Firewall logging too many intrusion attempts

I am having difficulty diagnosing the reason that I have so many intrusion attempts logged for Comodo Firewall. I have disabled NetBios, as I was told that that might be the problem, but noticed no difference. I am inside of a network. I have attached a screenshot of the firewall log and of my global rules (if those help). I would like to make sure that there is nothing nefarious going on, and if there is not then I would like to be able to not get thousands of attempts logged each day. This has been going on for a little over a week. Please let me know if more information is required.

[attachment deleted by admin]

Anyone have any thoughts?

It is regular traffic that is getting blocked. Ports 137 and 138 are NETBIOS traffic and port 1900 is from Universal Plug and Play and is regular traffic.

What kind of connection are you on? Do you have a router in your network setup?

I am inside of the Michigan State University network and am not sure if there is a router in the network setup. I believe that I have disabled NetBIOS (see the attached pic) and shouldn’t I therefore not see any traffic to those two ports? I have never seen this type of traffic until relatively recently. In fact I had never even had an event in my firewall log.

[attachment deleted by admin]

There may be people with laptops who have NETBIOS enabled. I assume it is possible to hook up a private laptop to the university network. Or maybe there are machines added that have NETBIOS enabled (sysadmin's error)?

Okay, so there is no danger right?

As long as this is so, how do I prevent my log from logging the event each time it occurs?

You are in no danger. The firewall is doing its job.

To get rid of the log traffic we will introduce a block rule in the Global Rules that does not log the event.

Here is the drill. Go to Firewall → Advanced → Network Security Policy → Global Rules → Add → fill in the following:
Action: Block
Protocol: TCP or UDP
Direction: IN
Description: Block NETBIOS without log

Source Address: Any
Destination Address: Any
Source Port: Any
Destination Port: a port range 137-139

Apply → now make sure the new rule is somewhere above the basic block rule(s) (with the red icon(s)) at the bottom (you can drag and drop) → Ok.

Now we are done.

Thanks for the advice. It works great. So is it also safe to follow the same procedure and ignore all of the logs for the attempts shown in the attached pic?

[attachment deleted by admin]

You can safely use it for other ports as well. Only use for ports that are logged often. You could end up making lots of rules… and eventually you would get performance problems somewhere down the line…:wink:

Another way of getting fewer alerts is putting a router in between the modem and your computer. Then the NAT and firewall of the router will block instead of CIS.
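One way to decide which ports are "logged often" enough to deserve their own no-log block rule, and which ones should keep being logged, is to count blocked inbound events per destination port. The script below is an added example, not code from this thread or from Comodo; the log lines are constructed and the column layout is an assumption, not Comodo's real export format.

```python
# Triage a firewall block log: which destination ports are hit often enough
# to merit a "block without logging" Global Rule, and which to keep logging.
# Log lines are constructed; the column layout (date time action proto
# src_ip src_port dst_ip dst_port) is an assumption, not Comodo's format.
from collections import Counter, defaultdict

# Well-known LAN background chatter (see the thread); anything else stays unlabelled.
KNOWN_NOISE = {137: "NetBIOS name", 138: "NetBIOS datagram",
               139: "NetBIOS session", 1900: "SSDP/UPnP discovery"}

SAMPLE_LOG = """\
2009-03-02 10:01:12 Blocked UDP 10.20.30.41 137 10.20.30.99 137
2009-03-02 10:01:15 Blocked UDP 10.20.30.42 138 10.20.30.99 138
2009-03-02 10:01:20 Blocked UDP 10.20.30.43 137 10.20.30.99 137
2009-03-02 10:01:31 Blocked UDP 10.20.30.41 1900 239.255.255.250 1900
2009-03-02 10:02:02 Blocked UDP 10.20.30.44 137 10.20.30.99 137
2009-03-02 10:02:09 Blocked UDP 10.20.30.45 1900 239.255.255.250 1900
2009-03-02 10:02:40 Blocked TCP 10.20.30.77 51234 10.20.30.99 445
2009-03-02 10:03:01 Blocked TCP 10.20.30.78 51235 10.20.30.99 445
2009-03-02 10:03:05 Blocked TCP 10.20.30.79 51236 10.20.30.99 445
"""

def parse_log(text):
    """Return one dict per 'Blocked' line; headers and other lines are skipped."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[2] == "Blocked":
            events.append({"proto": f[3], "src": f[4], "dport": int(f[7])})
    return events

def triage(events, threshold=2):
    """Map each port seen >= threshold times to (verdict, hits, distinct sources, label).
    'quiet'  = known LAN chatter, candidate for a no-log block rule;
    'review' = unlabelled port, keep logging and look at who the sources are."""
    hits = Counter(e["dport"] for e in events)
    srcs = defaultdict(set)
    for e in events:
        srcs[e["dport"]].add(e["src"])
    out = {}
    for port, n in hits.items():
        if n >= threshold:
            verdict = "quiet" if port in KNOWN_NOISE else "review"
            out[port] = (verdict, n, len(srcs[port]), KNOWN_NOISE.get(port, "unlabelled"))
    return out

if __name__ == "__main__":
    for port, v in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(port, *v)
```

Raise `threshold` to match how noisy your own log is; a port that is unlabelled and hit from many different hosts is the one worth looking at before silencing anything.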

I found that both the ports being accessed and the IP addresses of the requests keep changing. I therefore cannot merely ignore the requests by ports or IP addresses.

I just noticed something today. If I use ‘stealth ports wizard’ to change alerting me to ‘incoming connections on a case per case basis’ that these attempts are no longer logged. If I switch back to ‘stealth my ports to everyone’ then the attempts begin to be logged again.

Exactly what do these options mean and why am I only alerted when I have my ports stealthed to everyone?

Should I switch from stealth all ports to block on a case per case basis?

Will that lower my security and what is the difference between these two settings?

When you block all ports you will not be alerted; instead it will be logged. When you run on a per case basis it doesn’t get logged. These modes are apparently mutually exclusive.

As far as I know the two modes are equally safe. However running on a per case basis introduces the biggest security risk: the person sitting behind the computer… :wink: