firewalls - what to block and why - your security at risk

M

MEB

PCR and Gram Pappy [among others] have been discussing firewall settings and
what they can or should be used for.

In the spirit of those discussions, I thought I would post some blocked
activity from a SINGLE session/contact through my ISP and ONLY to this news
server and my email accounts [via OE6]. This is from the firewall log
[several of my normal settings/restrictions were specifically reset for this
presentation].
No other Internet activity occurred [e.g., no external IE or browser usage
or other activity]. All *allowed activity* has been removed, so that the
addresses and activities blocked might be addressed for perhaps a greater
understanding of the function of firewalls, what they can and are used for,
and other aspects related thereto.
For those who do not understand firewalls, these activities would or may
have been allowed as they followed either programs IN USE [allowed
activity], or through addressing [broadcast or otherwise] had a firewall not
been used.
NOTE: this is contact through a dial-up connection[phone]/ISP [which is
indicated via some of these addresses], ALWAYS ON connections are even more
of a security risk.

Hopefully, this discussion will be useful to those interested and provide
theory and answers to various issues.
Rule sets or other settings for various firewalls would naturally be of
interest.

1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked:
In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked:
In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked:
In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked:
In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked:
In UDP, 190.46.171.127:41806->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked:
In UDP, 190.46.171.127:41806->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked:
In UDP, 189.153.168.143:32737->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked:
In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked:
In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked:
In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP,
msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner: no owner
1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked:
In UDP, 90.20.19.204:46983->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked:
In UDP, 87.235.125.80:8052->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked:
In UDP, 69.126.6.107:32338->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked:
In UDP, 189.128.113.251:16491->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked:
In UDP, 221.209.110.13:49282->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked:
In UDP, 221.209.110.13:49282->localhost:1027, Owner: no owner
1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked:
In UDP, 200.117.180.230:22925->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked:
In UDP, 74.120.200.92:45097->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked:
In UDP, host230.200-117-180.telecom.net.ar
[200.117.180.230:22925]->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked:
In UDP, 88.22.213.173:19033->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked:
In UDP, 74.107.240.241:48641->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked:
In UDP, 221.208.208.95:53699->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked:
In UDP, 67.81.156.51:20406->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked:
In UDP, 200.89.49.207:23085->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked:
In UDP, 221.208.208.90:33490->localhost:1026, Owner: no owner
1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked:
In UDP, 142.161.209.54:15611->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked:
In UDP, 190.60.89.179:47922->localhost:29081, Owner: no owner
1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP,
msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no owner
1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked:
In UDP, 190.31.24.235:50988->localhost:29081, Owner: no owner


--
MEB
http://peoplescounsel.orgfree.com
________
 
P

PCR

MEB wrote:
| PCR and Gram Pappy [among others] have been discussing firewall
| settings and what they can or should be used for.

That's right. I installed...
http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW

....Kerio Personal Firewall v2.1.5 about 4 years ago & several months
later began a 17 year study of what to do with it. But I should have
spoke up sooner!

| In the spirit of those discussions, I thought I would post some
| blocked activity from a SINGLE session/contact through my ISP and
| ONLY to this news server and my email accounts [via OE6]. This is
| from the firewall log [several of my normal settings/restrictions
| were specifically reset for this presentation].

Thanks for jumping in. So, you wanted to see what would happen just by
connecting to the NET & using OE for mail & NG activity.

| No other Internet activity occurred [e.g., no external IE or browser
| usage or other activity]. All *allowed activity* has been removed, so
| that the addresses and activities blocked might be addressed for
| perhaps a greater understanding of the function of firewalls, what
| they can and are used for, and other aspects related thereto.

Really, it's important to see what was allowed too. Where I thought my
Primary DNS Server rule would be used only by NetZero (they are NetZero
addresses in there)... really a whole bunch of apps were using it! But
that's in the other thread!

| For those who do not understand firewalls, these activities would or
| may have been allowed as they followed either programs IN USE [allowed
| activity], or through addressing [broadcast or otherwise] had a
| firewall not been used.

That is right. Without a firewall with a good set of denial rules, all
activity is allowed. Hopefully, if a virus or a trojan or a spy can
sneak in that way, a good virus detector will prevent it from executing.
Also, there may have been an MS fix or two to prevent some forms of
abuse along these lines (I don't know).

| NOTE: this is contact through a dial-up connection[phone]/ISP [which
| is indicated via some of these addresses], ALWAYS ON connections are
| even more of a security risk.

Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.

| Hopefully, this discussion will be useful to those interested and
| provide theory and answers to various issues.
| Rule sets or other settings for various firewalls would naturally be
| of interest.
|
| 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner

I find I have to guess as to the meaning of that. Looks like someone at
67.170.2.174, who is Comcast...

http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
......Quote...........
67.170.2.174
Record Type: IP Address

Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
67.160.0.0 - 67.191.255.255
Comcast Cable Communications, IP Services WASHINGTON-6
(NET-67-170-0-0-1)
67.170.0.0 - 67.170.127.255
......EOQ.............

....sent a UDP datagram to port 29081 on your machine. But I don't
know...

(1) did the port exist without an owner, & would it have received
the datagram (except the rule blocked it)?
(The name of that rule suggests the answer is no.)

(2) did the the port once exist & at that time have an owner,
but somehow was closed before the datagram arrived?
Therefore, it couldn't get it, anyhow, even if not blocked?

(3) did the port 29081 never exist?

Do any earlier log entries mention that port? You'd have to log all
activity of each "permit" rule to know for sure. But, if there is no
rule permitting the activity, then you would have received a Kerio
requestor mentioning the port.

Here is a Kerio help page to study...

.......Quote............
Filter.log file

The filter.log file is used for logging Kerio Personal Firewall actions
on a local computer. It is created in a directory where Personal
Firewall is installed (typically C:\Program Files\Kerio\Personal
Firewall). It is created upon the first record.

Filter.log is a text file where each record is placed on a new line. It
has the following format:

1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner:
G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE

How to read this line:

1 — rule type (1 = denying, 2 = permitting)

[08/Jun/2001 16:52:09] — date and time that the packet was detected (we
recommend checking the correct setting of the system time on your
computer)

Rule 'Internet Information Services' — name of a rule that was applied
(from the Description field)

Blocked: / Permittted: — indicates whether the packet was blocked or
permitted (corresponds with the number at the beginning of the line)

In / Out — indicates an incoming or outgoing packet

IP / TCP / UDP / ICMP, etc. — communication protocol (for which the rule
was defined)

richard.kerio.com [192.168.2.38:3772] — DNS name of the computer, from
which the packet was sent, in square brackets is the IP address with the
source port after a colon

locahost:25 — destination IP address (or DNS name) and port (localhost =
this computer)

Owner: — name of the local application to which the packet is addressed
(including its full path). If the application is a system service the
name displayed is SYSTEM.
..........EOQ.................

| 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner

That one seems to be coming from...

NetRange: 200.0.0.0 - 200.255.255.255
NetName: LACNIC-200

| 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
| 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
| 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no
| owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port
| received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081,
| Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened
| port received': Blocked: In UDP,
| 189.153.168.143:32737->localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received':
| Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
| 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received':
| Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
| 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received':
| Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner
| 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
| TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner:
| no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port
| received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081,
| Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened
| port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081,
| Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened
| port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081,
| Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened
| port received': Blocked: In UDP,
| 189.128.113.251:16491->localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received':
| Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no
| owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port
| received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027,
| Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened
| port received': Blocked: In UDP,
| 200.117.180.230:22925->localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received':
| Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no
| owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port
| received': Blocked: In UDP, host230.200-117-180.telecom.net.ar
| [200.117.180.230:22925]->localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received':
| Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no
| owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port
| received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081,
| Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened
| port received': Blocked: In UDP,
| 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007
| 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP,
| 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007
| 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP,
| 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007
| 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP,
| 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007
| 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP,
| 142.161.209.54:15611->localhost:29081, Owner: no owner 1,[28/Jul/2007
| 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP,
| 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007
| 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP,
| msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no
| owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port
| received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081,
| Owner: no owner
|
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 
M

MEB

"PCR" <pcrrcp@netzero.net> wrote in message
news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
| MEB wrote:
| | PCR and Gram Pappy [among others] have been discussing firewall
| | settings and what they can or should be used for.
|
| That's right. I installed...
| http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
|
| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
| later began a 17 year study of what to do with it. But I should have
| spoke up sooner!
|
| | In the spirit of those discussions, I thought I would post some
| | blocked activity from a SINGLE session/contact through my ISP and
| | ONLY to this news server and my email accounts [via OE6]. This is
| | from the firewall log [several of my normal settings/restrictions
| | were specifically reset for this presentation].
|
| Thanks for jumping in. So, you wanted to see what would happen just by
| connecting to the NET & using OE for mail & NG activity.

Well, ah no, actually I wanted to let other users who may not have
investigated or understand firewalls.

|
| | No other Internet activity occurred [e.g., no external IE or browser
| | usage or other activity]. All *allowed activity* has been removed, so
| | that the addresses and activities blocked might be addressed for
| | perhaps a greater understanding of the function of firewalls, what
| | they can and are used for, and other aspects related thereto.
|
| Really, it's important to see what was allowed too. Where I thought my
| Primary DNS Server rule would be used only by NetZero (they are NetZero
| addresses in there)... really a whole bunch of apps were using it! But
| that's in the other thread!

DNS is used by any program requiring addressing information. The key is to
limit to the EXACT DNS server(s) NOT within your system [unless for local
network traffic] and the port [53] used by that (those) server(s) with
limited [chosen by previous monitoring] local ports and applications.

I will NOT post all my rules or what exactly I have configured locally
[that would supply the exact way to circumvent my protection], however I
will post this contact to retreive the email/news messages [your posting],
with a few more inclusions [again, slightly modified rules and rule
logging]. This was ONLY to retreive mail and the newsgroups on Microsoft.
Nothing else occurred BUT the logon to the ISP.

2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE
7.0\WAOL.EXE
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE
7.0\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
Kernel Driver
1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.192.20:17898->localhost:1028, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP,
207.46.248.16:119->localhost:1072, Owner: no owner
at which point I disconnected having retrieved mail and the news messages.

NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel
requests.

|
| | For those who do not understand firewalls, these activities would or
| | may have been allowed as they followed either programs IN USE [allowed
| | activity], or through addressing [broadcast or otherwise] had a
| | firewall not been used.
|
| That is right. Without a firewall with a good set of denial rules, all
| activity is allowed. Hopefully, if a virus or a trojan or a spy can
| sneak in that way, a good virus detector will prevent it from executing.
| Also, there may have been an MS fix or two to prevent some forms of
| abuse along these lines (I don't know).

What would make you think any anti-spyware or anti-virus programs would
check or correct these types of activities?

Anti-spyware programs MAY block certain addresses and perhaps some ActiveX,
or other. Anti-virus MIGHT catch scripting or attempts to infect something,
or emails or files which contain hacks or other. Host or lmhost files catch
what they have been configured to catch via addressing/name.
These, however, are *network use* activities WITHIN the TCP/IP and other
aspects of Internet/network usage. Firewalls, proxies, packet sniffers,
client servers, the TCP/IP kernel, and the like, are what handle these
activities.
Of course the above is an overly simplified explanation.

|
| | NOTE: this is contact through a dial-up connection[phone]/ISP [which
| | is indicated via some of these addresses], ALWAYS ON connections are
| | even more of a security risk.
|
| Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.

Only if that is what the ISP requires or desires.

|
| | Hopefully, this discussion will be useful to those interested and
| | provide theory and answers to various issues.
| | Rule sets or other settings for various firewalls would naturally be
| | of interest.
| |
| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
|
| I find I have to guess as to the meaning of that. Looks like someone at
| 67.170.2.174, who is Comcast...
|
| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
| .....Quote...........
| 67.170.2.174
| Record Type: IP Address
|
| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
| 67.160.0.0 - 67.191.255.255
| Comcast Cable Communications, IP Services WASHINGTON-6
| (NET-67-170-0-0-1)
| 67.170.0.0 - 67.170.127.255
| .....EOQ.............
|
| ...sent a UDP datagram to port 29081 on your machine. But I don't
| know...
|
| (1) did the port exist without an owner, & would it have received
| the datagram (except the rule blocked it)?
| (The name of that rule suggests the answer is no.)

The data request would have been received and likely honored.
The port would have been opened/created to allow this activity.

|
| (2) did the the port once exist & at that time have an owner,
| but somehow was closed before the datagram arrived?
| Therefore, it couldn't get it, anyhow, even if not blocked?

If it would have been ALLOWED activity [e.g., without proxy or firewall
monitoring or exculsion, or within a hosts or lmhosts, or other]], then a
search would have been made for an available port, and then created/opened.
Look again at this:
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.192.20:17898->localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.192.20:17898->localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.192.20:17898->localhost:1028, Owner: no owner

See the attempt to find or create an open port?
Now, should I have stayed online, there would have been continued attempts
[see your prior discussion where I was online longer], though with different
Shaw addressing and OUT ports, again stepping through IN [local] ports in
attempt to find or create.one.


|
| (3) did the port 29081 never exist?
|
| Do any earlier log entries mention that port? You'd have to log all
| activity of each "permit" rule to know for sure. But, if there is no
| rule permitting the activity, then you would have received a Kerio
| requestor mentioning the port.

No we don't need that.
Were an ALLOWED program or address using that aspect, then it would NOT
have created the denial. Either would have cascaded to find an open port for
use [as long as it was in the defined rule range].
AND you mention Kerio, which MUST have that turned on {requestor].
Other firewalls, particularly those that automatically configure
themselves, MAY not pop-up anything unless it has been configured that way.
They also MAY pass through such requests if piggy-backed from or on allowed
activities/programs. Think "but all I want to know is the user address".
Think Microsoft's firewalls, imagine what they are configured by default to
allow.

|
| Here is a Kerio help page to study...
|
| ......Quote............
| Filter.log file
|
| The filter.log file is used for logging Kerio Personal Firewall actions
| on a local computer. It is created in a directory where Personal
| Firewall is installed (typically C:\Program Files\Kerio\Personal
| Firewall). It is created upon the first record.
|
| Filter.log is a text file where each record is placed on a new line. It
| has the following format:
|
| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
| In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner:
| G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|
| How to read this line:
|
| 1 rule type (1 = denying, 2 = permitting)
|
| [08/Jun/2001 16:52:09] date and time that the packet was detected (we
| recommend checking the correct setting of the system time on your
| computer)
|
| Rule 'Internet Information Services' name of a rule that was applied
| (from the Description field)
|
| Blocked: / Permittted: indicates whether the packet was blocked or
| permitted (corresponds with the number at the beginning of the line)
|
| In / Out indicates an incoming or outgoing packet
|
| IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule
| was defined)
|
| richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from
| which the packet was sent, in square brackets is the IP address with the
| source port after a colon
|
| locahost:25 destination IP address (or DNS name) and port (localhost =
| this computer)
|
| Owner: name of the local application to which the packet is addressed
| (including its full path). If the application is a system service the
| name displayed is SYSTEM.
| .........EOQ.................
|
| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
|
| That one seems to be coming from...
|
| NetRange: 200.0.0.0 - 200.255.255.255
| NetName: LACNIC-200

Yes, that is the key to your Firewall security.
Tracking each suspect activity to the originator, if possible.

Actually were I to post prior complete TRACKING logs [which I collect(ed)
for specific use], say for one day's normal usage, vast numbers of
potentially dangerous attacks/attempts would be shown.
The Internet is a cesspool of users, unless you protect yourself from them.
NO-ONE is completely invisible or invulnerable. There is always a starting
[requesting/receiving] address [yours].
If you were ACTUALLY invisible then nothing would reach you you couldn't
receive a web page you couldn't receive email you couldn't do any
networking. Whatever is requested MUST have a destination [You]. [Okay, I
know of ways but we're not educating hackers here.]

FOR THE GENERAL DOUBTER [not you PCR]:
Try it. Block all network and Internet traffic in your firewall. That
closes all ports, hence no requesting/receiving address [yours]. It doesn't
matter that you may have obtained an IP address or have one hard set, there
is no way to use it {don't try this for long or you will lose access to the
net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if
applicable}...] No ports or no address and there is no network.
Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to
ANY web address. Notice the addresses? Notice the routing?
NOW, exactly how did YOU receive that information? Certainly it wasn't
broadcast to the world and you just happened to have ended up with it. Or
was it?
--

Now what could a hacker, or someone wishing to track you for whatever
reason, do with that information?
All that is originally needed by that party is the requesting/receiving
address e.g. your address, your activity, something you did or allowed.
Once this is known then anythng that party wishes to do can be done. Now
think about ALWAYS ON connections.

For instance, you did go through Sponge's other pages [used because it was
previously referenced] which address advertising and other inoccent [cough]
inclusions on web pages, or which you may find on the Internet, correct?
Such as: http://www.geocities.com/yosponge/othrstuf.html
Did you look at his host file, etc..
Or perhaps look at ports, packets, formation, and other aspects over on:
http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives

9X users?
Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some
nice tools for network/Internet use/diagnostics.
Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be careful
using it, many servers do NOT like to be scanned, you may be logged and your
ISP or other agency may be contacted..

Another nifty test tool is called *tooleaky*. A little 3k tool to test your
supposed security [created to test/expose GRC suggestions]. Read about what
it does and how. You might think twice about what you think you know.

If your using 2000 or above, might want to check these older tools:

http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee

Attacker 3.00

http://www.foundstone.com/knowledge/proddesc/fport.html
fport - find out what is using what port - 2000 - XP/NT
Identify unknown open ports and their associated applications
Copyright 2002 (c) by Foundstone, Inc.
http://www.foundstone.com
fport supports Windows NT4, Windows 2000 and Windows XP
fport reports all open TCP/IP and UDP ports and maps them to the owning
application. This is the same information you would see using the
'netstat -an' command, but it also maps those ports to running processes
with the PID, process name and path. Fport can be used to quickly identify
unknown open ports and their associated applications.


Trout Version 2.0 (formerly SuboTronic)
New in this release
Parallel pinging, resulting in a huge speed improvment.
Selectable background and text colors.
Improved interface.
Save trace to file.
Improved HTML output.
Optional continuous ping mode.
Traceroute and Whois program.
Copyright 2000 (c) by Foundstone, Inc.
A visual (i.e. GUI as opposed to command-line) traceroute and Whois program.
Pinging can be set at a controllable rate as can the frequency of repeatedly
scanning the selected host. The built-in simple Whois lookup can be used to
identify hosts discovered along the route to the destination computer.
Parallel pinging and hostname lookup techniques make this traceroute program
perhaps the fastest currently available.


Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's
TechNet

|
| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no
| | owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port
| | received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081,
| | Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened
| | port received': Blocked: In UDP,
| | 189.153.168.143:32737->localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received':
| | Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
| | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received':
| | Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner
| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
| | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner:
| | no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port
| | received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081,
| | Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened
| | port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081,
| | Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened
| | port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081,
| | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened
| | port received': Blocked: In UDP,
| | 189.128.113.251:16491->localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no
| | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port
| | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027,
| | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened
| | port received': Blocked: In UDP,
| | 200.117.180.230:22925->localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no
| | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port
| | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar
| | [200.117.180.230:22925]->localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no
| | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port
| | received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081,
| | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened
| | port received': Blocked: In UDP,
| | 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007
| | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007
| | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007
| | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007
| | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 142.161.209.54:15611->localhost:29081, Owner: no owner 1,[28/Jul/2007
| | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007
| | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP,
| | msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no
| | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port
| | received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081,
| | Owner: no owner
| |
| |
| | --
| | MEB
| | http://peoplescounsel.orgfree.com
| | ________
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|


--
MEB
http://peoplescounsel.orgfree.com
________
 
C

Curt Christianson

Some real food for thought gentlemen. Thank you.

P.S. I've been using ZA since 2000.

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message
news:eq0$HgY0HHA.6072@TK2MSFTNGP03.phx.gbl...
|
|
|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
|| MEB wrote:
|| | PCR and Gram Pappy [among others] have been discussing firewall
|| | settings and what they can or should be used for.
||
|| That's right. I installed...
|| http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
||
|| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
|| later began a 17 year study of what to do with it. But I should have
|| spoke up sooner!
||
|| | In the spirit of those discussions, I thought I would post some
|| | blocked activity from a SINGLE session/contact through my ISP and
|| | ONLY to this news server and my email accounts [via OE6]. This is
|| | from the firewall log [several of my normal settings/restrictions
|| | were specifically reset for this presentation].
||
|| Thanks for jumping in. So, you wanted to see what would happen just by
|| connecting to the NET & using OE for mail & NG activity.
|
| Well, ah no, actually I wanted to let other users who may not have
| investigated or understand firewalls.
|
||
|| | No other Internet activity occurred [e.g., no external IE or browser
|| | usage or other activity]. All *allowed activity* has been removed, so
|| | that the addresses and activities blocked might be addressed for
|| | perhaps a greater understanding of the function of firewalls, what
|| | they can and are used for, and other aspects related thereto.
||
|| Really, it's important to see what was allowed too. Where I thought my
|| Primary DNS Server rule would be used only by NetZero (they are NetZero
|| addresses in there)... really a whole bunch of apps were using it! But
|| that's in the other thread!
|
| DNS is used by any program requiring addressing information. The key is to
| limit to the EXACT DNS server(s) NOT within your system [unless for local
| network traffic] and the port [53] used by that (those) server(s) with
| limited [chosen by previous monitoring] local ports and applications.
|
| I will NOT post all my rules or what exactly I have configured locally
| [that would supply the exact way to circumvent my protection], however I
| will post this contact to retreive the email/news messages [your posting],
| with a few more inclusions [again, slightly modified rules and rule
| logging]. This was ONLY to retreive mail and the newsgroups on Microsoft.
| Nothing else occurred BUT the logon to the ISP.
|
| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE
| 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE
| 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
| Kernel Driver
| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
| Kernel Driver
| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
| Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
| Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1028, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP,
| 207.46.248.16:119->localhost:1072, Owner: no owner
| at which point I disconnected having retrieved mail and the news messages.
|
| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel
| requests.
|
||
|| | For those who do not understand firewalls, these activities would or
|| | may have been allowed as they followed either programs IN USE [allowed
|| | activity], or through addressing [broadcast or otherwise] had a
|| | firewall not been used.
||
|| That is right. Without a firewall with a good set of denial rules, all
|| activity is allowed. Hopefully, if a virus or a trojan or a spy can
|| sneak in that way, a good virus detector will prevent it from executing.
|| Also, there may have been an MS fix or two to prevent some forms of
|| abuse along these lines (I don't know).
|
| What would make you think any anti-spyware or anti-virus programs would
| check or correct these types of activities?
|
| Anti-spyware programs MAY block certain addresses and perhaps some
ActiveX,
| or other. Anti-virus MIGHT catch scripting or attempts to infect
something,
| or emails or files which contain hacks or other. Host or lmhost files
catch
| what they have been configured to catch via addressing/name.
| These, however, are *network use* activities WITHIN the TCP/IP and other
| aspects of Internet/network usage. Firewalls, proxies, packet sniffers,
| client servers, the TCP/IP kernel, and the like, are what handle these
| activities.
| Of course the above is an overly simplified explanation.
|
||
|| | NOTE: this is contact through a dial-up connection[phone]/ISP [which
|| | is indicated via some of these addresses], ALWAYS ON connections are
|| | even more of a security risk.
||
|| Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.
|
| Only if that is what the ISP requires or desires.
|
||
|| | Hopefully, this discussion will be useful to those interested and
|| | provide theory and answers to various issues.
|| | Rule sets or other settings for various firewalls would naturally be
|| | of interest.
|| |
|| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
||
|| I find I have to guess as to the meaning of that. Looks like someone at
|| 67.170.2.174, who is Comcast...
||
|| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
|| .....Quote...........
|| 67.170.2.174
|| Record Type: IP Address
||
|| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| 67.160.0.0 - 67.191.255.255
|| Comcast Cable Communications, IP Services WASHINGTON-6
|| (NET-67-170-0-0-1)
|| 67.170.0.0 - 67.170.127.255
|| .....EOQ.............
||
|| ...sent a UDP datagram to port 29081 on your machine. But I don't
|| know...
||
|| (1) did the port exist without an owner, & would it have received
|| the datagram (except the rule blocked it)?
|| (The name of that rule suggests the answer is no.)
|
| The data request would have been received and likely honored.
| The port would have been opened/created to allow this activity.
|
||
|| (2) did the the port once exist & at that time have an owner,
|| but somehow was closed before the datagram arrived?
|| Therefore, it couldn't get it, anyhow, even if not blocked?
|
| If it would have been ALLOWED activity [e.g., without proxy or firewall
| monitoring or exculsion, or within a hosts or lmhosts, or other]], then a
| search would have been made for an available port, and then
created/opened.
| Look again at this:
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1028, Owner: no owner
|
| See the attempt to find or create an open port?
| Now, should I have stayed online, there would have been continued attempts
| [see your prior discussion where I was online longer], though with
different
| Shaw addressing and OUT ports, again stepping through IN [local] ports in
| attempt to find or create.one.
|
|
||
|| (3) did the port 29081 never exist?
||
|| Do any earlier log entries mention that port? You'd have to log all
|| activity of each "permit" rule to know for sure. But, if there is no
|| rule permitting the activity, then you would have received a Kerio
|| requestor mentioning the port.
|
| No we don't need that.
| Were an ALLOWED program or address using that aspect, then it would NOT
| have created the denial. Either would have cascaded to find an open port
for
| use [as long as it was in the defined rule range].
| AND you mention Kerio, which MUST have that turned on {requestor].
| Other firewalls, particularly those that automatically configure
| themselves, MAY not pop-up anything unless it has been configured that
way.
| They also MAY pass through such requests if piggy-backed from or on
allowed
| activities/programs. Think "but all I want to know is the user address".
| Think Microsoft's firewalls, imagine what they are configured by default
to
| allow.
|
||
|| Here is a Kerio help page to study...
||
|| ......Quote............
|| Filter.log file
||
|| The filter.log file is used for logging Kerio Personal Firewall actions
|| on a local computer. It is created in a directory where Personal
|| Firewall is installed (typically C:\Program Files\Kerio\Personal
|| Firewall). It is created upon the first record.
||
|| Filter.log is a text file where each record is placed on a new line. It
|| has the following format:
||
|| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
|| In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner:
|| G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
||
|| How to read this line:
||
|| 1 rule type (1 = denying, 2 = permitting)
||
|| [08/Jun/2001 16:52:09] date and time that the packet was detected (we
|| recommend checking the correct setting of the system time on your
|| computer)
||
|| Rule 'Internet Information Services' name of a rule that was applied
|| (from the Description field)
||
|| Blocked: / Permittted: indicates whether the packet was blocked or
|| permitted (corresponds with the number at the beginning of the line)
||
|| In / Out indicates an incoming or outgoing packet
||
|| IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule
|| was defined)
||
|| richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from
|| which the packet was sent, in square brackets is the IP address with the
|| source port after a colon
||
|| locahost:25 destination IP address (or DNS name) and port (localhost =
|| this computer)
||
|| Owner: name of the local application to which the packet is addressed
|| (including its full path). If the application is a system service the
|| name displayed is SYSTEM.
|| .........EOQ.................
||
|| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
||
|| That one seems to be coming from...
||
|| NetRange: 200.0.0.0 - 200.255.255.255
|| NetName: LACNIC-200
|
| Yes, that is the key to your Firewall security.
| Tracking each suspect activity to the originator, if possible.
|
| Actually were I to post prior complete TRACKING logs [which I collect(ed)
| for specific use], say for one day's normal usage, vast numbers of
| potentially dangerous attacks/attempts would be shown.
| The Internet is a cesspool of users, unless you protect yourself from
them.
| NO-ONE is completely invisible or invulnerable. There is always a starting
| [requesting/receiving] address [yours].
| If you were ACTUALLY invisible then nothing would reach you you couldn't
| receive a web page you couldn't receive email you couldn't do any
| networking. Whatever is requested MUST have a destination [You]. [Okay, I
| know of ways but we're not educating hackers here.]
|
| FOR THE GENERAL DOUBTER [not you PCR]:
| Try it. Block all network and Internet traffic in your firewall. That
| closes all ports, hence no requesting/receiving address [yours]. It
doesn't
| matter that you may have obtained an IP address or have one hard set,
there
| is no way to use it {don't try this for long or you will lose access to
the
| net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if
| applicable}...] No ports or no address and there is no network.
| Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to
| ANY web address. Notice the addresses? Notice the routing?
| NOW, exactly how did YOU receive that information? Certainly it wasn't
| broadcast to the world and you just happened to have ended up with it. Or
| was it?
| --
|
| Now what could a hacker, or someone wishing to track you for whatever
| reason, do with that information?
| All that is originally needed by that party is the requesting/receiving
| address e.g. your address, your activity, something you did or allowed.
| Once this is known then anythng that party wishes to do can be done. Now
| think about ALWAYS ON connections.
|
| For instance, you did go through Sponge's other pages [used because it was
| previously referenced] which address advertising and other inoccent
[cough]
| inclusions on web pages, or which you may find on the Internet, correct?
| Such as: http://www.geocities.com/yosponge/othrstuf.html
| Did you look at his host file, etc..
| Or perhaps look at ports, packets, formation, and other aspects over on:
| http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
|
| 9X users?
| Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide
some
| nice tools for network/Internet use/diagnostics.
| Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be
careful
| using it, many servers do NOT like to be scanned, you may be logged and
your
| ISP or other agency may be contacted..
|
| Another nifty test tool is called *tooleaky*. A little 3k tool to test
your
| supposed security [created to test/expose GRC suggestions]. Read about
what
| it does and how. You might think twice about what you think you know.
|
| If your using 2000 or above, might want to check these older tools:
|
| http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
|
| Attacker 3.00
|
| http://www.foundstone.com/knowledge/proddesc/fport.html
| fport - find out what is using what port - 2000 - XP/NT
| Identify unknown open ports and their associated applications
| Copyright 2002 (c) by Foundstone, Inc.
| http://www.foundstone.com
| fport supports Windows NT4, Windows 2000 and Windows XP
| fport reports all open TCP/IP and UDP ports and maps them to the owning
| application. This is the same information you would see using the
| 'netstat -an' command, but it also maps those ports to running processes
| with the PID, process name and path. Fport can be used to quickly identify
| unknown open ports and their associated applications.
|
|
| Trout Version 2.0 (formerly SuboTronic)
| New in this release
| Parallel pinging, resulting in a huge speed improvment.
| Selectable background and text colors.
| Improved interface.
| Save trace to file.
| Improved HTML output.
| Optional continuous ping mode.
| Traceroute and Whois program.
| Copyright 2000 (c) by Foundstone, Inc.
| A visual (i.e. GUI as opposed to command-line) traceroute and Whois
program.
| Pinging can be set at a controllable rate as can the frequency of
repeatedly
| scanning the selected host. The built-in simple Whois lookup can be used
to
| identify hosts discovered along the route to the destination computer.
| Parallel pinging and hostname lookup techniques make this traceroute
program
| perhaps the fastest currently available.
|
|
| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
Microsoft's
| TechNet
|
||
|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no
|| | owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port
|| | received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081,
|| | Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened
|| | port received': Blocked: In UDP,
|| | 189.153.168.143:32737->localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
|| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received':
|| | Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
|| | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received':
|| | Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner
|| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
|| | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner:
|| | no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port
|| | received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081,
|| | Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened
|| | port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081,
|| | Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened
|| | port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081,
|| | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened
|| | port received': Blocked: In UDP,
|| | 189.128.113.251:16491->localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no
|| | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port
|| | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027,
|| | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened
|| | port received': Blocked: In UDP,
|| | 200.117.180.230:22925->localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no
|| | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port
|| | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar
|| | [200.117.180.230:22925]->localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no
|| | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port
|| | received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081,
|| | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened
|| | port received': Blocked: In UDP,
|| | 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007
|| | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP,
|| | 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007
|| | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP,
|| | 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007
|| | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP,
|| | 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007
|| | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP,
|| | 142.161.209.54:15611->localhost:29081, Owner: no owner 1,[28/Jul/2007
|| | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP,
|| | 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007
|| | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP,
|| | msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no
|| | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port
|| | received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081,
|| | Owner: no owner
|| |
|| |
|| | --
|| | MEB
|| | http://peoplescounsel.orgfree.com
|| | ________
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net
||
||
|
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
|
|
 
P

PCR

Curt Christianson wrote:
| Some real food for thought gentlemen. Thank you.

You are welcome. I have only begun & will not rest until I get these
Kerio rules right-- even if I have to complete the rest of my 17 year
study! I'm moving it to the top of my to-do list! My master plan is to
discover just what my legit apps want to or must do to function
properly. Then, I will code rules that permit JUST those apps to do it.
Only my denial rules will apply to "any application", is my plan.

And I have begun with my Primary DNS Server rule, which now I have split
into FIVE...

(1) DNS Server-- EXEC.exe (NetZero)
(2) DNS Server-- ASHWEBSV (avast! Web Scanner)
(3) DNS Server-- AVAST.SETUP
(4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
(5) DNS Server-- IExplore

I may attempt again to narrow it down. But, currently, each of those
gets to do UDP, both directions, local ports 1024-5000, any NetZero
address, port 53.

Lots of other apps were using it before. But that's in another thread!

| P.S. I've been using ZA since 2000.
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" <meb@not here@hotmail.com> wrote in message
| news:eq0$HgY0HHA.6072@TK2MSFTNGP03.phx.gbl...
||
||
||
|| "PCR" <pcrrcp@netzero.net> wrote in message
|| news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
||| MEB wrote:
||| | PCR and Gram Pappy [among others] have been discussing firewall
||| | settings and what they can or should be used for.
|||
||| That's right. I installed...
|||
http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
|||
||| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
||| later began a 17 year study of what to do with it. But I should have
||| spoke up sooner!
|||
||| | In the spirit of those discussions, I thought I would post some
||| | blocked activity from a SINGLE session/contact through my ISP and
||| | ONLY to this news server and my email accounts [via OE6]. This is
||| | from the firewall log [several of my normal settings/restrictions
||| | were specifically reset for this presentation].
|||
||| Thanks for jumping in. So, you wanted to see what would happen just
||| by connecting to the NET & using OE for mail & NG activity.
||
|| Well, ah no, actually I wanted to let other users who may not have
|| investigated or understand firewalls.
||
|||
||| | No other Internet activity occurred [e.g., no external IE or
||| | browser usage or other activity]. All *allowed activity* has been
||| | removed, so that the addresses and activities blocked might be
||| | addressed for perhaps a greater understanding of the function of
||| | firewalls, what they can and are used for, and other aspects
||| | related thereto.
|||
||| Really, it's important to see what was allowed too. Where I thought
||| my Primary DNS Server rule would be used only by NetZero (they are
||| NetZero addresses in there)... really a whole bunch of apps were
||| using it! But that's in the other thread!
||
|| DNS is used by any program requiring addressing information. The key
|| is to limit to the EXACT DNS server(s) NOT within your system
|| [unless for local network traffic] and the port [53] used by that
|| (those) server(s) with limited [chosen by previous monitoring] local
|| ports and applications.
||
|| I will NOT post all my rules or what exactly I have configured
|| locally [that would supply the exact way to circumvent my
|| protection], however I will post this contact to retreive the
|| email/news messages [your posting], with a few more inclusions
|| [again, slightly modified rules and rule logging]. This was ONLY to
|| retreive mail and the newsgroups on Microsoft. Nothing else occurred
|| BUT the logon to the ISP.
||
|| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
|| localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
|| ONLINE
|| 7.0\WAOL.EXE
|| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
|| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
|| XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
|| ONLINE
|| 7.0\WAOL.EXE
|| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2],
|| Owner: Tcpip Kernel Driver
|| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2],
|| Owner: Tcpip Kernel Driver
|| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8]
|| Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
|| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
|| Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1026, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1027, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1028, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In
|| TCP, 207.46.248.16:119->localhost:1072, Owner: no owner
|| at which point I disconnected having retrieved mail and the news
|| messages.
||
|| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip
|| Kernel requests.
||
|||
||| | For those who do not understand firewalls, these activities
||| | would or may have been allowed as they followed either programs
||| | IN USE [allowed activity], or through addressing [broadcast or
||| | otherwise] had a firewall not been used.
|||
||| That is right. Without a firewall with a good set of denial rules,
||| all activity is allowed. Hopefully, if a virus or a trojan or a spy
||| can sneak in that way, a good virus detector will prevent it from
||| executing. Also, there may have been an MS fix or two to prevent
||| some forms of abuse along these lines (I don't know).
||
|| What would make you think any anti-spyware or anti-virus programs
|| would check or correct these types of activities?
||
|| Anti-spyware programs MAY block certain addresses and perhaps some
|| ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
|| infect something, or emails or files which contain hacks or other.
|| Host or lmhost files catch what they have been configured to catch
|| via addressing/name.
|| These, however, are *network use* activities WITHIN the TCP/IP and
|| other aspects of Internet/network usage. Firewalls, proxies, packet
|| sniffers, client servers, the TCP/IP kernel, and the like, are what
|| handle these activities.
|| Of course the above is an overly simplified explanation.
||
|||
||| | NOTE: this is contact through a dial-up connection[phone]/ISP
||| | [which is indicated via some of these addresses], ALWAYS ON
||| | connections are even more of a security risk.
|||
||| Uhuh. I am Dial-Up too. That way, you get a new IP address each
||| connect.
||
|| Only if that is what the ISP requires or desires.
||
|||
||| | Hopefully, this discussion will be useful to those interested and
||| | provide theory and answers to various issues.
||| | Rule sets or other settings for various firewalls would
||| | naturally be of interest.
||| |
||| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no
||| | owner
|||
||| I find I have to guess as to the meaning of that. Looks like
||| someone at
||| 67.170.2.174, who is Comcast...
|||
||| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
||| .....Quote...........
||| 67.170.2.174
||| Record Type: IP Address
|||
||| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
||| 67.160.0.0 - 67.191.255.255
||| Comcast Cable Communications, IP Services WASHINGTON-6
||| (NET-67-170-0-0-1)
||| 67.170.0.0 - 67.170.127.255
||| .....EOQ.............
|||
||| ...sent a UDP datagram to port 29081 on your machine. But I don't
||| know...
|||
||| (1) did the port exist without an owner, & would it have received
||| the datagram (except the rule blocked it)?
||| (The name of that rule suggests the answer is no.)
||
|| The data request would have been received and likely honored.
|| The port would have been opened/created to allow this activity.
||
|||
||| (2) did the the port once exist & at that time have an owner,
||| but somehow was closed before the datagram arrived?
||| Therefore, it couldn't get it, anyhow, even if not blocked?
||
|| If it would have been ALLOWED activity [e.g., without proxy or
|| firewall monitoring or exculsion, or within a hosts or lmhosts, or
|| other]], then a search would have been made for an available port,
|| and then created/opened. Look again at this:
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1026, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1027, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1028, Owner: no owner
||
|| See the attempt to find or create an open port?
|| Now, should I have stayed online, there would have been continued
|| attempts [see your prior discussion where I was online longer],
|| though with different Shaw addressing and OUT ports, again stepping
|| through IN [local] ports in attempt to find or create.one.
||
||
|||
||| (3) did the port 29081 never exist?
|||
||| Do any earlier log entries mention that port? You'd have to log all
||| activity of each "permit" rule to know for sure. But, if there is no
||| rule permitting the activity, then you would have received a Kerio
||| requestor mentioning the port.
||
|| No we don't need that.
|| Were an ALLOWED program or address using that aspect, then it would
|| NOT have created the denial. Either would have cascaded to find an
|| open port for use [as long as it was in the defined rule range].
|| AND you mention Kerio, which MUST have that turned on {requestor].
|| Other firewalls, particularly those that automatically configure
|| themselves, MAY not pop-up anything unless it has been configured
|| that way. They also MAY pass through such requests if piggy-backed
|| from or on allowed activities/programs. Think "but all I want to
|| know is the user address". Think Microsoft's firewalls, imagine what
|| they are configured by default to allow.
||
|||
||| Here is a Kerio help page to study...
|||
||| ......Quote............
||| Filter.log file
|||
||| The filter.log file is used for logging Kerio Personal Firewall
||| actions on a local computer. It is created in a directory where
||| Personal Firewall is installed (typically C:\Program
||| Files\Kerio\Personal Firewall). It is created upon the first record.
|||
||| Filter.log is a text file where each record is placed on a new
||| line. It has the following format:
|||
||| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services':
||| Blocked: In TCP, richard.kerio.cz
||| [192.168.2.38:3772]->localhost:25, Owner:
||| G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|||
||| How to read this line:
|||
||| 1 rule type (1 = denying, 2 = permitting)
|||
||| [08/Jun/2001 16:52:09] date and time that the packet was detected
||| (we recommend checking the correct setting of the system time on
||| your computer)
|||
||| Rule 'Internet Information Services' name of a rule that was
||| applied (from the Description field)
|||
||| Blocked: / Permittted: indicates whether the packet was blocked or
||| permitted (corresponds with the number at the beginning of the line)
|||
||| In / Out indicates an incoming or outgoing packet
|||
||| IP / TCP / UDP / ICMP, etc. communication protocol (for which the
||| rule was defined)
|||
||| richard.kerio.com [192.168.2.38:3772] DNS name of the computer,
||| from which the packet was sent, in square brackets is the IP
||| address with the source port after a colon
|||
||| locahost:25 destination IP address (or DNS name) and port
||| (localhost = this computer)
|||
||| Owner: name of the local application to which the packet is
||| addressed (including its full path). If the application is a system
||| service the name displayed is SYSTEM.
||| .........EOQ.................
|||
||| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no
||| | owner
|||
||| That one seems to be coming from...
|||
||| NetRange: 200.0.0.0 - 200.255.255.255
||| NetName: LACNIC-200
||
|| Yes, that is the key to your Firewall security.
|| Tracking each suspect activity to the originator, if possible.
||
|| Actually were I to post prior complete TRACKING logs [which I
|| collect(ed) for specific use], say for one day's normal usage, vast
|| numbers of potentially dangerous attacks/attempts would be shown.
|| The Internet is a cesspool of users, unless you protect yourself
|| from them. NO-ONE is completely invisible or invulnerable. There is
|| always a starting [requesting/receiving] address [yours].
|| If you were ACTUALLY invisible then nothing would reach you you
|| couldn't receive a web page you couldn't receive email you
|| couldn't do any networking. Whatever is requested MUST have a
|| destination [You]. [Okay, I know of ways but we're not educating
|| hackers here.]
||
|| FOR THE GENERAL DOUBTER [not you PCR]:
|| Try it. Block all network and Internet traffic in your firewall. That
|| closes all ports, hence no requesting/receiving address [yours]. It
|| doesn't matter that you may have obtained an IP address or have one
|| hard set, there is no way to use it {don't try this for long or you
|| will lose access to the net on a phoneline}. [Or clear your IP,
|| DHCP, and DNS entries {WINS if applicable}...] No ports or no
|| address and there is no network.
|| Now turn it on again [or re-connect] and do a TRACE [preferred] or
|| ping to ANY web address. Notice the addresses? Notice the routing?
|| NOW, exactly how did YOU receive that information? Certainly it
|| wasn't broadcast to the world and you just happened to have ended up
|| with it. Or was it?
|| --
||
|| Now what could a hacker, or someone wishing to track you for whatever
|| reason, do with that information?
|| All that is originally needed by that party is the
|| requesting/receiving address e.g. your address, your activity,
|| something you did or allowed. Once this is known then anythng that
|| party wishes to do can be done. Now think about ALWAYS ON
|| connections.
||
|| For instance, you did go through Sponge's other pages [used because
|| it was previously referenced] which address advertising and other
|| inoccent [cough] inclusions on web pages, or which you may find on
|| the Internet, correct? Such as:
|| http://www.geocities.com/yosponge/othrstuf.html
|| Did you look at his host file, etc..
|| Or perhaps look at ports, packets, formation, and other aspects over
|| on: http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
||
|| 9X users?
|| Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)]
|| provide some nice tools for network/Internet use/diagnostics.
|| Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be
|| careful using it, many servers do NOT like to be scanned, you may be
|| logged and your ISP or other agency may be contacted..
||
|| Another nifty test tool is called *tooleaky*. A little 3k tool to
|| test your supposed security [created to test/expose GRC
|| suggestions]. Read about what it does and how. You might think twice
|| about what you think you know.
||
|| If your using 2000 or above, might want to check these older tools:
||
|| http://www.foundstone.com/us/resources-free-tools.asp - Division of
|| McAfee
||
|| Attacker 3.00
||
|| http://www.foundstone.com/knowledge/proddesc/fport.html
|| fport - find out what is using what port - 2000 - XP/NT
|| Identify unknown open ports and their associated applications
|| Copyright 2002 (c) by Foundstone, Inc.
|| http://www.foundstone.com
|| fport supports Windows NT4, Windows 2000 and Windows XP
|| fport reports all open TCP/IP and UDP ports and maps them to the
|| owning application. This is the same information you would see using
|| the 'netstat -an' command, but it also maps those ports to running
|| processes with the PID, process name and path. Fport can be used to
|| quickly identify unknown open ports and their associated
|| applications.
||
||
|| Trout Version 2.0 (formerly SuboTronic)
|| New in this release
|| Parallel pinging, resulting in a huge speed improvment.
|| Selectable background and text colors.
|| Improved interface.
|| Save trace to file.
|| Improved HTML output.
|| Optional continuous ping mode.
|| Traceroute and Whois program.
|| Copyright 2000 (c) by Foundstone, Inc.
|| A visual (i.e. GUI as opposed to command-line) traceroute and Whois
|| program. Pinging can be set at a controllable rate as can the
|| frequency of repeatedly scanning the selected host. The built-in
|| simple Whois lookup can be used to identify hosts discovered along
|| the route to the destination computer. Parallel pinging and hostname
|| lookup techniques make this traceroute program perhaps the fastest
|| currently available.
||
||
|| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
|| Microsoft's TechNet
||
|||
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no
||| | owner 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, 218.10.137.139:55190->localhost:1027,
||| | Owner: no owner 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 190.46.171.127:41806->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port
||| | received': Blocked: In UDP,
||| | 189.153.168.143:32737->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no
||| | owner 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port
||| | received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212,
||| | Owner: no owner 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened
||| | port received': Blocked: In TCP,
||| | 219.148.119.6:12200->localhost:8000, Owner: no owner
||| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked:
||| | In TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186,
||| | Owner: no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 90.20.19.204:46983->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 87.235.125.80:8052->localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081,
||| | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 189.128.113.251:16491->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no
||| | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027,
||| | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 200.117.180.230:22925->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar
||| | [200.117.180.230:22925]->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port
||| | received': Blocked: In UDP,
||| | 74.107.240.241:48641->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 221.208.208.95:53699->localhost:1026, Owner: no
||| | owner 1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port
||| | received': Blocked: In UDP,
||| | 67.81.156.51:20406->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 200.89.49.207:23085->localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, 221.208.208.90:33490->localhost:1026,
||| | Owner: no owner 1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 142.161.209.54:15611->localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 190.60.89.179:47922->localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack':
||| | Blocked: In TCP, msnews.microsoft.com
||| | [207.46.248.16:119]->localhost:1185, Owner: no owner
||| | 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 190.31.24.235:50988->localhost:29081, Owner: no
||| | owner
||| |
||| |
||| | --
||| | MEB
||| | http://peoplescounsel.orgfree.com
||| | ________
|||
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
||| pcrrcp@netzero.net
|||
|||
||
||
|| --
|| MEB
|| http://peoplescounsel.orgfree.com
|| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 
M

MEB

Re: firewalls - ZONEALARM - what to block and why - your security at risk

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
news:%23tJUffZ0HHA.1204@TK2MSFTNGP03.phx.gbl...
| Some real food for thought gentlemen. Thank you.
|
| P.S. I've been using ZA since 2000.
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm

We aim to please...

I also used ZA for a number of years on the various 9X boxes and XP. The
rules aspect of other firewalls always drew me [having a Linux, Zenix, NT
background] but I thought it wise to use what others might be using [for
comparison purposes].
Now however, with the use of highly questionable activities on the
Internet, and my personal questions related to ZA, and no support from
Microsoft and ZoneLabs, I thought I would return to something which gave
considerably more control during my final testing days under 9X.

I have an old ZA version [forgot which version though, and have no
intention of re-installing it] about 1.4meg which actually seemed to supply
MOST of the normal functions required, at least semi-adequately. Sometimes I
thought the newer versions were attempting aspects which were not well
implimented or implimented in a fashion I thought not user friendly. Of
course there is an ability to setup *rules like* activities within ZA, but I
would imagine most users do not do so.

In the spirit of this discussion, which is to include any firewalls [and I
hope it eventually does. Note this has ZONEALARM now in its subject
heading]:

What version and product are you or others using?

Have you or others run monitoring/sniffing programs while using ZA to see
if it actual performs as advertised?

What settings or other seemed to be the most useful to you or other users?

What advise would users give concerning settings, configuration, etc. to
other users of ZA, [noting in Curt's case, I think your using it under W2K,
so does that offer anything different as far as you know]?

Have you or other users created any similar rules within ZA to the below
[referencing Kerio PFW rules]?

|
| "MEB" <meb@not here@hotmail.com> wrote in message
| news:eq0$HgY0HHA.6072@TK2MSFTNGP03.phx.gbl...
| |
| |
| |
| | "PCR" <pcrrcp@netzero.net> wrote in message
| | news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
| || MEB wrote:
| || | PCR and Gram Pappy [among others] have been discussing firewall
| || | settings and what they can or should be used for.
| ||
| || That's right. I installed...
| ||
http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
| ||
| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
| || later began a 17 year study of what to do with it. But I should have
| || spoke up sooner!
| ||
| || | In the spirit of those discussions, I thought I would post some
| || | blocked activity from a SINGLE session/contact through my ISP and
| || | ONLY to this news server and my email accounts [via OE6]. This is
| || | from the firewall log [several of my normal settings/restrictions
| || | were specifically reset for this presentation].
| ||
| || Thanks for jumping in. So, you wanted to see what would happen just by
| || connecting to the NET & using OE for mail & NG activity.
| |
| | Well, ah no, actually I wanted to let other users who may not have
| | investigated or understand firewalls.
| |
| ||
| || | No other Internet activity occurred [e.g., no external IE or browser
| || | usage or other activity]. All *allowed activity* has been removed, so
| || | that the addresses and activities blocked might be addressed for
| || | perhaps a greater understanding of the function of firewalls, what
| || | they can and are used for, and other aspects related thereto.
| ||
| || Really, it's important to see what was allowed too. Where I thought my
| || Primary DNS Server rule would be used only by NetZero (they are NetZero
| || addresses in there)... really a whole bunch of apps were using it! But
| || that's in the other thread!
| |
| | DNS is used by any program requiring addressing information. The key is
to
| | limit to the EXACT DNS server(s) NOT within your system [unless for
local
| | network traffic] and the port [53] used by that (those) server(s) with
| | limited [chosen by previous monitoring] local ports and applications.
| |
| | I will NOT post all my rules or what exactly I have configured locally
| | [that would supply the exact way to circumvent my protection], however I
| | will post this contact to retreive the email/news messages [your
posting],
| | with a few more inclusions [again, slightly modified rules and rule
| | logging]. This was ONLY to retreive mail and the newsgroups on
Microsoft.
| | Nothing else occurred BUT the logon to the ISP.
| |
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
ONLINE
| | 7.0\WAOL.EXE
| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
Router
| | Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
ONLINE
| | 7.0\WAOL.EXE
| | 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10]
Router
| | Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
| | Kernel Driver
| | 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10]
Router
| | Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
| | Kernel Driver
| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
| | Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
| | Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1028, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP,
| | 207.46.248.16:119->localhost:1072, Owner: no owner
| | at which point I disconnected having retrieved mail and the news
messages.
| |
| | NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel
| | requests.
| |
| ||
| || | For those who do not understand firewalls, these activities would or
| || | may have been allowed as they followed either programs IN USE
[allowed
| || | activity], or through addressing [broadcast or otherwise] had a
| || | firewall not been used.
| ||
| || That is right. Without a firewall with a good set of denial rules, all
| || activity is allowed. Hopefully, if a virus or a trojan or a spy can
| || sneak in that way, a good virus detector will prevent it from
executing.
| || Also, there may have been an MS fix or two to prevent some forms of
| || abuse along these lines (I don't know).
| |
| | What would make you think any anti-spyware or anti-virus programs would
| | check or correct these types of activities?
| |
| | Anti-spyware programs MAY block certain addresses and perhaps some
| ActiveX,
| | or other. Anti-virus MIGHT catch scripting or attempts to infect
| something,
| | or emails or files which contain hacks or other. Host or lmhost files
| catch
| | what they have been configured to catch via addressing/name.
| | These, however, are *network use* activities WITHIN the TCP/IP and other
| | aspects of Internet/network usage. Firewalls, proxies, packet sniffers,
| | client servers, the TCP/IP kernel, and the like, are what handle these
| | activities.
| | Of course the above is an overly simplified explanation.
| |
| ||
| || | NOTE: this is contact through a dial-up connection[phone]/ISP [which
| || | is indicated via some of these addresses], ALWAYS ON connections are
| || | even more of a security risk.
| ||
| || Uhuh. I am Dial-Up too. That way, you get a new IP address each
connect.
| |
| | Only if that is what the ISP requires or desires.
| |
| ||
| || | Hopefully, this discussion will be useful to those interested and
| || | provide theory and answers to various issues.
| || | Rule sets or other settings for various firewalls would naturally be
| || | of interest.
| || |
| || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no owner
| ||
| || I find I have to guess as to the meaning of that. Looks like someone at
| || 67.170.2.174, who is Comcast...
| ||
| || http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
| || .....Quote...........
| || 67.170.2.174
| || Record Type: IP Address
| ||
| || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
| || 67.160.0.0 - 67.191.255.255
| || Comcast Cable Communications, IP Services WASHINGTON-6
| || (NET-67-170-0-0-1)
| || 67.170.0.0 - 67.170.127.255
| || .....EOQ.............
| ||
| || ...sent a UDP datagram to port 29081 on your machine. But I don't
| || know...
| ||
| || (1) did the port exist without an owner, & would it have received
| || the datagram (except the rule blocked it)?
| || (The name of that rule suggests the answer is no.)
| |
| | The data request would have been received and likely honored.
| | The port would have been opened/created to allow this activity.
| |
| ||
| || (2) did the the port once exist & at that time have an owner,
| || but somehow was closed before the datagram arrived?
| || Therefore, it couldn't get it, anyhow, even if not blocked?
| |
| | If it would have been ALLOWED activity [e.g., without proxy or firewall
| | monitoring or exculsion, or within a hosts or lmhosts, or other]], then
a
| | search would have been made for an available port, and then
| created/opened.
| | Look again at this:
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1028, Owner: no owner
| |
| | See the attempt to find or create an open port?
| | Now, should I have stayed online, there would have been continued
attempts
| | [see your prior discussion where I was online longer], though with
| different
| | Shaw addressing and OUT ports, again stepping through IN [local] ports
in
| | attempt to find or create.one.
| |
| |
| ||
| || (3) did the port 29081 never exist?
| ||
| || Do any earlier log entries mention that port? You'd have to log all
| || activity of each "permit" rule to know for sure. But, if there is no
| || rule permitting the activity, then you would have received a Kerio
| || requestor mentioning the port.
| |
| | No we don't need that.
| | Were an ALLOWED program or address using that aspect, then it would NOT
| | have created the denial. Either would have cascaded to find an open port
| for
| | use [as long as it was in the defined rule range].
| | AND you mention Kerio, which MUST have that turned on {requestor].
| | Other firewalls, particularly those that automatically configure
| | themselves, MAY not pop-up anything unless it has been configured that
| way.
| | They also MAY pass through such requests if piggy-backed from or on
| allowed
| | activities/programs. Think "but all I want to know is the user address".
| | Think Microsoft's firewalls, imagine what they are configured by default
| to
| | allow.
| |
| ||
| || Here is a Kerio help page to study...
| ||
| || ......Quote............
| || Filter.log file
| ||
| || The filter.log file is used for logging Kerio Personal Firewall actions
| || on a local computer. It is created in a directory where Personal
| || Firewall is installed (typically C:\Program Files\Kerio\Personal
| || Firewall). It is created upon the first record.
| ||
| || Filter.log is a text file where each record is placed on a new line. It
| || has the following format:
| ||
| || 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
| || In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner:
| || G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
| ||
| || How to read this line:
| ||
| || 1 rule type (1 = denying, 2 = permitting)
| ||
| || [08/Jun/2001 16:52:09] date and time that the packet was detected (we
| || recommend checking the correct setting of the system time on your
| || computer)
| ||
| || Rule 'Internet Information Services' name of a rule that was applied
| || (from the Description field)
| ||
| || Blocked: / Permittted: indicates whether the packet was blocked or
| || permitted (corresponds with the number at the beginning of the line)
| ||
| || In / Out indicates an incoming or outgoing packet
| ||
| || IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule
| || was defined)
| ||
| || richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from
| || which the packet was sent, in square brackets is the IP address with
the
| || source port after a colon
| ||
| || locahost:25 destination IP address (or DNS name) and port (localhost =
| || this computer)
| ||
| || Owner: name of the local application to which the packet is addressed
| || (including its full path). If the application is a system service the
| || name displayed is SYSTEM.
| || .........EOQ.................
| ||
| || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
| ||
| || That one seems to be coming from...
| ||
| || NetRange: 200.0.0.0 - 200.255.255.255
| || NetName: LACNIC-200
| |
| | Yes, that is the key to your Firewall security.
| | Tracking each suspect activity to the originator, if possible.
| |
| | Actually were I to post prior complete TRACKING logs [which I
collect(ed)
| | for specific use], say for one day's normal usage, vast numbers of
| | potentially dangerous attacks/attempts would be shown.
| | The Internet is a cesspool of users, unless you protect yourself from
| them.
| | NO-ONE is completely invisible or invulnerable. There is always a
starting
| | [requesting/receiving] address [yours].
| | If you were ACTUALLY invisible then nothing would reach you you
couldn't
| | receive a web page you couldn't receive email you couldn't do any
| | networking. Whatever is requested MUST have a destination [You]. [Okay,
I
| | know of ways but we're not educating hackers here.]
| |
| | FOR THE GENERAL DOUBTER [not you PCR]:
| | Try it. Block all network and Internet traffic in your firewall. That
| | closes all ports, hence no requesting/receiving address [yours]. It
| doesn't
| | matter that you may have obtained an IP address or have one hard set,
| there
| | is no way to use it {don't try this for long or you will lose access to
| the
| | net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if
| | applicable}...] No ports or no address and there is no network.
| | Now turn it on again [or re-connect] and do a TRACE [preferred] or ping
to
| | ANY web address. Notice the addresses? Notice the routing?
| | NOW, exactly how did YOU receive that information? Certainly it wasn't
| | broadcast to the world and you just happened to have ended up with it.
Or
| | was it?
| | --
| |
| | Now what could a hacker, or someone wishing to track you for whatever
| | reason, do with that information?
| | All that is originally needed by that party is the requesting/receiving
| | address e.g. your address, your activity, something you did or allowed.
| | Once this is known then anythng that party wishes to do can be done. Now
| | think about ALWAYS ON connections.
| |
| | For instance, you did go through Sponge's other pages [used because it
was
| | previously referenced] which address advertising and other inoccent
| [cough]
| | inclusions on web pages, or which you may find on the Internet, correct?
| | Such as: http://www.geocities.com/yosponge/othrstuf.html
| | Did you look at his host file, etc..
| | Or perhaps look at ports, packets, formation, and other aspects over on:
| | http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
| |
| | 9X users?
| | Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide
| some
| | nice tools for network/Internet use/diagnostics.
| | Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be
| careful
| | using it, many servers do NOT like to be scanned, you may be logged and
| your
| | ISP or other agency may be contacted..
| |
| | Another nifty test tool is called *tooleaky*. A little 3k tool to test
| your
| | supposed security [created to test/expose GRC suggestions]. Read about
| what
| | it does and how. You might think twice about what you think you know.
| |
| | If your using 2000 or above, might want to check these older tools:
| |
| | http://www.foundstone.com/us/resources-free-tools.asp - Division of
McAfee
| |
| | Attacker 3.00
| |
| | http://www.foundstone.com/knowledge/proddesc/fport.html
| | fport - find out what is using what port - 2000 - XP/NT
| | Identify unknown open ports and their associated applications
| | Copyright 2002 (c) by Foundstone, Inc.
| | http://www.foundstone.com
| | fport supports Windows NT4, Windows 2000 and Windows XP
| | fport reports all open TCP/IP and UDP ports and maps them to the owning
| | application. This is the same information you would see using the
| | 'netstat -an' command, but it also maps those ports to running processes
| | with the PID, process name and path. Fport can be used to quickly
identify
| | unknown open ports and their associated applications.
| |
| |
| | Trout Version 2.0 (formerly SuboTronic)
| | New in this release
| | Parallel pinging, resulting in a huge speed improvment.
| | Selectable background and text colors.
| | Improved interface.
| | Save trace to file.
| | Improved HTML output.
| | Optional continuous ping mode.
| | Traceroute and Whois program.
| | Copyright 2000 (c) by Foundstone, Inc.
| | A visual (i.e. GUI as opposed to command-line) traceroute and Whois
| program.
| | Pinging can be set at a controllable rate as can the frequency of
| repeatedly
| | scanning the selected host. The built-in simple Whois lookup can be used
| to
| | identify hosts discovered along the route to the destination computer.
| | Parallel pinging and hostname lookup techniques make this traceroute
| program
| | perhaps the fastest currently available.
| |
| |
| | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
| Microsoft's
| | TechNet
| |
| ||
| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no
owner
| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no
owner
| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no
| || | owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port
| || | received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081,
| || | Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened
| || | port received': Blocked: In UDP,
| || | 189.153.168.143:32737->localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
| || | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received':
| || | Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no owner
| || | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received':
| || | Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no owner
| || | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
| || | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186, Owner:
| || | no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port
| || | received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081,
| || | Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened
| || | port received': Blocked: In UDP, 87.235.125.80:8052->localhost:29081,
| || | Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened
| || | port received': Blocked: In UDP, 69.126.6.107:32338->localhost:29081,
| || | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened
| || | port received': Blocked: In UDP,
| || | 189.128.113.251:16491->localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no
| || | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port
| || | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027,
| || | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened
| || | port received': Blocked: In UDP,
| || | 200.117.180.230:22925->localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no
| || | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port
| || | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar
| || | [200.117.180.230:22925]->localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no
| || | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port
| || | received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081,
| || | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened
| || | port received': Blocked: In UDP,
| || | 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007
| || | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP,
| || | 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007
| || | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP,
| || | 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007
| || | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP,
| || | 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007
| || | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP,
| || | 142.161.209.54:15611->localhost:29081, Owner: no owner 1,[28/Jul/2007
| || | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP,
| || | 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007
| || | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP,
| || | msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no
| || | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port
| || | received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081,
| || | Owner: no owner
| || |
| || |
| || | --
| || | MEB
| || | http://peoplescounsel.orgfree.com
| || | ________
| ||
| || --
| || Thanks or Good Luck,
| || There may be humor in this post, and,
| || Naturally, you will not sue,
| || Should things get worse after this,
| || PCR
| || pcrrcp@netzero.net
| ||
| ||
| |
| |
| | --
| | MEB
| | http://peoplescounsel.orgfree.com
| | ________
| |
| |
| |
| |
|
|

--
MEB
http://peoplescounsel.orgfree.com
________
 
C

Curt Christianson

Re: firewalls - ZONEALARM - what to block and why - your security at risk

Hi MEB, and all,


I'm actually running a rather old version of ZA v. 3.1.291. My philosophy
is *unlike* AV apps. etc., there just isn't much to improve IMHO. I don't
want or need any additional bells and whistles.

And you were close, I'm running XP Pro, but I keep perusing this group,
because this is where it all started for me. I still have my copy of W98SE,
but it's kind of a pain to install that *after* XP is already there. I was a
die-hard 98 fan, and swore I would *never* switch to XP, but the computer I
inherited already had it on it. I figured I'd give it a try, and if I
didn't like it, well, then back to good ol' 98. The way I have XP set up,
you'd almost think it was 98. I turned off *all* the cutesy eye-candy etc.,
mainly for performance reasons. Besides, I *hate* pastels! This box was
built for W98.
I have to admit that it is extremely stable, but then again so was my 98
install. It's the "junk" we add later that tends to muck things up.

Sorry I digressed.

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message
news:%23VgmuJi0HHA.4476@TK2MSFTNGP06.phx.gbl...
|
|
| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
| news:%23tJUffZ0HHA.1204@TK2MSFTNGP03.phx.gbl...
|| Some real food for thought gentlemen. Thank you.
||
|| P.S. I've been using ZA since 2000.
||
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
|
| We aim to please...
|
| I also used ZA for a number of years on the various 9X boxes and XP. The
| rules aspect of other firewalls always drew me [having a Linux, Zenix, NT
| background] but I thought it wise to use what others might be using [for
| comparison purposes].
| Now however, with the use of highly questionable activities on the
| Internet, and my personal questions related to ZA, and no support from
| Microsoft and ZoneLabs, I thought I would return to something which gave
| considerably more control during my final testing days under 9X.
|
| I have an old ZA version [forgot which version though, and have no
| intention of re-installing it] about 1.4meg which actually seemed to
supply
| MOST of the normal functions required, at least semi-adequately. Sometimes
I
| thought the newer versions were attempting aspects which were not well
| implimented or implimented in a fashion I thought not user friendly. Of
| course there is an ability to setup *rules like* activities within ZA, but
I
| would imagine most users do not do so.
|
| In the spirit of this discussion, which is to include any firewalls [and
I
| hope it eventually does. Note this has ZONEALARM now in its subject
| heading]:
|
| What version and product are you or others using?
|
| Have you or others run monitoring/sniffing programs while using ZA to see
| if it actual performs as advertised?
|
| What settings or other seemed to be the most useful to you or other users?
|
| What advise would users give concerning settings, configuration, etc. to
| other users of ZA, [noting in Curt's case, I think your using it under
W2K,
| so does that offer anything different as far as you know]?
|
| Have you or other users created any similar rules within ZA to the below
| [referencing Kerio PFW rules]?
|
||
|| "MEB" <meb@not here@hotmail.com> wrote in message
|| news:eq0$HgY0HHA.6072@TK2MSFTNGP03.phx.gbl...
|| |
|| |
|| |
|| | "PCR" <pcrrcp@netzero.net> wrote in message
|| | news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
|| || MEB wrote:
|| || | PCR and Gram Pappy [among others] have been discussing firewall
|| || | settings and what they can or should be used for.
|| ||
|| || That's right. I installed...
|| ||
| http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
|| ||
|| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
|| || later began a 17 year study of what to do with it. But I should have
|| || spoke up sooner!
|| ||
|| || | In the spirit of those discussions, I thought I would post some
|| || | blocked activity from a SINGLE session/contact through my ISP and
|| || | ONLY to this news server and my email accounts [via OE6]. This is
|| || | from the firewall log [several of my normal settings/restrictions
|| || | were specifically reset for this presentation].
|| ||
|| || Thanks for jumping in. So, you wanted to see what would happen just by
|| || connecting to the NET & using OE for mail & NG activity.
|| |
|| | Well, ah no, actually I wanted to let other users who may not have
|| | investigated or understand firewalls.
|| |
|| ||
|| || | No other Internet activity occurred [e.g., no external IE or
browser
|| || | usage or other activity]. All *allowed activity* has been removed,
so
|| || | that the addresses and activities blocked might be addressed for
|| || | perhaps a greater understanding of the function of firewalls, what
|| || | they can and are used for, and other aspects related thereto.
|| ||
|| || Really, it's important to see what was allowed too. Where I thought my
|| || Primary DNS Server rule would be used only by NetZero (they are
NetZero
|| || addresses in there)... really a whole bunch of apps were using it! But
|| || that's in the other thread!
|| |
|| | DNS is used by any program requiring addressing information. The key is
| to
|| | limit to the EXACT DNS server(s) NOT within your system [unless for
| local
|| | network traffic] and the port [53] used by that (those) server(s) with
|| | limited [chosen by previous monitoring] local ports and applications.
|| |
|| | I will NOT post all my rules or what exactly I have configured locally
|| | [that would supply the exact way to circumvent my protection], however
I
|| | will post this contact to retreive the email/news messages [your
| posting],
|| | with a few more inclusions [again, slightly modified rules and rule
|| | logging]. This was ONLY to retreive mail and the newsgroups on
| Microsoft.
|| | Nothing else occurred BUT the logon to the ISP.
|| |
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
|| | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
| ONLINE
|| | 7.0\WAOL.EXE
|| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router
|| | Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
|| | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
| ONLINE
|| | 7.0\WAOL.EXE
|| | 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router
|| | Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner:
Tcpip
|| | Kernel Driver
|| | 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router
|| | Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner:
Tcpip
|| | Kernel Driver
|| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8]
Echo
|| | Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
Echo
|| | Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1028, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP,
|| | 207.46.248.16:119->localhost:1072, Owner: no owner
|| | at which point I disconnected having retrieved mail and the news
| messages.
|| |
|| | NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip
Kernel
|| | requests.
|| |
|| ||
|| || | For those who do not understand firewalls, these activities would
or
|| || | may have been allowed as they followed either programs IN USE
| [allowed
|| || | activity], or through addressing [broadcast or otherwise] had a
|| || | firewall not been used.
|| ||
|| || That is right. Without a firewall with a good set of denial rules, all
|| || activity is allowed. Hopefully, if a virus or a trojan or a spy can
|| || sneak in that way, a good virus detector will prevent it from
| executing.
|| || Also, there may have been an MS fix or two to prevent some forms of
|| || abuse along these lines (I don't know).
|| |
|| | What would make you think any anti-spyware or anti-virus programs would
|| | check or correct these types of activities?
|| |
|| | Anti-spyware programs MAY block certain addresses and perhaps some
|| ActiveX,
|| | or other. Anti-virus MIGHT catch scripting or attempts to infect
|| something,
|| | or emails or files which contain hacks or other. Host or lmhost files
|| catch
|| | what they have been configured to catch via addressing/name.
|| | These, however, are *network use* activities WITHIN the TCP/IP and
other
|| | aspects of Internet/network usage. Firewalls, proxies, packet sniffers,
|| | client servers, the TCP/IP kernel, and the like, are what handle these
|| | activities.
|| | Of course the above is an overly simplified explanation.
|| |
|| ||
|| || | NOTE: this is contact through a dial-up connection[phone]/ISP
[which
|| || | is indicated via some of these addresses], ALWAYS ON connections are
|| || | even more of a security risk.
|| ||
|| || Uhuh. I am Dial-Up too. That way, you get a new IP address each
| connect.
|| |
|| | Only if that is what the ISP requires or desires.
|| |
|| ||
|| || | Hopefully, this discussion will be useful to those interested and
|| || | provide theory and answers to various issues.
|| || | Rule sets or other settings for various firewalls would naturally
be
|| || | of interest.
|| || |
|| || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no
owner
|| ||
|| || I find I have to guess as to the meaning of that. Looks like someone
at
|| || 67.170.2.174, who is Comcast...
|| ||
|| || http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
|| || .....Quote...........
|| || 67.170.2.174
|| || Record Type: IP Address
|| ||
|| || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| || 67.160.0.0 - 67.191.255.255
|| || Comcast Cable Communications, IP Services WASHINGTON-6
|| || (NET-67-170-0-0-1)
|| || 67.170.0.0 - 67.170.127.255
|| || .....EOQ.............
|| ||
|| || ...sent a UDP datagram to port 29081 on your machine. But I don't
|| || know...
|| ||
|| || (1) did the port exist without an owner, & would it have received
|| || the datagram (except the rule blocked it)?
|| || (The name of that rule suggests the answer is no.)
|| |
|| | The data request would have been received and likely honored.
|| | The port would have been opened/created to allow this activity.
|| |
|| ||
|| || (2) did the the port once exist & at that time have an owner,
|| || but somehow was closed before the datagram arrived?
|| || Therefore, it couldn't get it, anyhow, even if not blocked?
|| |
|| | If it would have been ALLOWED activity [e.g., without proxy or firewall
|| | monitoring or exculsion, or within a hosts or lmhosts, or other]], then
| a
|| | search would have been made for an available port, and then
|| created/opened.
|| | Look again at this:
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898->localhost:1028, Owner: no owner
|| |
|| | See the attempt to find or create an open port?
|| | Now, should I have stayed online, there would have been continued
| attempts
|| | [see your prior discussion where I was online longer], though with
|| different
|| | Shaw addressing and OUT ports, again stepping through IN [local] ports
| in
|| | attempt to find or create.one.
|| |
|| |
|| ||
|| || (3) did the port 29081 never exist?
|| ||
|| || Do any earlier log entries mention that port? You'd have to log all
|| || activity of each "permit" rule to know for sure. But, if there is no
|| || rule permitting the activity, then you would have received a Kerio
|| || requestor mentioning the port.
|| |
|| | No we don't need that.
|| | Were an ALLOWED program or address using that aspect, then it would NOT
|| | have created the denial. Either would have cascaded to find an open
port
|| for
|| | use [as long as it was in the defined rule range].
|| | AND you mention Kerio, which MUST have that turned on {requestor].
|| | Other firewalls, particularly those that automatically configure
|| | themselves, MAY not pop-up anything unless it has been configured that
|| way.
|| | They also MAY pass through such requests if piggy-backed from or on
|| allowed
|| | activities/programs. Think "but all I want to know is the user
address".
|| | Think Microsoft's firewalls, imagine what they are configured by
default
|| to
|| | allow.
|| |
|| ||
|| || Here is a Kerio help page to study...
|| ||
|| || ......Quote............
|| || Filter.log file
|| ||
|| || The filter.log file is used for logging Kerio Personal Firewall
actions
|| || on a local computer. It is created in a directory where Personal
|| || Firewall is installed (typically C:\Program Files\Kerio\Personal
|| || Firewall). It is created upon the first record.
|| ||
|| || Filter.log is a text file where each record is placed on a new line.
It
|| || has the following format:
|| ||
|| || 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services':
Blocked:
|| || In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner:
|| || G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|| ||
|| || How to read this line:
|| ||
|| || 1 rule type (1 = denying, 2 = permitting)
|| ||
|| || [08/Jun/2001 16:52:09] date and time that the packet was detected (we
|| || recommend checking the correct setting of the system time on your
|| || computer)
|| ||
|| || Rule 'Internet Information Services' name of a rule that was applied
|| || (from the Description field)
|| ||
|| || Blocked: / Permittted: indicates whether the packet was blocked or
|| || permitted (corresponds with the number at the beginning of the line)
|| ||
|| || In / Out indicates an incoming or outgoing packet
|| ||
|| || IP / TCP / UDP / ICMP, etc. communication protocol (for which the
rule
|| || was defined)
|| ||
|| || richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from
|| || which the packet was sent, in square brackets is the IP address with
| the
|| || source port after a colon
|| ||
|| || locahost:25 destination IP address (or DNS name) and port (localhost
=
|| || this computer)
|| ||
|| || Owner: name of the local application to which the packet is addressed
|| || (including its full path). If the application is a system service the
|| || name displayed is SYSTEM.
|| || .........EOQ.................
|| ||
|| || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
|| ||
|| || That one seems to be coming from...
|| ||
|| || NetRange: 200.0.0.0 - 200.255.255.255
|| || NetName: LACNIC-200
|| |
|| | Yes, that is the key to your Firewall security.
|| | Tracking each suspect activity to the originator, if possible.
|| |
|| | Actually were I to post prior complete TRACKING logs [which I
| collect(ed)
|| | for specific use], say for one day's normal usage, vast numbers of
|| | potentially dangerous attacks/attempts would be shown.
|| | The Internet is a cesspool of users, unless you protect yourself from
|| them.
|| | NO-ONE is completely invisible or invulnerable. There is always a
| starting
|| | [requesting/receiving] address [yours].
|| | If you were ACTUALLY invisible then nothing would reach you you
| couldn't
|| | receive a web page you couldn't receive email you couldn't do any
|| | networking. Whatever is requested MUST have a destination [You]. [Okay,
| I
|| | know of ways but we're not educating hackers here.]
|| |
|| | FOR THE GENERAL DOUBTER [not you PCR]:
|| | Try it. Block all network and Internet traffic in your firewall. That
|| | closes all ports, hence no requesting/receiving address [yours]. It
|| doesn't
|| | matter that you may have obtained an IP address or have one hard set,
|| there
|| | is no way to use it {don't try this for long or you will lose access to
|| the
|| | net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if
|| | applicable}...] No ports or no address and there is no network.
|| | Now turn it on again [or re-connect] and do a TRACE [preferred] or ping
| to
|| | ANY web address. Notice the addresses? Notice the routing?
|| | NOW, exactly how did YOU receive that information? Certainly it wasn't
|| | broadcast to the world and you just happened to have ended up with it.
| Or
|| | was it?
|| | --
|| |
|| | Now what could a hacker, or someone wishing to track you for whatever
|| | reason, do with that information?
|| | All that is originally needed by that party is the requesting/receiving
|| | address e.g. your address, your activity, something you did or
allowed.
|| | Once this is known then anythng that party wishes to do can be done.
Now
|| | think about ALWAYS ON connections.
|| |
|| | For instance, you did go through Sponge's other pages [used because it
| was
|| | previously referenced] which address advertising and other inoccent
|| [cough]
|| | inclusions on web pages, or which you may find on the Internet,
correct?
|| | Such as: http://www.geocities.com/yosponge/othrstuf.html
|| | Did you look at his host file, etc..
|| | Or perhaps look at ports, packets, formation, and other aspects over
on:
|| | http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
|| |
|| | 9X users?
|| | Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide
|| some
|| | nice tools for network/Internet use/diagnostics.
|| | Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be
|| careful
|| | using it, many servers do NOT like to be scanned, you may be logged and
|| your
|| | ISP or other agency may be contacted..
|| |
|| | Another nifty test tool is called *tooleaky*. A little 3k tool to test
|| your
|| | supposed security [created to test/expose GRC suggestions]. Read about
|| what
|| | it does and how. You might think twice about what you think you know.
|| |
|| | If your using 2000 or above, might want to check these older tools:
|| |
|| | http://www.foundstone.com/us/resources-free-tools.asp - Division of
| McAfee
|| |
|| | Attacker 3.00
|| |
|| | http://www.foundstone.com/knowledge/proddesc/fport.html
|| | fport - find out what is using what port - 2000 - XP/NT
|| | Identify unknown open ports and their associated applications
|| | Copyright 2002 (c) by Foundstone, Inc.
|| | http://www.foundstone.com
|| | fport supports Windows NT4, Windows 2000 and Windows XP
|| | fport reports all open TCP/IP and UDP ports and maps them to the owning
|| | application. This is the same information you would see using the
|| | 'netstat -an' command, but it also maps those ports to running
processes
|| | with the PID, process name and path. Fport can be used to quickly
| identify
|| | unknown open ports and their associated applications.
|| |
|| |
|| | Trout Version 2.0 (formerly SuboTronic)
|| | New in this release
|| | Parallel pinging, resulting in a huge speed improvment.
|| | Selectable background and text colors.
|| | Improved interface.
|| | Save trace to file.
|| | Improved HTML output.
|| | Optional continuous ping mode.
|| | Traceroute and Whois program.
|| | Copyright 2000 (c) by Foundstone, Inc.
|| | A visual (i.e. GUI as opposed to command-line) traceroute and Whois
|| program.
|| | Pinging can be set at a controllable rate as can the frequency of
|| repeatedly
|| | scanning the selected host. The built-in simple Whois lookup can be
used
|| to
|| | identify hosts discovered along the route to the destination computer.
|| | Parallel pinging and hostname lookup techniques make this traceroute
|| program
|| | perhaps the fastest currently available.
|| |
|| |
|| | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
|| Microsoft's
|| | TechNet
|| |
|| ||
|| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no
| owner
|| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 218.10.137.139:55190->localhost:1027, Owner: no
| owner
|| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 190.46.171.127:41806->localhost:29081, Owner: no
|| || | owner 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port
|| || | received': Blocked: In UDP, 190.46.171.127:41806->localhost:29081,
|| || | Owner: no owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened
|| || | port received': Blocked: In UDP,
|| || | 189.153.168.143:32737->localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 58.49.103.227:1107->localhost:1434, Owner: no owner
|| || | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received':
|| || | Blocked: In TCP, 219.148.119.6:12200->localhost:7212, Owner: no
owner
|| || | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received':
|| || | Blocked: In TCP, 219.148.119.6:12200->localhost:8000, Owner: no
owner
|| || | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
|| || | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186,
Owner:
|| || | no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port
|| || | received': Blocked: In UDP, 90.20.19.204:46983->localhost:29081,
|| || | Owner: no owner 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened
|| || | port received': Blocked: In UDP,
87.235.125.80:8052->localhost:29081,
|| || | Owner: no owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened
|| || | port received': Blocked: In UDP,
69.126.6.107:32338->localhost:29081,
|| || | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened
|| || | port received': Blocked: In UDP,
|| || | 189.128.113.251:16491->localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 221.209.110.13:49282->localhost:1026, Owner: no
|| || | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port
|| || | received': Blocked: In UDP, 221.209.110.13:49282->localhost:1027,
|| || | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened
|| || | port received': Blocked: In UDP,
|| || | 200.117.180.230:22925->localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 74.120.200.92:45097->localhost:29081, Owner: no
|| || | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port
|| || | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar
|| || | [200.117.180.230:22925]->localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 88.22.213.173:19033->localhost:29081, Owner: no
|| || | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port
|| || | received': Blocked: In UDP, 74.107.240.241:48641->localhost:29081,
|| || | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened
|| || | port received': Blocked: In UDP,
|| || | 221.208.208.95:53699->localhost:1026, Owner: no owner 1,[28/Jul/2007
|| || | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP,
|| || | 67.81.156.51:20406->localhost:29081, Owner: no owner 1,[28/Jul/2007
|| || | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP,
|| || | 200.89.49.207:23085->localhost:29081, Owner: no owner 1,[28/Jul/2007
|| || | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP,
|| || | 221.208.208.90:33490->localhost:1026, Owner: no owner 1,[28/Jul/2007
|| || | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP,
|| || | 142.161.209.54:15611->localhost:29081, Owner: no owner
1,[28/Jul/2007
|| || | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP,
|| || | 190.60.89.179:47922->localhost:29081, Owner: no owner 1,[28/Jul/2007
|| || | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP,
|| || | msnews.microsoft.com [207.46.248.16:119]->localhost:1185, Owner: no
|| || | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port
|| || | received': Blocked: In UDP, 190.31.24.235:50988->localhost:29081,
|| || | Owner: no owner
|| || |
|| || |
|| || | --
|| || | MEB
|| || | http://peoplescounsel.orgfree.com
|| || | ________
|| ||
|| || --
|| || Thanks or Good Luck,
|| || There may be humor in this post, and,
|| || Naturally, you will not sue,
|| || Should things get worse after this,
|| || PCR
|| || pcrrcp@netzero.net
|| ||
|| ||
|| |
|| |
|| | --
|| | MEB
|| | http://peoplescounsel.orgfree.com
|| | ________
|| |
|| |
|| |
|| |
||
||
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
|
 
P

PCR

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
|| MEB wrote:
|| | PCR and Gram Pappy [among others] have been discussing firewall
|| | settings and what they can or should be used for.
||
|| That's right. I installed...
||
http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
||
|| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
|| later began a 17 year study of what to do with it. But I should have
|| spoke up sooner!
||
|| | In the spirit of those discussions, I thought I would post some
|| | blocked activity from a SINGLE session/contact through my ISP and
|| | ONLY to this news server and my email accounts [via OE6]. This is
|| | from the firewall log [several of my normal settings/restrictions
|| | were specifically reset for this presentation].
||
|| Thanks for jumping in. So, you wanted to see what would happen just
|| by connecting to the NET & using OE for mail & NG activity.
|
| Well, ah no, actually I wanted to let other users who may not have
| investigated or understand firewalls.

Uh-huh. Naturally, you & I have advanced beyond that point.

||
|| | No other Internet activity occurred [e.g., no external IE or
|| | browser usage or other activity]. All *allowed activity* has been
|| | removed, so that the addresses and activities blocked might be
|| | addressed for perhaps a greater understanding of the function of
|| | firewalls, what they can and are used for, and other aspects
|| | related thereto.
||
|| Really, it's important to see what was allowed too. Where I thought
|| my Primary DNS Server rule would be used only by NetZero (they are
|| NetZero addresses in there)... really a whole bunch of apps were
|| using it! But that's in the other thread!
|
| DNS is used by any program requiring addressing information.

The sole purpose of my DNS Server rule(s)...

Protocol.......... UDP
Direction......... Both
Local Endpoint
Ports........... 1024-5000
Application... Any (but now I've limited it to 5 apps
by creating 5 of these rules)
Remote Endpoint
Addresses.... The entire NetZero range
Port............. 53

.... is to resolve NET addresses? Still, am I right to seek to limit it
to the five apps I kind of have to trust? Otherwise, can't it be
appropriated by some devious app to do ill?

| The key
| is to limit to the EXACT DNS server(s) NOT within your system [unless
| for local network traffic] and the port [53] used by that (those)
| server(s) with limited [chosen by previous monitoring] local ports
| and applications.

Why do I need to bother with ports, if I limit the DNS rule(s) to
trusted apps & to trusted NetZero addresses? Unfortunately, Kerio does
not permit a list of apps in a rule, the way it does with ports &
addresses. So, currently I have coded 5 of them...!...

(1) DNS Server-- EXEC.exe (NetZero)
(2) DNS Server-- ASHWEBSV (avast! Web Scanner)
(3) DNS Server-- AVAST.SETUP (There actually is no program)
(4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
(5) DNS Server-- IExplore

| I will NOT post all my rules or what exactly I have configured
| locally [that would supply the exact way to circumvent my
| protection],

OK.

| however I will post this contact to retreive the
| email/news messages [your posting], with a few more inclusions
| [again, slightly modified rules and rule logging]. This was ONLY to
| retreive mail and the newsgroups on Microsoft. Nothing else occurred
| BUT the logon to the ISP.

OK, limited to mail & NG activities, right.

| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
| ONLINE
| 7.0\WAOL.EXE

So... WAOL.exe (which was port 1030 on your computer) needed to resolve
an address? And it did so at XXX.XXX.XXX.X, port7427? Is that what that
says?

| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver

I get lots of those. Here is the last I recorded...

1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver

...., but, beginning yesterday, I have chosen NOT to log those anymore. I
have two rules above that blocker. One allows ICMP incoming for...
[0] Echo Reply, [3] Destination Unreachable, [11] Time Exceeded

The other allows it outgoing for...
[3] Destination Unreachable, [8] Echo Request

I think that's probably finalized for ICMP. In this case, specific apps
& ports are not possible in the rules-- only specific endpoint addresses
are. But mine apply to any address.

| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
| ONLINE
| 7.0\WAOL.EXE

| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2],
| Owner: Tcpip Kernel Driver

I've never seen an ALL-ROUTERS.MCAST.NET. But this would also be blocked
in my machine!

| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2],
| Owner: Tcpip Kernel Driver

| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8]
| Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver

| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
| Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1026, Owner: no owner

I used to get these Kerio alert's about Shaw Comm...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
port 1027 owned by 'Distributed COM Services' on your computer.

...., but they are prevented now with a rule that specifically blocks
RPCSS.exe (which is Distributed COM Services & which establishes the
port 1027) from using UDP/TCP. Eventually, I hope to remove that block
rule (& 4 others)-- after I have completed my UDP & TCP permit rules for
speific, trusted apps/addresses. Then, RPCSS.exe will be blocked along
with the others by virtue of not being included in the PERMITs-- &
having one single BLOCK after them.

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1027, Owner: no owner

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1028, Owner: no owner

| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In
| TCP, 207.46.248.16:119->localhost:1072, Owner: no owner

I haven't begun to finalize my TCP rules yet. That's probably where I go
next, once UDP is done!

| at which point I disconnected having retrieved mail and the news
| messages.

Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
PersFW.exe, & PFWadMin.exe-- which are just some of the ones using it in
here before I recently have prevented them! Well, I guess it may require
the clicking of an URL for those to kick in.

| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip
| Kernel requests.

What specifically is notable about them?

||
|| | For those who do not understand firewalls, these activities would
|| | or may have been allowed as they followed either programs IN USE
|| | [allowed activity], or through addressing [broadcast or otherwise]
|| | had a firewall not been used.
||
|| That is right. Without a firewall with a good set of denial rules,
|| all activity is allowed. Hopefully, if a virus or a trojan or a spy
|| can sneak in that way, a good virus detector will prevent it from
|| executing. Also, there may have been an MS fix or two to prevent
|| some forms of abuse along these lines (I don't know).
|
| What would make you think any anti-spyware or anti-virus programs
| would check or correct these types of activities?

I do believe an actual executable can be read into a machine through
malicious use of these NET packets, although I'm not sure which precise
protocols can do it. Once it is read in &/or tries to run, one hopes
one's virus/malware scanner WILL catch it, before it delivers its
payload!

| Anti-spyware programs MAY block certain addresses and perhaps some
| ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
| infect something, or emails or files which contain hacks or other.

It is still quick enough, in the cases when this bad stuff makes it
through the firewall (or the lack of one), for these other apps to catch
them trying to do their ill work-- if they can!

BUT, I'm sure some ill-conceived packet can possibly do ill without
delivering an executable that can be caught in another way. Somewhere in
my 12th year of study I will know what these packets are & the protocols
they use! But I'm hoping to get my Kerio rules solidified a lot sooner!

| Host or lmhost files catch what they have been configured to catch
| via addressing/name. These, however, are *network use* activities
| WITHIN the TCP/IP and other aspects of Internet/network usage.
| Firewalls, proxies, packet sniffers, client servers, the TCP/IP
| kernel, and the like, are what handle these activities.
| Of course the above is an overly simplified explanation.

This isn't the year for me to really want to know every little detail,
anyhow.

||
|| | NOTE: this is contact through a dial-up connection[phone]/ISP
|| | [which is indicated via some of these addresses], ALWAYS ON
|| | connections are even more of a security risk.
||
|| Uhuh. I am Dial-Up too. That way, you get a new IP address each
|| connect.
|
| Only if that is what the ISP requires or desires.

OK. For me, it does happen that way, I'm fairly sure.

||
|| | Hopefully, this discussion will be useful to those interested and
|| | provide theory and answers to various issues.
|| | Rule sets or other settings for various firewalls would naturally
|| | be of interest.
|| |
|| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no
|| | owner
||
|| I find I have to guess as to the meaning of that. Looks like someone
|| at
|| 67.170.2.174, who is Comcast...
||
|| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174

|| .....Quote...........
|| 67.170.2.174
|| Record Type: IP Address
||
|| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| 67.160.0.0 - 67.191.255.255
|| Comcast Cable Communications, IP Services WASHINGTON-6
|| (NET-67-170-0-0-1)
|| 67.170.0.0 - 67.170.127.255
|| .....EOQ.............
||
|| ...sent a UDP datagram to port 29081 on your machine. But I don't
|| know...
||
|| (1) did the port exist without an owner, & would it have received
|| the datagram (except the rule blocked it)?
|| (The name of that rule suggests the answer is no.)
|
| The data request would have been received and likely honored.
| The port would have been opened/created to allow this activity.

I'm still thinking the port has to already be open to receive a packet.
Is there documentation that may say otherwise?

||
|| (2) did the the port once exist & at that time have an owner,
|| but somehow was closed before the datagram arrived?
|| Therefore, it couldn't get it, anyhow, even if not blocked?
|
| If it would have been ALLOWED activity [e.g., without proxy or
| firewall monitoring or exculsion, or within a hosts or lmhosts, or
| other]], then a search would have been made for an available port,
| and then created/opened. Look again at this:
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898->localhost:1028, Owner: no owner
|
| See the attempt to find or create an open port?

Looks like Shaw Comm is trying to FIND one. If it could create one, why
wouldn't it stop & just create 1026?

It might still be worthwhile to block these-- but I wouldn't want to
block them on an individual basis per abuser like Shaw Comm.

| Now, should I have stayed online, there would have been continued
| attempts [see your prior discussion where I was online longer],
| though with different Shaw addressing and OUT ports, again stepping
| through IN [local] ports in attempt to find or create.one.

I'll look.

||
|| (3) did the port 29081 never exist?
||
|| Do any earlier log entries mention that port? You'd have to log all
|| activity of each "permit" rule to know for sure. But, if there is no
|| rule permitting the activity, then you would have received a Kerio
|| requestor mentioning the port.
|
| No we don't need that.
| Were an ALLOWED program or address using that aspect, then it would
| NOT have created the denial.

No, I wanted to know... did a PERMIT exist that came from port 29081?
That would prove the port once existed & possibly initiated a
communication with Shaw Comm. But, I'm fairly confident no such thing
happened-- but it was Shaw Comm doing a probe. If it found it & activity
was permitted-- mayhem such as pop-up ads or at least spying may have
ensued, I think!

| Either would have cascaded to find an
| open port for use [as long as it was in the defined rule range].

That's what I think-- it wants to find one that is already open.

| AND you mention Kerio, which MUST have that turned on {requestor].

Oops, that's right. "Kerio, Administration, Firewall tab" has to be set
at "Ask me first". Then, when activity occurs that is not covered by a
rule, an alert requestor will appear. It offers to create the rule,
which later can be fine tuned. Yep, & that's a great feature!

| Other firewalls, particularly those that automatically configure
| themselves, MAY not pop-up anything unless it has been configured
| that way. They also MAY pass through such requests if piggy-backed
| from or on allowed activities/programs. Think "but all I want to know
| is the user address". Think Microsoft's firewalls, imagine what they
| are configured by default to allow.

Yep. Kerio seems to have it all. It's highly configurable!

....snip of Kerio help page
|| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
||
|| That one seems to be coming from...
||
|| NetRange: 200.0.0.0 - 200.255.255.255
|| NetName: LACNIC-200
|
| Yes, that is the key to your Firewall security.
| Tracking each suspect activity to the originator, if possible.

In the end, I just want to block them.

| Actually were I to post prior complete TRACKING logs [which I
| collect(ed) for specific use], say for one day's normal usage, vast
| numbers of potentially dangerous attacks/attempts would be shown.

By the way, how do you empty Kerio's Filter.log, when you think you've
seen enough? (I've been deleting it in DOS along with Filter.log.idx.)

....snip of stuff not meant for me, but thanks for the additional URLs to
research. And thanks for continuing to contribute to my understanding of
it.

| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
| Microsoft's TechNet
|

OK, I see here again are the other "no owner's"...

||
|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no
|| | owner

This is an attempt to send a UDP packet to port 1026. I still doubt it
really needs to be blocked, if the port indeed does not exist. For UDP,
I favor PERMITs of trusted apps from trusted addresses-- & one single
block of UPD afterwards that will cover all others. (But I'm not even
totally set up that way, myself, yet.) And I want to do it that way for
TCP too.

....snip of other In UDP.

1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port
|| | received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212,
|| | Owner: no owner

Ah-- a TCP! Soon, I must do with TCP what I nearly am finishing with
UDP!

....snip
|| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
|| | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186,
|| | Owner: no owner

I don't believe I've seen one of those. Could be I'm just not tracking
the rule that does it. Looks like msnews.microsoft.com was still trying
to communicate after the NET connection was closed. What app controlled
localhost:1186?

....snip of a bunch more of In UDPs & possibly In TCPs.
 
M

MEB

Re: firewalls - ZONEALARM - what to block and why - your security at risk

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
news:ua30J4j0HHA.4184@TK2MSFTNGP06.phx.gbl...
| Hi MEB, and all,
|
|
| I'm actually running a rather old version of ZA v. 3.1.291. My
philosophy
| is *unlike* AV apps. etc., there just isn't much to improve IMHO. I don't
| want or need any additional bells and whistles.

Well, I certainly can't say otherwise, I now use a Kerio PF version, long
ago supposedly left in the dust, yet it seems, so far, to provide what is
needed.

|
| And you were close, I'm running XP Pro, but I keep perusing this group,
| because this is where it all started for me. I still have my copy of
W98SE,
| but it's kind of a pain to install that *after* XP is already there. I was
a
| die-hard 98 fan, and swore I would *never* switch to XP, but the computer
I
| inherited already had it on it. I figured I'd give it a try, and if I
| didn't like it, well, then back to good ol' 98. The way I have XP set up,
| you'd almost think it was 98. I turned off *all* the cutesy eye-candy
etc.,
| mainly for performance reasons. Besides, I *hate* pastels! This box was
| built for W98.

Hey, I tested a XP PRO box for a few years [using ZA], and yeah, to think
that users actually like those glitsy aspects. I turned most of it off as
well, cause it seemed to make everything much more difficult [though I
suppose I can trace that to all those years of command prompt usage]... and
slooooooow.. I felt like I was being dumbed down ...

| I have to admit that it is extremely stable, but then again so was my 98
| install. It's the "junk" we add later that tends to muck things up.

Yeah, and that junk does accumulate... gees, with this last 98SE testing
install I dumped another couple of dozen MORE progs,, I couldn't remember
the last time I even thought about using them... then again I had to dig out
some old testing programs CDs that I hadn't installed for at least two prior
testing installations [old video test stuff]...

|
| Sorry I digressed.

Hey, your still a die hard 98 user at heart, PCR would say that tin foil
hat did some good, still got a few bits of brain matter left <-Q ...

So what words of wisdom for ZA could you give to its users?

|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" <meb@not here@hotmail.com> wrote in message
| news:%23VgmuJi0HHA.4476@TK2MSFTNGP06.phx.gbl...
| |
| |
| | "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
| | news:%23tJUffZ0HHA.1204@TK2MSFTNGP03.phx.gbl...
| || Some real food for thought gentlemen. Thank you.
| ||
| || P.S. I've been using ZA since 2000.
| ||
| || --
| || HTH,
| || Curt
| ||
| || Windows Support Center
| || www.aumha.org
| || Practically Nerded,...
| || http://dundats.mvps.org/Index.htm
| |
| | We aim to please...
| |
| | I also used ZA for a number of years on the various 9X boxes and XP. The
| | rules aspect of other firewalls always drew me [having a Linux, Zenix,
NT
| | background] but I thought it wise to use what others might be using [for
| | comparison purposes].
| | Now however, with the use of highly questionable activities on the
| | Internet, and my personal questions related to ZA, and no support from
| | Microsoft and ZoneLabs, I thought I would return to something which gave
| | considerably more control during my final testing days under 9X.
| |
| | I have an old ZA version [forgot which version though, and have no
| | intention of re-installing it] about 1.4meg which actually seemed to
| supply
| | MOST of the normal functions required, at least semi-adequately.
Sometimes
| I
| | thought the newer versions were attempting aspects which were not well
| | implimented or implimented in a fashion I thought not user friendly. Of
| | course there is an ability to setup *rules like* activities within ZA,
but
| I
| | would imagine most users do not do so.
| |
| | In the spirit of this discussion, which is to include any firewalls
[and
| I
| | hope it eventually does. Note this has ZONEALARM now in its subject
| | heading]:
| |
| | What version and product are you or others using?
| |
| | Have you or others run monitoring/sniffing programs while using ZA to
see
| | if it actual performs as advertised?
| |
| | What settings or other seemed to be the most useful to you or other
users?
| |
| | What advise would users give concerning settings, configuration, etc. to
| | other users of ZA, [noting in Curt's case, I think your using it under
| W2K,
| | so does that offer anything different as far as you know]?
| |
| | Have you or other users created any similar rules within ZA to the below
| | [referencing Kerio PFW rules]?
| |

--
MEB
http://peoplescounsel.orgfree.com
________
 
C

Curt Christianson

Re: firewalls - ZONEALARM - what to block and why - your security at risk

|
| So what words of wisdom for ZA could you give to its users?

Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR
might claim I don't have any words at all, let alone "wise" ones.

I can only say that if one is running an older machine as I am, and would
like to use a software firewall, you're not stuck with having to use the
newest and fanciest (and usually most resource intensive). Old versions of
ZA, and I imagine other names can be found all over the Internet. The fist
place that comes to mind is http://www.oldversion.com/ . Firewalls and AV
apps. are notorious for causing longer boot times, and resource usage--and
newer usually means even more overhead. I *need* the latest/greatest, most
up-to-date AV, but when it comes to firewalls newer is *not* necessarily
better.
I also encountered a problem between AOL and ZA back in the days. ZA would
block AOL, no matter what kind of permissions etc. I gave unless I dropped
the "Internet Security Zone" from "High" to "Medium", then all was well.
MEB, I believe you are using AOL or Netscape, am I correct?
I finally turned off the "casual" alerts, as they were coming too fast and
furious. I just sat back and let ZA do its' job.
One final note, if one has logging enabled, be sure to occasionally clean
out the old ZA logs--not a whole lot of use for them usually. On old ZA
installations, it's not located in the ZA folder, but rather at
C:\Windows\Internet Logs.

That's more than I've said in the whole time I used to hang out here!


--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message
news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
|
<snipped>
 
G

Galen Somerville

Re: firewalls - ZONEALARM - what to block and why - your security at risk

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
news:enX73Vq0HHA.4184@TK2MSFTNGP06.phx.gbl...
> |
> | So what words of wisdom for ZA could you give to its users?
>
> Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR
> might claim I don't have any words at all, let alone "wise" ones.
>
> I can only say that if one is running an older machine as I am, and would
> like to use a software firewall, you're not stuck with having to use the
> newest and fanciest (and usually most resource intensive). Old versions of
> ZA, and I imagine other names can be found all over the Internet. The fist
> place that comes to mind is http://www.oldversion.com/ . Firewalls and AV
> apps. are notorious for causing longer boot times, and resource usage--and
> newer usually means even more overhead. I *need* the latest/greatest, most
> up-to-date AV, but when it comes to firewalls newer is *not* necessarily
> better.
> I also encountered a problem between AOL and ZA back in the days. ZA would
> block AOL, no matter what kind of permissions etc. I gave unless I dropped
> the "Internet Security Zone" from "High" to "Medium", then all was well.
> MEB, I believe you are using AOL or Netscape, am I correct?
> I finally turned off the "casual" alerts, as they were coming too fast and
> furious. I just sat back and let ZA do its' job.
> One final note, if one has logging enabled, be sure to occasionally clean
> out the old ZA logs--not a whole lot of use for them usually. On old ZA
> installations, it's not located in the ZA folder, but rather at
> C:\Windows\Internet Logs.
>
> That's more than I've said in the whole time I used to hang out here!
>
>
> --
> HTH,
> Curt
>
> Windows Support Center
> www.aumha.org
> Practically Nerded,...
> http://dundats.mvps.org/Index.htm
>
> "MEB" <meb@not here@hotmail.com> wrote in message
> news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
> |
> <snipped>
>
>
I use ZA 6.1.744.001 on my Win98se and have had zero problems with it.

Galen
 
M

MEB

Re: firewalls - ZONEALARM - what to block and why - your security at risk

"Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
news:enX73Vq0HHA.4184@TK2MSFTNGP06.phx.gbl...
| |
| | So what words of wisdom for ZA could you give to its users?
|
| Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR
| might claim I don't have any words at all, let alone "wise" ones.
|
| I can only say that if one is running an older machine as I am, and would
| like to use a software firewall, you're not stuck with having to use the
| newest and fanciest (and usually most resource intensive). Old versions
of
| ZA, and I imagine other names can be found all over the Internet. The
fist
| place that comes to mind is http://www.oldversion.com/ . Firewalls and AV
| apps. are notorious for causing longer boot times, and resource usage--and
| newer usually means even more overhead. I *need* the latest/greatest,
most
| up-to-date AV, but when it comes to firewalls newer is *not* necessarily
| better.

Those are good points. AV of course does require updates constantly to
address new threats, whereas firewalls if they actually provided the
protection needed at some point in their version history, MAY continue to do
so. As long as IPv6 and other newer aspects of net usage can be addressed
within the firewall, their function can still be counted upon.
I would presume though, that protocal/packet changes may make some of the
oldest versions incapable. I seem to remember ZA issuing a few supposed
updates which were more for *visual effects* than for much of anything
else...

I also thought the clickable *server* / two zone aspects were perhaps a bit
weak for control, though useful... since I was previously testing a number
of programs from the net, I can say ZA DID catch [at least] one which would
have been a security threat since it constantly wanted full control and net
contact, and to *phone home* even when supposedly not running [no visual in
crtl/alt/del, though viewable in Process Explorer and other such programs,
and locatable in the registry] which could be blocked via those server/zone
allowances, though those programs were always removed when that was found
if it isn't being used, what right does it have to MY Internet usage or my
network....

| I also encountered a problem between AOL and ZA back in the days. ZA
would
| block AOL, no matter what kind of permissions etc. I gave unless I dropped
| the "Internet Security Zone" from "High" to "Medium", then all was well.
| MEB, I believe you are using AOL or Netscape, am I correct?

YES, in part ...
AOL is used for this: contact name news group contact and
tracking/testing installation.
AOL is *all over the place* in addressing, sometimes one address is used
exclusively for one function, sometimes it appears to be used for something
else... then other servers are added, then not used again,,, I suppose AOL
believes its a private network and its users will not use anything but the
AOL browser, email, and its local network for everything ... AS IF
AOL would force a lengthy discussion all its own, such a mess, so
intrusive... I'm STILL trying to lock down aspects because I hate general
allowances, believing they give too much control to someone else, to many
attackable entry points ...

| I finally turned off the "casual" alerts, as they were coming too fast and
| furious. I just sat back and let ZA do its' job.
| One final note, if one has logging enabled, be sure to occasionally clean
| out the old ZA logs--not a whole lot of use for them usually. On old ZA
| installations, it's not located in the ZA folder, but rather at
| C:\Windows\Internet Logs.
|
| That's more than I've said in the whole time I used to hang out here!
|

But you're still here, AND that is good advise... don't be a stranger, I'm
sure you still remember enough about 98 to participate in the group ... and
we do have the dual booters, so your XP experiance is relevant ...

Though remarkably, many try to run those issues out of here ... as if the
issues aren't relevant in either XP groups or here .... though supposedly
they ARE relevant in those 2000, 2003, XP, VISTA groups, AND even though
some of those same people monitoring this group DO answer those questions in
those groups or other forums, go figure ... guess they must think 98 users
are intellectually incapable, you HAVE to use those nifty new OSs to have
any interest or comprehension ...

But now *I* digress ....
[Let's see if this makes it through, my PCR response has not, through six
attempts]

|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" <meb@not here@hotmail.com> wrote in message
| news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
| |
| <snipped>
|
|

--
MEB
http://peoplescounsel.orgfree.com
________
 
P

PCR

Re: firewalls - ZONEALARM - what to block and why - your security at risk

Curt Christianson wrote:
|| So what words of wisdom for ZA could you give to its users?
|
| Words of wisdom, well, after spending 1 1/2 years under XP's spell,
| PCR might claim I don't have any words at all, let alone "wise" ones.

You had one/two episodes of wisdom once, Christianson. I'm sure we all
would remember them, if we try. But I'm just wondering now... you say
you INHERITED that machine? I'm very suspicious of XP-irradiation being
the reason why!

| I can only say that if one is running an older machine as I am, and
| would like to use a software firewall, you're not stuck with having
| to use the newest and fanciest (and usually most resource intensive).
| Old versions of ZA, and I imagine other names can be found all over
| the Internet. The fist place that comes to mind is
| http://www.oldversion.com/ . Firewalls and AV apps. are notorious
| for causing longer boot times, and resource usage--and newer usually
| means even more overhead. I *need* the latest/greatest, most
| up-to-date AV, but when it comes to firewalls newer is *not*
| necessarily better.

I agree. Until new protocols are added to NET talk, a new firewall
should be unnecessary. And I can't imagine anything being more
configurable than Kerio Firewall v.2.1.5. The only things...

(a) I wish there could be a list of apps in a single rule,
like they allow a list/range of ports & addresses.

(b) It would be nice to duplicate a rule with a click,
just as a template or starting point for a similar one.

BUT, there's a TON to like about Kerio. Very configurable!

| I also encountered a problem between AOL and ZA back in the days. ZA
| would block AOL, no matter what kind of permissions etc. I gave
| unless I dropped the "Internet Security Zone" from "High" to
| "Medium", then all was well. MEB, I believe you are using AOL or
| Netscape, am I correct?
| I finally turned off the "casual" alerts, as they were coming too
| fast and furious. I just sat back and let ZA do its' job.
| One final note, if one has logging enabled, be sure to occasionally
| clean out the old ZA logs--not a whole lot of use for them usually.
| On old ZA installations, it's not located in the ZA folder, but
| rather at C:\Windows\Internet Logs.

Hmm. There seems to be no way to delete Kerio's Filter.log, except to
drop into DOS for it. And I think Filter.log.idx must be deleted too,
then. That's another thing!

| That's more than I've said in the whole time I used to hang out here!

Maybe you're getting giddy of XP-poisoning now!

| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" <meb@not here@hotmail.com> wrote in message
| news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
||
| <snipped>

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 
C

Curt Christianson

Re: firewalls - ZONEALARM - what to block and why - your security at risk

LOL! Thanks PCR. That reminds me of the one where "I thought I was wrong
once, but I must have been mistaken".

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"PCR" <pcrrcp@netzero.net> wrote in message
news:ekyxRqu0HHA.3768@TK2MSFTNGP06.phx.gbl...
| Curt Christianson wrote:
||| So what words of wisdom for ZA could you give to its users?
||
|| Words of wisdom, well, after spending 1 1/2 years under XP's spell,
|| PCR might claim I don't have any words at all, let alone "wise" ones.
|
| You had one/two episodes of wisdom once, Christianson. I'm sure we all
| would remember them, if we try. But I'm just wondering now... you say
| you INHERITED that machine? I'm very suspicious of XP-irradiation being
| the reason why!
|
|| I can only say that if one is running an older machine as I am, and
|| would like to use a software firewall, you're not stuck with having
|| to use the newest and fanciest (and usually most resource intensive).
|| Old versions of ZA, and I imagine other names can be found all over
|| the Internet. The fist place that comes to mind is
|| http://www.oldversion.com/ . Firewalls and AV apps. are notorious
|| for causing longer boot times, and resource usage--and newer usually
|| means even more overhead. I *need* the latest/greatest, most
|| up-to-date AV, but when it comes to firewalls newer is *not*
|| necessarily better.
|
| I agree. Until new protocols are added to NET talk, a new firewall
| should be unnecessary. And I can't imagine anything being more
| configurable than Kerio Firewall v.2.1.5. The only things...
|
| (a) I wish there could be a list of apps in a single rule,
| like they allow a list/range of ports & addresses.
|
| (b) It would be nice to duplicate a rule with a click,
| just as a template or starting point for a similar one.
|
| BUT, there's a TON to like about Kerio. Very configurable!
|
|| I also encountered a problem between AOL and ZA back in the days. ZA
|| would block AOL, no matter what kind of permissions etc. I gave
|| unless I dropped the "Internet Security Zone" from "High" to
|| "Medium", then all was well. MEB, I believe you are using AOL or
|| Netscape, am I correct?
|| I finally turned off the "casual" alerts, as they were coming too
|| fast and furious. I just sat back and let ZA do its' job.
|| One final note, if one has logging enabled, be sure to occasionally
|| clean out the old ZA logs--not a whole lot of use for them usually.
|| On old ZA installations, it's not located in the ZA folder, but
|| rather at C:\Windows\Internet Logs.
|
| Hmm. There seems to be no way to delete Kerio's Filter.log, except to
| drop into DOS for it. And I think Filter.log.idx must be deleted too,
| then. That's another thing!
|
|| That's more than I've said in the whole time I used to hang out here!
|
| Maybe you're getting giddy of XP-poisoning now!
|
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
||
|| "MEB" <meb@not here@hotmail.com> wrote in message
|| news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
|||
|| <snipped>
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|
 
C

Curt Christianson

Re: firewalls - ZONEALARM - what to block and why - your security at risk

Thanks so much. I'll be watching for further developments, and putting my 2
cents worth in.

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" <meb@not here@hotmail.com> wrote in message
news:uYzk%23Ju0HHA.4344@TK2MSFTNGP03.phx.gbl...
|
| "Curt Christianson" <curtchristnsn@NOSPAM.Yahoo.com> wrote in message
| news:enX73Vq0HHA.4184@TK2MSFTNGP06.phx.gbl...
|| |
|| | So what words of wisdom for ZA could you give to its users?
||
|| Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR
|| might claim I don't have any words at all, let alone "wise" ones.
||
|| I can only say that if one is running an older machine as I am, and would
|| like to use a software firewall, you're not stuck with having to use the
|| newest and fanciest (and usually most resource intensive). Old versions
| of
|| ZA, and I imagine other names can be found all over the Internet. The
| fist
|| place that comes to mind is http://www.oldversion.com/ . Firewalls and
AV
|| apps. are notorious for causing longer boot times, and resource
usage--and
|| newer usually means even more overhead. I *need* the latest/greatest,
| most
|| up-to-date AV, but when it comes to firewalls newer is *not* necessarily
|| better.
|
| Those are good points. AV of course does require updates constantly to
| address new threats, whereas firewalls if they actually provided the
| protection needed at some point in their version history, MAY continue to
do
| so. As long as IPv6 and other newer aspects of net usage can be addressed
| within the firewall, their function can still be counted upon.
| I would presume though, that protocal/packet changes may make some of the
| oldest versions incapable. I seem to remember ZA issuing a few supposed
| updates which were more for *visual effects* than for much of anything
| else...
|
| I also thought the clickable *server* / two zone aspects were perhaps a
bit
| weak for control, though useful... since I was previously testing a number
| of programs from the net, I can say ZA DID catch [at least] one which
would
| have been a security threat since it constantly wanted full control and
net
| contact, and to *phone home* even when supposedly not running [no visual
in
| crtl/alt/del, though viewable in Process Explorer and other such programs,
| and locatable in the registry] which could be blocked via those
server/zone
| allowances, though those programs were always removed when that was found
| if it isn't being used, what right does it have to MY Internet usage or my
| network....
|
|| I also encountered a problem between AOL and ZA back in the days. ZA
| would
|| block AOL, no matter what kind of permissions etc. I gave unless I
dropped
|| the "Internet Security Zone" from "High" to "Medium", then all was well.
|| MEB, I believe you are using AOL or Netscape, am I correct?
|
| YES, in part ...
| AOL is used for this: contact name news group contact and
| tracking/testing installation.
| AOL is *all over the place* in addressing, sometimes one address is used
| exclusively for one function, sometimes it appears to be used for
something
| else... then other servers are added, then not used again,,, I suppose AOL
| believes its a private network and its users will not use anything but the
| AOL browser, email, and its local network for everything ... AS IF
| AOL would force a lengthy discussion all its own, such a mess, so
| intrusive... I'm STILL trying to lock down aspects because I hate general
| allowances, believing they give too much control to someone else, to many
| attackable entry points ...
|
|| I finally turned off the "casual" alerts, as they were coming too fast
and
|| furious. I just sat back and let ZA do its' job.
|| One final note, if one has logging enabled, be sure to occasionally clean
|| out the old ZA logs--not a whole lot of use for them usually. On old ZA
|| installations, it's not located in the ZA folder, but rather at
|| C:\Windows\Internet Logs.
||
|| That's more than I've said in the whole time I used to hang out here!
||
|
| But you're still here, AND that is good advise... don't be a stranger, I'm
| sure you still remember enough about 98 to participate in the group ...
and
| we do have the dual booters, so your XP experiance is relevant ...
|
| Though remarkably, many try to run those issues out of here ... as if the
| issues aren't relevant in either XP groups or here .... though supposedly
| they ARE relevant in those 2000, 2003, XP, VISTA groups, AND even though
| some of those same people monitoring this group DO answer those questions
in
| those groups or other forums, go figure ... guess they must think 98 users
| are intellectually incapable, you HAVE to use those nifty new OSs to have
| any interest or comprehension ...
|
| But now *I* digress ....
| [Let's see if this makes it through, my PCR response has not, through six
| attempts]
|
||
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
||
|| "MEB" <meb@not here@hotmail.com> wrote in message
|| news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
|| |
|| <snipped>
||
||
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
|
 
P

PCR

Just testing to see whether this thread segment died of XP-irradiation
from Christianson's post! MEB has complained he couldn't post here!
 
P

PCR

Re: firewalls - ZONEALARM - what to block and why - your security at risk

MEB wrote:
....snip
| [Let's see if this makes it through, my PCR response has not, through
| six attempts]

Let me go try. But if it won't work there, put it here. There's no
telling which thread segments will perish first, once an XP-machine has
posted to the thread!
 
P

PCR

Re: firewalls - ZONEALARM - what to block and why - your security at risk

Curt Christianson wrote:
| LOL! Thanks PCR. That reminds me of the one where "I thought I was
| wrong once, but I must have been mistaken".

You are welcome. And looks like I can still post to this thread. MEB
must have forgotten his tinfoil hat, is all!

| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:ekyxRqu0HHA.3768@TK2MSFTNGP06.phx.gbl...
|| Curt Christianson wrote:
|||| So what words of wisdom for ZA could you give to its users?
|||
||| Words of wisdom, well, after spending 1 1/2 years under XP's spell,
||| PCR might claim I don't have any words at all, let alone "wise"
||| ones.
||
|| You had one/two episodes of wisdom once, Christianson. I'm sure we
|| all would remember them, if we try. But I'm just wondering now...
|| you say you INHERITED that machine? I'm very suspicious of
|| XP-irradiation being the reason why!
||
||| I can only say that if one is running an older machine as I am, and
||| would like to use a software firewall, you're not stuck with having
||| to use the newest and fanciest (and usually most resource
||| intensive). Old versions of ZA, and I imagine other names can be
||| found all over the Internet. The fist place that comes to mind is
||| http://www.oldversion.com/ . Firewalls and AV apps. are notorious
||| for causing longer boot times, and resource usage--and newer usually
||| means even more overhead. I *need* the latest/greatest, most
||| up-to-date AV, but when it comes to firewalls newer is *not*
||| necessarily better.
||
|| I agree. Until new protocols are added to NET talk, a new firewall
|| should be unnecessary. And I can't imagine anything being more
|| configurable than Kerio Firewall v.2.1.5. The only things...
||
|| (a) I wish there could be a list of apps in a single rule,
|| like they allow a list/range of ports & addresses.
||
|| (b) It would be nice to duplicate a rule with a click,
|| just as a template or starting point for a similar one.
||
|| BUT, there's a TON to like about Kerio. Very configurable!
||
||| I also encountered a problem between AOL and ZA back in the days.
||| ZA would block AOL, no matter what kind of permissions etc. I gave
||| unless I dropped the "Internet Security Zone" from "High" to
||| "Medium", then all was well. MEB, I believe you are using AOL or
||| Netscape, am I correct?
||| I finally turned off the "casual" alerts, as they were coming too
||| fast and furious. I just sat back and let ZA do its' job.
||| One final note, if one has logging enabled, be sure to occasionally
||| clean out the old ZA logs--not a whole lot of use for them usually.
||| On old ZA installations, it's not located in the ZA folder, but
||| rather at C:\Windows\Internet Logs.
||
|| Hmm. There seems to be no way to delete Kerio's Filter.log, except to
|| drop into DOS for it. And I think Filter.log.idx must be deleted too,
|| then. That's another thing!
||
||| That's more than I've said in the whole time I used to hang out
||| here!
||
|| Maybe you're getting giddy of XP-poisoning now!
||
||| --
||| HTH,
||| Curt
|||
||| Windows Support Center
||| www.aumha.org
||| Practically Nerded,...
||| http://dundats.mvps.org/Index.htm
|||
||| "MEB" <meb@not here@hotmail.com> wrote in message
||| news:%23PCFSOm0HHA.1100@TK2MSFTNGP06.phx.gbl...
||||
||| <snipped>
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 
M

MEB

Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

PART 2 of 2

|
| ||
| || | NOTE: this is contact through a dial-up connection[phone]/ISP
| || | [which is indicated via some of these addresses], ALWAYS ON
| || | connections are even more of a security risk.
| ||
| || Uhuh. I am Dial-Up too. That way, you get a new IP address each
| || connect.
| |
| | Only if that is what the ISP requires or desires.
|
| OK. For me, it does happen that way, I'm fairly sure.
|
| ||
| || | Hopefully, this discussion will be useful to those interested and
| || | provide theory and answers to various issues.
| || | Rule sets or other settings for various firewalls would naturally
| || | be of interest.
| || |
| || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no
| || | owner
| ||
| || I find I have to guess as to the meaning of that. Looks like someone
| || at
| || 67.170.2.174, who is Comcast...
| ||
| || http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
|
| || .....Quote...........
| || 67.170.2.174
| || Record Type: IP Address
| ||
| || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
| || 67.160.0.0 - 67.191.255.255
| || Comcast Cable Communications, IP Services WASHINGTON-6
| || (NET-67-170-0-0-1)
| || 67.170.0.0 - 67.170.127.255
| || .....EOQ.............
| ||
| || ...sent a UDP datagram to port 29081 on your machine. But I don't
| || know...

The Comcast Cable apparently came from an adverti$ement appearing upon the
AOL start page..

| ||
| || (1) did the port exist without an owner, & would it have received
| || the datagram (except the rule blocked it)?
| || (The name of that rule suggests the answer is no.)
| |
| | The data request would have been received and likely honored.
| | The port would have been opened/created to allow this activity.
|
| I'm still thinking the port has to already be open to receive a packet.
| Is there documentation that may say otherwise?

The port has to be free/not in use. [with exceptions such as piggy-backed
activity]..

The ports are already there in the protocol... ports available range from
what to what?
Created is actually somewhat misleading.. when I use that I refer to the
intended use and the port.. Ports supposedly to be assigned/used for
specific purposes CAN be used for other activities... so using external port
53 for example, without a rule it COULD potentially be used for some
nefarious activities. The same holds true for other normally acceptable port
usage such as 67 and 68 [DHCP]...

|
| ||
| || (2) did the the port once exist & at that time have an owner,
| || but somehow was closed before the datagram arrived?
| || Therefore, it couldn't get it, anyhow, even if not blocked?
| |
| | If it would have been ALLOWED activity [e.g., without proxy or
| | firewall monitoring or exclusion, or within a hosts or lmhosts, or
| | other]], then a search would have been made for an available port,
| | and then created/opened. Look again at this:
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1028, Owner: no owner
| |
| | See the attempt to find or create an open port?
|
| Looks like Shaw Comm is trying to FIND one. If it could create one, why
| wouldn't it stop & just create 1026?

It would if it was allowed to do so. Once there, its all a matter of time..
..

|
| It might still be worthwhile to block these-- but I wouldn't want to
| block them on an individual basis per abuser like Shaw Comm.
|
| | Now, should I have stayed online, there would have been continued
| | attempts [see your prior discussion where I was online longer],
| | though with different Shaw addressing and OUT ports, again stepping
| | through IN [local] ports in attempt to find or create.one.
|
| I'll look.
|
| ||
| || (3) did the port 29081 never exist?
| ||
| || Do any earlier log entries mention that port? You'd have to log all
| || activity of each "permit" rule to know for sure. But, if there is no
| || rule permitting the activity, then you would have received a Kerio
| || requestor mentioning the port.
| |
| | No we don't need that.
| | Were an ALLOWED program or address using that aspect, then it would
| | NOT have created the denial.
|
| No, I wanted to know... did a PERMIT exist that came from port 29081?
| That would prove the port once existed & possibly initiated a
| communication with Shaw Comm. But, I'm fairly confident no such thing
| happened-- but it was Shaw Comm doing a probe. If it found it & activity
| was permitted-- mayhem such as pop-up ads or at least spying may have
| ensued, I think!

EXACTLY, a probe to see if anything was open it could use... for instance,
even just a monitor of this forum OFF SITE, might be in violation of the Law
unless it is strictly the forum that is monitored, any other tracking [like
users] could be illegal ..

|
| | Either would have cascaded to find an
| | open port for use [as long as it was in the defined rule range].
|
| That's what I think-- it wants to find one that is already open.
|
| | AND you mention Kerio, which MUST have that turned on {requestor].
|
| Oops, that's right. "Kerio, Administration, Firewall tab" has to be set
| at "Ask me first". Then, when activity occurs that is not covered by a
| rule, an alert requestor will appear. It offers to create the rule,
| which later can be fine tuned. Yep, & that's a great feature!
|
| | Other firewalls, particularly those that automatically configure
| | themselves, MAY not pop-up anything unless it has been configured
| | that way. They also MAY pass through such requests if piggy-backed
| | from or on allowed activities/programs. Think "but all I want to know
| | is the user address". Think Microsoft's firewalls, imagine what they
| | are configured by default to allow.
|
| Yep. Kerio seems to have it all. It's highly configurable!
|
| ...snip of Kerio help page
| || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no owner
| ||
| || That one seems to be coming from...
| ||
| || NetRange: 200.0.0.0 - 200.255.255.255
| || NetName: LACNIC-200
| |
| | Yes, that is the key to your Firewall security.
| | Tracking each suspect activity to the originator, if possible.
|
| In the end, I just want to block them.

Oh I agree, just blocking is much easier. But presently i don't like or
accept all this activity, so I block the ones I have finished tracing, and
monitor/log the others til I have sufficient materials. Kind of like
preparing cases...

|
| | Actually were I to post prior complete TRACKING logs [which I
| | collect(ed) for specific use], say for one day's normal usage, vast
| | numbers of potentially dangerous attacks/attempts would be shown.
|
| By the way, how do you empty Kerio's Filter.log, when you think you've
| seen enough? (I've been deleting it in DOS along with Filter.log.idx.)

Right click and delete within the viewer..

|
| ...snip of stuff not meant for me, but thanks for the additional URLs to
| research. And thanks for continuing to contribute to my understanding of
| it.
|
| | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
| | Microsoft's TechNet
| |
|
| OK, I see here again are the other "no owner's"...
|
| ||
| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no
| || | owner
|
| This is an attempt to send a UDP packet to port 1026. I still doubt it
| really needs to be blocked, if the port indeed does not exist. For UDP,
| I favor PERMITs of trusted apps from trusted addresses-- & one single
| block of UPD afterwards that will cover all others. (But I'm not even
| totally set up that way, myself, yet.) And I want to do it that way for
| TCP too.

Its blocked because I have no rule to specifically allow it...

TCP is infinitely harder to rule, blanket rules WILL allow access you
likely will regret.

|
| ...snip of other In UDP.
|
| 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port
| || | received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212,
| || | Owner: no owner
|
| Ah-- a TCP! Soon, I must do with TCP what I nearly am finishing with
| UDP!
|
| ...snip
| || | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
| || | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186,
| || | Owner: no owner
|
| I don't believe I've seen one of those. Could be I'm just not tracking
| the rule that does it. Looks like msnews.microsoft.com was still trying
| to communicate after the NET connection was closed. What app controlled
| localhost:1186?

In my *tracking* config, your continuing port concerns are not the primary

issue,
but whether the specific address has been allowed. This address is not
allowed... the PRIMARY point is to track *hack/trace/AD/spyware* attempts,
AND secondary, minimum required addresses for the target application so
ranges can be found.

|
| ...snip of a bunch more of In UDPs & possibly In TCPs.
|
|


--
MEB
http://peoplescounsel.orgfree.com
________


"PCR" <pcrrcp@netzero.net> wrote in message
news:eEz4Oyu0HHA.1204@TK2MSFTNGP03.phx.gbl...
| Just testing to see whether this thread segment died of XP-irradiation
| from Christianson's post! MEB has complained he couldn't post here!
|
|
 
You must log in or register to reply here.

Similar threads

G
Windows snap has stopped working.
Replies
0
Views
527
GrahamGunn
G
M
Windows udpate stuck at "PreRegistering Staged package Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe"
Replies
0
Views
476
Mike.292
M
G
Windows Update Fails KB4579311
Replies
0
Views
574
glezbsg
G
P
Error 0x8007042b - 0x4000d when updating from 1903 to 2004
Replies
0
Views
513
patosar
P
R
After migrating to Windows 10 Build 1809 (from Build 1607), setting up sessions with the same socket (IP and Port) not working
Replies
0
Views
180
RAS Spain
R
Back
Top Bottom