They seem to come from every user logged in to the (wireless) router (this is a shared router), on the nbdgram and upnp-mcast ports. I'm not sure what this is or why it happens, but could this mean that the network is compromised?
I also noted the following log that looks stranger:
The source in the above message sounds unfamiliar to me.
Finally, the following appears with less frequency (20 minutes or so):
Description: Inbound Policy Violation (Access Denied, IP = 200.184.42.69, Port = 1306)
Protocol: UDP Incoming
Source: 200.184.42.69:dns(53)
Destination: 192.168.1.102:1306
Reason: Network Control Rule ID = 5
This is the only one that includes a real IP, and looking it up a bit I found out that 200.184.42.69 is one of my DNS servers (from my ISP).
Can anyone make anything out of this data? I am worried that this is something serious. But on the other hand I can't know when this started, since I don't have older logs.
Well well,
maybe you should add this to your signature (S) (:WIN)
Seriously, a misconfigured wifi router poses a major security threat, so its settings should be inspected by the administrators of the network segment.
One clear thing is that Comodo is blocking some or part of the services in your network.
Is this an issue?
It could be, if you're relying on UPnP (Universal Plug and Play) or network file and printer sharing.
New rules should be created in the Network Monitor section of Comodo to block completely or enable completely these services in your network segment, and to block them on the WAN side.
I could say that the ICMP HOST UNREACHABLE (and many others) is blocked by default by Comodo, and this ICMP packet does not represent a threat by itself.
The interesting thing is instead the source address (10.3.12.254), which is a private IP like yours; but since the IP range of your network segment should be 192.168.1.1 to 192.168.1.254 (.0 and .255 have special meanings), it should be reported to your network administrator.
From your point of view you could make a network rule blocking all packets originating from 10.0.0.0 to 10.255.255.255 and log them.
Regarding
Description: Inbound Policy Violation (Access Denied, IP = 200.184.42.69, Port = 1306)
Protocol: UDP Incoming
Source: 200.184.42.69:dns(53)
Destination: 192.168.1.102:1306
Reason: Network Control Rule ID = 5
this is strange indeed, because DNS queries are UDP outbound packets directed to port 53...
this packet should not have reached you without a router rule mapping port 1306 to your IP...
This is an inbound packet directed to port 1306, so act accordingly and create a rule to block TCP and UDP inbound traffic on port 1306 and log it. You should check for application services opening this port...
This is an "open" router shared by many neighbors and the security is really weak; that's why I like to have the firewall monitoring everything tightly.
One clear thing is that Comodo is blocking some or part of the services in your network.
Is this an issue?
It could be, if you're relying on UPnP (Universal Plug and Play) or network file and printer sharing.
No, I'm pretty sure I'm not relying on UPnP, nor do I use network file and printer sharing. I don't use any kind of sharing at all. I am suspecting that this could be one of my neighbors (or some attacker) messing around (or infected by some kind of trojan/worm/backdoor).
The interesting thing is instead the source address (10.3.12.254), which is a private IP like yours; but since the IP range of your network segment should be 192.168.1.1 to 192.168.1.254 (.0 and .255 have special meanings), it should be reported to your network administrator.
From your point of view you could make a network rule blocking all packets originating from 10.0.0.0 to 10.255.255.255 and log them.
Yeah, I found that strange too. I created that rule, thanks for the tip.
this is strange indeed, because DNS queries are UDP outbound packets directed to port 53...
This is an inbound packet directed to port 1306, so act accordingly and create a rule to block TCP and UDP inbound traffic on this port and log it.
Done that too. But I'm still curious about the cause of all this...
I am also curious why Comodo blocked all those attempts in the first place, since there was no rule disallowing TCP/UDP in (is that assumed by default unless stated otherwise by a rule?)
Is the wifi link encrypted? Does the router broadcast its SSID? Who has the password?
Seriously, this could be a problem. A malicious user could read all your info (email, credit card password, monitor which sites you are visiting, which pages...) if the router security settings are bad.
Legitimate users of the router may be able to do that...
If the router is poorly secured, almost anyone is able to do that...
Wifi should be used in trusted environments…
The following rules do not prevent reading your wifi traffic.
Disable destination ports 135, 137, 138, 139, 445 and 593 in Network Monitor.
Disable the SSDP Discovery Service and the Universal Plug and Play Device Host, and
read this Microsoft Support
Block TCP/UDP in/out on destination ports 1900 and 2800.
Search the internet for known admin passwords for the wifi router.
Description: Inbound Policy Violation (Access Denied, IP = 200.184.42.69, Port = 1306)
Protocol: UDP Incoming
Source: 200.184.42.69:dns(53)
Destination: 192.168.1.102:1306
Reason: Network Control Rule ID = 5
this packet should not have reached you without a router rule mapping port 1306 to your IP...
The last rule in Network Monitor will block and monitor everything (not only TCP or UDP) unless it was allowed by previous network rules.
Watch out for port scans!!!
To maintain privacy, use at least HTTPS and SSL options when provided by internet services.
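The advice in the two replies above (block and log everything from 10.0.0.0/8, block inbound TCP/UDP 1306, block the NetBIOS/SMB and SSDP/UPnP ports, and rely on a final catch-all rule that blocks and logs whatever earlier rules did not allow) is easier to reason about as an ordered, first-match rule list. The following is an added example written for this thread, not code from Comodo or from either poster. It parses log entries in the shape quoted in the thread, evaluates them against that rule list, and flags private source addresses that are not on the 192.168.1.0/24 segment (the 10.3.12.254 case). The log layout, the `Packet`/`Rule` classes, the `allow-outgoing` rule and all sample entries except the dns(53) one are assumptions. One caveat a practitioner would want: a UDP packet from port 53 to a high port is exactly the shape of a reply to one's own DNS query, and a stateless port rule cannot tell that apart from an unsolicited packet; the `looks_like_dns_reply` heuristic only marks that shape.

```python
"""Stateless evaluator for Comodo-style Network Monitor rules (hypothetical, not Comodo's code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # the poster's segment
TCP_UDP = frozenset({"TCP", "UDP"})

# Constructed sample log in the shape of the thread's entries. Only the dns(53) entry
# is taken from the thread; the ICMP and nbdgram entries are made up for illustration.
SAMPLE_LOG = """\
Description: Inbound Policy Violation (Access Denied, IP = 10.3.12.254)
Protocol: ICMP Incoming
Source: 10.3.12.254
Destination: 192.168.1.102
Reason: Network Control Rule ID = 5

Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.105, Port = 138)
Protocol: UDP Incoming
Source: 192.168.1.105:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Description: Inbound Policy Violation (Access Denied, IP = 200.184.42.69, Port = 1306)
Protocol: UDP Incoming
Source: 200.184.42.69:dns(53)
Destination: 192.168.1.102:1306
Reason: Network Control Rule ID = 5
"""

# "1.2.3.4", "1.2.3.4:1306" or "1.2.3.4:dns(53)" -> address plus optional port
ENDPOINT_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?:[\w-]+\()?(?P<port>\d+)\)?)?$")

@dataclass
class Packet:
    proto: str                    # "TCP", "UDP", "ICMP"
    direction: str                # "Incoming" or "Outgoing"
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    dport: Optional[int]

def _endpoint(text):
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable endpoint: {text!r}")
    return ipaddress.ip_address(m["ip"]), (int(m["port"]) if m["port"] else None)

def parse_log(text):
    """Split the log into entries and turn each Protocol/Source/Destination into a Packet."""
    packets = []
    for entry in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in
                  (line.split(":", 1) for line in entry.splitlines())}
        proto, direction = fields["Protocol"].split()
        src, sport = _endpoint(fields["Source"])
        dst, dport = _endpoint(fields["Destination"])
        packets.append(Packet(proto.upper(), direction, src, sport, dst, dport))
    return packets

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    log: bool = True
    protos: Optional[frozenset] = None            # None matches any protocol
    direction: Optional[str] = None               # None matches both directions
    src_net: Optional[ipaddress.IPv4Network] = None
    dports: Optional[frozenset] = None

    def matches(self, p):
        return ((self.protos is None or p.proto in self.protos)
                and (self.direction is None or p.direction == self.direction)
                and (self.src_net is None or p.src in self.src_net)
                and (self.dports is None or p.dport in self.dports))

# The rule set the thread arrives at, top to bottom: first match wins, and the last
# rule blocks and logs everything not allowed above. "allow-outgoing" is an assumption.
RULES = [
    Rule("block-10/8", "block", src_net=ipaddress.ip_network("10.0.0.0/8")),
    Rule("block-inbound-1306", "block", protos=TCP_UDP, direction="Incoming", dports=frozenset({1306})),
    Rule("block-netbios-smb", "block", protos=TCP_UDP, dports=frozenset({135, 137, 138, 139, 445, 593})),
    Rule("block-ssdp-upnp", "block", protos=TCP_UDP, dports=frozenset({1900, 2800})),
    Rule("allow-outgoing", "allow", log=False, protos=TCP_UDP, direction="Outgoing"),
    Rule("default-block-log", "block"),
]

def evaluate(packet, rules=RULES):
    """Return the first rule that matches; the catch-all guarantees there is one."""
    return next(rule for rule in rules if rule.matches(packet))

def off_segment_private_sources(packets, local_net=LOCAL_NET):
    """RFC 1918 sources that are not on the local /24: the 10.3.12.254 case, for the admin."""
    return sorted({str(p.src) for p in packets if p.src.is_private and p.src not in local_net})

def looks_like_dns_reply(p):
    """UDP from port 53 to a high port is the shape of an answer to our own query (stateless heuristic)."""
    return p.proto == "UDP" and p.direction == "Incoming" and p.sport == 53 and (p.dport or 0) >= 1024
```

Running `parse_log(SAMPLE_LOG)` and `evaluate` over each packet gives `block-10/8` for the ICMP packet, `block-netbios-smb` for the nbdgram broadcast and `block-inbound-1306` for the packet from the ISP resolver, while `off_segment_private_sources` returns only `10.3.12.254`. The rule order matters: the 10.0.0.0/8 block sits first so that it catches any protocol, and the catch-all sits last so that, as the reply above says, nothing reaches the host unless an earlier rule allowed it.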
Very open (:SAD)
It is NOT encrypted; I don't know about the broadcast.
It is intended for the whole building.
Seriously, this could be a problem. A malicious user could read all your info (email, credit card password, monitor which sites you are visiting, which pages...) if the router security settings are bad.
Wifi should be used in trusted environments...
Legitimate users of the router are able to do this...
I know, that's why I never use this connection for serious stuff, and only check my email through ssh/https.
By the way, i have ssdp and upnp services disabled