Intrusion detection

ClaudeFrance · July 23, 2010, 1:40pm

Hi, to day intrusion from IP adress 192.168.0.255 that Copmodo detected but none solution to block this attak, else, comodo was unstable for 5 minutes. Reboot the computer and Comodo was perfect

_{Edit by EricJH: unbolded the test}

brucine · July 23, 2010, 7:39pm

Why didn’t you ask your question in the french section (it would have had the advantages for you to write it in french, and for me to answer it in the same language)?

But, writing in the english section, you missed that this very same question was therein recently answered several times.

192.168.0.22 is a private range ip, meaning it is in theory not routable over internet (and therefore not able of whatever intrusion).

It results from your computer broadcasting awareness requests to other computers on your LAN and/or your router, and most often using for that the Netbios protocol; if you globally disable Netbios, you won’t be able anymore to share files and printers on your LAN, and you won’t be able to access your LAN computers anymore.

The only issue could exist with some routers, believing themselves they are part of some “global network” (i.e. part or internet or the whole of it) and broadcasting requests from and to their WAN adress to this LAN adress.

Whatever the situation might be, the answer is always the same: you must set all your computers to static ip in the 192.168.0.n range, and then define this range as network LAN zone.
Now, allow the sensible executables (mainly system and scvhost) for the ports range 135-139 only for this LAN zone (both source and destination), immediately followed by the same rule blocking the same ports for any ip as source and destination (but with no log, you don’t want to be invaded by such logs): end of the story.
If you don’t have any LAN and if your router, if any, supports it, another solution is of course to disable Netbios in your Network card properties, and to disable RPC as a service (the latter does not help that much: port 135 is windows built, and impossible to close; stealthing it should be enough).

Pour ta peine, tu me dois un pot de rillettes…

Edit: correcting misspelling.