posting], with a few more inclusions || [again, slightly modified rules and rule logging]. This was ONLY to || retreive mail and the newsgroups on Microsoft. Nothing else occurred || BUT the logon to the ISP. 
|| || 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, || localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA || ONLINE || 7.0\WAOL.EXE || 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] || Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver || 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, || XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA || ONLINE || 7.0\WAOL.EXE || 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] || Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], || Owner: Tcpip Kernel Driver || 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] || Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], || Owner: Tcpip Kernel Driver || 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] || Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver || 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] || Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898-localhost:1026, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898-localhost:1027, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898-localhost:1028, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In || TCP, 207.46.248.16:119-localhost:1072, Owner: no owner || at which point I disconnected having retrieved mail and the news || messages. || || NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip || Kernel requests. 
|| ||| ||| | For those who do not understand firewalls, these activities ||| | would or may have been allowed as they followed either programs ||| | IN USE [allowed activity], or through addressing [broadcast or ||| | otherwise] had a firewall not been used. ||| ||| That is right. Without a firewall with a good set of denial rules, ||| all activity is allowed. Hopefully, if a virus or a trojan or a spy ||| can sneak in that way, a good virus detector will prevent it from ||| executing. Also, there may have been an MS fix or two to prevent ||| some forms of abuse along these lines (I don't know). || || What would make you think any anti-spyware or anti-virus programs || would check or correct these types of activities? || || Anti-spyware programs MAY block certain addresses and perhaps some || ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to || infect something, or emails or files which contain hacks or other. || Host or lmhost files catch what they have been configured to catch || via addressing/name. || These, however, are *network use* activities WITHIN the TCP/IP and || other aspects of Internet/network usage. Firewalls, proxies, packet || sniffers, client servers, the TCP/IP kernel, and the like, are what || handle these activities. || Of course the above is an overly simplified explanation. || ||| ||| | NOTE: this is contact through a dial-up connection[phone]/ISP ||| | [which is indicated via some of these addresses], ALWAYS ON ||| | connections are even more of a security risk. ||| ||| Uhuh. I am Dial-Up too. That way, you get a new IP address each ||| connect. || || Only if that is what the ISP requires or desires. || ||| ||| | Hopefully, this discussion will be useful to those interested and ||| | provide theory and answers to various issues. ||| | Rule sets or other settings for various firewalls would ||| | naturally be of interest. 
||| | ||| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': ||| | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no ||| | owner ||| ||| I find I have to guess as to the meaning of that. Looks like ||| someone at ||| 67.170.2.174, who is Comcast... ||| ||| http://www.networksolutions.com/whoi...p=67.170.2.174 ||| .....Quote........... ||| 67.170.2.174 ||| Record Type: IP Address ||| ||| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1) ||| 67.160.0.0 - 67.191.255.255 ||| Comcast Cable Communications, IP Services WASHINGTON-6 ||| (NET-67-170-0-0-1) ||| 67.170.0.0 - 67.170.127.255 ||| .....EOQ............. ||| ||| ...sent a UDP datagram to port 29081 on your machine. But I don't ||| know... ||| ||| (1) did the port exist without an owner, & would it have received ||| the datagram (except the rule blocked it)? ||| (The name of that rule suggests the answer is no.) || || The data request would have been received and likely honored. || The port would have been opened/created to allow this activity. || ||| ||| (2) did the the port once exist & at that time have an owner, ||| but somehow was closed before the datagram arrived? ||| Therefore, it couldn't get it, anyhow, even if not blocked? || || If it would have been ALLOWED activity [e.g., without proxy or || firewall monitoring or exculsion, or within a hosts or lmhosts, or || other]], then a search would have been made for an available port, || and then created/opened. Look again at this: || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898-localhost:1026, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898-localhost:1027, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898-localhost:1028, Owner: no owner || || See the attempt to find or create an open port? 
|| Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in attempt to find or create one.
||
||| (3) did the port 29081 never exist?
|||
||| Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port.
||
|| No we don't need that.
|| Were an ALLOWED program or address using that aspect, then it would NOT have created the denial. Either would have cascaded to find an open port for use [as long as it was in the defined rule range].
|| AND you mention Kerio, which MUST have that turned on [requestor]. Other firewalls, particularly those that automatically configure themselves, MAY not pop-up anything unless it has been configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls, imagine what they are configured by default to allow.
||
||| Here is a Kerio help page to study...
|||
||| ......Quote............
||| Filter.log file
|||
||| The filter.log file is used for logging Kerio Personal Firewall actions on a local computer. It is created in a directory where Personal Firewall is installed (typically C:\Program Files\Kerio\Personal Firewall). It is created upon the first record.
|||
||| Filter.log is a text file where each record is placed on a new line.
||| It has the following format:
|||
||| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|||
||| How to read this line:
|||
||| 1 - rule type (1 = denying, 2 = permitting)
||| [08/Jun/2001 16:52:09] - date and time that the packet was detected (we recommend checking the correct setting of the system time on your computer)
||| Rule 'Internet Information Services' - name of a rule that was applied (from the Description field)
||| Blocked: / Permitted: - indicates whether the packet was blocked or permitted (corresponds with the number at the beginning of the line)
||| In / Out - indicates an incoming or outgoing packet
||| IP / TCP / UDP / ICMP, etc. - communication protocol (for which the rule was defined)
||| richard.kerio.com [192.168.2.38:3772] - DNS name of the computer from which the packet was sent; in square brackets is the IP address with the source port after a colon
||| localhost:25 - destination IP address (or DNS name) and port (localhost = this computer)
||| Owner: - name of the local application to which the packet is addressed (including its full path). If the application is a system service the name displayed is SYSTEM.
||| .........EOQ.................
|||
||| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
|||
||| That one seems to be coming from...
|||
||| NetRange: 200.0.0.0 - 200.255.255.255
||| NetName: LACNIC-200
||
|| Yes, that is the key to your Firewall security.
|| Tracking each suspect activity to the originator, if possible.
||
|| Actually were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown.
|| The Internet is a cesspool of users, unless you protect yourself from them. NO-ONE is completely invisible or invulnerable. There is always a starting [requesting/receiving] address [yours].
|| If you were ACTUALLY invisible then nothing would reach you; you couldn't receive a web page; you couldn't receive email; you couldn't do any networking. Whatever is requested MUST have a destination [You]. [Okay, I know of ways but we're not educating hackers here.]
||
|| FOR THE GENERAL DOUBTER [not you PCR]:
|| Try it. Block all network and Internet traffic in your firewall. That closes all ports, hence no requesting/receiving address [yours]. It doesn't matter that you may have obtained an IP address or have one hard set, there is no way to use it {don't try this for long or you will lose access to the net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if applicable}...] No ports or no address and there is no network.
|| Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to ANY web address. Notice the addresses? Notice the routing?
|| NOW, exactly how did YOU receive that information? Certainly it wasn't broadcast to the world and you just happened to have ended up with it. Or was it?
|| --
||
|| Now what could a hacker, or someone wishing to track you for whatever reason, do with that information?
|| All that is originally needed by that party is the requesting/receiving address; e.g. your address, your activity, something you did or allowed. Once this is known then anything that party wishes to do can be done. Now think about ALWAYS ON connections.
||
|| For instance, you did go through Sponge's other pages [used because it was previously referenced] which address advertising and other innocent [cough] inclusions on web pages, or which you may find on the Internet, correct?
|| Such as: http://www.geocities.com/yosponge/othrstuf.html
|| Did you look at his host file, etc.?
|| Or perhaps look at ports, packets, formation, and other aspects over on: http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
||
|| 9X users?
|| Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some nice tools for network/Internet use/diagnostics.
|| Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc. Be careful using it, many servers do NOT like to be scanned, you may be logged and your ISP or other agency may be contacted.
||
|| Another nifty test tool is called *tooleaky*. A little 3k tool to test your supposed security [created to test/expose GRC suggestions]. Read about what it does and how. You might think twice about what you think you know.
||
|| If you're using 2000 or above, might want to check these older tools:
||
|| http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
||
|| Attacker 3.00
||
|| http://www.foundstone.com/knowledge/proddesc/fport.html
|| fport - find out what is using what port - 2000 - XP/NT
|| Identify unknown open ports and their associated applications
|| Copyright 2002 (c) by Foundstone, Inc.
|| http://www.foundstone.com
|| fport supports Windows NT4, Windows 2000 and Windows XP
|| fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
||
|| Trout Version 2.0 (formerly SuboTronic)
|| New in this release
|| Parallel pinging, resulting in a huge speed improvement.
|| Selectable background and text colors.
|| Improved interface.
|| Save trace to file.
|| Improved HTML output.
|| Optional continuous ping mode.
|| Traceroute and Whois program.
|| Copyright 2000 (c) by Foundstone, Inc.
|| A visual (i.e. GUI as opposed to command-line) traceroute and Whois program. Pinging can be set at a controllable rate as can the frequency of repeatedly scanning the selected host. The built-in simple Whois lookup can be used to identify hosts discovered along the route to the destination computer. Parallel pinging and hostname lookup techniques make this traceroute program perhaps the fastest currently available.
||
|| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet
||
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no owner
||| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212, Owner: no owner
||| | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:8000, Owner: no owner
||| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
||| | 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no owner
||| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027, Owner: no owner
||| | 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699-localhost:1026, Owner: no owner
||| | 1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490-localhost:1026, Owner: no owner
||| | 1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no owner
||| | 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988-localhost:29081, Owner: no owner
||| |
||| | --
||| | MEB
||| | http://peoplescounsel.orgfree.com
||| | ________
|||
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
||
|| --
|| MEB
|| http://peoplescounsel.orgfree.com
|| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
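The Kerio filter.log layout quoted in the post above (rule type, timestamp, rule name, action, direction, protocol, endpoints, owner) is regular enough to parse, and the point MEB makes about a remote host "stepping through IN [local] ports" can be checked mechanically instead of by eye. What follows is an added example written for this page, not code from the thread, from Kerio or from either poster: it parses records in that layout, counts which local ports the blocked inbound traffic hit, and flags any source that walked consecutive local ports. The sample records are copied from the logs posted in the thread, except that the Echo Request source, which the poster masked, is replaced with the documentation address 192.0.2.10.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout as described in the Kerio PFW "Filter.log" help text quoted in the thread:
#   <1|2>,[dd/Mon/yyyy hh:mm:ss] Rule '<name>': <Blocked|Permitted>: <In|Out> <PROTO>[ [n] <icmp text>], <src>-<dst>, Owner: <owner>
LINE_RE = re.compile(
    r"^(?P<code>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<direction>In|Out) (?P<proto>[A-Z]+)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<endpoints>.+), Owner: (?P<owner>.*)$"
)

@dataclass
class Endpoint:
    host: Optional[str]  # reverse-DNS name when the firewall resolved one
    ip: str              # dotted quad, or the literal "localhost"
    port: Optional[int]  # None for ICMP records

@dataclass
class Record:
    blocked: bool
    timestamp: str
    rule: str
    inbound: bool
    proto: str
    src: Endpoint
    dst: Endpoint
    owner: str

def parse_endpoint(text: str) -> Endpoint:
    """Accepts '67.170.2.174:43511', 'localhost:29081', '224.0.0.2' or 'name [ip:port]'."""
    host = None
    if text.endswith("]") and " [" in text:
        host, _, inner = text.partition(" [")
        text = inner[:-1]
    ip, _, port = text.partition(":")  # IPv4 only: this log format carries no IPv6 records
    return Endpoint(host, ip, int(port) if port else None)

def split_endpoints(text: str):
    # One side of every record is localhost, so split there; splitting on the first "-"
    # would break reverse-DNS names such as host230.200-117-180.telecom.net.ar.
    if text.startswith("localhost"):
        src, _, dst = text.partition("-")
    else:
        cut = text.rfind("-localhost")
        src, dst = text[:cut], text[cut + 1:]
    return parse_endpoint(src), parse_endpoint(dst)

def parse_line(line: str) -> Optional[Record]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst = split_endpoints(m["endpoints"])
    return Record(m["code"] == "1", m["ts"], m["rule"], m["direction"] == "In", m["proto"], src, dst, m["owner"])

def find_port_sweeps(records: List[Record], min_run: int = 3) -> Dict[str, List[int]]:
    """Sources whose blocked inbound packets hit at least `min_run` consecutive local
    ports, i.e. the 1026/1027/1028 stepping MEB points at in the thread."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r.blocked and r.inbound and r.dst.port is not None:
            ports_by_src[r.src.ip].add(r.dst.port)
    sweeps = {}
    for src, ports in ports_by_src.items():
        ordered = sorted(ports)
        run, best = [ordered[0]], [ordered[0]]
        for p in ordered[1:]:
            run = run + [p] if p == run[-1] + 1 else [p]
            best = run if len(run) > len(best) else best
        if len(best) >= min_run:
            sweeps[src] = best
    return sweeps

def summarize(lines: List[str], min_run: int = 3) -> dict:
    records = [r for r in map(parse_line, lines) if r is not None]
    blocked_in = [r for r in records if r.blocked and r.inbound]
    return {"records": len(records), "blocked_inbound": len(blocked_in),
            "hits_per_local_port": Counter(r.dst.port for r in blocked_in if r.dst.port is not None),
            "sources": Counter(r.src.ip for r in blocked_in),
            "unowned": sum(1 for r in blocked_in if r.owner == "no owner"),
            "sweeps": find_port_sweeps(records, min_run)}

# Records copied from the thread's logs; the Echo Request source was masked there and is
# replaced with the documentation address 192.0.2.10 (a constructed value).
SAMPLE_LOG = r"""
1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 192.0.2.10-localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()
```

Run `summarize(SAMPLE_LINES)` (or feed it the lines of a real filter.log) and the sweep detector reports 24.64.192.20 walking 1026, 1027, 1028, while 218.10.137.139, which only touched two consecutive ports, is reported only if `min_run` is lowered to 2. Every record the poster showed is "Owner: no owner", which the summary counts separately, since a blocked packet that does have an owner means a local program was listening and is worth a closer look.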
#6
firewalls - ZONEALARM - what to block and why - your security at risk
"Curt Christianson" wrote in message ...
| Some real food for thought gentlemen. Thank you.
|
| P.S. I've been using ZA since 2000.
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm

We aim to please...

I also used ZA for a number of years on the various 9X boxes and XP. The rules aspect of other firewalls always drew me [having a Linux, Xenix, NT background] but I thought it wise to use what others might be using [for comparison purposes]. Now however, with the use of highly questionable activities on the Internet, and my personal questions related to ZA, and no support from Microsoft and ZoneLabs, I thought I would return to something which gave considerably more control during my final testing days under 9X.

I have an old ZA version [forgot which version though, and have no intention of re-installing it] about 1.4meg which actually seemed to supply MOST of the normal functions required, at least semi-adequately. Sometimes I thought the newer versions were attempting aspects which were not well implemented or implemented in a fashion I thought not user friendly. Of course there is an ability to setup *rules like* activities within ZA, but I would imagine most users do not do so.

In the spirit of this discussion, which is to include any firewalls [and I hope it eventually does. Note this has ZONEALARM now in its subject heading]:
What version and product are you or others using?
Have you or others run monitoring/sniffing programs while using ZA to see if it actually performs as advertised?
What settings or other seemed to be the most useful to you or other users?
What advice would users give concerning settings, configuration, etc. to other users of ZA, [noting in Curt's case, I think you're using it under W2K, so does that offer anything different as far as you know]?
Have you or other users created any similar rules within ZA to the below [referencing Kerio PFW rules]?
| "MEB" meb@not wrote in message ...
| |
| | "PCR" wrote in message ...
| || MEB wrote:
| || | PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for.
| ||
| || That's right. I installed...
| || http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
| ||
| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!
| ||
| || | In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6]. This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation].
| ||
| || Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity.
| |
| | Well, ah no, actually I wanted to let other users who may not have investigated or understand firewalls.
| |
| || | No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto.
| ||
| || Really, it's important to see what was allowed too. Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread!
| |
| | DNS is used by any program requiring addressing information.
| | The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s) with limited [chosen by previous monitoring] local ports and applications.
| |
| | I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection], however I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.
| |
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| | 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119-localhost:1072, Owner: no owner
| | at which point I disconnected having retrieved mail and the news messages.
| |
| | NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests.
| |
| || | For those who do not understand firewalls, these activities would or may have been allowed as they followed either programs IN USE [allowed activity], or through addressing [broadcast or otherwise] had a firewall not been used.
| ||
| || That is right. Without a firewall with a good set of denial rules, all activity is allowed. Hopefully, if a virus or a trojan or a spy can sneak in that way, a good virus detector will prevent it from executing. Also, there may have been an MS fix or two to prevent some forms of abuse along these lines (I don't know).
| |
| | What would make you think any anti-spyware or anti-virus programs would check or correct these types of activities?
| |
| | Anti-spyware programs MAY block certain addresses and perhaps some ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to infect something, or emails or files which contain hacks or other. Host or lmhost files catch what they have been configured to catch via addressing/name.
| | These, however, are *network use* activities WITHIN the TCP/IP and other aspects of Internet/network usage. Firewalls, proxies, packet sniffers, client servers, the TCP/IP kernel, and the like, are what handle these activities.
| | Of course the above is an overly simplified explanation.
| | | || | || | NOTE: this is contact through a dial-up connection[phone]/ISP [which | || | is indicated via some of these addresses], ALWAYS ON connections are | || | even more of a security risk. | || | || Uhuh. I am Dial-Up too. That way, you get a new IP address each connect. | | | | Only if that is what the ISP requires or desires. | | | || | || | Hopefully, this discussion will be useful to those interested and | || | provide theory and answers to various issues. | || | Rule sets or other settings for various firewalls would naturally be | || | of interest. | || | | || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner | || | || I find I have to guess as to the meaning of that. Looks like someone at | || 67.170.2.174, who is Comcast... | || | || http://www.networksolutions.com/whoi...p=67.170.2.174 | || .....Quote........... | || 67.170.2.174 | || Record Type: IP Address | || | || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1) | || 67.160.0.0 - 67.191.255.255 | || Comcast Cable Communications, IP Services WASHINGTON-6 | || (NET-67-170-0-0-1) | || 67.170.0.0 - 67.170.127.255 | || .....EOQ............. | || | || ...sent a UDP datagram to port 29081 on your machine. But I don't | || know... | || | || (1) did the port exist without an owner, & would it have received | || the datagram (except the rule blocked it)? | || (The name of that rule suggests the answer is no.) | | | | The data request would have been received and likely honored. | | The port would have been opened/created to allow this activity. | | | || | || (2) did the the port once exist & at that time have an owner, | || but somehow was closed before the datagram arrived? | || Therefore, it couldn't get it, anyhow, even if not blocked? 
| | | | If it would have been ALLOWED activity [e.g., without proxy or firewall | | monitoring or exculsion, or within a hosts or lmhosts, or other]], then a | | search would have been made for an available port, and then | created/opened. | | Look again at this: | | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, | | 24.64.192.20:17898-localhost:1026, Owner: no owner | | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, | | 24.64.192.20:17898-localhost:1027, Owner: no owner | | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, | | 24.64.192.20:17898-localhost:1028, Owner: no owner | | | | See the attempt to find or create an open port? | | Now, should I have stayed online, there would have been continued attempts | | [see your prior discussion where I was online longer], though with | different | | Shaw addressing and OUT ports, again stepping through IN [local] ports in | | attempt to find or create.one. | | | | | || | || (3) did the port 29081 never exist? | || | || Do any earlier log entries mention that port? You'd have to log all | || activity of each "permit" rule to know for sure. But, if there is no | || rule permitting the activity, then you would have received a Kerio | || requestor mentioning the port. | | | | No we don't need that. | | Were an ALLOWED program or address using that aspect, then it would NOT | | have created the denial. Either would have cascaded to find an open port | for | | use [as long as it was in the defined rule range]. | | AND you mention Kerio, which MUST have that turned on {requestor]. | | Other firewalls, particularly those that automatically configure | | themselves, MAY not pop-up anything unless it has been configured that | way. | | They also MAY pass through such requests if piggy-backed from or on | allowed | | activities/programs. Think "but all I want to know is the user address". 
| | Think Microsoft's firewalls, imagine what they are configured by default | to | | allow. | | | || | || Here is a Kerio help page to study... | || | || ......Quote............ | || Filter.log file | || | || The filter.log file is used for logging Kerio Personal Firewall actions | || on a local computer. It is created in a directory where Personal | || Firewall is installed (typically C:\Program Files\Kerio\Personal | || Firewall). It is created upon the first record. | || | || Filter.log is a text file where each record is placed on a new line. It | || has the following format: | || | || 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: | || In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner: | || G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE | || | || How to read this line: | || | || 1 rule type (1 = denying, 2 = permitting) | || | || [08/Jun/2001 16:52:09] date and time that the packet was detected (we | || recommend checking the correct setting of the system time on your | || computer) | || | || Rule 'Internet Information Services' name of a rule that was applied | || (from the Description field) | || | || Blocked: / Permittted: indicates whether the packet was blocked or | || permitted (corresponds with the number at the beginning of the line) | || | || In / Out indicates an incoming or outgoing packet | || | || IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule | || was defined) | || | || richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from | || which the packet was sent, in square brackets is the IP address with the | || source port after a colon | || | || locahost:25 destination IP address (or DNS name) and port (localhost = | || this computer) | || | || Owner: name of the local application to which the packet is addressed | || (including its full path). If the application is a system service the | || name displayed is SYSTEM. | || .........EOQ................. 
| || | || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner | || | || That one seems to be coming from... | || | || NetRange: 200.0.0.0 - 200.255.255.255 | || NetName: LACNIC-200 | | | | Yes, that is the key to your Firewall security. | | Tracking each suspect activity to the originator, if possible. | | | | Actually were I to post prior complete TRACKING logs [which I collect(ed) | | for specific use], say for one day's normal usage, vast numbers of | | potentially dangerous attacks/attempts would be shown. | | The Internet is a cesspool of users, unless you protect yourself from | them. | | NO-ONE is completely invisible or invulnerable. There is always a starting | | [requesting/receiving] address [yours]. | | If you were ACTUALLY invisible then nothing would reach you; you couldn't | | receive a web page; you couldn't receive email; you couldn't do any | | networking. Whatever is requested MUST have a destination [You]. [Okay, I | | know of ways but we're not educating hackers here.] | | | | FOR THE GENERAL DOUBTER [not you PCR]: | | Try it. Block all network and Internet traffic in your firewall. That | | closes all ports, hence no requesting/receiving address [yours]. It | doesn't | | matter that you may have obtained an IP address or have one hard set, | there | | is no way to use it {don't try this for long or you will lose access to | the | | net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if | | applicable}...] No ports or no address and there is no network. | | Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to | | ANY web address. Notice the addresses? Notice the routing? | | NOW, exactly how did YOU receive that information? Certainly it wasn't | | broadcast to the world and you just happened to have ended up with it. Or | | was it? 
| | -- | | | | Now what could a hacker, or someone wishing to track you for whatever | | reason, do with that information? | | All that is originally needed by that party is the requesting/receiving | | address; e.g. your address, your activity, something you did or allowed. | | Once this is known then anythng that party wishes to do can be done. Now | | think about ALWAYS ON connections. | | | | For instance, you did go through Sponge's other pages [used because it was | | previously referenced] which address advertising and other inoccent | [cough] | | inclusions on web pages, or which you may find on the Internet, correct? | | Such as: http://www.geocities.com/yosponge/othrstuf.html | | Did you look at his host file, etc.. | | Or perhaps look at ports, packets, formation, and other aspects over on: | | http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives | | | | 9X users? | | Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide | some | | nice tools for network/Internet use/diagnostics. | | Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be | careful | | using it, many servers do NOT like to be scanned, you may be logged and | your | | ISP or other agency may be contacted.. | | | | Another nifty test tool is called *tooleaky*. A little 3k tool to test | your | | supposed security [created to test/expose GRC suggestions]. Read about | what | | it does and how. You might think twice about what you think you know. | | | | If your using 2000 or above, might want to check these older tools: | | | | http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee | | | | Attacker 3.00 | | | | http://www.foundstone.com/knowledge/proddesc/fport.html | | fport - find out what is using what port - 2000 - XP/NT | | Identify unknown open ports and their associated applications | | Copyright 2002 (c) by Foundstone, Inc. 
| | http://www.foundstone.com | | fport supports Windows NT4, Windows 2000 and Windows XP | | fport reports all open TCP/IP and UDP ports and maps them to the owning | | application. This is the same information you would see using the | | 'netstat -an' command, but it also maps those ports to running processes | | with the PID, process name and path. Fport can be used to quickly identify | | unknown open ports and their associated applications. | | | | | | Trout Version 2.0 (formerly SuboTronic) | | New in this release | | Parallel pinging, resulting in a huge speed improvment. | | Selectable background and text colors. | | Improved interface. | | Save trace to file. | | Improved HTML output. | | Optional continuous ping mode. | | Traceroute and Whois program. | | Copyright 2000 (c) by Foundstone, Inc. | | A visual (i.e. GUI as opposed to command-line) traceroute and Whois | program. | | Pinging can be set at a controllable rate as can the frequency of | repeatedly | | scanning the selected host. The built-in simple Whois lookup can be used | to | | identify hosts discovered along the route to the destination computer. | | Parallel pinging and hostname lookup techniques make this traceroute | program | | perhaps the fastest currently available. 
| |
| |
| | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet
| |
| ||
| || --
| || Thanks or Good Luck,
| || There may be humor in this post, and,
| || Naturally, you will not sue,
| || Should things get worse after this,
| || PCR
| |
|
--
MEB
http://peoplescounsel.orgfree.com
________
#7
firewalls - ZONEALARM - what to block and why - your security at risk
Hi MEB, and all,
I'm actually running a rather old version of ZA; v. 3.1.291. My philosophy is *unlike* AV apps. etc., there just isn't much to improve IMHO. I don't want or need any additional bells and whistles. And you were close, I'm running XP Pro, but I keep perusing this group, because this is where it all started for me. I still have my copy of W98SE, but it's kind of a pain to install that *after* XP is already there. I was a die-hard 98 fan, and swore I would *never* switch to XP, but the computer I inherited already had it on it. I figured I'd give it a try, and if I didn't like it, well, then back to good ol' 98. The way I have XP set up, you'd almost think it was 98. I turned off *all* the cutesy eye-candy etc., mainly for performance reasons. Besides, I *hate* pastels! This box was built for W98. I have to admit that it is extremely stable, but then again so was my 98 install. It's the "junk" we add later that tends to muck things up. Sorry I digressed.

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" meb@not wrote in message ...
|
|
| "Curt Christianson" wrote in message
| ...
|| Some real food for thought gentlemen. Thank you.
||
|| P.S. I've been using ZA since 2000.
||
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
|
| We aim to please...
|
| I also used ZA for a number of years on the various 9X boxes and XP. The rules aspect of other firewalls always drew me [having a Linux, Zenix, NT background] but I thought it wise to use what others might be using [for comparison purposes].
| Now however, with the use of highly questionable activities on the Internet, and my personal questions related to ZA, and no support from Microsoft and ZoneLabs, I thought I would return to something which gave considerably more control during my final testing days under 9X.
|
| I have an old ZA version [forgot which version though, and have no intention of re-installing it] about 1.4meg which actually seemed to supply MOST of the normal functions required, at least semi-adequately. Sometimes I thought the newer versions were attempting aspects which were not well implemented or implemented in a fashion I thought not user friendly. Of course there is an ability to setup *rules like* activities within ZA, but I would imagine most users do not do so.
|
| In the spirit of this discussion, which is to include any firewalls [and I hope it eventually does. Note this has ZONEALARM now in its subject heading]:
|
| What version and product are you or others using?
|
| Have you or others run monitoring/sniffing programs while using ZA to see if it actually performs as advertised?
|
| What settings or other seemed to be the most useful to you or other users?
|
| What advice would users give concerning settings, configuration, etc. to other users of ZA, [noting in Curt's case, I think you're using it under W2K, so does that offer anything different as far as you know]?
|
| Have you or other users created any similar rules within ZA to the below [referencing Kerio PFW rules]?
|
|| "MEB" meb@not wrote in message
|| ...
|| |
|| |
|| | "PCR" wrote in message
|| | ...
|| || MEB wrote:
|| || | PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for.
|| ||
|| || That's right. I installed...
|| || http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
|| ||
|| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!
|| ||
|| || | In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6].
|| || | This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation].
|| ||
|| || Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity.
|| |
|| | Well, ah no, actually I wanted to let other users who may not have investigated or understand firewalls.
|| |
|| ||
|| || | No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto.
|| ||
|| || Really, it's important to see what was allowed too. Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread!
|| |
|| | DNS is used by any program requiring addressing information. The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s) with limited [chosen by previous monitoring] local ports and applications.
|| |
|| | I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection], however I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.
|| |
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
|| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
|| | 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119-localhost:1072, Owner: no owner
|| | at which point I disconnected having retrieved mail and the news messages.
|| |
|| | NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests.
|| |
|| ||
|| || | For those who do not understand firewalls, these activities would or may have been allowed as they followed either programs IN USE [allowed activity], or through addressing [broadcast or otherwise] had a firewall not been used.
|| ||
|| || That is right. Without a firewall with a good set of denial rules, all activity is allowed. Hopefully, if a virus or a trojan or a spy can sneak in that way, a good virus detector will prevent it from executing. Also, there may have been an MS fix or two to prevent some forms of abuse along these lines (I don't know).
|| |
|| | What would make you think any anti-spyware or anti-virus programs would check or correct these types of activities?
|| |
|| | Anti-spyware programs MAY block certain addresses and perhaps some ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to infect something, or emails or files which contain hacks or other. Host or lmhost files catch what they have been configured to catch via addressing/name.
|| | These, however, are *network use* activities WITHIN the TCP/IP and other aspects of Internet/network usage. Firewalls, proxies, packet sniffers, client servers, the TCP/IP kernel, and the like, are what handle these activities.
|| | Of course the above is an overly simplified explanation.
|| |
|| ||
|| || | NOTE: this is contact through a dial-up connection[phone]/ISP [which is indicated via some of these addresses], ALWAYS ON connections are even more of a security risk.
|| ||
|| || Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.
|| |
|| | Only if that is what the ISP requires or desires.
|| |
|| ||
|| || | Hopefully, this discussion will be useful to those interested and provide theory and answers to various issues.
|| || | Rule sets or other settings for various firewalls would naturally be of interest.
|| || |
|| || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
|| ||
|| || I find I have to guess as to the meaning of that. Looks like someone at 67.170.2.174, who is Comcast...
|| ||
|| || http://www.networksolutions.com/whoi...p=67.170.2.174
|| || .....Quote...........
|| || 67.170.2.174
|| || Record Type: IP Address
|| ||
|| || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| || 67.160.0.0 - 67.191.255.255
|| || Comcast Cable Communications, IP Services WASHINGTON-6 (NET-67-170-0-0-1)
|| || 67.170.0.0 - 67.170.127.255
|| || .....EOQ.............
|| ||
|| || ...sent a UDP datagram to port 29081 on your machine. But I don't know...
|| ||
|| || (1) did the port exist without an owner, & would it have received the datagram (except the rule blocked it)?
|| || (The name of that rule suggests the answer is no.)
|| |
|| | The data request would have been received and likely honored.
|| | The port would have been opened/created to allow this activity.
|| |
|| ||
|| || (2) did the port once exist & at that time have an owner, but somehow was closed before the datagram arrived? Therefore, it couldn't get it, anyhow, even if not blocked?
|| |
|| | If it would have been ALLOWED activity [e.g., without proxy or firewall monitoring or exclusion, or within a hosts or lmhosts, or other], then a search would have been made for an available port, and then created/opened.
|| | Look again at this:
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
|| |
|| | See the attempt to find or create an open port?
|| | Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in attempt to find or create one.
|| |
|| |
|| ||
|| || (3) did the port 29081 never exist?
|| ||
|| || Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port.
|| |
|| | No we don't need that.
|| | Were an ALLOWED program or address using that aspect, then it would NOT have created the denial. Either would have cascaded to find an open port for use [as long as it was in the defined rule range].
|| | AND you mention Kerio, which MUST have that turned on [requestor].
|| | Other firewalls, particularly those that automatically configure themselves, MAY not pop-up anything unless it has been configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls, imagine what they are configured by default to allow.
|| |
|| ||
|| || Here is a Kerio help page to study...
|| ||
|| || ......Quote............
|| || Filter.log file
|| ||
|| || The filter.log file is used for logging Kerio Personal Firewall actions on a local computer. It is created in a directory where Personal Firewall is installed (typically C:\Program Files\Kerio\Personal Firewall). It is created upon the first record.
|| ||
|| || Filter.log is a text file where each record is placed on a new line. It has the following format:
|| ||
|| || 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|| ||
|| || How to read this line:
|| ||
|| || 1 rule type (1 = denying, 2 = permitting)
|| ||
|| || [08/Jun/2001 16:52:09] date and time that the packet was detected (we recommend checking the correct setting of the system time on your computer)
|| ||
|| || Rule 'Internet Information Services' name of a rule that was applied (from the Description field)
|| ||
|| || Blocked: / Permitted: indicates whether the packet was blocked or permitted (corresponds with the number at the beginning of the line)
|| ||
|| || In / Out indicates an incoming or outgoing packet
|| ||
|| || IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule was defined)
|| ||
|| || richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from which the packet was sent, in square brackets is the IP address with the source port after a colon
|| ||
|| || localhost:25 destination IP address (or DNS name) and port (localhost = this computer)
|| ||
|| || Owner: name of the local application to which the packet is addressed (including its full path). If the application is a system service the name displayed is SYSTEM.
|| || .........EOQ.................
|| ||
|| || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
|| ||
|| || That one seems to be coming from...
|| ||
|| || NetRange: 200.0.0.0 - 200.255.255.255
|| || NetName: LACNIC-200
|| |
|| | Yes, that is the key to your Firewall security.
|| | Tracking each suspect activity to the originator, if possible.
|| |
|| | Actually were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown.
|| | The Internet is a cesspool of users, unless you protect yourself from them.
|| | NO-ONE is completely invisible or invulnerable. There is always a starting [requesting/receiving] address [yours].
|| | If you were ACTUALLY invisible then nothing would reach you; you couldn't receive a web page; you couldn't receive email; you couldn't do any networking. Whatever is requested MUST have a destination [You]. [Okay, I know of ways but we're not educating hackers here.]
|| |
|| | FOR THE GENERAL DOUBTER [not you PCR]:
|| | Try it. Block all network and Internet traffic in your firewall. That closes all ports, hence no requesting/receiving address [yours]. It doesn't matter that you may have obtained an IP address or have one hard set, there is no way to use it {don't try this for long or you will lose access to the net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if applicable}...] No ports or no address and there is no network.
|| | Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to ANY web address. Notice the addresses? Notice the routing?
|| | NOW, exactly how did YOU receive that information? Certainly it wasn't broadcast to the world and you just happened to have ended up with it. Or was it?
|| | --
|| |
|| | Now what could a hacker, or someone wishing to track you for whatever reason, do with that information?
|| | All that is originally needed by that party is the requesting/receiving address; e.g. your address, your activity, something you did or allowed. Once this is known then anything that party wishes to do can be done. Now think about ALWAYS ON connections.
|| |
|| | For instance, you did go through Sponge's other pages [used because it was previously referenced] which address advertising and other innocent [cough] inclusions on web pages, or which you may find on the Internet, correct?
|| | Such as: http://www.geocities.com/yosponge/othrstuf.html
|| | Did you look at his host file, etc..
|| | Or perhaps look at ports, packets, formation, and other aspects over on:
|| | http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
|| |
|| | 9X users?
|| | Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some nice tools for network/Internet use/diagnostics.
|| | Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be careful using it, many servers do NOT like to be scanned, you may be logged and your ISP or other agency may be contacted..
|| |
|| | Another nifty test tool is called *tooleaky*. A little 3k tool to test your supposed security [created to test/expose GRC suggestions]. Read about what it does and how. You might think twice about what you think you know.
|| |
|| | If you're using 2000 or above, might want to check these older tools:
|| |
|| | http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
|| |
|| | Attacker 3.00
|| |
|| | http://www.foundstone.com/knowledge/proddesc/fport.html
|| | fport - find out what is using what port - 2000 - XP/NT
|| | Identify unknown open ports and their associated applications
|| | Copyright 2002 (c) by Foundstone, Inc.
|| | http://www.foundstone.com
|| | fport supports Windows NT4, Windows 2000 and Windows XP
|| | fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
|| |
|| |
|| | Trout Version 2.0 (formerly SuboTronic)
|| | New in this release
|| | Parallel pinging, resulting in a huge speed improvement.
|| | Selectable background and text colors.
|| | Improved interface.
|| | Save trace to file.
|| | Improved HTML output.
|| | Optional continuous ping mode.
|| | Traceroute and Whois program.
|| | Copyright 2000 (c) by Foundstone, Inc.
|| | A visual (i.e. GUI as opposed to command-line) traceroute and Whois program.
|| | Pinging can be set at a controllable rate as can the frequency of repeatedly scanning the selected host. The built-in simple Whois lookup can be used to identify hosts discovered along the route to the destination computer.
|| | Parallel pinging and hostname lookup techniques make this traceroute program perhaps the fastest currently available.
|| |
|| |
|| | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet
|| |
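As an added example (not code from Kerio or from anyone in this thread), here is a parser for the filter.log record layout quoted from the Kerio help page above, followed by a check over a small sample built from entries already posted in the thread for the pattern MEB points out in the 'Shaw Comm block' lines: one remote address stepping through consecutive local ports. The sample log is constructed from lines on the page; the run length of three that triggers a report is my assumption, not a Kerio setting.

```python
"""Parse Kerio Personal Firewall filter.log records and flag local-port walks."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional
# Record layout as quoted from the Kerio help page:
#   <1|2>,[dd/Mon/yyyy hh:mm:ss] Rule '<name>': <Blocked|Permitted>: <In|Out> <proto>
#   [<icmp type>] <icmp name>, <src>-<dst>, Owner: <application or 'no owner'>
# An endpoint is "ip:port", "localhost:port", "name [ip:port]" or, for ICMP,
# just "ip" / "name [ip]".  The source is matched lazily because DNS names in
# the log contain hyphens (ALL-ROUTERS.MCAST.NET, host230.200-117-180...).
RECORD_RE = re.compile(
    r"^(?P<type>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<direction>In|Out) (?P<proto>[A-Z]+)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<src>[^\s,]+?(?: \[[^\]]+\])?)-(?P<dst>[^\s,]+(?: \[[^\]]+\])?), "
    r"Owner: (?P<owner>.*)$"
)

@dataclass(frozen=True)
class Endpoint:
    name: Optional[str]   # DNS name when the log printed one, else None
    ip: str               # IP literal, "localhost", or a masked XXX.XXX form
    port: Optional[int]   # None for ICMP entries, which carry no port

@dataclass(frozen=True)
class Record:
    permitted: bool
    when: datetime
    rule: str
    inbound: bool
    proto: str
    icmp_type: Optional[int]
    src: Endpoint
    dst: Endpoint
    owner: str

def parse_endpoint(text: str) -> Endpoint:
    name = None
    if " [" in text:                          # "name [ip:port]" form
        name, bracket = text.split(" [", 1)
        text = bracket.rstrip("]")
    ip, sep, port = text.rpartition(":")
    return Endpoint(name, ip, int(port)) if sep else Endpoint(name, text, None)

def parse_record(line: str) -> Record:
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a filter.log record: {line!r}")
    permitted = m["type"] == "2"
    # Kerio states the verdict twice (leading digit and the word); if they
    # disagree the line is damaged, so refuse it rather than guess.
    if permitted != (m["action"] == "Permitted"):
        raise ValueError(f"verdict digit and word disagree: {line!r}")
    return Record(permitted, datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
                  m["rule"], m["direction"] == "In", m["proto"],
                  int(m["icmp_type"]) if m["icmp_type"] else None,
                  parse_endpoint(m["src"]), parse_endpoint(m["dst"]), m["owner"])

def parse_log(text: str) -> List[Record]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def find_port_walks(records: List[Record], min_run: int = 3) -> Dict[str, List[int]]:
    """Remote IPs whose blocked inbound packets hit at least min_run consecutive
    local ports: the 1026/1027/1028 stepping seen in the 'Shaw Comm block' lines."""
    ports: Dict[str, set] = defaultdict(set)
    for r in records:
        if r.inbound and not r.permitted and r.dst.port is not None:
            ports[r.src.ip].add(r.dst.port)
    walks: Dict[str, List[int]] = {}
    for ip, seen in ports.items():
        run: List[int] = []
        for p in sorted(seen) + [None]:       # None sentinel flushes the last run
            if run and p == run[-1] + 1:
                run.append(p)
                continue
            if len(run) >= min_run and len(run) > len(walks.get(ip, [])):
                walks[ip] = run               # keep the longest qualifying run
            run = [] if p is None else [p]
    return walks

# Constructed sample: entries copied from the two logs posted in this thread.
SAMPLE_LOG = """
1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\\PROGRAM FILES\\AMERICA ONLINE 7.0\\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {sum(not r.permitted for r in recs)} blocked")
    for ip, run in find_port_walks(recs).items():
        print(f"port walk from {ip}: local ports {run[0]}-{run[-1]}")
```

Pointing `parse_log` at the real filter.log (the path is given in the quoted help page) instead of the sample gives the same per-source view of a whole session.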
#8
firewalls - what to block and why - your security at risk
MEB wrote:
| "PCR" wrote in message
| ...
|| MEB wrote:
|| | PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for.
||
|| That's right. I installed...
|| http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
||
|| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!
||
|| | In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6]. This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation].
||
|| Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity.
|
| Well, ah no, actually I wanted to let other users who may not have investigated or understand firewalls.

Uh-huh. Naturally, you & I have advanced beyond that point.

||
|| | No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto.
||
|| Really, it's important to see what was allowed too. Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread!
|
| DNS is used by any program requiring addressing information.

The sole purpose of my DNS Server rule(s)...

Protocol.......... UDP
Direction......... Both
Local Endpoint
Ports........... 1024-5000
Application...
Any (but now I've limited it to 5 apps by creating 5 of these rules)
Remote Endpoint
Addresses.... The entire NetZero range
Port............. 53

.... is to resolve NET addresses? Still, am I right to seek to limit it to the five apps I kind of have to trust? Otherwise, can't it be appropriated by some devious app to do ill?

| The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s) with limited [chosen by previous monitoring] local ports and applications.

Why do I need to bother with ports, if I limit the DNS rule(s) to trusted apps & to trusted NetZero addresses? Unfortunately, Kerio does not permit a list of apps in a rule, the way it does with ports & addresses. So, currently I have coded 5 of them...!...

(1) DNS Server-- EXEC.exe (NetZero)
(2) DNS Server-- ASHWEBSV (avast! Web Scanner)
(3) DNS Server-- AVAST.SETUP (There actually is no program)
(4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
(5) DNS Server-- IExplore

| I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection],

OK.

| however I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.

OK, limited to mail & NG activities, right.

| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE

So... WAOL.exe (which was port 1030 on your computer) needed to resolve an address? And it did so at XXX.XXX.XXX.X, port 7427? Is that what that says?

| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver

I get lots of those.
Here is the last I recorded...

1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8] Echo Request, 4.232.192.209-localhost, Owner: Tcpip Kernel Driver

...., but, beginning yesterday, I have chosen NOT to log those anymore. I have two rules above that blocker. One allows ICMP incoming for...

[0] Echo Reply, [3] Destination Unreachable, [11] Time Exceeded

The other allows it outgoing for...

[3] Destination Unreachable, [8] Echo Request

I think that's probably finalized for ICMP. In this case, specific apps & ports are not possible in the rules-- only specific endpoint addresses are. But mine apply to any address.

| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver

I've never seen an ALL-ROUTERS.MCAST.NET. But this would also be blocked in my machine!

| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner

I used to get these Kerio alerts about Shaw Comm...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.

...., but they are prevented now with a rule that specifically blocks RPCSS.exe (which is Distributed COM Services & which establishes the port 1027) from using UDP/TCP.
Eventually, I hope to remove that block rule (& 4 others)-- after I have completed my UDP & TCP permit rules for specific, trusted apps/addresses. Then, RPCSS.exe will be blocked along with the others by virtue of not being included in the PERMITs-- & having one single BLOCK after them.

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1028, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In
| TCP, 207.46.248.16:119-localhost:1072, Owner: no owner

I haven't begun to finalize my TCP rules yet. That's probably where I go next, once UDP is done!

| at which point I disconnected having retrieved mail and the news
| messages.

Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe, PersFW.exe, & PFWadMin.exe-- which are just some of the ones using it in here before I recently have prevented them! Well, I guess it may require the clicking of an URL for those to kick in.

| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip
| Kernel requests.

What specifically is notable about them?

||
|| | For those who do not understand firewalls, these activities would
|| | or may have been allowed as they followed either programs IN USE
|| | [allowed activity], or through addressing [broadcast or otherwise]
|| | had a firewall not been used.
||
|| That is right. Without a firewall with a good set of denial rules,
|| all activity is allowed. Hopefully, if a virus or a trojan or a spy
|| can sneak in that way, a good virus detector will prevent it from
|| executing. Also, there may have been an MS fix or two to prevent
|| some forms of abuse along these lines (I don't know).
|
| What would make you think any anti-spyware or anti-virus programs
| would check or correct these types of activities?
I do believe an actual executable can be read into a machine through malicious use of these NET packets, although I'm not sure which precise protocols can do it. Once it is read in &/or tries to run, one hopes one's virus/malware scanner WILL catch it, before it delivers its payload!

| Anti-spyware programs MAY block certain addresses and perhaps some
| ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
| infect something, or emails or files which contain hacks or other.

It is still quick enough, in the cases when this bad stuff makes it through the firewall (or the lack of one), for these other apps to catch them trying to do their ill work-- if they can! BUT, I'm sure some ill-conceived packet can possibly do ill without delivering an executable that can be caught in another way. Somewhere in my 12th year of study I will know what these packets are & the protocols they use! But I'm hoping to get my Kerio rules solidified a lot sooner!

| Host or lmhost files catch what they have been configured to catch
| via addressing/name. These, however, are *network use* activities
| WITHIN the TCP/IP and other aspects of Internet/network usage.
| Firewalls, proxies, packet sniffers, client servers, the TCP/IP
| kernel, and the like, are what handle these activities.
| Of course the above is an overly simplified explanation.

This isn't the year for me to really want to know every little detail, anyhow.

||
|| | NOTE: this is contact through a dial-up connection[phone]/ISP
|| | [which is indicated via some of these addresses], ALWAYS ON
|| | connections are even more of a security risk.
||
|| Uhuh. I am Dial-Up too. That way, you get a new IP address each
|| connect.
|
| Only if that is what the ISP requires or desires.

OK. For me, it does happen that way, I'm fairly sure.

||
|| | Hopefully, this discussion will be useful to those interested and
|| | provide theory and answers to various issues.
|| | Rule sets or other settings for various firewalls would naturally
|| | be of interest.
|| |
|| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no
|| | owner
||
|| I find I have to guess as to the meaning of that. Looks like someone
|| at
|| 67.170.2.174, who is Comcast...
||
|| http://www.networksolutions.com/whoi...p=67.170.2.174
|| .....Quote...........
|| 67.170.2.174
|| Record Type: IP Address
||
|| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| 67.160.0.0 - 67.191.255.255
|| Comcast Cable Communications, IP Services WASHINGTON-6
|| (NET-67-170-0-0-1)
|| 67.170.0.0 - 67.170.127.255
|| .....EOQ.............
||
|| ...sent a UDP datagram to port 29081 on your machine. But I don't
|| know...
||
|| (1) did the port exist without an owner, & would it have received
|| the datagram (except the rule blocked it)?
|| (The name of that rule suggests the answer is no.)
|
| The data request would have been received and likely honored.
| The port would have been opened/created to allow this activity.

I'm still thinking the port has to already be open to receive a packet. Is there documentation that may say otherwise?

||
|| (2) did the port once exist & at that time have an owner,
|| but somehow was closed before the datagram arrived?
|| Therefore, it couldn't get it, anyhow, even if not blocked?
|
| If it would have been ALLOWED activity [e.g., without proxy or
| firewall monitoring or exclusion, or within a hosts or lmhosts, or
| other], then a search would have been made for an available port,
| and then created/opened.
| Look again at this:
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1028, Owner: no owner
|
| See the attempt to find or create an open port?

Looks like Shaw Comm is trying to FIND one. If it could create one, why wouldn't it stop & just create 1026? It might still be worthwhile to block these-- but I wouldn't want to block them on an individual basis per abuser like Shaw Comm.

| Now, should I have stayed online, there would have been continued
| attempts [see your prior discussion where I was online longer],
| though with different Shaw addressing and OUT ports, again stepping
| through IN [local] ports in attempt to find or create one.

I'll look.

||
|| (3) did the port 29081 never exist?
||
|| Do any earlier log entries mention that port? You'd have to log all
|| activity of each "permit" rule to know for sure. But, if there is no
|| rule permitting the activity, then you would have received a Kerio
|| requestor mentioning the port.
|
| No we don't need that.
| Were an ALLOWED program or address using that aspect, then it would
| NOT have created the denial.

No, I wanted to know... did a PERMIT exist that came from port 29081? That would prove the port once existed & possibly initiated a communication with Shaw Comm. But, I'm fairly confident no such thing happened-- but it was Shaw Comm doing a probe. If it found it & activity was permitted-- mayhem such as pop-up ads or at least spying may have ensued, I think!

| Either would have cascaded to find an
| open port for use [as long as it was in the defined rule range].

That's what I think-- it wants to find one that is already open.

| AND you mention Kerio, which MUST have that turned on [requestor].

Oops, that's right.
"Kerio, Administration, Firewall tab" has to be set at "Ask me first". Then, when activity occurs that is not covered by a rule, an alert requestor will appear. It offers to create the rule, which later can be fine tuned. Yep, & that's a great feature!

| Other firewalls, particularly those that automatically configure
| themselves, MAY not pop-up anything unless it has been configured
| that way. They also MAY pass through such requests if piggy-backed
| from or on allowed activities/programs. Think "but all I want to know
| is the user address". Think Microsoft's firewalls, imagine what they
| are configured by default to allow.

Yep. Kerio seems to have it all. It's highly configurable!

....snip of Kerio help page

|| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
||
|| That one seems to be coming from...
||
|| NetRange: 200.0.0.0 - 200.255.255.255
|| NetName: LACNIC-200
|
| Yes, that is the key to your Firewall security.
| Tracking each suspect activity to the originator, if possible.

In the end, I just want to block them.

| Actually were I to post prior complete TRACKING logs [which I
| collect(ed) for specific use], say for one day's normal usage, vast
| numbers of potentially dangerous attacks/attempts would be shown.

By the way, how do you empty Kerio's Filter.log, when you think you've seen enough? (I've been deleting it in DOS along with Filter.log.idx.)

....snip of stuff not meant for me, but thanks for the additional URLs to research. And thanks for continuing to contribute to my understanding of it.

| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
| Microsoft's TechNet
|

OK, I see here again are the other "no owner's"...

|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no
|| | owner

This is an attempt to send a UDP packet to port 1026.
I still doubt it really needs to be blocked, if the port indeed does not exist. For UDP, I favor PERMITs of trusted apps from trusted addresses-- & one single block of UDP afterwards that will cover all others. (But I'm not even totally set up that way, myself, yet.) And I want to do it that way for TCP too.

....snip of other In UDP.

|| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port
|| | received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212,
|| | Owner: no owner

Ah-- a TCP! Soon, I must do with TCP what I nearly am finishing with UDP!

....snip

|| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
|| | TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186,
|| | Owner: no owner

I don't believe I've seen one of those. Could be I'm just not tracking the rule that does it. Looks like msnews.microsoft.com was still trying to communicate after the NET connection was closed. What app controlled localhost:1186?

....snip of a bunch more of In UDPs & possibly In TCPs.
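The posts above read Kerio's filter.log by eye and argue over whether the Shaw Comm entries (local ports 1026, 1027, 1028 from one source in the same second) are a probe stepping through ports. The script below is an added example, not code from the thread or from Kerio: it parses the log-line format quoted above (level, timestamp, rule name, action, direction, protocol, optional ICMP type, endpoints, owner) and flags any remote host whose blocked inbound packets walk consecutive local ports inside a short window. The field names, the three-port threshold and the 60-second window are my choices; the sample lines are reproduced from the log excerpts quoted in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(  # one Kerio filter.log entry, in the format quoted in the thread
    r"^(?P<level>\d+),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<direction>In|Out) (?P<proto>TCP|UDP|ICMP)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<endpoints>.+), Owner: (?P<owner>.*)$")

def split_endpoints(endpoints):
    """Return (local, remote); one side is always 'localhost', and the remote side
    may itself contain hyphens (ALL-ROUTERS.MCAST.NET), so split on that marker."""
    if endpoints.startswith("localhost"):
        local, remote = endpoints.split("-", 1)
    else:
        cut = endpoints.rindex("-localhost")
        remote, local = endpoints[:cut], endpoints[cut + 1:]
    return local, remote

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    local, remote = split_endpoints(rec.pop("endpoints"))
    rec["local_port"] = int(local.split(":")[1]) if ":" in local else None
    ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", remote)  # bare or bracketed IPv4
    rec["remote"] = ip.group(0) if ip else remote.split(":")[0]
    rec["icmp_type"] = int(rec["icmp_type"]) if rec["icmp_type"] else None
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def find_port_sweeps(records, min_ports=3, window_s=60):
    """Flag remote hosts whose blocked inbound packets step through consecutive
    local ports within window_s seconds (the 1026/1027/1028 pattern above)."""
    by_remote = defaultdict(list)
    for r in records:
        if r["action"] == "Blocked" and r["direction"] == "In" and r["local_port"]:
            by_remote[r["remote"]].append(r)
    sweeps = {}
    for remote, hits in by_remote.items():
        hits.sort(key=lambda r: (r["ts"], r["local_port"]))
        run = [hits[0]]
        for prev, cur in zip(hits, hits[1:]):
            consecutive = cur["local_port"] == prev["local_port"] + 1
            within = (cur["ts"] - run[0]["ts"]).total_seconds() <= window_s
            run = run + [cur] if consecutive and within else [cur]
            if len(run) >= min_ports:
                sweeps[remote] = [r["local_port"] for r in run]
    return sweeps

# Sample input: log lines reproduced from the excerpts quoted in this thread.
SAMPLE_LOG = """\
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\\PROGRAM FILES\\AMERICA ONLINE 7.0\\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
"""
```

Running `find_port_sweeps(parse_log(SAMPLE_LOG))` reports only 24.64.192.20 (ports 1026 through 1028); the two-port 218.10.137.139 entries stay under the threshold, which is the kind of distinction a per-rule log count cannot make.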
#9
firewalls - ZONEALARM - what to block and why - your security at risk
"Curt Christianson" wrote in message ...
| Hi MEB, and all,
|
|
| I'm actually running a rather old version of ZA; v. 3.1.291. My philosophy
| is *unlike* AV apps. etc., there just isn't much to improve IMHO. I don't
| want or need any additional bells and whistles.

Well, I certainly can't say otherwise, I now use a Kerio PF version, long ago supposedly left in the dust, yet it seems, so far, to provide what is needed.

|
| And you were close, I'm running XP Pro, but I keep perusing this group,
| because this is where it all started for me. I still have my copy of W98SE,
| but it's kind of a pain to install that *after* XP is already there. I was a
| die-hard 98 fan, and swore I would *never* switch to XP, but the computer I
| inherited already had it on it. I figured I'd give it a try, and if I
| didn't like it, well, then back to good ol' 98. The way I have XP set up,
| you'd almost think it was 98. I turned off *all* the cutesy eye-candy etc.,
| mainly for performance reasons. Besides, I *hate* pastels! This box was
| built for W98.

Hey, I tested an XP PRO box for a few years [using ZA], and yeah, to think that users actually like those glitzy aspects. I turned most of it off as well, cause it seemed to make everything much more difficult [though I suppose I can trace that to all those years of command prompt usage]... and slooooooow.. I felt like I was being dumbed down ...

| I have to admit that it is extremely stable, but then again so was my 98
| install. It's the "junk" we add later that tends to muck things up.

Yeah, and that junk does accumulate... gees, with this last 98SE testing install I dumped another couple of dozen MORE progs,, I couldn't remember the last time I even thought about using them... then again I had to dig out some old testing programs CDs that I hadn't installed for at least two prior testing installations [old video test stuff]...

|
| Sorry I digressed.
Hey, you're still a die-hard 98 user at heart, PCR would say that tin foil hat did some good, still got a few bits of brain matter left ;-Q ...

So what words of wisdom for ZA could you give to its users?

|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" meb@not wrote in message
| ...
| |
| |
| | "Curt Christianson" wrote in message
| | ...
| || Some real food for thought gentlemen. Thank you.
| ||
| || P.S. I've been using ZA since 2000.
| ||
| || --
| || HTH,
| || Curt
| ||
| || Windows Support Center
| || www.aumha.org
| || Practically Nerded,...
| || http://dundats.mvps.org/Index.htm
| |
| | We aim to please...
| |
| | I also used ZA for a number of years on the various 9X boxes and XP. The
| | rules aspect of other firewalls always drew me [having a Linux, Zenix, NT
| | background] but I thought it wise to use what others might be using [for
| | comparison purposes].
| | Now however, with the use of highly questionable activities on the
| | Internet, and my personal questions related to ZA, and no support from
| | Microsoft and ZoneLabs, I thought I would return to something which gave
| | considerably more control during my final testing days under 9X.
| |
| | I have an old ZA version [forgot which version though, and have no
| | intention of re-installing it] about 1.4meg which actually seemed to supply
| | MOST of the normal functions required, at least semi-adequately. Sometimes I
| | thought the newer versions were attempting aspects which were not well
| | implemented or implemented in a fashion I thought not user friendly. Of
| | course there is an ability to setup *rules like* activities within ZA, but I
| | would imagine most users do not do so.
| |
| | In the spirit of this discussion, which is to include any firewalls [and I
| | hope it eventually does.
| | Note this has ZONEALARM now in its subject
| | heading]:
| |
| | What version and product are you or others using?
| |
| | Have you or others run monitoring/sniffing programs while using ZA to see
| | if it actually performs as advertised?
| |
| | What settings or other seemed to be the most useful to you or other users?
| |
| | What advice would users give concerning settings, configuration, etc. to
| | other users of ZA, [noting in Curt's case, I think you're using it under W2K,
| | so does that offer anything different as far as you know]?
| |
| | Have you or other users created any similar rules within ZA to the below
| | [referencing Kerio PFW rules]?
| |

--
MEB
http://peoplescounsel.orgfree.com
________
#10
firewalls - ZONEALARM - what to block and why - your security at risk
|
| So what words of wisdom for ZA could you give to its users?

Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR might claim I don't have any words at all, let alone "wise" ones. I can only say that if one is running an older machine as I am, and would like to use a software firewall, you're not stuck with having to use the newest and fanciest (and usually most resource intensive). Old versions of ZA, and I imagine other names, can be found all over the Internet. The first place that comes to mind is http://www.oldversion.com/ . Firewalls and AV apps. are notorious for causing longer boot times, and resource usage--and newer usually means even more overhead. I *need* the latest/greatest, most up-to-date AV, but when it comes to firewalls newer is *not* necessarily better.

I also encountered a problem between AOL and ZA back in the days. ZA would block AOL, no matter what kind of permissions etc. I gave unless I dropped the "Internet Security Zone" from "High" to "Medium", then all was well. MEB, I believe you are using AOL or Netscape, am I correct?

I finally turned off the "casual" alerts, as they were coming too fast and furious. I just sat back and let ZA do its job.

One final note, if one has logging enabled, be sure to occasionally clean out the old ZA logs--not a whole lot of use for them usually. On old ZA installations, it's not located in the ZA folder, but rather at C:\Windows\Internet Logs.

That's more than I've said in the whole time I used to hang out here!

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" meb@not wrote in message ...
| snipped