Block an IP range in CIS ver5

Hi;

Lately I have seen a big rise in firewall intrusions since yesterday :o (normally I’d just get 3 max).

Checking it at http://whois.domaintools.com I’d get a whole new IP Location that I haven’t seen before from:

116.55.226.131 IP Location - China Tianjin Chinanet Yunnan Province Network (NetRange:116.0.0.0 - 116.255.255.255) ???

Application - Windows Operating System
Action - Blocked
Protocol - UDP
Source IP - 116.55.226.131
Source Port - 5060
Destination IP - mine
Destination Port - 5060
Date - just earlier

to,

89.137.69.172 IP Location - Romania Bacau Astral Bacau Docsis Network (inetnum: 89.137.68.0 - 89.137.71.255) ???

Application - Windows Operating System
Action - Blocked
Protocol - TCP
Source IP - 89.137.69.172
Source Port - 1530
Destination IP - mine
Destination Port - 445
Date - just earlier

to,

95.71.62.235 IP Location - Russian Federation Moscow Jsc Central Telecommunication Company Belgorod Branch (NetRange 95.0.0.0 - 95.255.255.255) :o

Application - Windows Operating System
Action - Blocked
Protocol - TCP
Source IP - 95.71.62.235
Source Port - 3427
Destination IP - mine
Destination Port - 445
Date - just earlier

to,

80.14.63.47 IP Location - France Paris France Telecom
inetnum: 80.14.63.0 - 80.14.63.255

Application - Windows Operating System
Action - Blocked
Protocol - TCP
Source IP - 80.14.63.47
Source Port - 3428
Destination IP - mine
Destination Port - 23
Date - just earlier

I’m getting a lot from China now…tsk…tsk…

94.176.102.122 Romania Bacau Sc Telecablu & Net Srl
219.148.38.154 China Beijing Chinanet Hebei Province Network
61.191.188.255 China Hefei Chinanet Anhui Province Network
124.237.155.60 China Beijing Chinanet Hebei Province Network

to name a few of the 50+ intrusions… :o Almost all are trying to get to 445 but I have already disabled it through regedit.

Now this is a surprise to me (got jittery also…) CIS did block them all…he he:) :-TU. But a couple of questions please:

a) How can I have additional security settings to permanently block their IP Ranges?

b) Is there anything that I should observe or do, or create an additional rule or something, to be safe (or is it needed besides CIS settings? My CIS settings can be seen here https://forums.Comodo.com/firewall-help-cis/cis-ver5-system4-listening-port-on-445-question-t67464.0.html)…?

c) Are there any additional tips you guys can give me due to this sort of “rise up in intrusions”…?

d) How can I log those events-intrusions? Where can I find them? (I clicked “More” at the bottom of the window and got to the Firewall Events display. I have also exported it to a folder of my choice. Is there another way…?)

Thanks! :slight_smile:

In addition please see my PCFlank results for Advanced Port Scanning. (Stealth test results are all “stealthed”).

In TCP Connect (Standard) - typical trojan ports I am stealthed except ports 135-139 which are “closed”. Selecting just 135-139 also gave a “closed” result so it means I am not “stealthed” just “closed”. Kindly see attached images.

In TCP Syn - I am all stealthed. 135-139 are stealthed. Selecting just 135-139 also gave me a stealthed result.

(In GRC ShieldsUP I get TruStealth in “Common Ports” / “All Service Ports” / “User Specified Custom Port Probe” for 135-139.)

Additional queries please:

a) What may I ask is the difference between TCP Connect Standard and TCP SYN…? Which is more effective? I get a different result from both tests by PCFlank.com

b) On the TCP Connect (Standard) which shows that I am just “closed” rather than “stealthed” how can I close those ports…? Which is which here…? Hmmm am I “closed” at 135-139 or “stealthed”…? I have Application Block rules for 135-139 in place. I’d see an occasional “Listening at 135” but I have stealth ports settings.

Most of the ports that are targeted are 445 (disabled it), 135. I see also Code(0)…what’s that…? and some 23, 21, 31337, 55635, 46126, 54108, 11576, 80, 1080, 3128, 27374, 1, 960, 978, 928, 896, 865, 832…etc. Now as I am writing this I see that the intrusions went up to 228.

China again most of it. :o

Or I don’t need to worry about it…?

A “rise in intrusions” from 3 max to 40+ now at 228 and counting :o…Is this an attack or something…? ???

Thanks again:)

[attachment deleted by admin]

I suggest you look those things up at virustotal and at ipvoid, and make a scan with Malwarebytes and with superantispyware.

Regards,
Valentin N

Port scanning is the art of locating and testing ports for possible vulnerabilities. Depending on the scanning method used a port may respond, hence there are many different ways to try and get a port to respond. If you wish to understand these methods, you would do well to read Nmap: The Art of Port Scanning

b) On the TCP Connect (Standard) which shows that I am just "closed" rather than "stealthed" how can I close those ports...? Which is which here...? Hmmm am I "closed" at 135-139 or "stealthed"..? I have Application Block rules for 135-139 in place. I'd see an occasional "Listening at 135" but I have stealth ports settings.

Are you using a router? If not your configuration may be wrong, or the site is misreporting.

Most of the ports that are targeted are 445 (disabled it), 135. I see also Code(0)...what's that...? and some 23, 21, 31337, 55635, 46126, 54108, 11576, 80, 1080, 3128, 27374, 1, 960, 978, 928, 896, 865, 832...etc. Now as I am writing this I see that the intrusions went up to 228.

China again most of it. :o

Or I don’t need to worry about it…?

A “rise in intrusions” from 3 max to 40+ now at 228 and counting :o…Is this an attack or something…? ???

Thanks again:)

The reason you’re seeing so many intrusions is probably because you have enabled logging on your Global rules. Whilst it’s useful to have this facility for troubleshooting and for checking specific rules, it will also inundate you with Internet ‘noise’, which, from the list of ports you have mentioned, is exactly what you’re seeing. If you want to know which services a port relates to, take a look at Port Numbers

The “Code(0)” entry is only part of the log entry, most likely the other part is type 11. These are ICMP types and codes. You can block quite a few of these inbound ICMP packets but you need to allow some. Here’s a simple list of types and codes ICMP types

Hi guys :),

Thanks very much for the reply.

@Valentin N;

“I suggest you look those things up at virustotal and at ipvoid, and make a scan with Malwarebytes and with superantispyware.”
– Thanks for the tip on virustotal/ipvoid…nice:) My system is clean. Have scanned earlier (full scan) with both Mbam and SASpy Pro.

On virustotal, this is the first time I have checked a URL (entered the IP address instead…that is correct, right?) --have virustotal uploader ver2 also. Thanks for reminding me about it.

At IPVoid I am checking now (together with virustotal).

Most of the sites are “clean” both from VT/IPVoid. Still checking my list.

To name a few:

There were suspicious IPs.

a) 84.159.190.157 Germany Freiburg Im Breisgau Deutsche Telekom Ag - IPVoid - Clean
URLVoid - Suspicious 1/18 (MyWot)

b) 113.230.73.139 China Liaoning China Unicom Liaoning Province Network
IPVoid 1/26 : Backscatterer

c) 116.55.226.131 China Tianjin Chinanet Yunnan Province Network
IPVoid 1/26: MyWot

Dangerous IP:

a) 210.213.97.90.pldt.net Philippines Ipg
IPVoid - 3/26 : CBL Abuseat / SpamCop / Spamhaus

I can’t scan this “10.139.130.243” at IPVoid though…it says, Wrong IP Format…at VT it says it’s clean, but all VT scans are clean. It was IPVoid that identifies suspicious/dangerous.

For the sites judged as “suspicious”/dangerous, how can I block the IP range in CIS?

@Radaghast;

Thanks for the explanation and the links. Have printed all in pdf and will start reading later.

I used a dial-up when the 200+ intrusions were blocked by CIS.

I use both a dial-up and a mobile dsl for internet connection so mostly I use the dsl in downloading/uploading or whenever I am in a hurry. I use dial-up when I just check mail and forum posts.

The Code(0) I have found out is from my ISP, but I am suspicious why my ISP is doing that, so I think I’ll let CIS block it in the meantime. Correct? Or do you have a better suggestion as to how I may deal with it?


About the PCFlank results in contrast to GRC ShieldsUP results…no need to worry about it? ???

Really appreciate the sharing of ideas guys. This is by far one of the best forum sites to assist me on firewall usage as compared to other firewall apps I’ve used in the past.

Thank you :slight_smile:

voltron :slight_smile:

Addresses in the range 10.0.0.0 - 10.255.255.255 are one of the reserved non-routable address ranges, as are

172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

This is probably the address block used by your ISP. Are you on cable?

For the sites judged as "suspicious"/dangerous, how can I block the IP range in CIS?

If you have a block rule in your Global rules, they are already being blocked. Disable logging and you won’t see the events. Perhaps you should post a screen shot of your Global rules…

use both a dial-up and a mobile dsl for internet connection so mostly I use the dsl in downloading/uploading or whenever I am in a hurry. I use dial-up when I just check mail and forum posts.

Do you use a router with the DSL?

The Code(0) I have found out is from my ISP, but I am suspicious why my ISP is doing that, so I think I'll let CIS block it in the meantime. Correct? Or do you have a better suggestion as to how I may deal with it?

It’s not uncommon to receive ICMP packets from DNS servers hosted by one’s ISP. Without knowing more detail, such as the other part of the code I mentioned in my previous post, I cannot say more.

About the PCFlank results in contrast to GRC ShieldsUP results...no need to worry about it? ???

Apologies, I don’t understand the question?
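As an added illustration of the two points made in this exchange (the RFC 1918 private ranges, and checking which events come from a public range you might block), here is a small Python script that parses entries in the field layout the thread quotes from the CIS Firewall Events view. It is example code, not part of the thread or of CIS; the sample entries are constructed, and the `parse_events`, `is_private`, `in_range` and `summarize` names are the example's own.

```python
import ipaddress
from collections import Counter

# Constructed sample entries laid out like the CIS Firewall Events view
# fields quoted in the thread (not real log data).
SAMPLE_EVENTS = """\
Action - Blocked
Protocol - UDP
Source IP - 116.55.226.131
Destination Port - 5060

Action - Blocked
Protocol - TCP
Source IP - 89.137.69.172
Destination Port - 445

Action - Blocked
Protocol - TCP
Source IP - 10.139.130.243
Destination Port - 445
"""

# RFC 1918 ranges named in the thread; packets from these never arrive
# across the public Internet, so a hit comes from the ISP side or the LAN.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_events(text):
    """Split blank-line separated 'Field - value' blocks into dicts."""
    return [dict(line.split(" - ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def in_range(ip, cidr):
    """Would a block rule covering `cidr` (e.g. a whois NetRange) match ip?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def summarize(events):
    """Blocked hits per destination port, counting public sources only."""
    ports = Counter()
    for e in events:
        if e["Action"] == "Blocked" and not is_private(e["Source IP"]):
            ports[int(e["Destination Port"])] += 1
    return ports
```

Paste an export of the events view into `SAMPLE_EVENTS` (or read it from a file) to see which destination ports draw the most public-source noise and whether a candidate range actually covers the offending sources.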

Thanks for the reply. :slight_smile:

@Radaghast;

“This is probably the address block used by your ISP. Are you on cable?”
– No, I am not on cable. Checking that IP address with VT was “Clean” but with IPVoid it cannot be scanned…hmmmm…makes me wonder how I can rely on VT on that particular issue…seems I have to check with both VT and IPVoid, or use IPVoid only.

“Perhaps you should post a screen shot of your Global rules…”
–Kindly see image attached. My rules are also posted in https://forums.comodo.com/firewall-help-cis/cis-ver5-system4-listening-port-on-445-question-t67464.0.html

“Do you use a router with the DSL?”
–No, just a pure plug-in type mobile dsl modem.

“Apologies, I don’t understand the question?”
–Sorry I got you confused. I was asking again on the basis of the results I had using GRC ShieldsUP and PCFlank. With GRC ShieldsUP I had a “TruStealth” result --all tests done. With PCFlank I was confused to have a “stealthed” result, then when I had used the Advanced Port Scanning it gave 2 different results (as mentioned previously). It seems, as you stated earlier, PCFlank may have misreported… ???

voltron :slight_smile:

[attachment deleted by admin]

The link I posted explains why you’re seeing the 10… address. You won’t find anything useful on these ‘scanners’ as it’s a non-routable address and only valid on private networks.

The last rule you have in Global blocks and logs every incoming packet not authorised by one of your application rules. If you don’t want to see these, make the logging more precise or turn it off.

Some modems have a router like capability. However, if you’re seeing different results, for the same type of scan, on different test sites, what does that tell you about the tests…

Hi Radaghast;

Thanks for the reply.

The logs I’ll keep on for a while. Becoming intrigued about who wants to intrude on my PC, but after I have had my fill I’ll de-activate the logs. After all, CIS is doing a good job blocking the “intruders”.

The results, if I surmise correctly, are above all “stealthed”. I’ll ask the PCFlank guys about it and post it here…the info may be useful.

Cheers:)

voltron:)