PCR
MEB wrote:
| Some parts of prior posts [this was the post that had to be broken
| apart as it wouldn't post through many attempts (22) when the filters
| were modified] might be beneficial:
Oh, God-- those issues! I'll have to get back to this. It seems I've
wiped all my good Kerio Firewall rule improvements with my recent full
system restore. Now, I am back to just one Primary DNS Server rule,
albeit the improvement of including the entire NetZero range still
remains...
Primary DNS Server (Log)
Protocol: UDP
Direction: Both directions
Local Endpoint-- Ports: 1024-5000
-- Application: Any
Remote Endpoint-- Address: Entire NetZero/Juno range
-- Port: 53
Action: Permit
....This is followed by...
DNS Alert (Log, Alert)
Protocol: TCP & UDP
Direction: Both directions
Local Endpoint-- Ports: Any
-- Application: Any
Remote Endpoint-- Address: Any Address
-- Port: 53
Action: Deny
You know, what I had begun was to code a separate Primary DNS Server
rule for each separate application I deemed trustworthy. But I've lost
all that now! After that, I was to move on to the other rule types that
allowed "application" in the rule & code them specifically too. So far
today I see nothing untoward in my Kerio .log, though. I'll get back to
this soon.
In the meantime... yea, Merry Christmas... in fact, Merry Christmas for
each one that may pass between now & then! But I'll get back to it!
| MEB to PCR July 29, 2007 and additionals:
|| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
|| | Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel
|| | Driver
||
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1026, Owner: no owner
||
|| I used to get these Kerio alerts about Shaw Comm...
||
|| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
|| port 1027 owned by 'Distributed COM Services' on your computer.
||
|| ..., but they are prevented now with a rule that specifically blocks
|| RPCSS.exe (which is Distributed COM Services & which establishes the
|| port 1027) from using UDP/TCP. Eventually, I hope to remove that
|| block rule (& 4 others)-- after I have completed my UDP & TCP permit
|| rules for specific, trusted apps/addresses. Then, RPCSS.exe will be
|| blocked along with the others by virtue of not being included in the
|| PERMITs-- & having one single BLOCK after them.
|
| Well I would suggest you block SHAW's range entirely, if you have
| others, create a custom list or put them in your hosts file
|
||
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1027, Owner: no owner
||
| {cut}
|
|| Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
|| PersFW.exe, & PFWadMin.exe-- which are just some of the ones using
|| it in here before I recently have prevented them! Well, I guess it
|| may require the clicking of a URL for those to kick in.
| {cut}
|| | What would make you think any anti-spyware or anti-virus programs
|| | would check or correct these types of activities?
||
|| I do believe an actual executable can be read into a machine through
|| malicious use of these NET packets, although I'm not sure which
|| precise protocols can do it. Once it is read in &/or tries to run,
|| one hopes one's virus/malware scanner WILL catch it, before it
|| delivers its payload!
|
| You forget JAVA, server side includes [php, asp, other], FLASH,
| streaming media, PDFs, and other aspects which are not necessarily
| caught by ANYTHING except for your proxy and/or firewall. ALL
| [emphasis all] are potential carriers of damaging hacks...
|
||
| {cut}
|| || (2) did the port once exist & at that time have an owner,
|| || but somehow was closed before the datagram arrived?
|| || Therefore, it couldn't get it, anyhow, even if not blocked?
|| |
|| | If it would have been ALLOWED activity [e.g., without proxy or
|| | firewall monitoring or exclusion, or within a hosts or lmhosts, or
|| | other], then a search would have been made for an available port,
|| | and then created/opened. Look again at this:
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1028, Owner: no owner
|| |
|| | See the attempt to find or create an open port?
||
|| Looks like Shaw Comm is trying to FIND one. If it could create one,
|| why wouldn't it stop & just create 1026?
|
| It would if it was allowed to do so. Once there, it's all a matter of
| time..
|
|| Why do I need to bother with ports, if I limit the DNS rule(s) to
|| trusted apps & to trusted NetZero addresses?
|
| Well, 53 is the standard port for that type of request, and is held
| as such... as for requesting port, there may be a LARGE fluctuation..
| I think you limiting to the specific apps will suffice, perhaps
| someone more qualified can confirm...
|
|| Unfortunately, Kerio does
|| not permit a list of apps in a rule, the way it does with ports &
|| addresses. So, currently I have coded 5 of them...!...
||
|| (1) DNS Server-- EXEC.exe (NetZero)
|| (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
|| (3) DNS Server-- AVAST.SETUP (There actually is no program)
|| (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
|| (5) DNS Server-- IExplore
||
| .
| ======
|
| See also:
| Re: firewalls - Kerio PF Part 1 - what to block and why - your
| security at risk - 08-02-2007
|
| ---------
|
| NOW, why the above relates to AVAST. The RPCSS and DCOM issues above
| come with the installation of AVAST. Unless they are blocked by a
| firewall, they are ready and available for any use or contact.
|
| Another aspect is its update service. A list of two supposed AVAST
| update addresses logged as contacting its update hook that display
| why you TURN BOTH OFF completely:
|
| ihn-inc.com 70.86.91.130
| 'avast! antivirus Update' from your computer wants to connect to
| lhn-inc.com [70.86.91.130], port 80
| This *name* is *SEARCH Portal* which attempted to use the address of
| an AVAST server - a980sm.avast.com
|
| 82.8a.364a.static.theplanet.com 74.54.138.130 - the address is also an
| update server - a973sm.avast.com
| check here -
| http://forums.theplanet.com/lofiversion/index.php/t85131.html
|
| If you monitor the update service you *will* {likely} find
| considerably more,
| but the point is leaving the update service running/open is not a
| good idea. Apparently AVAST is either using old abandoned addresses
| and/or others are using known AVAST addresses and its autoupdate
| feature as an entry point. Moreover, make sure your firewall is also
| properly set up.
|
| Anyway, enough of this, about to do the re-install, so before I go:
|
| HAPPY HOLIDAYS to all, hope all goes well, and be careful on New
| Year's.
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
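An added example, not code from either poster: a small Python parser for Kerio Personal Firewall log lines in the format quoted in the thread, which groups blocked inbound datagrams by remote source and flags the consecutive-local-port pattern MEB points to (1026, 1027, 1028 from one source in the same second). The sample lines are constructed from the ones quoted above; the timestamp of the 24.64.9.177 line and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Kerio PF log format quoted in the thread.
# The ICMP line carries no port pair and is skipped by the parser.
SAMPLE_LOG = """\
1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898->localhost:1028, Owner: no owner
1,[28/Jul/2007 17:40:03] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.9.177:3222->localhost:1027, Owner: no owner
"""

LINE_RE = re.compile(
    r"^\d+,\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': (?P<action>\w+): "
    r"(?P<dir>In|Out) (?P<proto>UDP|TCP), "
    r"(?P<src>[\w.]+):(?P<sport>\d+)->(?P<dst>[\w.]+):(?P<dport>\d+), "
    r"Owner: (?P<owner>.*)$")


def parse_kerio_log(text):
    """Return one dict per TCP/UDP log line; lines without a port pair are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y %H:%M:%S")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events


def find_port_walks(events, min_ports=3, window_s=60):
    """(src, sport, ports) for sources whose blocked inbound datagrams hit
    min_ports or more distinct, consecutive local ports within window_s."""
    by_src = defaultdict(list)
    for e in events:
        if e["dir"] == "In" and e["action"] == "Blocked":
            by_src[(e["src"], e["sport"])].append((e["ts"], e["dport"]))
    walks = []
    for (src, sport), hits in by_src.items():
        hits.sort()
        ports = sorted({p for _, p in hits})
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        consecutive = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        if len(ports) >= min_ports and consecutive and span <= window_s:
            walks.append((src, sport, ports))
    return walks


if __name__ == "__main__":
    for src, sport, ports in find_port_walks(parse_kerio_log(SAMPLE_LOG)):
        print(f"port walk from {src}:{sport} over local ports {ports}")
```

A single blocked datagram (the 24.64.9.177 line) is not flagged; only the three-port run from 24.64.192.20 is.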