hi,
shouldn't he add his modem as a trusted network before anything else?
Mike
That’s only needed in some cases (usually wireless) where computers/resources cannot communicate across a LAN/WAN as they need to be able to.
Dailyfree, I’m glad you’ve gotten such an improvement there. That’s Great! Especially considering where you came from at the start…
If you’re looking for some defensive/forensic tools, you may check out Foundstone and Insecure.org to see what free tools they have available. Both places provide tools to assess security risks; most of which are built from a hacking standpoint (not necessarily with the common usage of the word “hacking” - but that’s a different conversation) and may be of assistance. However, just personally, if you want to try to take proactive/offensive measures, I advocate great caution… regardless of the business’s activities, yours will land you in hot water with the law - no doubt.
LM
Thanks LM ;D
Does anyone know why ports 135-139 and 445 have the most uninvited guests?
If these guests are uninvited, should they be considered hostile in any nature?
Those are the ports to the Windows LAN services, and so are the most direct way to take over a Windows machine. This gets into a whole bunch of abbreviations that let programs across machines share information: RPC, DCOM, DDE, OLE, and so on. If you will, these ports are the switchboard that tell where those functions are accessible.
From hard experience, any attempt to access these ports made by machines outside your LAN can be considered to be extremely hostile. And it is also completely unrelated to your LAN, in that there are scanning programs that do nothing but search for these ports being unprotected. The scanners want to find a machine, any machine, anywhere.
The *ix/BSD machines here, in their firewall logs, show that these ports are the most heavily scanned of all ports, by at least one to two orders of magnitude above all other scanned ports.
Not all very good news, is it?
Let’s just say that I’ve already disabled Netbios and LM Hosts lookup and blocked 135-139 and 445 completely with Comodo FW, does this mean these unwelcomed guests have no access to my machine?
Advice from LM has been put into practice and I don't get the alerts from Comodo FW about any applications trying to send/receive on those ports anymore. Yet, out of curiosity, are there any other ports on Win OS that allow remote connections? Invited or otherwise?
I’m coming into this topic a bit after the fact. I had to go back to the first post to get myself in the proper context.
On the IP address 209.0.72.7. Doing a little bit of digging, I’ve found that http://support.microsoft.com/kb/262680 lists this address as a time server named nist1.datum.com. Datum Corp is (or rather, was) a manufacturer of precision and atomic clocks. It seems that one of their competitors, Symmetricom Corp, bought Datum and another competing company, TrueTime. According to the Symmetricom press release I saw on their web site, the acquisition was completed in December 2002. The host name nist1.datum.com today resolves to a different IP address. I suspect that Symmetricom is rerouting all the time queries to the old server address to their current server address.
A time server query is one of the very first things you’ll see after a system connects. Some things don’t work if system clocks are too far apart.
Regarding which ports are scanned, I’ll refer you to a definitive source at dshield.org. Dshield is an Internet community effort to identify “attackers” by examining user-supplied firewall logs. To see which ports are most sought after today you should check http://www.dshield.org/portreport.html?sort=targets, and then click the target column to sort in descending order. Target ports are the ports tried by the probes in order to gain entry into your machine. You can click the port number in the report to get a description of proper, and improper, uses for that port.
Keep in mind that the vast majority of attacker machines are in fact compromised hosts that have been infected by some worm/virus/trojan/malware/badness that is trying to find a new host. Experience has found that it is more efficient to find a new host that is “nearby”, meaning it has a similar IP address. Such a machine is likely to be in the same LAN, behind the same router and the same firewall, and to be trusting of the now infected host. The definition of “nearby” will expand the longer the infected host remains infected. After enough time, “nearby” will become the entire Internet.
As an aside, I’ve seen an address x.x.200.0 attack a host x.x.202.0. One was a machine in Thailand. The other was some 5000 km away. “Nearby” does not consider distance, only the IP address, and in this instance 200 was near 202.
While I have no experience with your ISP, I am aware that all ISP’s have a common problem: they are all “near” their customers. The ISP host machines themselves are under effective denial-of-service attack by their own infected customer machines. Where you may see a dozen probes an hour, they will see Nx1000 that number, and sometimes, depending on the ISP, with not much better equipment than what you may have. That is particularly true with small ISP’s, less so with larger ISP’s. But the larger ISP’s have different constraints to what they can do.
I gather that you are experimenting with a DMZ host configuration, so that you can understand what kind of probes are being made against your systems. While such an activity can be very educational, and sometimes rather entertaining, it can also be very hazardous. A single missed configuration setting, or a missed security patch, can lead to the DMZ host being compromised. And then, because it is behind the router, it is “near” to the other machines on your LAN. Without having the same security configuration as the DMZ host, those machines will in turn be infected by an infected DMZ host, because the LAN is in reality a DMZ LAN.
A simple and very effective way to protect the other machines, and still have a DMZ host machine, is to use a second router. It doesn’t need to be particularly capable of much. A NAT/firewall should be adequate. To use it, you would arrange your LAN to look like this:
Internet ----| modem  |------- DMZ host
             | router |-----+
                            |
                 +----------+
                 |
                 +-------| NAT    |------- PC1
                         | router |------- PC2
In this configuration, PC1 and PC2 can talk to the Internet and to the DMZ host. The DMZ host can talk to the Internet, but not to PC1 or PC2.
Just make sure that the modem/router and the NAT/router have strong admin passwords (not the manufacturer default passwords), and you should be good to go.
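The two posts above (the one on why ports 135-139 and 445 draw the most uninvited guests, and Grue's pointer to the dshield port report built from firewall logs) describe the same idea: count which target ports outside hosts probe, and treat probes at the Windows LAN service ports from outside your LAN as hostile. The script below is an added example, not from the thread or any poster; the log line format and the sample lines are constructed, and the "nearby" check (same /16 as your public address) is my own reading of Grue's "nearby" description.

```python
import ipaddress
from collections import Counter

# The Windows LAN service ports discussed in the thread (RPC/NetBIOS/SMB).
WINDOWS_LAN_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample firewall log lines; the "src=IP:port dst=IP:port" layout is an
# assumption for this example, not the format of any particular router or Comodo.
SAMPLE_LOG = """\
DROP src=203.0.113.45:2311 dst=192.0.2.10:445 proto=tcp
DROP src=203.0.113.45:2312 dst=192.0.2.10:139 proto=tcp
DROP src=198.51.100.7:4001 dst=192.0.2.10:135 proto=tcp
DROP src=192.168.1.20:1025 dst=192.168.1.10:139 proto=tcp
DROP src=203.0.113.99:5555 dst=192.0.2.10:22 proto=tcp
DROP src=198.51.100.7:4002 dst=192.0.2.10:445 proto=tcp
DROP src=192.0.2.77:3100 dst=192.0.2.10:445 proto=tcp
"""


def parse_line(line):
    """Return (source address, destination port) from one log line."""
    fields = dict(f.split("=", 1) for f in line.split()[1:])
    src_ip, _ = fields["src"].rsplit(":", 1)
    _, dst_port = fields["dst"].rsplit(":", 1)
    return ipaddress.ip_address(src_ip), int(dst_port)


def port_report(log, lan_cidr, public_ip, nearby_prefix=16):
    """dshield-style target port counts, hostile hits, and 'nearby' probers.

    Probes from inside lan_cidr are ignored; everything else is an external
    probe.  A probe at a Windows LAN service port is recorded as hostile, and
    sources sharing our public /16 are listed as 'nearby' in Grue's sense.
    """
    lan = ipaddress.ip_network(lan_cidr)
    nearby_net = ipaddress.ip_network(f"{public_ip}/{nearby_prefix}", strict=False)
    targets, hostile, nearby = Counter(), [], set()
    for line in log.splitlines():
        src, port = parse_line(line)
        if src in lan:
            continue  # LAN-internal traffic is not an external probe
        targets[port] += 1
        if port in WINDOWS_LAN_PORTS:
            hostile.append((str(src), port))
        if src in nearby_net:
            nearby.add(str(src))
    return targets, hostile, sorted(nearby)


if __name__ == "__main__":
    counts, bad, near = port_report(SAMPLE_LOG, "192.168.1.0/24", "192.0.2.10")
    for port, n in counts.most_common():  # descending, like the dshield report
        print(f"port {port:>5}: {n} probe(s)")
    print("hostile:", bad)
    print("nearby probers:", near)
```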
Thanks Grue.
Looking into what you wrote. (:CLP)
Thanks.
Dailyfree
Thank you Comodo forums and moderators for letting me post here about matters not entirely related to your Firewall.
Not a problem. I think we’ll keep the thread together in the interest of keeping it all concise and cohesive. At a later date we may split out the non-Comodo stuff and put it in one of the non-product-specific security threads.
Is nmap continuing to prove useful?
LM
Thug-like ISP Streamyx port probers IP.
Don’t bother to trace as it’s Dynamic.
Help!!! (:AGY) Router Firewall breached again!
Some IPs managed to slip through but were easily taken care of by Comodo Firewall. It simply denied access with my network rule ID No 142, or Comodo standard network rule, Block IP in/out where IP Protocol is any. Does anyone know why this leak occurred on my router's firewall?
Am I to understand that the router FW and Comodo FW operate on different wavelengths, or what?
Dailyfree
hi,
the little bit of software in a router is meant to protect the router itself, like DHCP mostly.
It can't do what a huge PC firewall does.
Mike
PS: this is a rough description, hope you get the idea …
They’re two different beasties, that’s for sure. If your router is being bypassed, they’re probably exploiting some weakness (either firmware or configuration) to ■■■■■ that nut.
You’d need to open it up (the router config), be sure to set a new login/password (as long/complex as possible) and do some in-depth settings-changes. You’d have to check what your router’s capabilities are, and how to set those for maximum protection. You may have already done this, but they’re apparently getting thru anyway…
LM
It could be something along the lines of a “DNS rebinding” attack (DNS rebinding - Wikipedia) which is a real tough thing for a firewall to defend against. The first line of defense though, is not to use the router default passwords. There are some other things that can be done, but that gets into LAN reconfiguration that most folks at home don’t need. A business on the other hand, needs that kind of reconfiguration to help lock things down. You subnet things, and firewall the subnets.
I get the idea, thanks.
Comodo is set to block all NetBIOS ports in/out, but not the router. Is this a wrong config? Does contact with the router's 135-139 or 445 translate to contact with my OS's similar ports too? Comodo does not report any in/out on these ports since the NetBIOS and DCOM disablement ages ago. If port 22 or 5900 were in unauthorized use by the router, would Comodo block these incoming if the standard 6 network rules were in place? If all ICMP protocols are blocked, what are the expected consequences?
Anyone?
I’m signing up for courses…
Quoting myself, and a short digression. Rather than physically subnetting things for security, this is another instance where “per user” rules would be useful. Admin accounts can get to routers, limited users don’t, accounting users get to accounting servers but can’t get to the Internet, and it all runs on one machine, rather than several machines spread over several subnets.
Returning now to our proper topic…
To Grue155,
Great info. Understand. (:WIN)
Thanks,
Daily