Guest MEB Posted July 28, 2007

PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for. In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6]. This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation]. No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto. For those who do not understand firewalls, these activities would or may have been allowed as they followed either programs IN USE [allowed activity], or through addressing [broadcast or otherwise] had a firewall not been used. NOTE: this is contact through a dial-up connection[phone]/ISP [which is indicated via some of these addresses], ALWAYS ON connections are even more of a security risk. Hopefully, this discussion will be useful to those interested and provide theory and answers to various issues. Rule sets or other settings for various firewalls would naturally be of interest.
1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner
1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027, Owner: no owner
1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no owner
1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081, Owner: no owner

-- 
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR Posted July 28, 2007

Re: firewalls - what to block and why - your security at risk MEB wrote: | PCR and Gram Pappy [among others] have been discussing firewall | settings and what they can or should be used for. That's right. I installed... http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW ....Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner! | In the spirit of those discussions, I thought I would post some | blocked activity from a SINGLE session/contact through my ISP and | ONLY to this news server and my email accounts [via OE6]. This is | from the firewall log [several of my normal settings/restrictions | were specifically reset for this presentation]. Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity. | No other Internet activity occurred [e.g., no external IE or browser | usage or other activity]. All *allowed activity* has been removed, so | that the addresses and activities blocked might be addressed for | perhaps a greater understanding of the function of firewalls, what | they can and are used for, and other aspects related thereto. Really, it's important to see what was allowed too. Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread! | For those who do not understand firewalls, these activities would or | may have been allowed as they followed either programs IN USE [allowed | activity], or through addressing [broadcast or otherwise] had a | firewall not been used. That is right. Without a firewall with a good set of denial rules, all activity is allowed. Hopefully, if a virus or a trojan or a spy can sneak in that way, a good virus detector will prevent it from executing.
Also, there may have been an MS fix or two to prevent some forms of abuse along these lines (I don't know). | NOTE: this is contact through a dial-up connection[phone]/ISP [which | is indicated via some of these addresses], ALWAYS ON connections are | even more of a security risk. Uhuh. I am Dial-Up too. That way, you get a new IP address each connect. | Hopefully, this discussion will be useful to those interested and | provide theory and answers to various issues. | Rule sets or other settings for various firewalls would naturally be | of interest. | | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner I find I have to guess as to the meaning of that. Looks like someone at 67.170.2.174, who is Comcast... http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174 ......Quote........... 67.170.2.174 Record Type: IP Address Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1) 67.160.0.0 - 67.191.255.255 Comcast Cable Communications, IP Services WASHINGTON-6 (NET-67-170-0-0-1) 67.170.0.0 - 67.170.127.255 ......EOQ............. ....sent a UDP datagram to port 29081 on your machine. But I don't know... (1) did the port exist without an owner, & would it have received the datagram (except the rule blocked it)? (The name of that rule suggests the answer is no.) (2) did the port once exist & at that time have an owner, but somehow was closed before the datagram arrived? Therefore, it couldn't get it, anyhow, even if not blocked? (3) did the port 29081 never exist? Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port. Here is a Kerio help page to study... .......Quote............ Filter.log file The filter.log file is used for logging Kerio Personal Firewall actions on a local computer.
It is created in a directory where Personal Firewall is installed (typically C:\Program Files\Kerio\Personal Firewall). It is created upon the first record. Filter.log is a text file where each record is placed on a new line. It has the following format: 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE How to read this line: 1 — rule type (1 = denying, 2 = permitting) [08/Jun/2001 16:52:09] — date and time that the packet was detected (we recommend checking the correct setting of the system time on your computer) Rule 'Internet Information Services' — name of a rule that was applied (from the Description field) Blocked: / Permitted: — indicates whether the packet was blocked or permitted (corresponds with the number at the beginning of the line) In / Out — indicates an incoming or outgoing packet IP / TCP / UDP / ICMP, etc. — communication protocol (for which the rule was defined) richard.kerio.com [192.168.2.38:3772] — DNS name of the computer, from which the packet was sent, in square brackets is the IP address with the source port after a colon localhost:25 — destination IP address (or DNS name) and port (localhost = this computer) Owner: — name of the local application to which the packet is addressed (including its full path). If the application is a system service the name displayed is SYSTEM. ..........EOQ................. | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner That one seems to be coming from...
NetRange: 200.0.0.0 - 200.255.255.255 NetName: LACNIC-200 | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no | owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port | received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, | Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened | port received': Blocked: In UDP, | 189.153.168.143:32737->localhost:29081, Owner: no owner | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': | Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': | Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: | no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port | received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081, | Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened | port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081, | Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened | port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081, | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened | port received': Blocked: In UDP, | 189.128.113.251:16491->localhost:29081, Owner: no owner | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': | Blocked: In UDP, 
221.209.110.13:49282->localhost:1026, Owner: no | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027, | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened | port received': Blocked: In UDP, | 200.117.180.230:22925->localhost:29081, Owner: no owner | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar | [200.117.180.230:22925]->localhost:29081, Owner: no owner | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port | received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081, | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened | port received': Blocked: In UDP, | 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007 | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, | 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007 | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, | 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007 | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, | 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007 | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, | 142.161.209.54:15611->localhost:29081, Owner: no owner 1,[28/Jul/2007 | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, | 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007 | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, | msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened 
port | received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081, | Owner: no owner | | | -- | MEB | http://peoplescounsel.orgfree.com | ________ -- Thanks or Good Luck, There may be humor in this post, and, Naturally, you will not sue, Should things get worse after this, PCR pcrrcp@netzero.net
Guest MEB Posted July 29, 2007

Re: firewalls - what to block and why - your security at risk "PCR" <pcrrcp@netzero.net> wrote in message news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl... | MEB wrote: | | PCR and Gram Pappy [among others] have been discussing firewall | | settings and what they can or should be used for. | | That's right. I installed... | http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW | | ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months | later began a 17 year study of what to do with it. But I should have | spoke up sooner! | | | In the spirit of those discussions, I thought I would post some | | blocked activity from a SINGLE session/contact through my ISP and | | ONLY to this news server and my email accounts [via OE6]. This is | | from the firewall log [several of my normal settings/restrictions | | were specifically reset for this presentation]. | | Thanks for jumping in. So, you wanted to see what would happen just by | connecting to the NET & using OE for mail & NG activity. Well, ah no, actually I wanted to let other users who may not have investigated or understand firewalls. | | | No other Internet activity occurred [e.g., no external IE or browser | | usage or other activity]. All *allowed activity* has been removed, so | | that the addresses and activities blocked might be addressed for | | perhaps a greater understanding of the function of firewalls, what | | they can and are used for, and other aspects related thereto. | | Really, it's important to see what was allowed too. Where I thought my | Primary DNS Server rule would be used only by NetZero (they are NetZero | addresses in there)... really a whole bunch of apps were using it! But | that's in the other thread! DNS is used by any program requiring addressing information.
The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s) with limited [chosen by previous monitoring] local ports and applications. I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection], however I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.

2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119->localhost:1072, Owner: no owner

at which point I disconnected having retrieved mail and the news messages. NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests. | | | For those who do not understand firewalls, these activities would or | | may have been allowed as they followed either programs IN USE [allowed | | activity], or through addressing [broadcast or otherwise] had a | | firewall not been used. | | That is right. Without a firewall with a good set of denial rules, all | activity is allowed. Hopefully, if a virus or a trojan or a spy can | sneak in that way, a good virus detector will prevent it from executing. | Also, there may have been an MS fix or two to prevent some forms of | abuse along these lines (I don't know). What would make you think any anti-spyware or anti-virus programs would check or correct these types of activities? Anti-spyware programs MAY block certain addresses and perhaps some ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to infect something, or emails or files which contain hacks or other. Host or lmhost files catch what they have been configured to catch via addressing/name. These, however, are *network use* activities WITHIN the TCP/IP and other aspects of Internet/network usage. Firewalls, proxies, packet sniffers, client servers, the TCP/IP kernel, and the like, are what handle these activities. Of course the above is an overly simplified explanation. | | | NOTE: this is contact through a dial-up connection[phone]/ISP [which | | is indicated via some of these addresses], ALWAYS ON connections are | | even more of a security risk. | | Uhuh. I am Dial-Up too. That way, you get a new IP address each connect. Only if that is what the ISP requires or desires.
| | | Hopefully, this discussion will be useful to those interested and | | provide theory and answers to various issues. | | Rule sets or other settings for various firewalls would naturally be | | of interest. | | | | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': | | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner | | I find I have to guess as to the meaning of that. Looks like someone at | 67.170.2.174, who is Comcast... | | http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174 | .....Quote........... | 67.170.2.174 | Record Type: IP Address | | Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1) | 67.160.0.0 - 67.191.255.255 | Comcast Cable Communications, IP Services WASHINGTON-6 | (NET-67-170-0-0-1) | 67.170.0.0 - 67.170.127.255 | .....EOQ............. | | ...sent a UDP datagram to port 29081 on your machine. But I don't | know... | | (1) did the port exist without an owner, & would it have received | the datagram (except the rule blocked it)? | (The name of that rule suggests the answer is no.) The data request would have been received and likely honored. The port would have been opened/created to allow this activity. | | (2) did the port once exist & at that time have an owner, | but somehow was closed before the datagram arrived? | Therefore, it couldn't get it, anyhow, even if not blocked? If it would have been ALLOWED activity [e.g., without proxy or firewall monitoring or exclusion, or within a hosts or lmhosts, or other], then a search would have been made for an available port, and then created/opened.
Look again at this:

1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner

See the attempt to find or create an open port? Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in attempt to find or create one. | | (3) did the port 29081 never exist? | | Do any earlier log entries mention that port? You'd have to log all | activity of each "permit" rule to know for sure. But, if there is no | rule permitting the activity, then you would have received a Kerio | requestor mentioning the port. No we don't need that. Were an ALLOWED program or address using that aspect, then it would NOT have created the denial. Either would have cascaded to find an open port for use [as long as it was in the defined rule range]. AND you mention Kerio, which MUST have that turned on [requestor]. Other firewalls, particularly those that automatically configure themselves, MAY not pop-up anything unless it has been configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls, imagine what they are configured by default to allow. | | Here is a Kerio help page to study... | | ......Quote............ | Filter.log file | | The filter.log file is used for logging Kerio Personal Firewall actions | on a local computer. It is created in a directory where Personal | Firewall is installed (typically C:\Program Files\Kerio\Personal | Firewall). It is created upon the first record.
| | Filter.log is a text file where each record is placed on a new line. It | has the following format: | | 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: | In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: | G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE | | How to read this line: | | 1 rule type (1 = denying, 2 = permitting) | | [08/Jun/2001 16:52:09] date and time that the packet was detected (we | recommend checking the correct setting of the system time on your | computer) | | Rule 'Internet Information Services' name of a rule that was applied | (from the Description field) | | Blocked: / Permitted: indicates whether the packet was blocked or | permitted (corresponds with the number at the beginning of the line) | | In / Out indicates an incoming or outgoing packet | | IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule | was defined) | | richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from | which the packet was sent, in square brackets is the IP address with the | source port after a colon | | localhost:25 destination IP address (or DNS name) and port (localhost = | this computer) | | Owner: name of the local application to which the packet is addressed | (including its full path). If the application is a system service the | name displayed is SYSTEM. | .........EOQ................. | | | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': | | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner | | That one seems to be coming from... | | NetRange: 200.0.0.0 - 200.255.255.255 | NetName: LACNIC-200 Yes, that is the key to your Firewall security. Tracking each suspect activity to the originator, if possible. Actually were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown.
The Internet is a cesspool of users, unless you protect yourself from them. NO-ONE is completely invisible or invulnerable. There is always a starting [requesting/receiving] address [yours]. If you were ACTUALLY invisible then nothing would reach you; you couldn't receive a web page; you couldn't receive email; you couldn't do any networking. Whatever is requested MUST have a destination [You]. [Okay, I know of ways but we're not educating hackers here.] FOR THE GENERAL DOUBTER [not you PCR]: Try it. Block all network and Internet traffic in your firewall. That closes all ports, hence no requesting/receiving address [yours]. It doesn't matter that you may have obtained an IP address or have one hard set, there is no way to use it {don't try this for long or you will lose access to the net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if applicable}...] No ports or no address and there is no network. Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to ANY web address. Notice the addresses? Notice the routing? NOW, exactly how did YOU receive that information? Certainly it wasn't broadcast to the world and you just happened to have ended up with it. Or was it? -- Now what could a hacker, or someone wishing to track you for whatever reason, do with that information? All that is originally needed by that party is the requesting/receiving address; e.g. your address, your activity, something you did or allowed. Once this is known then anything that party wishes to do can be done. Now think about ALWAYS ON connections. For instance, you did go through Sponge's other pages [used because it was previously referenced] which address advertising and other innocent [cough] inclusions on web pages, or which you may find on the Internet, correct? Such as: http://www.geocities.com/yosponge/othrstuf.html Did you look at his host file, etc..
Or perhaps look at ports, packets, formation, and other aspects over on: http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives 9X users? Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some nice tools for network/Internet use/diagnostics. Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be careful using it, many servers do NOT like to be scanned, you may be logged and your ISP or other agency may be contacted.. Another nifty test tool is called *tooleaky*. A little 3k tool to test your supposed security [created to test/expose GRC suggestions]. Read about what it does and how. You might think twice about what you think you know. If you're using 2000 or above, might want to check these older tools: http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee Attacker 3.00 http://www.foundstone.com/knowledge/proddesc/fport.html fport - find out what is using what port - 2000 - XP/NT Identify unknown open ports and their associated applications Copyright 2002 © by Foundstone, Inc. http://www.foundstone.com fport supports Windows NT4, Windows 2000 and Windows XP fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. Trout Version 2.0 (formerly SuboTronic) New in this release Parallel pinging, resulting in a huge speed improvement. Selectable background and text colors. Improved interface. Save trace to file. Improved HTML output. Optional continuous ping mode. Traceroute and Whois program. Copyright 2000 © by Foundstone, Inc. A visual (i.e. GUI as opposed to command-line) traceroute and Whois program. Pinging can be set at a controllable rate as can the frequency of repeatedly scanning the selected host.
The built-in simple Whois lookup can be used to identify hosts discovered along the route to the destination computer. Parallel pinging and hostname lookup techniques make this traceroute program perhaps the fastest currently available. Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet | | | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner | | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | | Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner | | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no | | owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port | | received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, | | Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened | | port received': Blocked: In UDP, | | 189.153.168.143:32737->localhost:29081, Owner: no owner | | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': | | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner | | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': | | Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner | | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': | | Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner | | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In | | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: | | no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port | | received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081, | | Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened | | port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081, | | Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened | | port 
received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081, | | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened | | port received': Blocked: In UDP, | | 189.128.113.251:16491->localhost:29081, Owner: no owner | | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': | | Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no | | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port | | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027, | | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened | | port received': Blocked: In UDP, | | 200.117.180.230:22925->localhost:29081, Owner: no owner | | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': | | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no | | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port | | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar | | [200.117.180.230:22925]->localhost:29081, Owner: no owner | | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': | | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no | | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port | | received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081, | | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened | | port received': Blocked: In UDP, | | 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007 | | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, | | 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007 | | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, | | 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007 | | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, | | 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007 | | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, | | 
142.161.209.54:15611->localhost:29081, Owner: no owner 1,[28/Jul/2007 | | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, | | 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007 | | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, | | msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no | | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port | | received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081, | | Owner: no owner | | | | | | -- | | MEB | | http://peoplescounsel.orgfree.com | | ________ | | -- | Thanks or Good Luck, | There may be humor in this post, and, | Naturally, you will not sue, | Should things get worse after this, | PCR | pcrrcp@netzero.net | | -- MEB http://peoplescounsel.orgfree.com ________
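The blocked-packet lines posted in this thread follow the Kerio Personal Firewall 2.x filter.log format (verdict code, timestamp, rule name, Blocked/Permitted, direction, protocol, source->destination, owner). What follows is an added example, not code from this thread or from Kerio: a Python parser for that format, run over a handful of lines copied from the logs above (embedded as constructed sample input), with two checks a practitioner would want from such a log: which local ports drew blocked inbound traffic, and which remote sources walked through several local ports from one source port, as 24.64.192.20:17898 does with 1026, 1027 and 1028. The regular expressions and field names are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: lines copied from the Kerio 2.x filter.log excerpts in this
# thread. Format (per the Kerio help text quoted later in the thread):
#   <1|2>,[dd/Mon/yyyy HH:MM:SS] Rule '<name>': <Blocked|Permitted>: <In|Out> <PROTO>
#   [ [<icmp type>] <icmp name>], <src>-><dst>, Owner: <owner>
# where <src>/<dst> is "host:port", "name [ip:port]" or a bare host (ICMP).
SAMPLE_LOG = """\
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]->localhost:29081, Owner: no owner
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\\PROGRAM FILES\\AMERICA ONLINE 7.0\\WAOL.EXE
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
"""

LINE_RE = re.compile(
    r"^(?P<code>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<verdict>Blocked|Permitted): (?P<direction>In|Out) (?P<proto>\w+)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<src>.+?)->(?P<dst>.+?), Owner: (?P<owner>.*)$"
)
# "name [ip:port]" form, used by Kerio when the reverse lookup succeeded.
ENDPOINT_RE = re.compile(r"^(?:(?P<name>\S+) )?\[(?P<inner>[^\]]+)\]$")


def parse_endpoint(text):
    """Split 'host:port', 'name [ip:port]' or a bare host into (name, host, port)."""
    name = None
    m = ENDPOINT_RE.match(text)
    if m:
        name, text = m.group("name"), m.group("inner")
    host, sep, port = text.rpartition(":")
    if sep and port.isdigit():
        return name, host, int(port)
    return name, text, None


def parse_line(line):
    """Return a dict for one filter.log record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_name, src_host, src_port = parse_endpoint(m.group("src"))
    dst_name, dst_host, dst_port = parse_endpoint(m.group("dst"))
    return {
        "denied": m.group("code") == "1",          # 1 = denying rule, 2 = permitting
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
        "rule": m.group("rule"),
        "verdict": m.group("verdict"),
        "direction": m.group("direction"),
        "proto": m.group("proto"),
        "icmp_type": int(m.group("icmp_type")) if m.group("icmp_type") else None,
        "src_name": src_name, "src_host": src_host, "src_port": src_port,
        "dst_name": dst_name, "dst_host": dst_host, "dst_port": dst_port,
        # "no owner" means no local process was bound to the port: unsolicited.
        "owner": None if m.group("owner") == "no owner" else m.group("owner"),
    }


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def blocked_inbound_by_port(records):
    """Count blocked inbound packets per (protocol, local port)."""
    return Counter((r["proto"], r["dst_port"]) for r in records
                   if r["denied"] and r["direction"] == "In" and r["dst_port"] is not None)


def find_port_sweeps(records, min_ports=3):
    """Remote (host, source port) pairs that hit min_ports or more distinct local
    ports, i.e. the 'stepping through IN ports' pattern seen from 24.64.192.20."""
    hits = defaultdict(set)
    for r in records:
        if r["denied"] and r["direction"] == "In" and r["dst_port"] is not None:
            hits[(r["src_host"], r["src_port"])].add(r["dst_port"])
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocked inbound by port:", blocked_inbound_by_port(recs).most_common())
    print("port sweeps:", find_port_sweeps(recs))
```

Owner "no owner" is normalised to None so that unsolicited packets (nothing listening locally) are easy to separate from traffic addressed to a running program; the sweep check keys on the remote source port as well as the address, because a single scanner pass keeps one source port while it walks the local ones.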
Guest Curt Christianson Posted July 29, 2007
Re: firewalls - what to block and why - your security at risk

Some real food for thought gentlemen. Thank you.

P.S. I've been using ZA since 2000.

--
HTH,
Curt

Windows Support Center
http://www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message news:eq0$HgY0HHA.6072@TK2MSFTNGP03.phx.gbl...
|
| "PCR" <pcrrcp@netzero.net> wrote in message news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
|| MEB wrote:
|| | PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for.
||
|| That's right. I installed...
|| http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
||
|| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!
||
|| | In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6]. This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation].
||
|| Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity.
|
| Well, ah no, actually I wanted to let other users who may not have investigated or understood firewalls.
|
|| | No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto.
||
|| Really, it's important to see what was allowed too.
|| Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread!
|
| DNS is used by any program requiring addressing information. The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s), with limited [chosen by previous monitoring] local ports and applications.
|
| I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection]; however, I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.
|
| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119->localhost:1072, Owner: no owner
| at which point I disconnected, having retrieved mail and the news messages.
|
| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests.
|
|| | For those who do not understand firewalls, these activities would or may have been allowed as they followed either programs IN USE [allowed activity], or through addressing [broadcast or otherwise] had a firewall not been used.
||
|| That is right. Without a firewall with a good set of denial rules, all activity is allowed. Hopefully, if a virus or a trojan or a spy can sneak in that way, a good virus detector will prevent it from executing. Also, there may have been an MS fix or two to prevent some forms of abuse along these lines (I don't know).
|
| What would make you think any anti-spyware or anti-virus programs would check or correct these types of activities?
|
| Anti-spyware programs MAY block certain addresses and perhaps some ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to infect something, or emails or files which contain hacks or other. Hosts or lmhosts files catch what they have been configured to catch via addressing/name.
| These, however, are *network use* activities WITHIN the TCP/IP and other aspects of Internet/network usage. Firewalls, proxies, packet sniffers, client servers, the TCP/IP kernel, and the like, are what handle these activities.
| Of course the above is an overly simplified explanation.
|
|| | NOTE: this is contact through a dial-up connection[phone]/ISP [which is indicated via some of these addresses]; ALWAYS ON connections are even more of a security risk.
||
|| Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.
|
| Only if that is what the ISP requires or desires.
|
|| | Hopefully, this discussion will be useful to those interested and provide theory and answers to various issues.
|| | Rule sets or other settings for various firewalls would naturally be of interest.
|| |
|| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
||
|| I find I have to guess as to the meaning of that. Looks like someone at 67.170.2.174, who is Comcast...
||
|| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
|| .....Quote...........
|| 67.170.2.174
|| Record Type: IP Address
||
|| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| 67.160.0.0 - 67.191.255.255
|| Comcast Cable Communications, IP Services WASHINGTON-6 (NET-67-170-0-0-1)
|| 67.170.0.0 - 67.170.127.255
|| .....EOQ.............
||
|| ...sent a UDP datagram to port 29081 on your machine. But I don't know...
||
|| (1) did the port exist without an owner, & would it have received the datagram (except the rule blocked it)?
|| (The name of that rule suggests the answer is no.)
|
| The data request would have been received and likely honored.
| The port would have been opened/created to allow this activity.
|
|| (2) did the port once exist & at that time have an owner, but somehow was closed before the datagram arrived? Therefore, it couldn't get it, anyhow, even if not blocked?
|
| If it would have been ALLOWED activity [e.g., without proxy or firewall monitoring or exclusion, or within a hosts or lmhosts, or other], then a search would have been made for an available port, and then created/opened.
| Look again at this:
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
|
| See the attempt to find or create an open port?
| Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in an attempt to find or create one.
|
|| (3) did the port 29081 never exist?
||
|| Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port.
|
| No, we don't need that.
| Were an ALLOWED program or address using that aspect, then it would NOT have created the denial. Either would have cascaded to find an open port for use [as long as it was in the defined rule range].
| AND you mention Kerio, which MUST have that turned on [requestor].
| Other firewalls, particularly those that automatically configure themselves, MAY not pop up anything unless configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls; imagine what they are configured by default to allow.
|
|| Here is a Kerio help page to study...
||
|| ......Quote............
|| Filter.log file
||
|| The filter.log file is used for logging Kerio Personal Firewall actions on a local computer.
|| It is created in a directory where Personal Firewall is installed (typically C:\Program Files\Kerio\Personal Firewall). It is created upon the first record.
||
|| Filter.log is a text file where each record is placed on a new line. It has the following format:
||
|| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
||
|| How to read this line:
||
|| 1 - rule type (1 = denying, 2 = permitting)
||
|| [08/Jun/2001 16:52:09] - date and time that the packet was detected (we recommend checking the correct setting of the system time on your computer)
||
|| Rule 'Internet Information Services' - name of a rule that was applied (from the Description field)
||
|| Blocked: / Permitted: - indicates whether the packet was blocked or permitted (corresponds with the number at the beginning of the line)
||
|| In / Out - indicates an incoming or outgoing packet
||
|| IP / TCP / UDP / ICMP, etc. - communication protocol (for which the rule was defined)
||
|| richard.kerio.cz [192.168.2.38:3772] - DNS name of the computer from which the packet was sent; in square brackets is the IP address with the source port after a colon
||
|| localhost:25 - destination IP address (or DNS name) and port (localhost = this computer)
||
|| Owner: - name of the local application to which the packet is addressed (including its full path). If the application is a system service the name displayed is SYSTEM.
|| .........EOQ.................
||
|| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
||
|| That one seems to be coming from...
||
|| NetRange: 200.0.0.0 - 200.255.255.255
|| NetName: LACNIC-200
|
| Yes, that is the key to your Firewall security.
| Tracking each suspect activity to the originator, if possible.
|
| Actually, were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown.
| The Internet is a cesspool of users, unless you protect yourself from them. NO-ONE is completely invisible or invulnerable. There is always a starting [requesting/receiving] address [yours].
| If you were ACTUALLY invisible then nothing would reach you; you couldn't receive a web page; you couldn't receive email; you couldn't do any networking. Whatever is requested MUST have a destination [You]. [Okay, I know of ways but we're not educating hackers here.]
|
| FOR THE GENERAL DOUBTER [not you PCR]:
| Try it. Block all network and Internet traffic in your firewall. That closes all ports, hence no requesting/receiving address [yours]. It doesn't matter that you may have obtained an IP address or have one hard set; there is no way to use it {don't try this for long or you will lose access to the net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if applicable}...] No ports or no address and there is no network.
| Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to ANY web address. Notice the addresses? Notice the routing?
| NOW, exactly how did YOU receive that information? Certainly it wasn't broadcast to the world and you just happened to have ended up with it. Or was it?
| --
|
| Now what could a hacker, or someone wishing to track you for whatever reason, do with that information?
| All that is originally needed by that party is the requesting/receiving address; e.g. your address, your activity, something you did or allowed. Once this is known then anything that party wishes to do can be done. Now think about ALWAYS ON connections.
|
| For instance, you did go through Sponge's other pages [used because it was previously referenced] which address advertising and other innocent [cough] inclusions on web pages, or which you may find on the Internet, correct?
| Such as: http://www.geocities.com/yosponge/othrstuf.html
| Did you look at his host file, etc.?
| Or perhaps look at ports, packets, formation, and other aspects over on:
| http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
|
| 9X users?
| Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some nice tools for network/Internet use/diagnostics.
| Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc. Be careful using it; many servers do NOT like to be scanned, you may be logged and your ISP or other agency may be contacted.
|
| Another nifty test tool is called *tooleaky*. A little 3k tool to test your supposed security [created to test/expose GRC suggestions]. Read about what it does and how. You might think twice about what you think you know.
|
| If you're using 2000 or above, you might want to check these older tools:
|
| http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
|
| Attacker 3.00
|
| http://www.foundstone.com/knowledge/proddesc/fport.html
| fport - find out what is using what port - 2000 - XP/NT
| Identify unknown open ports and their associated applications
| Copyright 2002 © by Foundstone, Inc.
| http://www.foundstone.com
| fport supports Windows NT4, Windows 2000 and Windows XP
| fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
|
| Trout Version 2.0 (formerly SuboTronic)
| New in this release
| Parallel pinging, resulting in a huge speed improvement.
| Selectable background and text colors.
| Improved interface.
| Save trace to file.
| Improved HTML output.
| Optional continuous ping mode.
| Traceroute and Whois program.
| Copyright 2000 © by Foundstone, Inc.
| A visual (i.e. GUI as opposed to command-line) traceroute and Whois program. Pinging can be set at a controllable rate as can the frequency of repeatedly scanning the selected host. The built-in simple Whois lookup can be used to identify hosts discovered along the route to the destination computer. Parallel pinging and hostname lookup techniques make this traceroute program perhaps the fastest currently available.
|
| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
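MEB's DNS advice above is to pin lookups to the exact resolver(s), remote port 53, a limited range of local ports and specific applications, with everything else denied. The following is an added example, not the thread's rule set and not Kerio code: a small first-match rule evaluator in Python that models rules of that shape, plus an explicit deny like the 'Shaw Comm block' rule, and compares a per-application DNS rule with a loose "any application" one. The resolver range (192.0.2.0/24, a TEST-NET block), the process paths and the /32 on the logged Shaw address are placeholders chosen for the example, not anyone's real configuration; Kerio's built-in 'Packet to unopened port received' verdict is represented here simply by the default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    direction: str               # "In" or "Out"
    proto: str                   # "UDP", "TCP" or "ICMP"
    remote_addr: str
    remote_port: Optional[int]
    local_port: Optional[int]
    owner: Optional[str]         # local process path, None = "no owner"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "Permitted" or "Blocked"
    direction: str = "Both"      # "In", "Out" or "Both"
    proto: str = ANY
    remote_nets: Tuple = ()      # () = any remote address
    remote_ports: Optional[range] = None
    local_ports: Optional[range] = None
    owner: str = ANY             # ANY or one exact process path

    def matches(self, p: Packet) -> bool:
        if self.direction != "Both" and self.direction != p.direction:
            return False
        if self.proto != ANY and self.proto != p.proto:
            return False
        if self.remote_nets and not any(ip_address(p.remote_addr) in n for n in self.remote_nets):
            return False
        if self.remote_ports is not None and (p.remote_port is None or p.remote_port not in self.remote_ports):
            return False
        if self.local_ports is not None and (p.local_port is None or p.local_port not in self.local_ports):
            return False
        if self.owner != ANY and self.owner != p.owner:
            return False
        return True


def evaluate(rules, packet):
    """First matching rule wins; anything unmatched is denied, the stance argued in the thread."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "Blocked", "default deny (no matching rule)"


# Placeholder resolver range standing in for "any NetZero address" (assumption).
ISP_DNS = (ip_network("192.0.2.0/24"),)
EXEC_EXE = r"C:\Program Files\NetZero\exec.exe"                  # invented path
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"    # invented path


def dns_rule(label, path):
    """UDP, both directions, local ports 1024-5000, the resolver range, remote port 53, one application."""
    return Rule(f"DNS Server-- {label}", "Permitted", "Both", "UDP",
                ISP_DNS, range(53, 54), range(1024, 5001), path)


RULES = [
    # Explicit deny for the address seen stepping through local ports 1026-1028 in the log above.
    Rule("Shaw Comm block", "Blocked", "In", "UDP", (ip_network("24.64.192.20/32"),)),
    Rule("Incoming ICMP", "Blocked", "In", "ICMP"),
    dns_rule("EXEC.exe", EXEC_EXE),
    dns_rule("IExplore", IEXPLORE),
]

# The loose alternative for comparison: one DNS rule that any program may use.
LOOSE_RULES = RULES[:2] + [dns_rule("any application", ANY)]


def decide(rules, direction, proto, remote_addr, remote_port, local_port, owner):
    return evaluate(rules, Packet(direction, proto, remote_addr, remote_port, local_port, owner))


if __name__ == "__main__":
    cases = [
        ("Out", "UDP", "192.0.2.53", 53, 1030, EXEC_EXE),               # dialler's DNS query
        ("In", "UDP", "192.0.2.53", 53, 1030, EXEC_EXE),                # its reply
        ("Out", "UDP", "192.0.2.53", 53, 1031, r"C:\tmp\unknown.exe"),  # program with no rule
        ("Out", "UDP", "198.51.100.9", 53, 1032, EXEC_EXE),             # query to a foreign resolver
        ("In", "UDP", "24.64.192.20", 17898, 1026, None),               # the logged sweep
        ("In", "UDP", "218.10.137.139", 55190, 1026, None),             # unsolicited, no rule at all
    ]
    for c in cases:
        print(f"{c[0]:3} {c[1]} {c[2]}:{c[3]} -> local:{c[4]} owner={c[5]!r}: "
              f"strict={decide(RULES, *c)[1]}; loose={decide(LOOSE_RULES, *c)[1]}")
```

The third case is the one that separates the two rule sets: under the per-application rules an unlisted program's DNS query falls through to the default deny (in Kerio that is where the requestor would pop up), while the "any application" rule lets it through, which is exactly the tunnelling route the *tooleaky* test exercises.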
Guest PCR Posted July 29, 2007
Re: firewalls - what to block and why - your security at risk

Curt Christianson wrote:
| Some real food for thought gentlemen. Thank you.

You are welcome. I have only begun & will not rest until I get these Kerio rules right-- even if I have to complete the rest of my 17 year study! I'm moving it to the top of my to-do list!

My master plan is to discover just what my legit apps want to or must do to function properly. Then, I will code rules that permit JUST those apps to do it. Only my denial rules will apply to "any application", is my plan.

And I have begun with my Primary DNS Server rule, which now I have split into FIVE...

(1) DNS Server-- EXEC.exe (NetZero)
(2) DNS Server-- ASHWEBSV (avast! Web Scanner)
(3) DNS Server-- AVAST.SETUP
(4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
(5) DNS Server-- IExplore

I may attempt again to narrow it down. But, currently, each of those gets to do UDP, both directions, local ports 1024-5000, any NetZero address, port 53. Lots of other apps were using it before. But that's in another thread!

| P.S. I've been using ZA since 2000.
|
| --
| HTH,
| Curt
|
| Windows Support Center
| http://www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" <meb@not here@hotmail.com> wrote in message news:eq0$HgY0HHA.6072@TK2MSFTNGP03.phx.gbl...
||
|| "PCR" <pcrrcp@netzero.net> wrote in message news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
||| MEB wrote:
||| | PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for.
|||
||| That's right. I installed...
||| http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
|||
||| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!
||| ||| | In the spirit of those discussions, I thought I would post some ||| | blocked activity from a SINGLE session/contact through my ISP and ||| | ONLY to this news server and my email accounts [via OE6]. This is ||| | from the firewall log [several of my normal settings/restrictions ||| | were specifically reset for this presentation]. ||| ||| Thanks for jumping in. So, you wanted to see what would happen just ||| by connecting to the NET & using OE for mail & NG activity. || || Well, ah no, actually I wanted to let other users who may not have || investigated or understand firewalls. || ||| ||| | No other Internet activity occurred [e.g., no external IE or ||| | browser usage or other activity]. All *allowed activity* has been ||| | removed, so that the addresses and activities blocked might be ||| | addressed for perhaps a greater understanding of the function of ||| | firewalls, what they can and are used for, and other aspects ||| | related thereto. ||| ||| Really, it's important to see what was allowed too. Where I thought ||| my Primary DNS Server rule would be used only by NetZero (they are ||| NetZero addresses in there)... really a whole bunch of apps were ||| using it! But that's in the other thread! || || DNS is used by any program requiring addressing information. The key || is to limit to the EXACT DNS server(s) NOT within your system || [unless for local network traffic] and the port [53] used by that || (those) server(s) with limited [chosen by previous monitoring] local || ports and applications. || || I will NOT post all my rules or what exactly I have configured || locally [that would supply the exact way to circumvent my || protection], however I will post this contact to retreive the || email/news messages [your posting], with a few more inclusions || [again, slightly modified rules and rule logging]. This was ONLY to || retreive mail and the newsgroups on Microsoft. Nothing else occurred || BUT the logon to the ISP. 
|| || 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, || localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA || ONLINE || 7.0\WAOL.EXE || 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] || Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver || 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, || XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA || ONLINE || 7.0\WAOL.EXE || 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] || Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], || Owner: Tcpip Kernel Driver || 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] || Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], || Owner: Tcpip Kernel Driver || 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] || Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver || 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] || Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898->localhost:1026, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898->localhost:1027, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898->localhost:1028, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In || TCP, 207.46.248.16:119->localhost:1072, Owner: no owner || at which point I disconnected having retrieved mail and the news || messages. || || NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip || Kernel requests. 
|| ||| ||| | For those who do not understand firewalls, these activities ||| | would or may have been allowed as they followed either programs ||| | IN USE [allowed activity], or through addressing [broadcast or ||| | otherwise] had a firewall not been used. ||| ||| That is right. Without a firewall with a good set of denial rules, ||| all activity is allowed. Hopefully, if a virus or a trojan or a spy ||| can sneak in that way, a good virus detector will prevent it from ||| executing. Also, there may have been an MS fix or two to prevent ||| some forms of abuse along these lines (I don't know). || || What would make you think any anti-spyware or anti-virus programs || would check or correct these types of activities? || || Anti-spyware programs MAY block certain addresses and perhaps some || ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to || infect something, or emails or files which contain hacks or other. || Host or lmhost files catch what they have been configured to catch || via addressing/name. || These, however, are *network use* activities WITHIN the TCP/IP and || other aspects of Internet/network usage. Firewalls, proxies, packet || sniffers, client servers, the TCP/IP kernel, and the like, are what || handle these activities. || Of course the above is an overly simplified explanation. || ||| ||| | NOTE: this is contact through a dial-up connection[phone]/ISP ||| | [which is indicated via some of these addresses], ALWAYS ON ||| | connections are even more of a security risk. ||| ||| Uhuh. I am Dial-Up too. That way, you get a new IP address each ||| connect. || || Only if that is what the ISP requires or desires. || ||| ||| | Hopefully, this discussion will be useful to those interested and ||| | provide theory and answers to various issues. ||| | Rule sets or other settings for various firewalls would ||| | naturally be of interest. 
||| | ||| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': ||| | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no ||| | owner ||| ||| I find I have to guess as to the meaning of that. Looks like ||| someone at ||| 67.170.2.174, who is Comcast... ||| ||| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174 ||| .....Quote........... ||| 67.170.2.174 ||| Record Type: IP Address ||| ||| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1) ||| 67.160.0.0 - 67.191.255.255 ||| Comcast Cable Communications, IP Services WASHINGTON-6 ||| (NET-67-170-0-0-1) ||| 67.170.0.0 - 67.170.127.255 ||| .....EOQ............. ||| ||| ...sent a UDP datagram to port 29081 on your machine. But I don't ||| know... ||| ||| (1) did the port exist without an owner, & would it have received ||| the datagram (except the rule blocked it)? ||| (The name of that rule suggests the answer is no.) || || The data request would have been received and likely honored. || The port would have been opened/created to allow this activity. || ||| ||| (2) did the the port once exist & at that time have an owner, ||| but somehow was closed before the datagram arrived? ||| Therefore, it couldn't get it, anyhow, even if not blocked? || || If it would have been ALLOWED activity [e.g., without proxy or || firewall monitoring or exculsion, or within a hosts or lmhosts, or || other]], then a search would have been made for an available port, || and then created/opened. Look again at this: || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898->localhost:1026, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898->localhost:1027, Owner: no owner || 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || 24.64.192.20:17898->localhost:1028, Owner: no owner || || See the attempt to find or create an open port? 
|| Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in attempt to find or create one.
||
||| (3) did the port 29081 never exist?
|||
||| Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port.
||
|| No we don't need that.
|| Were an ALLOWED program or address using that aspect, then it would NOT have created the denial. Either would have cascaded to find an open port for use [as long as it was in the defined rule range].
|| AND you mention Kerio, which MUST have that turned on [requestor].
|| Other firewalls, particularly those that automatically configure themselves, MAY not pop-up anything unless it has been configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls, imagine what they are configured by default to allow.
||
||| Here is a Kerio help page to study...
|||
||| ......Quote............
||| Filter.log file
|||
||| The filter.log file is used for logging Kerio Personal Firewall actions on a local computer. It is created in a directory where Personal Firewall is installed (typically C:\Program Files\Kerio\Personal Firewall). It is created upon the first record.
|||
||| Filter.log is a text file where each record is placed on a new line.
||| It has the following format:
|||
||| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|||
||| How to read this line:
|||
||| 1 - rule type (1 = denying, 2 = permitting)
||| [08/Jun/2001 16:52:09] - date and time that the packet was detected (we recommend checking the correct setting of the system time on your computer)
||| Rule 'Internet Information Services' - name of a rule that was applied (from the Description field)
||| Blocked: / Permitted: - indicates whether the packet was blocked or permitted (corresponds with the number at the beginning of the line)
||| In / Out - indicates an incoming or outgoing packet
||| IP / TCP / UDP / ICMP, etc. - communication protocol (for which the rule was defined)
||| richard.kerio.cz [192.168.2.38:3772] - DNS name of the computer from which the packet was sent; in square brackets is the IP address with the source port after a colon
||| localhost:25 - destination IP address (or DNS name) and port (localhost = this computer)
||| Owner: - name of the local application to which the packet is addressed (including its full path). If the application is a system service the name displayed is SYSTEM.
||| .........EOQ.................
|||
||| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
|||
||| That one seems to be coming from...
|||
||| NetRange: 200.0.0.0 - 200.255.255.255
||| NetName: LACNIC-200
||
|| Yes, that is the key to your Firewall security.
|| Tracking each suspect activity to the originator, if possible.
||
|| Actually were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown.
|| The Internet is a cesspool of users, unless you protect yourself from them. NO-ONE is completely invisible or invulnerable. There is always a starting [requesting/receiving] address [yours].
|| If you were ACTUALLY invisible then nothing would reach you; you couldn't receive a web page; you couldn't receive email; you couldn't do any networking. Whatever is requested MUST have a destination [You]. [Okay, I know of ways but we're not educating hackers here.]
||
|| FOR THE GENERAL DOUBTER [not you PCR]:
|| Try it. Block all network and Internet traffic in your firewall. That closes all ports, hence no requesting/receiving address [yours]. It doesn't matter that you may have obtained an IP address or have one hard set, there is no way to use it {don't try this for long or you will lose access to the net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if applicable}...] No ports or no address and there is no network.
|| Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to ANY web address. Notice the addresses? Notice the routing?
|| NOW, exactly how did YOU receive that information? Certainly it wasn't broadcast to the world and you just happened to have ended up with it. Or was it?
|| --
||
|| Now what could a hacker, or someone wishing to track you for whatever reason, do with that information?
|| All that is originally needed by that party is the requesting/receiving address; e.g. your address, your activity, something you did or allowed. Once this is known then anything that party wishes to do can be done. Now think about ALWAYS ON connections.
||
|| For instance, you did go through Sponge's other pages [used because it was previously referenced] which address advertising and other innocent [cough] inclusions on web pages, or which you may find on the Internet, correct?
|| Such as: http://www.geocities.com/yosponge/othrstuf.html
|| Did you look at his host file, etc.?
|| Or perhaps look at ports, packets, formation, and other aspects over on: http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
||
|| 9X users?
|| Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some nice tools for network/Internet use/diagnostics.
|| Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc. Be careful using it, many servers do NOT like to be scanned, you may be logged and your ISP or other agency may be contacted.
||
|| Another nifty test tool is called *tooleaky*. A little 3k tool to test your supposed security [created to test/expose GRC suggestions]. Read about what it does and how. You might think twice about what you think you know.
||
|| If you're using 2000 or above, might want to check these older tools:
||
|| http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
||
|| Attacker 3.00
||
|| http://www.foundstone.com/knowledge/proddesc/fport.html
|| fport - find out what is using what port - 2000 - XP/NT
|| Identify unknown open ports and their associated applications
|| Copyright 2002 © by Foundstone, Inc.
|| http://www.foundstone.com
|| fport supports Windows NT4, Windows 2000 and Windows XP
|| fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
||
|| Trout Version 2.0 (formerly SuboTronic)
|| New in this release
|| Parallel pinging, resulting in a huge speed improvement.
|| Selectable background and text colors.
|| Improved interface.
|| Save trace to file.
|| Improved HTML output.
|| Optional continuous ping mode.
|| Traceroute and Whois program.
|| Copyright 2000 © by Foundstone, Inc.
|| A visual (i.e. GUI as opposed to command-line) traceroute and Whois program. Pinging can be set at a controllable rate as can the frequency of repeatedly scanning the selected host. The built-in simple Whois lookup can be used to identify hosts discovered along the route to the destination computer. Parallel pinging and hostname lookup techniques make this traceroute program perhaps the fastest currently available.
||
|| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet
||
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
||| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
||| | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner
||| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner
||| | 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no owner
||| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027, Owner: no owner
||| | 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699->localhost:1026, Owner: no owner
||| | 1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490->localhost:1026, Owner: no owner
||| | 1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no owner
||| | 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081, Owner: no owner
||| |
||| | --
||| | MEB
||| | http://peoplescounsel.orgfree.com
||| | ________
|||
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
||| pcrrcp@netzero.net
||
|| --
|| MEB
|| http://peoplescounsel.orgfree.com
|| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
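The record layout quoted above from the Kerio help page ("How to read this line") and the port-stepping pattern pointed at in the Shaw Comm entries are enough to triage a filter.log mechanically instead of by eye. The following is an added example written for this page; it is not code from the thread, from Kerio or from Foundstone. It parses records in that documented layout, counts blocked inbound hits per local port, detects one remote host:port walking consecutive local ports (the 1026/1027/1028 case), and attaches a label to each record. The sample records are copied from entries quoted in the thread, with the masked addresses left as posted; the port-name table and the "late reply" heuristic are the editor's assumptions, not something the page states. One caveat the thread does not spell out: a datagram to a local port with no listening socket is discarded by the stack in any case; what the deny rule adds is the log entry and the suppression of the ICMP port-unreachable reply that would otherwise confirm the host is up.

```python
"""Triage helper for Kerio Personal Firewall filter.log records.

Added example for this thread, not code from the thread or from Kerio.
The record layout follows the 'How to read this line' help text quoted
above; the port-name table and the labelling heuristic are the editor's.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: records copied from the entries quoted in the
# thread (masked addresses left as posted). Nothing here is invented.
SAMPLE_LOG = r"""
1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]->localhost:29081, Owner: no owner
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
"""

# code,[timestamp] Rule 'name': Action: Dir PROTO[ [type] name], src->dst, Owner: x
LINE_RE = re.compile(
    r"^(?P<code>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<direction>In|Out) (?P<proto>\w+)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<src>.+?)->(?P<dst>.+?), Owner: (?P<owner>.*)$"
)
# "host:port", "name [ip:port]", "host" or "name [ip]" (ICMP carries no port)
ENDPOINT_RE = re.compile(
    r"^(?:(?P<name>\S+) \[)?(?P<host>[^\s\[\]:]+)(?::(?P<port>\d+))?\]?$"
)

# Editor's table of well-known ports that appear in the thread's log.
PORT_NAMES = {
    ("UDP", 1026): "Windows Messenger service (popup-spam target)",
    ("UDP", 1027): "Windows Messenger service (popup-spam target)",
    ("UDP", 1028): "Windows Messenger service (popup-spam target)",
    ("UDP", 1434): "MS SQL Server resolution service (the port SQL Slammer hit)",
    ("TCP", 119): "NNTP (news server)",
}


def parse_endpoint(text):
    """Split one side of 'src->dst' into (host, port or None, dns name or None)."""
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return m["host"], (int(m["port"]) if m["port"] else None), m["name"]


def parse_line(line):
    """Return a dict for one filter.log record, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port, src_name = parse_endpoint(m["src"])
    dst_host, dst_port, _ = parse_endpoint(m["dst"])
    return {
        "blocked": m["code"] == "1",  # 1 = denying rule, 2 = permitting rule
        "ts": m["ts"], "rule": m["rule"], "direction": m["direction"],
        "proto": m["proto"].upper(), "icmp": m["icmp_name"], "owner": m["owner"],
        "src_host": src_host, "src_port": src_port, "src_name": src_name,
        "dst_host": dst_host, "dst_port": dst_port,
    }


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.strip().splitlines()) if r]


def blocked_inbound(records):
    return [r for r in records if r["blocked"] and r["direction"] == "In"]


def ports_hit(records):
    """Blocked inbound hits per (proto, local port); ICMP has no port and is skipped."""
    return Counter((r["proto"], r["dst_port"])
                   for r in blocked_inbound(records) if r["dst_port"] is not None)


def port_walks(records):
    """Same remote host:port hitting a run of consecutive local ports (1026,1027,1028)."""
    seen = defaultdict(set)
    for r in blocked_inbound(records):
        if r["dst_port"] is not None:
            seen[(r["src_host"], r["src_port"], r["proto"])].add(r["dst_port"])
    return {key: sorted(p) for key, p in seen.items()
            if len(p) >= 2 and max(p) - min(p) == len(p) - 1}


def describe(record):
    """Heuristic label for a blocked inbound record (editor's reading, not the page's)."""
    proto, dport, sport = record["proto"], record["dst_port"], record["src_port"]
    if proto == "ICMP":
        return f"ICMP {record['icmp']}"
    if sport is not None and sport < 1024 and dport is not None and dport >= 1024:
        # Service source port (119 = NNTP) to an ephemeral local port with no
        # owner: most likely a late segment from a server this host had just
        # talked to, arriving after the local socket closed, not an attack.
        return f"late reply from {PORT_NAMES.get((proto, sport), 'a service port')}"
    return PORT_NAMES.get((proto, dport), f"unsolicited {proto}/{dport}")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (proto, port), n in ports_hit(recs).most_common():
        print(f"{proto}/{port}: {n} blocked  {PORT_NAMES.get((proto, port), '')}")
    for (host, sport, proto), ports in port_walks(recs).items():
        print(f"port walk from {host}:{sport} ({proto}) across {ports}")
    for r in blocked_inbound(recs):
        print(r["ts"], r["src_host"], "->", r["dst_port"], ":", describe(r))
```

Point it at a real filter.log by replacing SAMPLE_LOG with the file's contents; the "permit" records (code 2) are kept too, so the same parse can answer PCR's question of which owners actually used a given permit rule.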
Guest MEB
Posted July 29, 2007

Re: firewalls - ZONEALARM - what to block and why - your security at risk

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:%23tJUffZ0HHA.1204@TK2MSFTNGP03.phx.gbl...
| Some real food for thought gentlemen. Thank you.
|
| P.S. I've been using ZA since 2000.
|
| --
| HTH,
| Curt
|
| Windows Support Center
| http://www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm

We aim to please...
I also used ZA for a number of years on the various 9X boxes and XP. The rules aspect of other firewalls always drew me [having a Linux, Zenix, NT background] but I thought it wise to use what others might be using [for comparison purposes]. Now however, with the use of highly questionable activities on the Internet, and my personal questions related to ZA, and no support from Microsoft and ZoneLabs, I thought I would return to something which gave considerably more control during my final testing days under 9X. I have an old ZA version [forgot which version though, and have no intention of re-installing it] about 1.4meg which actually seemed to supply MOST of the normal functions required, at least semi-adequately. Sometimes I thought the newer versions were attempting aspects which were not well implemented or implemented in a fashion I thought not user friendly. Of course there is an ability to set up *rules like* activities within ZA, but I would imagine most users do not do so.

In the spirit of this discussion, which is to include any firewalls [and I hope it eventually does. Note this has ZONEALARM now in its subject heading]:
What version and product are you or others using?
Have you or others run monitoring/sniffing programs while using ZA to see if it actually performs as advertised?
What settings or other seemed to be the most useful to you or other users?
What advice would users give concerning settings, configuration, etc. to other users of ZA, [noting in Curt's case, I think you're using it under W2K, so does that offer anything different as far as you know]?
Have you or other users created any similar rules within ZA to the below [referencing Kerio PFW rules]?

| | "MEB" <meb@not here@hotmail.com> wrote in message news:eq0$HgY0HHA.6072@TK2MSFTNGP03.phx.gbl...
| |
| | "PCR" <pcrrcp@netzero.net> wrote in message news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
| || MEB wrote:
| || | PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for.
| ||
| || That's right. I installed...
| || http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!
| ||
| || | In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6]. This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation].
| ||
| || Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity.
| |
| | Well, ah no, actually I wanted to let other users who may not have investigated or understand firewalls.
| |
| || | No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto.
| ||
| || Really, it's important to see what was allowed too. Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread!
| |
| | DNS is used by any program requiring addressing information. The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s) with limited [chosen by previous monitoring] local ports and applications.
| |
| | I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection], however I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.
| |
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| | 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119->localhost:1072, Owner: no owner
| | at which point I disconnected having retrieved mail and the news messages.
| |
| | NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests.
| | | || | || | For those who do not understand firewalls, these activities would or | || | may have been allowed as they followed either programs IN USE [allowed | || | activity], or through addressing [broadcast or otherwise] had a | || | firewall not been used. | || | || That is right. Without a firewall with a good set of denial rules, all | || activity is allowed. Hopefully, if a virus or a trojan or a spy can | || sneak in that way, a good virus detector will prevent it from executing. | || Also, there may have been an MS fix or two to prevent some forms of | || abuse along these lines (I don't know). | | | | What would make you think any anti-spyware or anti-virus programs would | | check or correct these types of activities? | | | | Anti-spyware programs MAY block certain addresses and perhaps some | ActiveX, | | or other. Anti-virus MIGHT catch scripting or attempts to infect | something, | | or emails or files which contain hacks or other. Host or lmhost files | catch | | what they have been configured to catch via addressing/name. | | These, however, are *network use* activities WITHIN the TCP/IP and other | | aspects of Internet/network usage. Firewalls, proxies, packet sniffers, | | client servers, the TCP/IP kernel, and the like, are what handle these | | activities. | | Of course the above is an overly simplified explanation. | | | || | || | NOTE: this is contact through a dial-up connection[phone]/ISP [which | || | is indicated via some of these addresses], ALWAYS ON connections are | || | even more of a security risk. | || | || Uhuh. I am Dial-Up too. That way, you get a new IP address each connect. | | | | Only if that is what the ISP requires or desires. | | | || | || | Hopefully, this discussion will be useful to those interested and | || | provide theory and answers to various issues. | || | Rule sets or other settings for various firewalls would naturally be | || | of interest. 
| || | | || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner | || | || I find I have to guess as to the meaning of that. Looks like someone at | || 67.170.2.174, who is Comcast... | || | || http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174 | || .....Quote........... | || 67.170.2.174 | || Record Type: IP Address | || | || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1) | || 67.160.0.0 - 67.191.255.255 | || Comcast Cable Communications, IP Services WASHINGTON-6 | || (NET-67-170-0-0-1) | || 67.170.0.0 - 67.170.127.255 | || .....EOQ............. | || | || ...sent a UDP datagram to port 29081 on your machine. But I don't | || know... | || | || (1) did the port exist without an owner, & would it have received | || the datagram (except the rule blocked it)? | || (The name of that rule suggests the answer is no.) | | | | The data request would have been received and likely honored. | | The port would have been opened/created to allow this activity. | | | || | || (2) did the the port once exist & at that time have an owner, | || but somehow was closed before the datagram arrived? | || Therefore, it couldn't get it, anyhow, even if not blocked? | | | | If it would have been ALLOWED activity [e.g., without proxy or firewall | | monitoring or exculsion, or within a hosts or lmhosts, or other]], then a | | search would have been made for an available port, and then | created/opened. | | Look again at this: | | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, | | 24.64.192.20:17898->localhost:1026, Owner: no owner | | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, | | 24.64.192.20:17898->localhost:1027, Owner: no owner | | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, | | 24.64.192.20:17898->localhost:1028, Owner: no owner | | | | See the attempt to find or create an open port? 
| | Now, should I have stayed online, there would have been continued attempts | | [see your prior discussion where I was online longer], though with | different | | Shaw addressing and OUT ports, again stepping through IN [local] ports in | | attempt to find or create.one. | | | | | || | || (3) did the port 29081 never exist? | || | || Do any earlier log entries mention that port? You'd have to log all | || activity of each "permit" rule to know for sure. But, if there is no | || rule permitting the activity, then you would have received a Kerio | || requestor mentioning the port. | | | | No we don't need that. | | Were an ALLOWED program or address using that aspect, then it would NOT | | have created the denial. Either would have cascaded to find an open port | for | | use [as long as it was in the defined rule range]. | | AND you mention Kerio, which MUST have that turned on {requestor]. | | Other firewalls, particularly those that automatically configure | | themselves, MAY not pop-up anything unless it has been configured that | way. | | They also MAY pass through such requests if piggy-backed from or on | allowed | | activities/programs. Think "but all I want to know is the user address". | | Think Microsoft's firewalls, imagine what they are configured by default | to | | allow. | | | || | || Here is a Kerio help page to study... | || | || ......Quote............ | || Filter.log file | || | || The filter.log file is used for logging Kerio Personal Firewall actions | || on a local computer. It is created in a directory where Personal | || Firewall is installed (typically C:\Program Files\Kerio\Personal | || Firewall). It is created upon the first record. | || | || Filter.log is a text file where each record is placed on a new line. 
It | || has the following format: | || | || 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: | || In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: | || G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE | || | || How to read this line: | || | || 1 rule type (1 = denying, 2 = permitting) | || | || [08/Jun/2001 16:52:09] date and time that the packet was detected (we | || recommend checking the correct setting of the system time on your | || computer) | || | || Rule 'Internet Information Services' name of a rule that was applied | || (from the Description field) | || | || Blocked: / Permittted: indicates whether the packet was blocked or | || permitted (corresponds with the number at the beginning of the line) | || | || In / Out indicates an incoming or outgoing packet | || | || IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule | || was defined) | || | || richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from | || which the packet was sent, in square brackets is the IP address with the | || source port after a colon | || | || locahost:25 destination IP address (or DNS name) and port (localhost = | || this computer) | || | || Owner: name of the local application to which the packet is addressed | || (including its full path). If the application is a system service the | || name displayed is SYSTEM. | || .........EOQ................. | || | || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner | || | || That one seems to be coming from... | || | || NetRange: 200.0.0.0 - 200.255.255.255 | || NetName: LACNIC-200 | | | | Yes, that is the key to your Firewall security. | | Tracking each suspect activity to the originator, if possible. 
| | | | Actually were I to post prior complete TRACKING logs [which I collect(ed) | | for specific use], say for one day's normal usage, vast numbers of | | potentially dangerous attacks/attempts would be shown. | | The Internet is a cesspool of users, unless you protect yourself from | them. | | NO-ONE is completely invisible or invulnerable. There is always a starting | | [requesting/receiving] address [yours]. | | If you were ACTUALLY invisible then nothing would reach you; you couldn't | | receive a web page; you couldn't receive email; you couldn't do any | | networking. Whatever is requested MUST have a destination [You]. [Okay, I | | know of ways but we're not educating hackers here.] | | | | FOR THE GENERAL DOUBTER [not you PCR]: | | Try it. Block all network and Internet traffic in your firewall. That | | closes all ports, hence no requesting/receiving address [yours]. It | doesn't | | matter that you may have obtained an IP address or have one hard set, | there | | is no way to use it {don't try this for long or you will lose access to | the | | net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if | | applicable}...] No ports or no address and there is no network. | | Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to | | ANY web address. Notice the addresses? Notice the routing? | | NOW, exactly how did YOU receive that information? Certainly it wasn't | | broadcast to the world and you just happened to have ended up with it. Or | | was it? | | -- | | | | Now what could a hacker, or someone wishing to track you for whatever | | reason, do with that information? | | All that is originally needed by that party is the requesting/receiving | | address; e.g. your address, your activity, something you did or allowed. | | Once this is known then anythng that party wishes to do can be done. Now | | think about ALWAYS ON connections. 
| | | | For instance, you did go through Sponge's other pages [used because it was | | previously referenced] which address advertising and other inoccent | [cough] | | inclusions on web pages, or which you may find on the Internet, correct? | | Such as: http://www.geocities.com/yosponge/othrstuf.html | | Did you look at his host file, etc.. | | Or perhaps look at ports, packets, formation, and other aspects over on: | | http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives | | | | 9X users? | | Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide | some | | nice tools for network/Internet use/diagnostics. | | Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be | careful | | using it, many servers do NOT like to be scanned, you may be logged and | your | | ISP or other agency may be contacted.. | | | | Another nifty test tool is called *tooleaky*. A little 3k tool to test | your | | supposed security [created to test/expose GRC suggestions]. Read about | what | | it does and how. You might think twice about what you think you know. | | | | If your using 2000 or above, might want to check these older tools: | | | | http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee | | | | Attacker 3.00 | | | | http://www.foundstone.com/knowledge/proddesc/fport.html | | fport - find out what is using what port - 2000 - XP/NT | | Identify unknown open ports and their associated applications | | Copyright 2002 © by Foundstone, Inc. | | http://www.foundstone.com | | fport supports Windows NT4, Windows 2000 and Windows XP | | fport reports all open TCP/IP and UDP ports and maps them to the owning | | application. This is the same information you would see using the | | 'netstat -an' command, but it also maps those ports to running processes | | with the PID, process name and path. Fport can be used to quickly identify | | unknown open ports and their associated applications. 
| | | | | | Trout Version 2.0 (formerly SuboTronic) | | New in this release | | Parallel pinging, resulting in a huge speed improvment. | | Selectable background and text colors. | | Improved interface. | | Save trace to file. | | Improved HTML output. | | Optional continuous ping mode. | | Traceroute and Whois program. | | Copyright 2000 © by Foundstone, Inc. | | A visual (i.e. GUI as opposed to command-line) traceroute and Whois | program. | | Pinging can be set at a controllable rate as can the frequency of | repeatedly | | scanning the selected host. The built-in simple Whois lookup can be used | to | | identify hosts discovered along the route to the destination computer. | | Parallel pinging and hostname lookup techniques make this traceroute | program | | perhaps the fastest currently available. | | | | | | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on | Microsoft's | | TechNet | | | || | || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner | || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner | || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no | || | owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port | || | received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, | || | Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened | || | port received': Blocked: In UDP, | || | 189.153.168.143:32737->localhost:29081, Owner: no owner | || | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner | || | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': | || | Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner | || | 
1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': | || | Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner | || | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In | || | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: | || | no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port | || | received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081, | || | Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened | || | port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081, | || | Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened | || | port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081, | || | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened | || | port received': Blocked: In UDP, | || | 189.128.113.251:16491->localhost:29081, Owner: no owner | || | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no | || | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port | || | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027, | || | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened | || | port received': Blocked: In UDP, | || | 200.117.180.230:22925->localhost:29081, Owner: no owner | || | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no | || | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port | || | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar | || | [200.117.180.230:22925]->localhost:29081, Owner: no owner | || | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': | || | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no | || | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port | || | received': Blocked: In UDP, 
74.107.240.241:48641->localhost:29081, | || | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened | || | port received': Blocked: In UDP, | || | 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007 | || | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, | || | 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007 | || | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, | || | 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007 | || | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, | || | 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007 | || | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, | || | 142.161.209.54:15611->localhost:29081, Owner: no owner 1,[28/Jul/2007 | || | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, | || | 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007 | || | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, | || | msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no | || | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port | || | received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081, | || | Owner: no owner | || | | || | | || | -- | || | MEB | || | http://peoplescounsel.orgfree.com | || | ________ | || | || -- | || Thanks or Good Luck, | || There may be humor in this post, and, | || Naturally, you will not sue, | || Should things get worse after this, | || PCR | || pcrrcp@netzero.net | || | || | | | | | | -- | | MEB | | http://peoplescounsel.orgfree.com | | ________ | | | | | | | | | | -- MEB http://peoplescounsel.orgfree.com ________
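The filter.log lines quoted through this thread all have one shape: rule type (1 = deny, 2 = permit), timestamp, rule name, Blocked or Permitted, In or Out, protocol, source->destination endpoints (written as ip:port, or as name [ip:port] when the name resolved, or as a bare host for ICMP), and the owning application or "no owner". Reading a few hundred of them by eye, as the posts above do, makes the two patterns worth noticing easy to miss: one remote host stepping through adjacent local ports (1026, 1027, 1028), and one local port being hit by many unrelated remote hosts within minutes. The following Python is an added example, not code from the posts or from Kerio. It parses that format and pulls out those two patterns; the sample lines are copied from the log excerpts in this thread, and the thresholds (two ports for a walk, three distinct sources for a busy port) are arbitrary choices for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the Kerio filter.log excerpts quoted
# in this thread (two sessions on 28/Jul/2007, 01:3x and 17:2x).
SAMPLE_LOG = r"""
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner
1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]->localhost:29081, Owner: no owner
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
"""

# One record: "<1|2>,[<timestamp>] Rule '<name>': <Blocked|Permitted>:
# <In|Out> <protocol...>, <src>-><dst>, Owner: <application>"
LINE = re.compile(
    r"^(?P<code>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<dir>In|Out) (?P<proto>[^,]+), "
    r"(?P<src>.+?)->(?P<dst>.+?), Owner: (?P<owner>.*)$"
)
# An endpoint is "ip:port", "name [ip:port]", or a bare host (ICMP).
ENDPOINT = re.compile(
    r"^(?:(?P<name>\S+) \[)?(?P<host>[^\]:]+)(?::(?P<port>\d+))?\]?$"
)


def parse_endpoint(text):
    m = ENDPOINT.match(text.strip())
    if not m:
        return None
    port = m.group("port")
    return {"name": m.group("name"), "host": m.group("host"),
            "port": int(port) if port is not None else None}


def parse_line(line):
    """Return a dict for one filter.log record, or None if the line is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, dst = parse_endpoint(m.group("src")), parse_endpoint(m.group("dst"))
    if src is None or dst is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
        "rule": m.group("rule"), "action": m.group("action"),
        "dir": m.group("dir"), "proto": m.group("proto").split()[0],
        "src": src, "dst": dst, "owner": m.group("owner"),
    }


def parse_log(text):
    records = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r is not None]


def summarize(records, walk_min=2, busy_min=3):
    """Over blocked inbound records only: which remote hosts walked several
    local ports, and which local ports were hit by several distinct remotes."""
    port_sources = defaultdict(set)   # local port -> remote hosts
    source_ports = defaultdict(set)   # remote host -> local ports
    for r in records:
        if r["action"] != "Blocked" or r["dir"] != "In" or r["dst"]["port"] is None:
            continue
        port_sources[r["dst"]["port"]].add(r["src"]["host"])
        source_ports[r["src"]["host"]].add(r["dst"]["port"])
    return {
        "walks": {h: sorted(p) for h, p in source_ports.items() if len(p) >= walk_min},
        "busy_ports": {p: len(h) for p, h in port_sources.items() if len(h) >= busy_min},
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for host, ports in summary["walks"].items():
        print(f"{host} walked local ports {ports}")
    for port, n in summary["busy_ports"].items():
        print(f"local port {port} hit by {n} distinct remote hosts")
```

Run against a real filter.log the thresholds need raising, and "walks" should be judged with the timestamps in hand: three datagrams to 1026, 1027 and 1028 in the same second from one source and one source port is the sweep the thread points at, whereas the same three ports hit hours apart is usually nothing.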
Guest Curt Christianson Posted July 30, 2007 Re: firewalls - ZONEALARM - what to block and why - your security at risk

Hi MEB, and all, I'm actually running a rather old version of ZA; v. 3.1.291. My philosophy is *unlike* AV apps. etc., there just isn't much to improve IMHO. I don't want or need any additional bells and whistles. And you were close, I'm running XP Pro, but I keep perusing this group, because this is where it all started for me. I still have my copy of W98SE, but it's kind of a pain to install that *after* XP is already there. I was a die-hard 98 fan, and swore I would *never* switch to XP, but the computer I inherited already had it on it. I figured I'd give it a try, and if I didn't like it, well, then back to good ol' 98. The way I have XP set up, you'd almost think it was 98. I turned off *all* the cutesy eye-candy etc., mainly for performance reasons. Besides, I *hate* pastels! This box was built for W98. I have to admit that it is extremely stable, but then again so was my 98 install. It's the "junk" we add later that tends to muck things up. Sorry I digressed.

-- HTH, Curt Windows Support Center http://www.aumha.org Practically Nerded,... http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message news:%23VgmuJi0HHA.4476@TK2MSFTNGP06.phx.gbl... | | | "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message | news:%23tJUffZ0HHA.1204@TK2MSFTNGP03.phx.gbl... || Some real food for thought gentlemen. Thank you. || || P.S. I've been using ZA since 2000. || || -- || HTH, || Curt || || Windows Support Center || http://www.aumha.org || Practically Nerded,... || http://dundats.mvps.org/Index.htm | | We aim to please... | | I also used ZA for a number of years on the various 9X boxes and XP.
The | rules aspect of other firewalls always drew me [having a Linux, Zenix, NT | background] but I thought it wise to use what others might be using [for | comparison purposes]. | Now however, with the use of highly questionable activities on the | Internet, and my personal questions related to ZA, and no support from | Microsoft and ZoneLabs, I thought I would return to something which gave | considerably more control during my final testing days under 9X. | | I have an old ZA version [forgot which version though, and have no | intention of re-installing it] about 1.4meg which actually seemed to supply | MOST of the normal functions required, at least semi-adequately. Sometimes I | thought the newer versions were attempting aspects which were not well | implemented or implemented in a fashion I thought not user friendly. Of | course there is an ability to setup *rules like* activities within ZA, but I | would imagine most users do not do so. | | In the spirit of this discussion, which is to include any firewalls [and I | hope it eventually does. Note this has ZONEALARM now in its subject | heading]: | | What version and product are you or others using? | | Have you or others run monitoring/sniffing programs while using ZA to see | if it actually performs as advertised? | | What settings or other seemed to be the most useful to you or other users? | | What advice would users give concerning settings, configuration, etc. to | other users of ZA, [noting in Curt's case, I think you're using it under W2K, | so does that offer anything different as far as you know]? | | Have you or other users created any similar rules within ZA to the below | [referencing Kerio PFW rules]? | || || "MEB" <meb@not here@hotmail.com> wrote in message || news:eq0$HgY0HHA.6072@TK2MSFTNGP03.phx.gbl... || | || | || | || | "PCR" <pcrrcp@netzero.net> wrote in message || | news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
|| || MEB wrote: || || | PCR and Gram Pappy [among others] have been discussing firewall || || | settings and what they can or should be used for. || || || || That's right. I installed... || || | http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW || || || || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months || || later began a 17 year study of what to do with it. But I should have || || spoken up sooner! || || || || | In the spirit of those discussions, I thought I would post some || || | blocked activity from a SINGLE session/contact through my ISP and || || | ONLY to this news server and my email accounts [via OE6]. This is || || | from the firewall log [several of my normal settings/restrictions || || | were specifically reset for this presentation]. || || || || Thanks for jumping in. So, you wanted to see what would happen just by || || connecting to the NET & using OE for mail & NG activity. || | || | Well, ah no, actually I wanted to let other users who may not have || | investigated or understood firewalls. || | || || || || | No other Internet activity occurred [e.g., no external IE or browser || || | usage or other activity]. All *allowed activity* has been removed, so || || | that the addresses and activities blocked might be addressed for || || | perhaps a greater understanding of the function of firewalls, what || || | they can and are used for, and other aspects related thereto. || || || || Really, it's important to see what was allowed too. Where I thought my || || Primary DNS Server rule would be used only by NetZero (they are NetZero || || addresses in there)... really a whole bunch of apps were using it! But || || that's in the other thread! || | || | DNS is used by any program requiring addressing information.
The key is | to || | limit to the EXACT DNS server(s) NOT within your system [unless for | local || | network traffic] and the port [53] used by that (those) server(s) with || | limited [chosen by previous monitoring] local ports and applications. || | || | I will NOT post all my rules or what exactly I have configured locally || | [that would supply the exact way to circumvent my protection], however I || | will post this contact to retrieve the email/news messages [your | posting], || | with a few more inclusions [again, slightly modified rules and rule || | logging]. This was ONLY to retrieve mail and the newsgroups on | Microsoft. || | Nothing else occurred BUT the logon to the ISP. || | || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, || | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA | ONLINE || | 7.0\WAOL.EXE || | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] | Router || | Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, || | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA | ONLINE || | 7.0\WAOL.EXE || | 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] | Router || | Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip || | Kernel Driver || | 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] | Router || | Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip || | Kernel Driver || | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo || | Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver || | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo || | Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver || | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || | 24.64.192.20:17898->localhost:1026, Owner: no owner || | 1,[28/Jul/2007 17:29:12]
Rule 'Shaw Comm block': Blocked: In UDP, || | 24.64.192.20:17898->localhost:1027, Owner: no owner || | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || | 24.64.192.20:17898->localhost:1028, Owner: no owner || | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, || | 207.46.248.16:119->localhost:1072, Owner: no owner || | at which point I disconnected having retrieved mail and the news | messages. || | || | NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel || | requests. || | || || || || | For those who do not understand firewalls, these activities would or || || | may have been allowed as they followed either programs IN USE | [allowed || || | activity], or through addressing [broadcast or otherwise] had a || || | firewall not been used. || || || || That is right. Without a firewall with a good set of denial rules, all || || activity is allowed. Hopefully, if a virus or a trojan or a spy can || || sneak in that way, a good virus detector will prevent it from | executing. || || Also, there may have been an MS fix or two to prevent some forms of || || abuse along these lines (I don't know). || | || | What would make you think any anti-spyware or anti-virus programs would || | check or correct these types of activities? || | || | Anti-spyware programs MAY block certain addresses and perhaps some || ActiveX, || | or other. Anti-virus MIGHT catch scripting or attempts to infect || something, || | or emails or files which contain hacks or other. Host or lmhost files || catch || | what they have been configured to catch via addressing/name. || | These, however, are *network use* activities WITHIN the TCP/IP and other || | aspects of Internet/network usage. Firewalls, proxies, packet sniffers, || | client servers, the TCP/IP kernel, and the like, are what handle these || | activities. || | Of course the above is an overly simplified explanation. 
|| | || || || || | NOTE: this is contact through a dial-up connection[phone]/ISP [which || || | is indicated via some of these addresses], ALWAYS ON connections are || || | even more of a security risk. || || || || Uh-huh. I am Dial-Up too. That way, you get a new IP address each | connect. || | || | Only if that is what the ISP requires or desires. || | || || || || | Hopefully, this discussion will be useful to those interested and || || | provide theory and answers to various issues. || || | Rule sets or other settings for various firewalls would naturally be || || | of interest. || || | || || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner || || || || I find I have to guess as to the meaning of that. Looks like someone at || || 67.170.2.174, who is Comcast... || || || || http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174 || || .....Quote........... || || 67.170.2.174 || || Record Type: IP Address || || || || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1) || || 67.160.0.0 - 67.191.255.255 || || Comcast Cable Communications, IP Services WASHINGTON-6 || || (NET-67-170-0-0-1) || || 67.170.0.0 - 67.170.127.255 || || .....EOQ............. || || || || ...sent a UDP datagram to port 29081 on your machine. But I don't || || know... || || || || (1) did the port exist without an owner, & would it have received || || the datagram (except the rule blocked it)? || || (The name of that rule suggests the answer is no.) || | || | The data request would have been received and likely honored. || | The port would have been opened/created to allow this activity. || | || || || || (2) did the port once exist & at that time have an owner, || || but somehow was closed before the datagram arrived? || || Therefore, it couldn't get it, anyhow, even if not blocked?
|| | || | If it would have been ALLOWED activity [e.g., without proxy or firewall || | monitoring or exclusion, or within a hosts or lmhosts, or other], then | a || | search would have been made for an available port, and then || created/opened. || | Look again at this: || | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || | 24.64.192.20:17898->localhost:1026, Owner: no owner || | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || | 24.64.192.20:17898->localhost:1027, Owner: no owner || | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, || | 24.64.192.20:17898->localhost:1028, Owner: no owner || | || | See the attempt to find or create an open port? || | Now, should I have stayed online, there would have been continued | attempts || | [see your prior discussion where I was online longer], though with || different || | Shaw addressing and OUT ports, again stepping through IN [local] ports | in || | attempt to find or create one. || | || | || || || || (3) did the port 29081 never exist? || || || || Do any earlier log entries mention that port? You'd have to log all || || activity of each "permit" rule to know for sure. But, if there is no || || rule permitting the activity, then you would have received a Kerio || || requestor mentioning the port. || | || | No we don't need that. || | Were an ALLOWED program or address using that aspect, then it would NOT || | have created the denial. Either would have cascaded to find an open port || for || | use [as long as it was in the defined rule range]. || | AND you mention Kerio, which MUST have that turned on [requestor]. || | Other firewalls, particularly those that automatically configure || | themselves, MAY not pop-up anything unless it has been configured that || way. || | They also MAY pass through such requests if piggy-backed from or on || allowed || | activities/programs. Think "but all I want to know is the user address".
|| | Think Microsoft's firewalls, imagine what they are configured by default || to || | allow. || | || || || || Here is a Kerio help page to study... || || || || ......Quote............ || || Filter.log file || || || || The filter.log file is used for logging Kerio Personal Firewall actions || || on a local computer. It is created in a directory where Personal || || Firewall is installed (typically C:\Program Files\Kerio\Personal || || Firewall). It is created upon the first record. || || || || Filter.log is a text file where each record is placed on a new line. It || || has the following format: || || || || 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: || || In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: || || G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE || || || || How to read this line: || || || || 1 rule type (1 = denying, 2 = permitting) || || || || [08/Jun/2001 16:52:09] date and time that the packet was detected (we || || recommend checking the correct setting of the system time on your || || computer) || || || || Rule 'Internet Information Services' name of a rule that was applied || || (from the Description field) || || || || Blocked: / Permitted: indicates whether the packet was blocked or || || permitted (corresponds with the number at the beginning of the line) || || || || In / Out indicates an incoming or outgoing packet || || || || IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule || || was defined) || || || || richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from || || which the packet was sent, in square brackets is the IP address with | the || || source port after a colon || || || || localhost:25 destination IP address (or DNS name) and port (localhost = || || this computer) || || || || Owner: name of the local application to which the packet is addressed || || (including its full path). If the application is a system service the || || name displayed is SYSTEM.
|| || .........EOQ................. || || || || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner || || || || That one seems to be coming from... || || || || NetRange: 200.0.0.0 - 200.255.255.255 || || NetName: LACNIC-200 || | || | Yes, that is the key to your Firewall security. || | Tracking each suspect activity to the originator, if possible. || | || | Actually were I to post prior complete TRACKING logs [which I | collect(ed) || | for specific use], say for one day's normal usage, vast numbers of || | potentially dangerous attacks/attempts would be shown. || | The Internet is a cesspool of users, unless you protect yourself from || them. || | NO-ONE is completely invisible or invulnerable. There is always a | starting || | [requesting/receiving] address [yours]. || | If you were ACTUALLY invisible then nothing would reach you; you | couldn't || | receive a web page; you couldn't receive email; you couldn't do any || | networking. Whatever is requested MUST have a destination [You]. [Okay, | I || | know of ways but we're not educating hackers here.] || | || | FOR THE GENERAL DOUBTER [not you PCR]: || | Try it. Block all network and Internet traffic in your firewall. That || | closes all ports, hence no requesting/receiving address [yours]. It || doesn't || | matter that you may have obtained an IP address or have one hard set, || there || | is no way to use it {don't try this for long or you will lose access to || the || | net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if || | applicable}...] No ports or no address and there is no network. || | Now turn it on again [or re-connect] and do a TRACE [preferred] or ping | to || | ANY web address. Notice the addresses? Notice the routing? || | NOW, exactly how did YOU receive that information? Certainly it wasn't || | broadcast to the world and you just happened to have ended up with it. | Or || | was it? 
|| | -- || | || | Now what could a hacker, or someone wishing to track you for whatever || | reason, do with that information? || | All that is originally needed by that party is the requesting/receiving || | address; e.g. your address, your activity, something you did or allowed. || | Once this is known then anything that party wishes to do can be done. Now || | think about ALWAYS ON connections. || | || | For instance, you did go through Sponge's other pages [used because it | was || | previously referenced] which address advertising and other innocent || [cough] || | inclusions on web pages, or which you may find on the Internet, correct? || | Such as: http://www.geocities.com/yosponge/othrstuf.html || | Did you look at his host file, etc.. || | Or perhaps look at ports, packets, formation, and other aspects over on: || | http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives || | || | 9X users? || | Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide || some || | nice tools for network/Internet use/diagnostics. || | Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be || careful || | using it, many servers do NOT like to be scanned, you may be logged and || your || | ISP or other agency may be contacted.. || | || | Another nifty test tool is called *tooleaky*. A little 3k tool to test || your || | supposed security [created to test/expose GRC suggestions]. Read about || what || | it does and how. You might think twice about what you think you know. || | || | If you're using 2000 or above, might want to check these older tools: || | || | http://www.foundstone.com/us/resources-free-tools.asp - Division of | McAfee || | || | Attacker 3.00 || | || | http://www.foundstone.com/knowledge/proddesc/fport.html || | fport - find out what is using what port - 2000 - XP/NT || | Identify unknown open ports and their associated applications || | Copyright 2002 © by Foundstone, Inc.
|| | http://www.foundstone.com || | fport supports Windows NT4, Windows 2000 and Windows XP || | fport reports all open TCP/IP and UDP ports and maps them to the owning || | application. This is the same information you would see using the || | 'netstat -an' command, but it also maps those ports to running processes || | with the PID, process name and path. Fport can be used to quickly | identify || | unknown open ports and their associated applications. || | || | || | Trout Version 2.0 (formerly SuboTronic) || | New in this release || | Parallel pinging, resulting in a huge speed improvement. || | Selectable background and text colors. || | Improved interface. || | Save trace to file. || | Improved HTML output. || | Optional continuous ping mode. || | Traceroute and Whois program. || | Copyright 2000 © by Foundstone, Inc. || | A visual (i.e. GUI as opposed to command-line) traceroute and Whois || program. || | Pinging can be set at a controllable rate as can the frequency of || repeatedly || | scanning the selected host. The built-in simple Whois lookup can be used || to || | identify hosts discovered along the route to the destination computer. || | Parallel pinging and hostname lookup techniques make this traceroute || program || | perhaps the fastest currently available.
|| | || | || | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on || Microsoft's || | TechNet || | || || || || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no | owner || || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no | owner || || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no || || | owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port || || | received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081, || || | Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened || || | port received': Blocked: In UDP, || || | 189.153.168.143:32737->localhost:29081, Owner: no owner || || | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner || || | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': || || | Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner || || | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': || || | Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner || || | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In || || | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: || || | no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port || || | received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081, || || | Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened || || | port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081, || || | Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened || || | port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081, || || | Owner: no owner 1,[28/Jul/2007 
01:37:36] Rule 'Packet to unopened || || | port received': Blocked: In UDP, || || | 189.128.113.251:16491->localhost:29081, Owner: no owner || || | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no || || | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port || || | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027, || || | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened || || | port received': Blocked: In UDP, || || | 200.117.180.230:22925->localhost:29081, Owner: no owner || || | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no || || | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port || || | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar || || | [200.117.180.230:22925]->localhost:29081, Owner: no owner || || | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': || || | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no || || | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port || || | received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081, || || | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened || || | port received': Blocked: In UDP, || || | 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007 || || | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, || || | 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007 || || | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, || || | 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007 || || | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, || || | 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007 || || | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, || || | 
142.161.209.54:15611->localhost:29081, Owner: no owner 1,[28/Jul/2007 || || | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, || || | 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007 || || | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, || || | msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no || || | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port || || | received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081, || || | Owner: no owner || || | || || | || || | -- || || | MEB || || | http://peoplescounsel.orgfree.com || || | ________ || || || || -- || || Thanks or Good Luck, || || There may be humor in this post, and, || || Naturally, you will not sue, || || Should things get worse after this, || || PCR || || pcrrcp@netzero.net || || || || || | || | || | -- || | MEB || | http://peoplescounsel.orgfree.com || | ________ || | || | || | || | || || | | -- | MEB | http://peoplescounsel.orgfree.com | ________ | | |
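MEB's advice in the quoted reply above (limit the DNS rule to the exact DNS server(s), port 53, a chosen range of local ports, and named applications) is a least-privilege argument that is easier to see with a concrete rule evaluation than in prose. The following Python is an added example, not Kerio code and not any rule set posted in this thread. It models an ordered rule list evaluated top-down, first match wins, with no match handed to the user as a Kerio-style requestor ("Ask"); that evaluation order is an assumption about how such lists behave, not something the thread states. The loose rule permits "UDP to port 53" with nothing else specified, which is what a program that wants to talk to an arbitrary host on port 53 needs; the tight rules carry MEB's four restrictions and end with an explicit catch-all block. Addresses (192.0.2.0/24 as the ISP's range and 192.0.2.53 as its resolver, 198.51.100.7 as a foreign resolver, 203.0.113.9 as an unsolicited sender) are RFC 5737 documentation addresses, and the application names are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# RFC 5737 documentation addresses standing in for real ones (assumptions).
ISP_NET = ip_network("192.0.2.0/24")       # the ISP's address range
ISP_RESOLVER = "192.0.2.53"                # the ISP's DNS server
FOREIGN_RESOLVER = "198.51.100.7"          # some other host answering on 53


@dataclass(frozen=True)
class Packet:
    proto: str                 # "UDP" or "TCP"
    direction: str             # "In" or "Out"
    app: str                   # owning process, or "no owner" for unsolicited inbound
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    """One entry in an ordered personal-firewall rule list. A None field
    means 'any', which is exactly where over-broad rules come from."""
    name: str
    action: str                                   # "Permit" or "Block"
    proto: Optional[str] = None
    direction: Optional[str] = None               # None = both directions
    apps: Optional[FrozenSet[str]] = None         # None = any application
    local_ports: Optional[range] = None
    remote_nets: Optional[Tuple] = None           # tuple of ip_network objects
    remote_ports: Optional[FrozenSet[int]] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.apps is not None and p.app.upper() not in self.apps:
            return False
        if self.local_ports is not None and p.local_port not in self.local_ports:
            return False
        if self.remote_ports is not None and p.remote_port not in self.remote_ports:
            return False
        if self.remote_nets is not None:
            addr = ip_address(p.remote_ip)
            if not any(addr in net for net in self.remote_nets):
                return False
        return True


def evaluate(rules, packet):
    """Top-down, first match wins (assumed evaluation order). With no match
    the firewall would prompt the user; that is modelled as 'Ask'."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "Ask", None


# Loose: 'UDP to port 53' from any program, any local port, to any host.
LOOSE_RULES = [
    Rule("DNS: any app, any server", "Permit", proto="UDP", remote_ports=frozenset({53})),
]

# Tight: exact server range, port 53, a chosen local port range, named
# applications, then an explicit catch-all so nothing falls through to a prompt.
TIGHT_RULES = [
    Rule("DNS: browser.exe", "Permit", proto="UDP", apps=frozenset({"BROWSER.EXE"}),
         local_ports=range(1024, 5001), remote_nets=(ISP_NET,), remote_ports=frozenset({53})),
    Rule("DNS: dialer.exe", "Permit", proto="UDP", apps=frozenset({"DIALER.EXE"}),
         local_ports=range(1024, 5001), remote_nets=(ISP_NET,), remote_ports=frozenset({53})),
    Rule("Block everything else", "Block"),
]

# Constructed packets: a normal lookup and its reply, an unknown program sending
# UDP/53 to a host that is not the ISP resolver, and an unsolicited datagram to
# local port 1026 of the kind the thread's log shows ("Owner: no owner").
LEGIT_QUERY = Packet("UDP", "Out", "browser.exe", 1031, ISP_RESOLVER, 53)
LEGIT_REPLY = Packet("UDP", "In", "browser.exe", 1031, ISP_RESOLVER, 53)
ROGUE_QUERY = Packet("UDP", "Out", "dropper.exe", 1040, FOREIGN_RESOLVER, 53)
UNSOLICITED = Packet("UDP", "In", "no owner", 1026, "203.0.113.9", 17898)


def compare(packets):
    """Return {label: (loose verdict, tight verdict)} for each packet."""
    return {label: (evaluate(LOOSE_RULES, p)[0], evaluate(TIGHT_RULES, p)[0])
            for label, p in packets.items()}


if __name__ == "__main__":
    table = compare({"legit query": LEGIT_QUERY, "legit reply": LEGIT_REPLY,
                     "rogue query": ROGUE_QUERY, "unsolicited": UNSOLICITED})
    for label, (loose, tight) in table.items():
        print(f"{label:12s} loose={loose:7s} tight={tight}")
```

The point the comparison makes: under the loose rule the rogue program's UDP/53 traffic to a foreign host is permitted and never logged, and the unsolicited datagram falls through to a prompt; under the tight list the same two packets are blocked by the final rule, while the legitimate query and its reply still pass. The catch-all at the end is what turns "nothing matched" from a question to the user into a logged denial.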
Guest PCR Posted July 30, 2007 Re: firewalls - what to block and why - your security at risk

MEB wrote: | "PCR" <pcrrcp@netzero.net> wrote in message | news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl... || MEB wrote: || | PCR and Gram Pappy [among others] have been discussing firewall || | settings and what they can or should be used for. || || That's right. I installed... || http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW || || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months || later began a 17 year study of what to do with it. But I should have || spoken up sooner! || || | In the spirit of those discussions, I thought I would post some || | blocked activity from a SINGLE session/contact through my ISP and || | ONLY to this news server and my email accounts [via OE6]. This is || | from the firewall log [several of my normal settings/restrictions || | were specifically reset for this presentation]. || || Thanks for jumping in. So, you wanted to see what would happen just || by connecting to the NET & using OE for mail & NG activity. | | Well, ah no, actually I wanted to let other users who may not have | investigated or understood firewalls.

Uh-huh. Naturally, you & I have advanced beyond that point.

|| || | No other Internet activity occurred [e.g., no external IE or || | browser usage or other activity]. All *allowed activity* has been || | removed, so that the addresses and activities blocked might be || | addressed for perhaps a greater understanding of the function of || | firewalls, what they can and are used for, and other aspects || | related thereto. || || Really, it's important to see what was allowed too. Where I thought || my Primary DNS Server rule would be used only by NetZero (they are || NetZero addresses in there)... really a whole bunch of apps were || using it! But that's in the other thread! | | DNS is used by any program requiring addressing information.
The sole purpose of my DNS Server rule(s)...

Protocol.......... UDP
Direction......... Both
Local Endpoint
  Ports........... 1024-5000
  Application..... Any (but now I've limited it to 5 apps by creating 5 of these rules)
Remote Endpoint
  Addresses....... The entire NetZero range
  Port............ 53

.... is to resolve NET addresses? Still, am I right to seek to limit it to the five apps I kind of have to trust? Otherwise, can't it be appropriated by some devious app to do ill?

| The key | is to limit to the EXACT DNS server(s) NOT within your system [unless | for local network traffic] and the port [53] used by that (those) | server(s) with limited [chosen by previous monitoring] local ports | and applications.

Why do I need to bother with ports, if I limit the DNS rule(s) to trusted apps & to trusted NetZero addresses? Unfortunately, Kerio does not permit a list of apps in a rule, the way it does with ports & addresses. So, currently I have coded 5 of them...!...

(1) DNS Server-- EXEC.exe (NetZero)
(2) DNS Server-- ASHWEBSV (avast! Web Scanner)
(3) DNS Server-- AVAST.SETUP (There actually is no program)
(4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
(5) DNS Server-- IExplore

| I will NOT post all my rules or what exactly I have configured | locally [that would supply the exact way to circumvent my | protection],

OK.

| however I will post this contact to retrieve the | email/news messages [your posting], with a few more inclusions | [again, slightly modified rules and rule logging]. This was ONLY to | retrieve mail and the newsgroups on Microsoft. Nothing else occurred | BUT the logon to the ISP.

OK, limited to mail & NG activities, right.

| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA | ONLINE | 7.0\WAOL.EXE

So... WAOL.exe (which was port 1030 on your computer) needed to resolve an address? And it did so at XXX.XXX.XXX.X, port 7427? Is that what that says?
| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver

I get lots of those. Here is the last I recorded...

1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8] Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver

...., but, beginning yesterday, I have chosen NOT to log those anymore. I have two rules above that blocker. One allows ICMP incoming for...

[0] Echo Reply, [3] Destination Unreachable, [11] Time Exceeded

The other allows it outgoing for...

[3] Destination Unreachable, [8] Echo Request

I think that's probably finalized for ICMP. In this case, specific apps & ports are not possible in the rules-- only specific endpoint addresses are. But mine apply to any address.

| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver

I've never seen an ALL-ROUTERS.MCAST.NET. But this would also be blocked in my machine!

| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner

I used to get these Kerio alerts about Shaw Comm...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.
...., but they are prevented now with a rule that specifically blocks RPCSS.exe (which is Distributed COM Services & which establishes the port 1027) from using UDP/TCP. Eventually, I hope to remove that block rule (& 4 others)-- after I have completed my UDP & TCP permit rules for specific, trusted apps/addresses. Then, RPCSS.exe will be blocked along with the others by virtue of not being included in the PERMITs-- & having one single BLOCK after them.

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119->localhost:1072, Owner: no owner

I haven't begun to finalize my TCP rules yet. That's probably where I go next, once UDP is done!

| at which point I disconnected having retrieved mail and the news messages.

Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe, PersFW.exe, & PFWadMin.exe-- which are just some of the ones using it in here before I recently have prevented them! Well, I guess it may require the clicking of an URL for those to kick in.

| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests.

What specifically is notable about them?

|| | For those who do not understand firewalls, these activities would or may have been allowed as they followed either programs IN USE [allowed activity], or through addressing [broadcast or otherwise] had a firewall not been used.
||
|| That is right. Without a firewall with a good set of denial rules, all activity is allowed. Hopefully, if a virus or a trojan or a spy can sneak in that way, a good virus detector will prevent it from executing. Also, there may have been an MS fix or two to prevent some forms of abuse along these lines (I don't know).
| What would make you think any anti-spyware or anti-virus programs would check or correct these types of activities?

I do believe an actual executable can be read into a machine through malicious use of these NET packets, although I'm not sure which precise protocols can do it. Once it is read in &/or tries to run, one hopes one's virus/malware scanner WILL catch it, before it delivers its payload!

| Anti-spyware programs MAY block certain addresses and perhaps some ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to infect something, or emails or files which contain hacks or other.

It is still quick enough, in the cases when this bad stuff makes it through the firewall (or the lack of one), for these other apps to catch them trying to do their ill work-- if they can! BUT, I'm sure some ill-conceived packet can possibly do ill without delivering an executable that can be caught in another way. Somewhere in my 12th year of study I will know what these packets are & the protocols they use! But I'm hoping to get my Kerio rules solidified a lot sooner!

| Host or lmhost files catch what they have been configured to catch via addressing/name. These, however, are *network use* activities WITHIN the TCP/IP and other aspects of Internet/network usage. Firewalls, proxies, packet sniffers, client servers, the TCP/IP kernel, and the like, are what handle these activities.
| Of course the above is an overly simplified explanation.

This isn't the year for me to really want to know every little detail, anyhow.

|| | NOTE: this is contact through a dial-up connection[phone]/ISP [which is indicated via some of these addresses], ALWAYS ON connections are even more of a security risk.
||
|| Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.
|
| Only if that is what the ISP requires or desires.

OK. For me, it does happen that way, I'm fairly sure.
|| | Hopefully, this discussion will be useful to those interested and provide theory and answers to various issues.
|| | Rule sets or other settings for various firewalls would naturally be of interest.
|| |
|| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
||
|| I find I have to guess as to the meaning of that. Looks like someone at 67.170.2.174, who is Comcast...
||
|| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
|| .....Quote...........
|| 67.170.2.174
|| Record Type: IP Address
||
|| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| 67.160.0.0 - 67.191.255.255
|| Comcast Cable Communications, IP Services WASHINGTON-6 (NET-67-170-0-0-1)
|| 67.170.0.0 - 67.170.127.255
|| .....EOQ.............
||
|| ...sent a UDP datagram to port 29081 on your machine. But I don't know...
||
|| (1) did the port exist without an owner, & would it have received the datagram (except the rule blocked it)? (The name of that rule suggests the answer is no.)
|
| The data request would have been received and likely honored. The port would have been opened/created to allow this activity.

I'm still thinking the port has to already be open to receive a packet. Is there documentation that may say otherwise?

|| (2) did the port once exist & at that time have an owner, but somehow was closed before the datagram arrived? Therefore, it couldn't get it, anyhow, even if not blocked?
|
| If it would have been ALLOWED activity [e.g., without proxy or firewall monitoring or exclusion, or within a hosts or lmhosts, or other], then a search would have been made for an available port, and then created/opened.
Look again at this:

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
|
| See the attempt to find or create an open port?

Looks like Shaw Comm is trying to FIND one. If it could create one, why wouldn't it stop & just create 1026? It might still be worthwhile to block these-- but I wouldn't want to block them on an individual basis per abuser like Shaw Comm.

| Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in attempt to find or create one.

I'll look.

|| (3) did the port 29081 never exist?
||
|| Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port.
|
| No we don't need that.
| Were an ALLOWED program or address using that aspect, then it would NOT have created the denial.

No, I wanted to know... did a PERMIT exist that came from port 29081? That would prove the port once existed & possibly initiated a communication with Shaw Comm. But, I'm fairly confident no such thing happened-- but it was Shaw Comm doing a probe. If it found it & activity was permitted-- mayhem such as pop-up ads or at least spying may have ensued, I think!

| Either would have cascaded to find an open port for use [as long as it was in the defined rule range].

That's what I think-- it wants to find one that is already open.

| AND you mention Kerio, which MUST have that turned on [requestor].

Oops, that's right.
"Kerio, Administration, Firewall tab" has to be set at "Ask me first". Then, when activity occurs that is not covered by a rule, an alert requestor will appear. It offers to create the rule, which later can be fine tuned. Yep, & that's a great feature!

| Other firewalls, particularly those that automatically configure themselves, MAY not pop-up anything unless it has been configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls, imagine what they are configured by default to allow.

Yep. Kerio seems to have it all. It's highly configurable!

....snip of Kerio help page

|| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
||
|| That one seems to be coming from...
||
|| NetRange: 200.0.0.0 - 200.255.255.255
|| NetName: LACNIC-200
|
| Yes, that is the key to your Firewall security. Tracking each suspect activity to the originator, if possible.

In the end, I just want to block them.

| Actually were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown.

By the way, how do you empty Kerio's Filter.log, when you think you've seen enough? (I've been deleting it in DOS along with Filter.log.idx.)

....snip of stuff not meant for me, but thanks for the additional URLs to research. And thanks for continuing to contribute to my understanding of it.

| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet

OK, I see here again are the other "no owner's"...

|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner

This is an attempt to send a UDP packet to port 1026.
I still doubt it really needs to be blocked, if the port indeed does not exist. For UDP, I favor PERMITs of trusted apps from trusted addresses-- & one single block of UDP afterwards that will cover all others. (But I'm not even totally set up that way, myself, yet.) And I want to do it that way for TCP too.

....snip of other In UDP.

|| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner

Ah-- a TCP! Soon, I must do with TCP what I nearly am finishing with UDP!

....snip

|| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner

I don't believe I've seen one of those. Could be I'm just not tracking the rule that does it. Looks like msnews.microsoft.com was still trying to communicate after the NET connection was closed. What app controlled localhost:1186?

....snip of a bunch more of In UDPs & possibly In TCPs.
Guest MEB Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:ua30J4j0HHA.4184@TK2MSFTNGP06.phx.gbl...
| Hi MEB, and all,
|
| I'm actually running a rather old version of ZA; v. 3.1.291. My philosophy is *unlike* AV apps. etc., there just isn't much to improve IMHO. I don't want or need any additional bells and whistles.

Well, I certainly can't say otherwise, I now use a Kerio PF version, long ago supposedly left in the dust, yet it seems, so far, to provide what is needed.

| And you were close, I'm running XP Pro, but I keep perusing this group, because this is where it all started for me. I still have my copy of W98SE, but it's kind of a pain to install that *after* XP is already there. I was a die-hard 98 fan, and swore I would *never* switch to XP, but the computer I inherited already had it on it. I figured I'd give it a try, and if I didn't like it, well, then back to good ol' 98. The way I have XP set up, you'd almost think it was 98. I turned off *all* the cutesy eye-candy etc., mainly for performance reasons. Besides, I *hate* pastels! This box was built for W98.

Hey, I tested an XP PRO box for a few years [using ZA], and yeah, to think that users actually like those glitzy aspects. I turned most of it off as well, cause it seemed to make everything much more difficult [though I suppose I can trace that to all those years of command prompt usage]... and slooooooow.. I felt like I was being dumbed down ...

| I have to admit that it is extremely stable, but then again so was my 98 install. It's the "junk" we add later that tends to muck things up.

Yeah, and that junk does accumulate...
gees, with this last 98SE testing install I dumped another couple of dozen MORE progs, I couldn't remember the last time I even thought about using them... then again I had to dig out some old testing programs CDs that I hadn't installed for at least two prior testing installations [old video test stuff]...

| Sorry I digressed.

Hey, you're still a die-hard 98 user at heart, PCR would say that tin foil hat did some good, still got a few bits of brain matter left <;-Q ...

So what words of wisdom for ZA could you give to its users?

| --
| HTH,
| Curt
|
| Windows Support Center
| http://www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" <meb@not here@hotmail.com> wrote in message news:%23VgmuJi0HHA.4476@TK2MSFTNGP06.phx.gbl...
| | "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:%23tJUffZ0HHA.1204@TK2MSFTNGP03.phx.gbl...
| || Some real food for thought gentlemen. Thank you.
| ||
| || P.S. I've been using ZA since 2000.
| ||
| || --
| || HTH,
| || Curt
| ||
| || Windows Support Center
| || http://www.aumha.org
| || Practically Nerded,...
| || http://dundats.mvps.org/Index.htm
| |
| | We aim to please...
| |
| | I also used ZA for a number of years on the various 9X boxes and XP. The rules aspect of other firewalls always drew me [having a Linux, Zenix, NT background] but I thought it wise to use what others might be using [for comparison purposes].
| | Now however, with the use of highly questionable activities on the Internet, and my personal questions related to ZA, and no support from Microsoft and ZoneLabs, I thought I would return to something which gave considerably more control during my final testing days under 9X.
| |
| | I have an old ZA version [forgot which version though, and have no intention of re-installing it] about 1.4meg which actually seemed to supply MOST of the normal functions required, at least semi-adequately.
| | Sometimes I thought the newer versions were attempting aspects which were not well implemented or implemented in a fashion I thought not user friendly. Of course there is an ability to setup *rules like* activities within ZA, but I would imagine most users do not do so.
| |
| | In the spirit of this discussion, which is to include any firewalls [and I hope it eventually does. Note this has ZONEALARM now in its subject heading]:
| |
| | What version and product are you or others using?
| |
| | Have you or others run monitoring/sniffing programs while using ZA to see if it actually performs as advertised?
| |
| | What settings or other seemed to be the most useful to you or other users?
| |
| | What advice would users give concerning settings, configuration, etc. to other users of ZA, [noting in Curt's case, I think you're using it under W2K, so does that offer anything different as far as you know]?
| |
| | Have you or other users created any similar rules within ZA to the below [referencing Kerio PFW rules]?
| |

--
MEB
http://peoplescounsel.orgfree.com
________
Guest Curt Christianson Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

| | So what words of wisdom for ZA could you give to its users?

Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR might claim I don't have any words at all, let alone "wise" ones.

I can only say that if one is running an older machine as I am, and would like to use a software firewall, you're not stuck with having to use the newest and fanciest (and usually most resource intensive). Old versions of ZA, and I imagine other names can be found all over the Internet. The first place that comes to mind is http://www.oldversion.com/ . Firewalls and AV apps. are notorious for causing longer boot times, and resource usage--and newer usually means even more overhead. I *need* the latest/greatest, most up-to-date AV, but when it comes to firewalls newer is *not* necessarily better.

I also encountered a problem between AOL and ZA back in the days. ZA would block AOL, no matter what kind of permissions etc. I gave unless I dropped the "Internet Security Zone" from "High" to "Medium", then all was well. MEB, I believe you are using AOL or Netscape, am I correct?

I finally turned off the "casual" alerts, as they were coming too fast and furious. I just sat back and let ZA do its job.

One final note, if one has logging enabled, be sure to occasionally clean out the old ZA logs--not a whole lot of use for them usually. On old ZA installations, it's not located in the ZA folder, but rather at C:\Windows\Internet Logs.

That's more than I've said in the whole time I used to hang out here!

--
HTH,
Curt

Windows Support Center
http://www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
| <snipped>
Guest Galen Somerville Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:enX73Vq0HHA.4184@TK2MSFTNGP06.phx.gbl...
> | | So what words of wisdom for ZA could you give to its users?
>
> Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR might claim I don't have any words at all, let alone "wise" ones.
>
> I can only say that if one is running an older machine as I am, and would like to use a software firewall, you're not stuck with having to use the newest and fanciest (and usually most resource intensive). Old versions of ZA, and I imagine other names can be found all over the Internet. The first place that comes to mind is http://www.oldversion.com/ . Firewalls and AV apps. are notorious for causing longer boot times, and resource usage--and newer usually means even more overhead. I *need* the latest/greatest, most up-to-date AV, but when it comes to firewalls newer is *not* necessarily better.
>
> I also encountered a problem between AOL and ZA back in the days. ZA would block AOL, no matter what kind of permissions etc. I gave unless I dropped the "Internet Security Zone" from "High" to "Medium", then all was well. MEB, I believe you are using AOL or Netscape, am I correct?
>
> I finally turned off the "casual" alerts, as they were coming too fast and furious. I just sat back and let ZA do its job.
>
> One final note, if one has logging enabled, be sure to occasionally clean out the old ZA logs--not a whole lot of use for them usually. On old ZA installations, it's not located in the ZA folder, but rather at C:\Windows\Internet Logs.
>
> That's more than I've said in the whole time I used to hang out here!
>
> --
> HTH,
> Curt
>
> Windows Support Center
> http://www.aumha.org
> Practically Nerded,...
> http://dundats.mvps.org/Index.htm
>
> "MEB" <meb@not here@hotmail.com> wrote in message news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
> | <snipped>

I use ZA 6.1.744.001 on my Win98se and have had zero problems with it.

Galen
Guest MEB Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message news:enX73Vq0HHA.4184@TK2MSFTNGP06.phx.gbl...
| | | So what words of wisdom for ZA could you give to its users?
|
| Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR might claim I don't have any words at all, let alone "wise" ones.
|
| I can only say that if one is running an older machine as I am, and would like to use a software firewall, you're not stuck with having to use the newest and fanciest (and usually most resource intensive). Old versions of ZA, and I imagine other names can be found all over the Internet. The first place that comes to mind is http://www.oldversion.com/ . Firewalls and AV apps. are notorious for causing longer boot times, and resource usage--and newer usually means even more overhead. I *need* the latest/greatest, most up-to-date AV, but when it comes to firewalls newer is *not* necessarily better.

Those are good points. AV of course does require updates constantly to address new threats, whereas firewalls, if they actually provided the protection needed at some point in their version history, MAY continue to do so. As long as IPv6 and other newer aspects of net usage can be addressed within the firewall, their function can still be counted upon. I would presume though, that protocol/packet changes may make some of the oldest versions incapable.

I seem to remember ZA issuing a few supposed updates which were more for *visual effects* than for much of anything else... I also thought the clickable *server* / two zone aspects were perhaps a bit weak for control, though useful... since I was previously testing a number of programs from the net, I can say ZA DID catch [at least] one which would have been a security threat since it constantly wanted full control and net contact, and to *phone home* even when supposedly not running [no visual in ctrl/alt/del, though viewable in Process Explorer and other such programs, and locatable in the registry] which could be blocked via those server/zone allowances, though those programs were always removed when that was found; if it isn't being used, what right does it have to MY Internet usage or my network....

| I also encountered a problem between AOL and ZA back in the days. ZA would block AOL, no matter what kind of permissions etc. I gave unless I dropped the "Internet Security Zone" from "High" to "Medium", then all was well. MEB, I believe you are using AOL or Netscape, am I correct?

YES, in part ... AOL is used for this: contact name; news group contact; and tracking/testing installation. AOL is *all over the place* in addressing, sometimes one address is used exclusively for one function, sometimes it appears to be used for something else... then other servers are added, then not used again,,, I suppose AOL believes it's a private network and its users will not use anything but the AOL browser, email, and its local network for everything ... AS IF AOL would force a lengthy discussion all its own, such a mess, so intrusive... I'm STILL trying to lock down aspects because I hate general allowances, believing they give too much control to someone else, too many attackable entry points ...

| I finally turned off the "casual" alerts, as they were coming too fast and furious. I just sat back and let ZA do its job.
| One final note, if one has logging enabled, be sure to occasionally clean out the old ZA logs--not a whole lot of use for them usually. On old ZA installations, it's not located in the ZA folder, but rather at C:\Windows\Internet Logs.
|
| That's more than I've said in the whole time I used to hang out here!

But you're still here, AND that is good advice... don't be a stranger, I'm sure you still remember enough about 98 to participate in the group ... and we do have the dual booters, so your XP experience is relevant ... Though remarkably, many try to run those issues out of here ... as if the issues aren't relevant in either XP groups or here .... though supposedly they ARE relevant in those 2000, 2003, XP, VISTA groups, AND even though some of those same people monitoring this group DO answer those questions in those groups or other forums, go figure ... guess they must think 98 users are intellectually incapable, you HAVE to use those nifty new OSs to have any interest or comprehension ... But now *I* digress ....

[Let's see if this makes it through, my PCR response has not, through six attempts]

| --
| HTH,
| Curt
|
| Windows Support Center
| http://www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" <meb@not here@hotmail.com> wrote in message news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
| | <snipped>

--
MEB
http://peoplescounsel.orgfree.com
________
Guest MEB Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

Make that seven attempts.

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

Curt Christianson wrote:
|| So what words of wisdom for ZA could you give to its users?
|
| Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR might claim I don't have any words at all, let alone "wise" ones.

You had one/two episodes of wisdom once, Christianson. I'm sure we all would remember them, if we try. But I'm just wondering now... you say you INHERITED that machine? I'm very suspicious of XP-irradiation being the reason why!

| I can only say that if one is running an older machine as I am, and would like to use a software firewall, you're not stuck with having to use the newest and fanciest (and usually most resource intensive). Old versions of ZA, and I imagine other names can be found all over the Internet. The first place that comes to mind is http://www.oldversion.com/ . Firewalls and AV apps. are notorious for causing longer boot times, and resource usage--and newer usually means even more overhead. I *need* the latest/greatest, most up-to-date AV, but when it comes to firewalls newer is *not* necessarily better.

I agree. Until new protocols are added to NET talk, a new firewall should be unnecessary. And I can't imagine anything being more configurable than Kerio Firewall v.2.1.5. The only things...

(a) I wish there could be a list of apps in a single rule, like they allow a list/range of ports & addresses.
(b) It would be nice to duplicate a rule with a click, just as a template or starting point for a similar one.

BUT, there's a TON to like about Kerio. Very configurable!

| I also encountered a problem between AOL and ZA back in the days. ZA would block AOL, no matter what kind of permissions etc. I gave unless I dropped the "Internet Security Zone" from "High" to "Medium", then all was well. MEB, I believe you are using AOL or Netscape, am I correct?
| I finally turned off the "casual" alerts, as they were coming too fast and furious. I just sat back and let ZA do its job.
| One final note, if one has logging enabled, be sure to occasionally clean out the old ZA logs--not a whole lot of use for them usually. On old ZA installations, it's not located in the ZA folder, but rather at C:\Windows\Internet Logs.

Hmm. There seems to be no way to delete Kerio's Filter.log, except to drop into DOS for it. And I think Filter.log.idx must be deleted too, then. That's another thing!

| That's more than I've said in the whole time I used to hang out here!

Maybe you're getting giddy of XP-poisoning now!

| --
| HTH,
| Curt
|
| Windows Support Center
| http://www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" <meb@not here@hotmail.com> wrote in message news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
|| <snipped>

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest Curt Christianson Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

LOL! Thanks PCR. That reminds me of the one where "I thought I was wrong once, but I must have been mistaken".

--
HTH,
Curt

Windows Support Center
http://www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"PCR" <pcrrcp@netzero.net> wrote in message news:ekyxRqu0HHA.3768@TK2MSFTNGP06.phx.gbl...
| Curt Christianson wrote:
||| So what words of wisdom for ZA could you give to its users?
||
|| Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR might claim I don't have any words at all, let alone "wise" ones.
|
| You had one/two episodes of wisdom once, Christianson. I'm sure we all would remember them, if we try. But I'm just wondering now... you say you INHERITED that machine? I'm very suspicious of XP-irradiation being the reason why!
|
|| I can only say that if one is running an older machine as I am, and would like to use a software firewall, you're not stuck with having to use the newest and fanciest (and usually most resource intensive). Old versions of ZA, and I imagine other names can be found all over the Internet. The first place that comes to mind is http://www.oldversion.com/ . Firewalls and AV apps. are notorious for causing longer boot times, and resource usage--and newer usually means even more overhead. I *need* the latest/greatest, most up-to-date AV, but when it comes to firewalls newer is *not* necessarily better.
|
| I agree. Until new protocols are added to NET talk, a new firewall should be unnecessary. And I can't imagine anything being more configurable than Kerio Firewall v.2.1.5. The only things...
|
| (a) I wish there could be a list of apps in a single rule, like they allow a list/range of ports & addresses.
| (b) It would be nice to duplicate a rule with a click, just as a template or starting point for a similar one.
|
| BUT, there's a TON to like about Kerio. Very configurable!
|
|| I also encountered a problem between AOL and ZA back in the days. ZA would block AOL, no matter what kind of permissions etc. I gave unless I dropped the "Internet Security Zone" from "High" to "Medium", then all was well. MEB, I believe you are using AOL or Netscape, am I correct?
|| I finally turned off the "casual" alerts, as they were coming too fast and furious. I just sat back and let ZA do its job.
|| One final note, if one has logging enabled, be sure to occasionally clean out the old ZA logs--not a whole lot of use for them usually. On old ZA installations, it's not located in the ZA folder, but rather at C:\Windows\Internet Logs.
|
| Hmm. There seems to be no way to delete Kerio's Filter.log, except to drop into DOS for it. And I think Filter.log.idx must be deleted too, then. That's another thing!
|
|| That's more than I've said in the whole time I used to hang out here!
|
| Maybe you're getting giddy of XP-poisoning now!
|
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| http://www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
||
|| "MEB" <meb@not here@hotmail.com> wrote in message news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
||| <snipped>
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
Guest Curt Christianson Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

Thanks so much. I'll be watching for further developments, and putting my 2 cents worth in.

--
HTH,
Curt

Windows Support Center
http://www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message news:uYzk%23Ju0HHA.4344@TK2MSFTNGP03.phx.gbl...
|
| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
| news:enX73Vq0HHA.4184@TK2MSFTNGP06.phx.gbl...
|| | So what words of wisdom for ZA could you give to its users?
||
|| Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR
|| might claim I don't have any words at all, let alone "wise" ones.
||
|| I can only say that if one is running an older machine as I am, and would
|| like to use a software firewall, you're not stuck with having to use the
|| newest and fanciest (and usually most resource intensive). Old versions
| of
|| ZA, and I imagine other names can be found all over the Internet. The
| first
|| place that comes to mind is http://www.oldversion.com/ . Firewalls and AV
|| apps. are notorious for causing longer boot times, and resource usage--and
|| newer usually means even more overhead. I *need* the latest/greatest,
| most
|| up-to-date AV, but when it comes to firewalls newer is *not* necessarily
|| better.
|
| Those are good points. AV of course does require updates constantly to
| address new threats, whereas firewalls if they actually provided the
| protection needed at some point in their version history, MAY continue to do
| so. As long as IPv6 and other newer aspects of net usage can be addressed
| within the firewall, their function can still be counted upon.
| I would presume though, that protocol/packet changes may make some of the
| oldest versions incapable. I seem to remember ZA issuing a few supposed
| updates which were more for *visual effects* than for much of anything
| else...
|
| I also thought the clickable *server* / two zone aspects were perhaps a bit
| weak for control, though useful... since I was previously testing a number
| of programs from the net, I can say ZA DID catch [at least] one which would
| have been a security threat since it constantly wanted full control and net
| contact, and to *phone home* even when supposedly not running [no visual in
| ctrl/alt/del, though viewable in Process Explorer and other such programs,
| and locatable in the registry] which could be blocked via those server/zone
| allowances, though those programs were always removed when that was found;
| if it isn't being used, what right does it have to MY Internet usage or my
| network....
|
|| I also encountered a problem between AOL and ZA back in the days. ZA
| would
|| block AOL, no matter what kind of permissions etc. I gave unless I dropped
|| the "Internet Security Zone" from "High" to "Medium", then all was well.
|| MEB, I believe you are using AOL or Netscape, am I correct?
|
| YES, in part ...
| AOL is used for this: contact name; news group contact; and
| tracking/testing installation.
| AOL is *all over the place* in addressing, sometimes one address is used
| exclusively for one function, sometimes it appears to be used for something
| else... then other servers are added, then not used again,,, I suppose AOL
| believes it's a private network and its users will not use anything but the
| AOL browser, email, and its local network for everything ... AS IF
| AOL would force a lengthy discussion all its own, such a mess, so
| intrusive... I'm STILL trying to lock down aspects because I hate general
| allowances, believing they give too much control to someone else, too many
| attackable entry points ...
|
|| I finally turned off the "casual" alerts, as they were coming too fast and
|| furious. I just sat back and let ZA do its job.
|| One final note, if one has logging enabled, be sure to occasionally clean
|| out the old ZA logs--not a whole lot of use for them usually. On old ZA
|| installations, it's not located in the ZA folder, but rather at
|| C:\Windows\Internet Logs.
||
|| That's more than I've said in the whole time I used to hang out here!
||
|
| But you're still here, AND that is good advice... don't be a stranger, I'm
| sure you still remember enough about 98 to participate in the group ... and
| we do have the dual booters, so your XP experience is relevant ...
|
| Though remarkably, many try to run those issues out of here ... as if the
| issues aren't relevant in either XP groups or here .... though supposedly
| they ARE relevant in those 2000, 2003, XP, VISTA groups, AND even though
| some of those same people monitoring this group DO answer those questions in
| those groups or other forums, go figure ... guess they must think 98 users
| are intellectually incapable, you HAVE to use those nifty new OSs to have
| any interest or comprehension ...
|
| But now *I* digress ....
| [Let's see if this makes it through, my PCR response has not, through six
| attempts]
|
||
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| http://www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
||
|| "MEB" <meb@not here@hotmail.com> wrote in message
|| news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
|| |
|| <snipped>
||
||
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
Guest PCR Posted July 30, 2007
Re: firewalls - what to block and why - your security at risk

Just testing to see whether this thread segment died of XP-irradiation from Christianson's post! MEB has complained he couldn't post here!
Guest PCR Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

MEB wrote:
....snip
| [Let's see if this makes it through, my PCR response has not, through
| six attempts]

Let me go try. But if it won't work there, put it here. There's no telling which thread segments will perish first, once an XP-machine has posted to the thread!
Guest PCR Posted July 30, 2007
Re: firewalls - ZONEALARM - what to block and why - your security at risk

Curt Christianson wrote:
| LOL! Thanks PCR. That reminds me of the one where "I thought I was
| wrong once, but I must have been mistaken".

You are welcome. And looks like I can still post to this thread. MEB must have forgotten his tinfoil hat, is all!

| --
| HTH,
| Curt
|
| Windows Support Center
| http://www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:ekyxRqu0HHA.3768@TK2MSFTNGP06.phx.gbl...
|| Curt Christianson wrote:
|||| So what words of wisdom for ZA could you give to its users?
|||
||| Words of wisdom, well, after spending 1 1/2 years under XP's spell,
||| PCR might claim I don't have any words at all, let alone "wise"
||| ones.
||
|| You had one/two episodes of wisdom once, Christianson. I'm sure we
|| all would remember them, if we try. But I'm just wondering now...
|| you say you INHERITED that machine? I'm very suspicious of
|| XP-irradiation being the reason why!
||
||| I can only say that if one is running an older machine as I am, and
||| would like to use a software firewall, you're not stuck with having
||| to use the newest and fanciest (and usually most resource
||| intensive). Old versions of ZA, and I imagine other names can be
||| found all over the Internet. The first place that comes to mind is
||| http://www.oldversion.com/ . Firewalls and AV apps. are notorious
||| for causing longer boot times, and resource usage--and newer usually
||| means even more overhead. I *need* the latest/greatest, most
||| up-to-date AV, but when it comes to firewalls newer is *not*
||| necessarily better.
||
|| I agree. Until new protocols are added to NET talk, a new firewall
|| should be unnecessary. And I can't imagine anything being more
|| configurable than Kerio Firewall v.2.1.5. The only things...
||
|| (a) I wish there could be a list of apps in a single rule,
|| like they allow a list/range of ports & addresses.
||
|| (b) It would be nice to duplicate a rule with a click,
|| just as a template or starting point for a similar one.
||
|| BUT, there's a TON to like about Kerio. Very configurable!
||
||| I also encountered a problem between AOL and ZA back in the days.
||| ZA would block AOL, no matter what kind of permissions etc. I gave
||| unless I dropped the "Internet Security Zone" from "High" to
||| "Medium", then all was well. MEB, I believe you are using AOL or
||| Netscape, am I correct?
||| I finally turned off the "casual" alerts, as they were coming too
||| fast and furious. I just sat back and let ZA do its job.
||| One final note, if one has logging enabled, be sure to occasionally
||| clean out the old ZA logs--not a whole lot of use for them usually.
||| On old ZA installations, it's not located in the ZA folder, but
||| rather at C:\Windows\Internet Logs.
||
|| Hmm. There seems to be no way to delete Kerio's Filter.log, except to
|| drop into DOS for it. And I think Filter.log.idx must be deleted too,
|| then. That's another thing!
||
||| That's more than I've said in the whole time I used to hang out
||| here!
||
|| Maybe you're getting giddy of XP-poisoning now!
||
||| --
||| HTH,
||| Curt
|||
||| Windows Support Center
||| http://www.aumha.org
||| Practically Nerded,...
||| http://dundats.mvps.org/Index.htm
|||
||| "MEB" <meb@not here@hotmail.com> wrote in message
||| news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
||||
||| <snipped>
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest MEB Posted July 31, 2007
Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

PART 2 of 2

| |
| || | NOTE: this is contact through a dial-up connection[phone]/ISP
| || | [which is indicated via some of these addresses], ALWAYS ON
| || | connections are even more of a security risk.
| ||
| || Uhuh. I am Dial-Up too. That way, you get a new IP address each
| || connect.
| |
| | Only if that is what the ISP requires or desires.
|
| OK. For me, it does happen that way, I'm fairly sure.
|
| ||
| || | Hopefully, this discussion will be useful to those interested and
| || | provide theory and answers to various issues.
| || | Rule sets or other settings for various firewalls would naturally
| || | be of interest.
| || |
| || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no
| || | owner
| ||
| || I find I have to guess as to the meaning of that. Looks like someone
| || at
| || 67.170.2.174, who is Comcast...
| ||
| || http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
| || .....Quote...........
| || 67.170.2.174
| || Record Type: IP Address
| ||
| || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
| || 67.160.0.0 - 67.191.255.255
| || Comcast Cable Communications, IP Services WASHINGTON-6
| || (NET-67-170-0-0-1)
| || 67.170.0.0 - 67.170.127.255
| || .....EOQ.............
| ||
| || ...sent a UDP datagram to port 29081 on your machine. But I don't
| || know...

The Comcast Cable apparently came from an adverti$ement appearing upon the AOL start page..

| ||
| || (1) did the port exist without an owner, & would it have received
| || the datagram (except the rule blocked it)?
| || (The name of that rule suggests the answer is no.)
| |
| | The data request would have been received and likely honored.
| | The port would have been opened/created to allow this activity.
|
| I'm still thinking the port has to already be open to receive a packet.
| Is there documentation that may say otherwise?

The port has to be free/not in use. [with exceptions such as piggy-backed activity].. The ports are already there in the protocol... ports available range from what to what? Created is actually somewhat misleading.. when I use that I refer to the intended use and the port.. Ports supposedly to be assigned/used for specific purposes CAN be used for other activities... so using external port 53 for example, without a rule it COULD potentially be used for some nefarious activities. The same holds true for other normally acceptable port usage such as 67 and 68 [DHCP]...

| |
| ||
| || (2) did the port once exist & at that time have an owner,
| || but somehow was closed before the datagram arrived?
| || Therefore, it couldn't get it, anyhow, even if not blocked?
| |
| | If it would have been ALLOWED activity [e.g., without proxy or
| | firewall monitoring or exclusion, or within a hosts or lmhosts, or
| | other]], then a search would have been made for an available port,
| | and then created/opened. Look again at this:
| |
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1028, Owner: no owner
| |
| | See the attempt to find or create an open port?
|
| Looks like Shaw Comm is trying to FIND one. If it could create one, why
| wouldn't it stop & just create 1026?

It would if it was allowed to do so. Once there, it's all a matter of time.. ..

| It might still be worthwhile to block these-- but I wouldn't want to
| block them on an individual basis per abuser like Shaw Comm.
| |
| | Now, should I have stayed online, there would have been continued
| | attempts [see your prior discussion where I was online longer],
| | though with different Shaw addressing and OUT ports, again stepping
| | through IN [local] ports in attempt to find or create one.
|
| I'll look.
|
| ||
| || (3) did the port 29081 never exist?
| ||
| || Do any earlier log entries mention that port? You'd have to log all
| || activity of each "permit" rule to know for sure. But, if there is no
| || rule permitting the activity, then you would have received a Kerio
| || requestor mentioning the port.
| |
| | No we don't need that.
| | Were an ALLOWED program or address using that aspect, then it would
| | NOT have created the denial.
|
| No, I wanted to know... did a PERMIT exist that came from port 29081?
| That would prove the port once existed & possibly initiated a
| communication with Shaw Comm. But, I'm fairly confident no such thing
| happened-- but it was Shaw Comm doing a probe. If it found it & activity
| was permitted-- mayhem such as pop-up ads or at least spying may have
| ensued, I think!

EXACTLY, a probe to see if anything was open it could use... for instance, even just a monitor of this forum OFF SITE, might be in violation of the Law unless it is strictly the forum that is monitored, any other tracking [like users] could be illegal ..

| |
| | Either would have cascaded to find an
| | open port for use [as long as it was in the defined rule range].
|
| That's what I think-- it wants to find one that is already open.
|
| | AND you mention Kerio, which MUST have that turned on [requestor].
|
| Oops, that's right. "Kerio, Administration, Firewall tab" has to be set
| at "Ask me first". Then, when activity occurs that is not covered by a
| rule, an alert requestor will appear. It offers to create the rule,
| which later can be fine tuned.

Yep, & that's a great feature!

| |
| | Other firewalls, particularly those that automatically configure
| | themselves, MAY not pop-up anything unless it has been configured
| | that way. They also MAY pass through such requests if piggy-backed
| | from or on allowed activities/programs. Think "but all I want to know
| | is the user address". Think Microsoft's firewalls, imagine what they
| | are configured by default to allow.
|
| Yep. Kerio seems to have it all. It's highly configurable!
|
| ...snip of Kerio help page
| || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
| ||
| || That one seems to be coming from...
| ||
| || NetRange: 200.0.0.0 - 200.255.255.255
| || NetName: LACNIC-200
| |
| | Yes, that is the key to your Firewall security.
| | Tracking each suspect activity to the originator, if possible.
|
| In the end, I just want to block them.

Oh I agree, just blocking is much easier. But presently I don't like or accept all this activity, so I block the ones I have finished tracing, and monitor/log the others til I have sufficient materials. Kind of like preparing cases...

| |
| | Actually were I to post prior complete TRACKING logs [which I
| | collect(ed) for specific use], say for one day's normal usage, vast
| | numbers of potentially dangerous attacks/attempts would be shown.
|
| By the way, how do you empty Kerio's Filter.log, when you think you've
| seen enough? (I've been deleting it in DOS along with Filter.log.idx.)

Right click and delete within the viewer..

| |
| ...snip of stuff not meant for me, but thanks for the additional URLs to
| research. And thanks for continuing to contribute to my understanding of
| it.
| |
| | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
| | Microsoft's TechNet
| |
|
| OK, I see here again are the other "no owner's"...
| |
| ||
| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no
| || | owner
|
| This is an attempt to send a UDP packet to port 1026. I still doubt it
| really needs to be blocked, if the port indeed does not exist. For UDP,
| I favor PERMITs of trusted apps from trusted addresses-- & one single
| block of UDP afterwards that will cover all others. (But I'm not even
| totally set up that way, myself, yet.) And I want to do it that way for
| TCP too.

It's blocked because I have no rule to specifically allow it... TCP is infinitely harder to rule, blanket rules WILL allow access you likely will regret.

| |
| ...snip of other In UDP.
| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port
| || | received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212,
| || | Owner: no owner
|
| Ah-- a TCP! Soon, I must do with TCP what I nearly am finishing with
| UDP!
|
| ...snip
| || | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
| || | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186,
| || | Owner: no owner
|
| I don't believe I've seen one of those. Could be I'm just not tracking
| the rule that does it. Looks like msnews.microsoft.com was still trying
| to communicate after the NET connection was closed. What app controlled
| localhost:1186?

In my *tracking* config, your continuing port concerns are not the primary issue, but whether the specific address has been allowed. This address is not allowed... the PRIMARY point is to track *hack/trace/AD/spyware* attempts, AND secondary, minimum required addresses for the target application so ranges can be found.

| |
| ...snip of a bunch more of In UDPs & possibly In TCPs.
| |
|

--
MEB
http://peoplescounsel.orgfree.com
________

"PCR" <pcrrcp@netzero.net> wrote in message news:eEz4Oyu0HHA.1204@TK2MSFTNGP03.phx.gbl...
| Just testing to see whether this thread segment died of XP-irradiation
| from Christianson's post! MEB has complained he couldn't post here!
|
|
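An added illustration of the "stepping through IN ports" pattern MEB and PCR discuss above; it is not code from either poster and not Kerio's own. The Python below parses Filter.log lines in the format quoted in the thread (the sample is constructed from the addresses the posts cite, with 198.51.100.1 standing in for the redacted XXX.XXX.XXX.X) and flags any source that hits several unowned local ports within a short window, which is what the Shaw Comm entries for 1026/1027/1028 look like in aggregate. The regular expression, the Event fields and the 60-second window are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the Kerio Personal Firewall 2.x Filter.log format quoted
# in the thread; 198.51.100.1 is a placeholder for the poster's redacted address.
SAMPLE_LOG = r"""1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->198.51.100.1:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
"""

# Assumed line grammar: flag,[timestamp] Rule 'name': action: direction proto[, icmp type], src->dst, Owner: owner
LINE_RE = re.compile(
    r"^(?P<flag>\d+),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Permitted|Blocked): (?P<direction>In|Out) (?P<proto>\w+)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<src>.+?)->(?P<dst>.+?), Owner: (?P<owner>.*)$"
)


@dataclass
class Event:
    time: datetime
    rule: str
    action: str            # "Permitted" or "Blocked"
    direction: str         # "In" or "Out"
    proto: str             # "UDP", "TCP" or "ICMP"
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    owner: str             # owning program, or "no owner"
    icmp_type: Optional[int] = None


def parse_endpoint(text: str):
    """'host:port', bare 'host' (ICMP) or 'name [ip:port]' -> (host, port or None)."""
    bracketed = re.search(r"\[([^\]]+)\]", text)
    if bracketed:
        text = bracketed.group(1)          # prefer the resolved ip:port
    host, sep, port = text.rpartition(":")
    if not sep:
        return text, None
    return host, int(port)


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                         # skip lines that are not log entries
    src_host, src_port = parse_endpoint(m["src"])
    dst_host, dst_port = parse_endpoint(m["dst"])
    return Event(
        time=datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
        rule=m["rule"], action=m["action"], direction=m["direction"],
        proto=m["proto"], src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port, owner=m["owner"],
        icmp_type=int(m["icmp_type"]) if m["icmp_type"] else None,
    )


def parse_log(text: str):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def find_port_sweeps(events, min_ports=3, window_seconds=60):
    """Sources whose blocked inbound packets reached >= min_ports distinct local
    ports within window_seconds: the 'stepping through ports' pattern."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.direction == "In" and ev.action == "Blocked" and ev.dst_port is not None:
            by_src[ev.src_host].append(ev)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.time)
        for i, first in enumerate(evs):
            ports = {e.dst_port for e in evs[i:]
                     if (e.time - first.time).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports)
                break
    return sweeps


def ownerless_blocked(events):
    """Blocked inbound packets aimed at ports no local process owns."""
    return [ev for ev in events
            if ev.action == "Blocked" and ev.direction == "In" and ev.owner == "no owner"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events, {len(ownerless_blocked(evs))} blocked to unowned ports")
    for src, ports in find_port_sweeps(evs).items():
        print(f"port sweep from {src}: {ports}")
```

On the sample the only source flagged is 24.64.192.20 with ports [1026, 1027, 1028]; the two-port 218.10.137.139 entries stay below the threshold, which is the knob to lower if a single extra probe is worth an alert. Feeding the real Filter.log through the same parser answers PCR's question about whether a PERMIT ever mentioned port 29081: filter on dst_port or src_port and action == "Permitted".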
Guest PCR Posted July 31, 2007
Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

MEB wrote:
| PART 2 of 2

I don't see part 1.

....snip
|| By the way, how do you empty Kerio's Filter.log, when you think
|| you've seen enough? (I've been deleting it in DOS along with
|| Filter.log.idx.)
|
| Right click and delete within the viewer..

Oh, my God! You are right! And it deleted the .idx file too! Thanks!

I'll answer the rest of the post tomorrow.
Guest MEB Posted July 31, 2007
Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

Part 1 will have to be broken up.. I think the filters are now ON and there is an area that is not supposed to be discussed.. think I might have located it... after 15 tries and several additional partial post failed attempts...

--
MEB
http://peoplescounsel.orgfree.com
________

"PCR" <pcrrcp@netzero.net> wrote in message news:OFdYmUx0HHA.4652@TK2MSFTNGP05.phx.gbl...
| MEB wrote:
| | PART 2 of 2
|
| I don't see part 1.
|
| ...snip
| || By the way, how do you empty Kerio's Filter.log, when you think
| || you've seen enough? (I've been deleting it in DOS along with
| || Filter.log.idx.)
| |
| | Right click and delete within the viewer..
|
| Oh, my God! You are right! And it deleted the .idx file too! Thanks!
|
| I'll answer the rest of the post tomorrow.
|
|
Guest MEB Posted July 31, 2007
Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl...
|"PCR" <pcrrcp@netzero.net> wrote in message
|news:eEz4Oyu0HHA.1204@TK2MSFTNGP03.phx.gbl...
| Just testing to see whether this thread segment died of XP-irradiation
| from Christianson's post! MEB has complained he couldn't post here!
|
|
|"PCR" <pcrrcp@netzero.net> wrote in message
|news:eEz4Oyu0HHA.1204@TK2MSFTNGP03.phx.gbl...
| Just testing to see whether this thread segment died of XP-irradiation
| from Christianson's post! MEB has complained he couldn't post here!
|
|
|"PCR" <pcrrcp@netzero.net> wrote in message
|news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl...
| MEB wrote:
| | "PCR" <pcrrcp@netzero.net> wrote in message
| | news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
| || MEB wrote:
| || | PCR and Gram Pappy [among others] have been discussing firewall
| || | settings and what they can or should be used for.
| ||
| || That's right. I installed...
| ||
| http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
| ||
| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
| || later began a 17 year study of what to do with it. But I should have
| || spoken up sooner!
| ||
| || | In the spirit of those discussions, I thought I would post some
| || | blocked activity from a SINGLE session/contact through my ISP and
| || | ONLY to this news server and my email accounts [via OE6]. This is
| || | from the firewall log [several of my normal settings/restrictions
| || | were specifically reset for this presentation].
| ||
| || Thanks for jumping in. So, you wanted to see what would happen just
| || by connecting to the NET & using OE for mail & NG activity.
| |
| | Well, ah no, actually I wanted to let other users who may not have
| | investigated or understand firewalls.
|
| Uh-huh. Naturally, you & I have advanced beyond that point.

hehehe, maybe,,,,,

| ||
| || | No other Internet activity occurred [e.g., no external IE or
| || | browser usage or other activity]. All *allowed activity* has been
| || | removed, so that the addresses and activities blocked might be
| || | addressed for perhaps a greater understanding of the function of
| || | firewalls, what they can and are used for, and other aspects
| || | related thereto.
| ||
| || Really, it's important to see what was allowed too. Where I thought
| || my Primary DNS Server rule would be used only by NetZero (they are
| || NetZero addresses in there)... really a whole bunch of apps were
| || using it! But that's in the other thread!
| |
| | DNS is used by any program requiring addressing information.
|
| The sole purpose of my DNS Server rule(s)...
|
| Protocol.......... UDP
| Direction......... Both
| Local Endpoint
| Ports........... 1024-5000
| Application... Any (but now I've limited it to 5 apps
| by creating 5 of these rules)
| Remote Endpoint
| Addresses.... The entire NetZero range
| Port............. 53
|
| ... is to resolve NET addresses? Still, am I right to seek to limit it
| to the five apps I kind of have to trust? Otherwise, can't it be
| appropriated by some devious app to do ill?

As you posted, yes, it would appear so. But is it necessary or reasonable to create one rule with ALL the address range included and allowed? Seems that leaves an awful lot of addresses available to hijack/spoof... though limiting it to JUST those apps does decrease that ability..

| |
| | The key
| | is to limit to the EXACT DNS server(s) NOT within your system [unless
| | for local network traffic] and the port [53] used by that (those)
| | server(s) with limited [chosen by previous monitoring] local ports
| | and applications.
|
| Why do I need to bother with ports, if I limit the DNS rule(s) to
| trusted apps & to trusted NetZero addresses?

Well, 53 is the standard port for that type of request, and is held as such... as for requesting port, there may be a LARGE fluctuation.. I think you limiting to the specific apps will suffice, perhaps someone more qualified can confirm...

| Unfortunately, Kerio does
| not permit a list of apps in a rule, the way it does with ports &
| addresses. So, currently I have coded 5 of them...!...
|
| (1) DNS Server-- EXEC.exe (NetZero)
| (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
| (3) DNS Server-- AVAST.SETUP (There actually is no program)
| (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
| (5) DNS Server-- IExplore
|
| | I will NOT post all my rules or what exactly I have configured
| | locally [that would supply the exact way to circumvent my
| | protection],
|
| OK.
|
| | however I will post this contact to retrieve the
| | email/news messages [your posting], with a few more inclusions
| | [again, slightly modified rules and rule logging]. This was ONLY to
| | retrieve mail and the newsgroups on Microsoft. Nothing else occurred
| | BUT the logon to the ISP.
|
| OK, limited to mail & NG activities, right.
|
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
| | ONLINE
| | 7.0\WAOL.EXE
|
| So... WAOL.exe (which was port 1030 on your computer) needed to resolve
| an address? And it did so at XXX.XXX.XXX.X, port 7427? Is that what that
| says?

No and yes, there is another set of rules applied prior to this, and UDP need not be DNS.

| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
| | Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
|
| I get lots of those. Here is the last I recorded...
|
| 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
| Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
|
| ..., but, beginning yesterday, I have chosen NOT to log those anymore. I
| have two rules above that blocker. One allows ICMP incoming for...
| [0] Echo Reply, [3] Destination Unreachable, [11] Time Exceeded
|
| The other allows it outgoing for...
| [3] Destination Unreachable, [8] Echo Request

Those are the suggestions by most, including Sponge... So you have no specific rule for Netzero ICMP?

| I think that's probably finalized for ICMP. In this case, specific apps
| & ports are not possible in the rules-- only specific endpoint addresses
| are. But mine apply to any address.
|
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
| | ONLINE
| | 7.0\WAOL.EXE

*********** This is apparently the problem area. If this posts refer to the original. Google search for what this was and think of the potential uses. **********

| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8]
| | Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
| |
| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
| | Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
| |
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1026, Owner: no owner
|
| I used to get these Kerio alerts about Shaw Comm...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer.
|
| ..., but they are prevented now with a rule that specifically blocks
| RPCSS.exe (which is Distributed COM Services & which establishes the
| port 1027) from using UDP/TCP. Eventually, I hope to remove that block
| rule (& 4 others)-- after I have completed my UDP & TCP permit rules for
| specific, trusted apps/addresses. Then, RPCSS.exe will be blocked along
| with the others by virtue of not being included in the PERMITs-- &
| having one single BLOCK after them.

Well I would suggest you block SHAW's range entirely, if you have others, create a custom list or put them in your hosts file

| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1027, Owner: no owner
| |
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1028, Owner: no owner
| |
| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In
| | TCP, 207.46.248.16:119->localhost:1072, Owner: no owner
|
| I haven't begun to finalize my TCP rules yet. That's probably where I go
| next, once UDP is done!

Yeah get UDP outadaway... then lock down Outlook or whatever mail prog you use... There are a lot of TCP activities, back and forth, that can be blocked. Each application should have only enough access to allow it to function for its use...

| |
| | at which point I disconnected having retrieved mail and the news
| | messages.
|
| Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
| PersFW.exe, & PFWadMin.exe-- which are just some of the ones using it in
| here before I recently have prevented them! Well, I guess it may require
| the clicking of an URL for those to kick in.

As I said, I would not post all my rules or the logs they would create, that creates too much of a security risk.. RPCSS was locked down previously, along with krnl386, and several other potential exploits. Anything and EVERYTHING that might apply to web/network usage should have its own settings JUST IN CASE... or at least in my config.. If you remember [likely not], several months ago a program was suggested to me which attempted to bypass/reset ALL of my firewall settings,,, were it not for my prior restrictions it likely would have succeeded. As it was already ruled, it popped up and requested what to do since I said it couldn't do what the installation wanted to do PRIOR to disabling the firewall..

| ANOTHER POTENTIAL AREA REMOVED
|
| What specifically is notable about them?

See the prior links. So this was an attempt to locate other routers.. And *tcpip Kernel request* indicates the driver/protocol itself,, e.g. part of normal network usage, normally ALLOWED due to its usual necessity.

| |
| ||
| || | For those who do not understand firewalls, these activities would
| || | or may have been allowed as they followed either programs IN USE
| || | [allowed activity], or through addressing [broadcast or otherwise]
| || | had a firewall not been used.
| ||
| || That is right. Without a firewall with a good set of denial rules,
| || all activity is allowed. Hopefully, if a virus or a Trojan or a spy
| || can sneak in that way, a good virus detector will prevent it from
| || executing. Also, there may have been an MS fix or two to prevent
| || some forms of abuse along these lines (I don't know).
| |
| | What would make you think any anti-spyware or anti-virus programs
| | would check or correct these types of activities?
|
| I do believe an actual executable can be read into a machine through
| malicious use of these NET packets, although I'm not sure which precise
| protocols can do it. Once it is read in &/or tries to run, one hopes
| one's virus/malware scanner WILL catch it, before it delivers its
| payload!

You forget JAVA, server side includes/codes [php, asp, other], FLASH, streaming media, PDFs, and other aspects which are not necessarily caught by ANYTHING except for your proxy and/or firewall. ALL [emphasis all] are potential carriers of damaging hacks...

| |
| | Anti-spyware programs MAY block certain addresses and perhaps some
| | ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
| | infect something, or emails or files which contain hacks or other.
|
| It is still quick enough, in the cases when this bad stuff makes it
| through the firewall (or the lack of one), for these other apps to catch
| them trying to do their ill work-- if they can!
|
| BUT, I'm sure some ill-conceived packet can possibly do ill without
| delivering an executable that can be caught in another way. Somewhere in
| my 12th year of study I will know what these packets are & the protocols
| they use! But I'm hoping to get my Kerio rules solidified a lot sooner!
|
| | Host or lmhost files catch what they have been configured to catch
| | via addressing/name. These, however, are *network use* activities
| | WITHIN the TCP/IP and other aspects of Internet/network usage.
| | Firewalls, proxies, packet sniffers, client servers, the TCP/IP
| | kernel, and the like, are what handle these activities.
| | Of course the above is an overly simplified explanation.
|
| This isn't the year for me to really want to know every little detail,
| anyhow.
|

END PART 1 of 2 LESS THE DELETED MATERIAL

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR
Posted July 31, 2007

Re: firewalls - what to block and why - your security at risk

Testing again-- to see whether I can reply to this post while quoting it, Google search & all. But I think MEB has forgotten to put on his tinfoil hat yet again!

PCR wrote:
| MEB wrote:
|| "PCR" <pcrrcp@netzero.net> wrote in message news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
||| MEB wrote:
||| | PCR and Gram Pappy [among others] have been discussing firewall settings and what they can or should be used for.
|||
||| That's right. I installed...
||| http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
||| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months later began a 17 year study of what to do with it. But I should have spoken up sooner!
|||
||| | In the spirit of those discussions, I thought I would post some blocked activity from a SINGLE session/contact through my ISP and ONLY to this news server and my email accounts [via OE6]. This is from the firewall log [several of my normal settings/restrictions were specifically reset for this presentation].
|||
||| Thanks for jumping in. So, you wanted to see what would happen just by connecting to the NET & using OE for mail & NG activity.
||
|| Well, ah no, actually I wanted to let other users who may not have investigated or understand firewalls.
|
| Uh-huh. Naturally, you & I have advanced beyond that point.
|
|||
||| | No other Internet activity occurred [e.g., no external IE or browser usage or other activity]. All *allowed activity* has been removed, so that the addresses and activities blocked might be addressed for perhaps a greater understanding of the function of firewalls, what they can and are used for, and other aspects related thereto.
|||
||| Really, it's important to see what was allowed too. Where I thought my Primary DNS Server rule would be used only by NetZero (they are NetZero addresses in there)... really a whole bunch of apps were using it! But that's in the other thread!
||
|| DNS is used by any program requiring addressing information.
|
| The sole purpose of my DNS Server rule(s)...
|
| Protocol.......... UDP
| Direction......... Both
| Local Endpoint
|   Ports........... 1024-5000
|   Application... Any (but now I've limited it to 5 apps by creating 5 of these rules)
| Remote Endpoint
|   Addresses.... The entire NetZero range
|   Port............. 53
|
| ... is to resolve NET addresses? Still, am I right to seek to limit it to the five apps I kind of have to trust? Otherwise, can't it be appropriated by some devious app to do ill?
|
|| The key is to limit to the EXACT DNS server(s) NOT within your system [unless for local network traffic] and the port [53] used by that (those) server(s) with limited [chosen by previous monitoring] local ports and applications.
|
| Why do I need to bother with ports, if I limit the DNS rule(s) to trusted apps & to trusted NetZero addresses? Unfortunately, Kerio does not permit a list of apps in a rule, the way it does with ports & addresses. So, currently I have coded 5 of them...!...
|
| (1) DNS Server-- EXEC.exe (NetZero)
| (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
| (3) DNS Server-- AVAST.SETUP (There actually is no program)
| (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
| (5) DNS Server-- IExplore
|
|| I will NOT post all my rules or what exactly I have configured locally [that would supply the exact way to circumvent my protection],
|
| OK.
|
|| however I will post this contact to retrieve the email/news messages [your posting], with a few more inclusions [again, slightly modified rules and rule logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft. Nothing else occurred BUT the logon to the ISP.
|
| OK, limited to mail & NG activities, right.
|
|| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
|
| So... WAOL.exe (which was port 1030 on your computer) needed to resolve an address? And it did so at XXX.XXX.XXX.X, port 7427? Is that what that says?
|
|| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
|
| I get lots of those. Here is the last I recorded...
|
| 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8] Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
|
| ..., but, beginning yesterday, I have chosen NOT to log those anymore. I have two rules above that blocker. One allows ICMP incoming for... [0] Echo Reply, [3] Destination Unreachable, [11] Time Exceeded
|
| The other allows it outgoing for...
| [3] Destination Unreachable, [8] Echo Request
|
| I think that's probably finalized for ICMP. In this case, specific apps & ports are not possible in the rules-- only specific endpoint addresses are. But mine apply to any address.
|
|| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
|
|| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
|
| I've never seen an ALL-ROUTERS.MCAST.NET. But this would also be blocked in my machine!
|
|| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
|
|| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
|
|| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
|
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
|
| I used to get these Kerio alerts about Shaw Comm...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port 1027 owned by 'Distributed COM Services' on your computer.
|
| ..., but they are prevented now with a rule that specifically blocks RPCSS.exe (which is Distributed COM Services & which establishes the port 1027) from using UDP/TCP. Eventually, I hope to remove that block rule (& 4 others)-- after I have completed my UDP & TCP permit rules for specific, trusted apps/addresses. Then, RPCSS.exe will be blocked along with the others by virtue of not being included in the PERMITs-- & having one single BLOCK after them.
|
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
|
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
|
|| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119->localhost:1072, Owner: no owner
|
| I haven't begun to finalize my TCP rules yet. That's probably where I go next, once UDP is done!
|
|| at which point I disconnected having retrieved mail and the news messages.
|
| Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe, PersFW.exe, & PFWadMin.exe-- which are just some of the ones using it in here before I recently have prevented them! Well, I guess it may require the clicking of an URL for those to kick in.
|
|| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel requests.
|
| What specifically is notable about them?
|
|||
||| | For those who do not understand firewalls, these activities would or may have been allowed as they followed either programs IN USE [allowed activity], or through addressing [broadcast or otherwise] had a firewall not been used.
|||
||| That is right. Without a firewall with a good set of denial rules, all activity is allowed. Hopefully, if a virus or a trojan or a spy can sneak in that way, a good virus detector will prevent it from executing. Also, there may have been an MS fix or two to prevent some forms of abuse along these lines (I don't know).
||
|| What would make you think any anti-spyware or anti-virus programs would check or correct these types of activities?
|
| I do believe an actual executable can be read into a machine through malicious use of these NET packets, although I'm not sure which precise protocols can do it. Once it is read in &/or tries to run, one hopes one's virus/malware scanner WILL catch it, before it delivers its payload!
|
|| Anti-spyware programs MAY block certain addresses and perhaps some ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to infect something, or emails or files which contain hacks or other.
|
| It is still quick enough, in the cases when this bad stuff makes it through the firewall (or the lack of one), for these other apps to catch them trying to do their ill work-- if they can!
|
| BUT, I'm sure some ill-conceived packet can possibly do ill without delivering an executable that can be caught in another way. Somewhere in my 12th year of study I will know what these packets are & the protocols they use! But I'm hoping to get my Kerio rules solidified a lot sooner!
|
|| Host or lmhost files catch what they have been configured to catch via addressing/name. These, however, are *network use* activities WITHIN the TCP/IP and other aspects of Internet/network usage. Firewalls, proxies, packet sniffers, client servers, the TCP/IP kernel, and the like, are what handle these activities.
|| Of course the above is an overly simplified explanation.
|
| This isn't the year for me to really want to know every little detail, anyhow.
|
|||
||| | NOTE: this is contact through a dial-up connection[phone]/ISP [which is indicated via some of these addresses], ALWAYS ON connections are even more of a security risk.
|||
||| Uh-huh. I am Dial-Up too. That way, you get a new IP address each connect.
||
|| Only if that is what the ISP requires or desires.
|
| OK. For me, it does happen that way, I'm fairly sure.
|
|||
||| | Hopefully, this discussion will be useful to those interested and provide theory and answers to various issues.
||| | Rule sets or other settings for various firewalls would naturally be of interest.
||| |
||| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
|||
||| I find I have to guess as to the meaning of that. Looks like someone at 67.170.2.174, who is Comcast...
|||
||| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
|||
||| .....Quote...........
||| 67.170.2.174
||| Record Type: IP Address
|||
||| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
||| 67.160.0.0 - 67.191.255.255
||| Comcast Cable Communications, IP Services WASHINGTON-6 (NET-67-170-0-0-1)
||| 67.170.0.0 - 67.170.127.255
||| .....EOQ.............
|||
||| ...sent a UDP datagram to port 29081 on your machine. But I don't know...
|||
||| (1) did the port exist without an owner, & would it have received the datagram (except the rule blocked it)?
||| (The name of that rule suggests the answer is no.)
||
|| The data request would have been received and likely honored. The port would have been opened/created to allow this activity.
|
| I'm still thinking the port has to already be open to receive a packet. Is there documentation that may say otherwise?
|
|||
||| (2) did the port once exist & at that time have an owner, but somehow was closed before the datagram arrived? Therefore, it couldn't get it, anyhow, even if not blocked?
||
|| If it would have been ALLOWED activity [e.g., without proxy or firewall monitoring or exclusion, or within a hosts or lmhosts, or other], then a search would have been made for an available port, and then created/opened. Look again at this:
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
||
|| See the attempt to find or create an open port?
|
| Looks like Shaw Comm is trying to FIND one. If it could create one, why wouldn't it stop & just create 1026?
|
| It might still be worthwhile to block these-- but I wouldn't want to block them on an individual basis per abuser like Shaw Comm.
|
|| Now, should I have stayed online, there would have been continued attempts [see your prior discussion where I was online longer], though with different Shaw addressing and OUT ports, again stepping through IN [local] ports in attempt to find or create one.
|
| I'll look.
|
|||
||| (3) did the port 29081 never exist?
|||
||| Do any earlier log entries mention that port? You'd have to log all activity of each "permit" rule to know for sure. But, if there is no rule permitting the activity, then you would have received a Kerio requestor mentioning the port.
||
|| No, we don't need that. Were an ALLOWED program or address using that aspect, then it would NOT have created the denial.
|
| No, I wanted to know... did a PERMIT exist that came from port 29081? That would prove the port once existed & possibly initiated a communication with Shaw Comm. But, I'm fairly confident no such thing happened-- but it was Shaw Comm doing a probe. If it found it & activity was permitted-- mayhem such as pop-up ads or at least spying may have ensued, I think!
|
|| Either would have cascaded to find an open port for use [as long as it was in the defined rule range].
|
| That's what I think-- it wants to find one that is already open.
|
|| AND you mention Kerio, which MUST have that turned on [requestor].
|
| Oops, that's right. "Kerio, Administration, Firewall tab" has to be set at "Ask me first". Then, when activity occurs that is not covered by a rule, an alert requestor will appear. It offers to create the rule, which later can be fine tuned. Yep, & that's a great feature!
|
|| Other firewalls, particularly those that automatically configure themselves, MAY not pop-up anything unless it has been configured that way. They also MAY pass through such requests if piggy-backed from or on allowed activities/programs. Think "but all I want to know is the user address". Think Microsoft's firewalls, imagine what they are configured by default to allow.
|
| Yep. Kerio seems to have it all. It's highly configurable!
|
| ...snip of Kerio help page
|||
||| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
|||
||| That one seems to be coming from...
|||
||| NetRange: 200.0.0.0 - 200.255.255.255
||| NetName: LACNIC-200
||
|| Yes, that is the key to your Firewall security. Tracking each suspect activity to the originator, if possible.
|
| In the end, I just want to block them.
|
|| Actually, were I to post prior complete TRACKING logs [which I collect(ed) for specific use], say for one day's normal usage, vast numbers of potentially dangerous attacks/attempts would be shown.
|
| By the way, how do you empty Kerio's Filter.log, when you think you've seen enough? (I've been deleting it in DOS along with Filter.log.idx.)
|
| ...snip of stuff not meant for me, but thanks for the additional URLs to research. And thanks for continuing to contribute to my understanding of it.
|
|| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's TechNet
||
|
| OK, I see here again are the other "no owners"...
|
|||
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
|
| This is an attempt to send a UDP packet to port 1026. I still doubt it really needs to be blocked, if the port indeed does not exist. For UDP, I favor PERMITs of trusted apps from trusted addresses-- & one single block of UDP afterwards that will cover all others. (But I'm not even totally set up that way, myself, yet.) And I want to do it that way for TCP too.
|
| ...snip of other In UDP.
|
||| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
|
| Ah-- a TCP! Soon, I must do with TCP what I nearly am finishing with UDP!
|
| ...snip
||| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner
|
| I don't believe I've seen one of those. Could be I'm just not tracking the rule that does it. Looks like msnews.microsoft.com was still trying to communicate after the NET connection was closed. What app controlled localhost:1186?
|
| ...snip of a bunch more of In UDPs & possibly In TCPs.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
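Added example, not code from either poster or from Kerio: a small Python parser for the Filter.log line shape quoted throughout this thread, run over a constructed set of lines built from the entries above (the AOL remote address, masked as XXX.XXX.XXX.X in the posts, is replaced by a documentation-range placeholder). It separates the blocked inbound packets that hit ports with no owner from owned traffic, and flags a source stepping through consecutive local ports within the same second, the 1026/1027/1028 pattern from 24.64.192.20 that the two posters read differently.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the Filter.log line format quoted in the thread; the
# addresses are the ones in the posts, except the AOL remote address, which is
# a documentation-range placeholder for the masked XXX.XXX.XXX.X.
SAMPLE_LOG = r"""
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, 192.0.2.10:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1072, Owner: no owner
1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
"""

# <sev>,[<ts>] Rule '<rule>': <action>: <dir> <proto>[ [<n>] <icmp name>], <src>-><dst>, Owner: <owner>
LINE_RE = re.compile(
    r"^\d+,\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': (?P<action>Permitted|Blocked): "
    r"(?P<dir>In|Out) (?P<proto>UDP|TCP|ICMP)(?: \[\d+\] [^,]*)?, "
    r"(?P<src>[^,]+?)->(?P<dst>[^,]+?), Owner: (?P<owner>.*)$"
)
# Endpoints appear as "addr", "addr:port", "host [addr:port]" or "host [addr]".
ENDPOINT_RE = re.compile(r"^(?:\S+ \[)?(?P<addr>[^\]:\s]+)(?::(?P<port>\d+))?\]?$")


@dataclass
class Entry:
    ts: str
    rule: str
    action: str      # Permitted / Blocked
    direction: str   # In / Out
    proto: str       # UDP / TCP / ICMP
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    owner: str       # process path, 'Tcpip Kernel Driver' or 'no owner'


def _endpoint(text):
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable endpoint: {text!r}")
    return m.group("addr"), (int(m.group("port")) if m.group("port") else None)


def parse_filter_log(text):
    """Parse Filter.log text into Entry records, skipping lines of unknown shape."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = _endpoint(m.group("src"))
        dst, dport = _endpoint(m.group("dst"))
        entries.append(Entry(m.group("ts"), m.group("rule"), m.group("action"),
                             m.group("dir"), m.group("proto"), src, sport, dst, dport,
                             m.group("owner")))
    return entries


def unowned_inbound(entries):
    """Blocked inbound UDP/TCP aimed at a local port no process owned: the
    'Packet to unopened port received' class the thread argues about."""
    return [e for e in entries if e.action == "Blocked" and e.direction == "In"
            and e.proto in ("UDP", "TCP") and e.owner == "no owner"]


def port_sweeps(entries, min_ports=3):
    """Group blocked inbound packets by (source addr, source port, second) and
    report a source that stepped through min_ports or more consecutive local
    ports: the 'trying to FIND an open port' pattern seen from 24.64.192.20."""
    hits = defaultdict(set)
    for e in entries:
        if e.action == "Blocked" and e.direction == "In" and e.dst_port is not None:
            hits[(e.src, e.src_port, e.ts)].add(e.dst_port)
    sweeps = []
    for (src, sport, ts), ports in hits.items():
        run = sorted(ports)
        if len(run) >= min_ports and run[-1] - run[0] == len(run) - 1:
            sweeps.append({"source": src, "source_port": sport, "time": ts, "ports": run})
    return sweeps
```

Running `port_sweeps(parse_filter_log(SAMPLE_LOG))` reports the single 24.64.192.20:17898 sweep of ports 1026-1028; the lone msnews.microsoft.com TCP line stays out because it touches only one local port.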
Guest PCR
Posted July 31, 2007

Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

MEB wrote:
| Part 1 will have to be broken up.. I think the filters are now ON and there is an area that is not supposed to be discussed.. think I might have located it... after 15 tries and several additional partial post failed attempts...

Well, I've sent another response to that post, this time quoting it. Looks like it went through for me. Therefore...

(a) You are not wearing your tinfoil hat, &/or
(b) You are making it too long with more additions from Filter.log, &/or
(c) Properties of your posts shows...

X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409

...Mine shows...

X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
| "PCR" <pcrrcp@netzero.net> wrote in message news:OFdYmUx0HHA.4652@TK2MSFTNGP05.phx.gbl...
|| MEB wrote:
|| | PART 2 of 2
||
|| I don't see part 1.
||
|| ...snip
|| || By the way, how do you empty Kerio's Filter.log, when you think you've seen enough? (I've been deleting it in DOS along with Filter.log.idx.)
|| |
|| | Right click and delete within the viewer..
||
|| Oh, my God! You are right! And it deleted the .idx file too! Thanks!
||
|| I'll answer the rest of the post tomorrow.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net