Can someone tell me what these protocols mean?
And how should i answer to that network that is trying to join my PC?
[attachment deleted by admin]
You should tell what your network specifications and isp dns are.
The only “weird” thing i see is 2 local ip different groups (192.168.0 and 192.168.1), and dhcp bootp requests (ports 67 and 68), most probably useless if your local network is set to static 192.168. LAN ip.
The broadcasting requests on port 1900 is not a security threat by itself, it is due to Upnp windows service, disable it if not needed.
224.0.0.1 is a normal broadcast request.
echo request (8 to 0) is probably from your isp: check the ip; even if it is, you should want to disable it altough it is not a security threat in these conditions: make a global firewall rule blocking echo request.
The same goes with netbios requests on port 137: not a threat on a global point of view if from your isp, but my opinion is that netbios ports 137 to 139 should be disabled everywhere on the wan side, including your isp: make a firewall rule blocking these ports, but make it followed immediately by the same rule allowing the same ports if source and destination are your lan zone as, if not, you shall deny yourself access to your lan.
There’s nothing wrong with those port lists, except for the 137-139 request.
If you receive a request/incoming connection on these ports (137-139) from the Internet, 99% of the time its probably a virus (Tanatos/Bugbear/Sality) trying to inject itself to your machine.
More info on these ports & the virus:
http://www.grc.com/port_137.htm
No.
As i said, netbios ports are a very high security threat.
But (even if i have blocked them as every wan netbios request), it is not unusual, and not malicious from your isp to probe the netbios ports of the users.
This being said, there’s no use for netbios outside a lan and if you don’t use windows files and printers sharing: in these conditions, the corresponding services and NIC tcp/ip should be disabled.
It it also not true to state that “there’s nothing wrong with this port list”.
You are at risk both with port 1900 and 67-68 if anything else then broadcasting to your lan and isp is used.
What I’m trying to say is: It’s normal to have port 67-68, and 1900 activity on any normal PC.
You’re just being a paranoid if you’re trying to block 67-68 with no apparent reasons.
And remember, the guy’s running Comodo Security.
That goes, everything’s malicious will have to go through Comodo’s tight defence system.
And from my experience, the only port that will have the potential to wreck havoc on today’s system, is that 137-139 ports. Because I’ve been there (infected by Tanatos/Bugbear/Sality across network; 350 PC), and will not forgot how ugly is that Tanatos/Bugbear/Sality when plugged to port 137-139.
I know that sometimes ISP’s will try to probe 137-139 lines.
And that’s why I stated it as 99%. Not 100%.
It’s just to risky to open those ports on the WAN side.
And so, it’s just a repetitive words by you and me; “Better block those 137-139 ports unless you know you’re ISP’s need it”.
You're just being a paranoid if you're trying to block 67-68 with no apparent reasons.
e pur si muove…
Ports 67 and 68 are well-known doors to denial of service and remote execution.
UDP Port 67 BOOTP Server The Bootstrap Protocol server is used by Dynamic Host Configuration Protocol (DHCP) servers to communicate addressing information to remote DHCP clients. You will need this port open on the internal interface if you use DHCP on your home network, but you should disable it to ensure no DHCP server is running on the external interface. Why? Hackers can use another computer, namely yours, as a slave computer to make illegal activities seem as if they originated from your computer. Further, a hacker could waste your computer's disk space, CPU power, and bandwidth by installing a peer-to-peer server for instance.UDPT Port 68
BOOTP Client
UDP Port 68, the bootstrap protocol client, is used by client machines to obtain dynamic IP address information from the DHCP server. Tightly administering DHCP permissions can help keep DHCP ports from being used for malicious attacks. Obviously, UPD Port 68 should be disabled just as its partner Port 67 if DHCP is not being used in your network to dynamically assign IP addresses. This is especially important with wireless routers where someone outside of your house could gain an internal IP address, and hence, internal access to the machines and services you have running internally.
The same situation arises with port 1900: whatever your personal (and wrong) opinions are, these ports should definitely be closed on the wan side, and if not possible because of a routers activity AND dhcp, be restrained to a single authorization for scvhost (udp out, destination ip 255.255.255.255, destination port 67).
well here is the problem, i do not know how to close them or make rules for them can you advise me of how, please?
also, where can i look up IP addresses?
well here is the problem, i do not know how to close them or make rules for them can you advise me of how, please?One needs for that to know what cis version is used, and what is the network configuration, aparently a lan, but with ip in 2 different groups: what is the local range of ip, do the computers have fixed local ip, is there a router or other connexion type?
also, where can i look up IP addresses?A lot of tools (e.g. whois) can report where a ip comes from and who owns a domain if any, but that is globally not speaking for what you want to do: you only need to know in a first time the 2 dns of your isp, and you shall find them in the documentation of this isp, or online (google "isp dns"); more empirically, it is enough to set Comodo to ask permissions for your mail (not webmail) client: the ip shall be reported. You don't need to know ip for each application; as an example, you don't care a single second where your browser shall connect to, as long as it is only tcp out, ports 80 and 443 only (if no proxy is used).
I have a ummm Linksys wireless thingy, and a modem
Idk if that would be a router(Wireless thingy)
And also now i get connections from China Unicom Hebei Province Network? Why?
can you assist me with this, it’s like 192.168.0.1 Type( 8 ) Destination:70.245.155.175(Code0)
—I am on CIS V4
can you assist me with this, it's like 192.168.0.1 Type( 8 ) Destination:70.245.155.175(Code0)
Seems to be your provider:
Texas?
Nothing unusual in a echo reply (to your isp code 0 to from your local ip type 8) from your isp: if you don’t want it, deny in your firewall global rules icmp in, any ip to any ip, message echo request. (and icmp out, echo reply).
Coming back to your other questions, i am not the best one for answering you, as we don’t know what OS you are using (xp pro sp3 for me), and as i am using cis v3 and not v4, but waiting for someone else to bring you version appropriate comments, i shall make general ones.
The first thing i would do would be to set my computer(s) to fixed local ip.
Assuming 192.168.0.1 is your routers local ip (check either with the router manual, or typing http://192.168.0.1, or typing in a dos windows ipconfig /all : note on a piece of paper the local ip, gateway, mask, and both dns).
Look at the administration of your router, and deny ping if there’s some item for it.
Now go to the tcp/ip properties of your connecting card, uncheck dhcp, and set a local ip in the same group (e.g. 192.168.0.10), mask 255.255.255.0, gateway 192.168.0.1, dns, those of your isp.
Reboot and connect to google or wherever: some routers or isp forbid fixed ip configurations; if it does not work, revert to the previous situation.
Now disable windows useless and risky services (including dhcp if the said fixed ip configuration works, and ssdp as far as port 1900 is concerned) refer to:
Set your firewall and defense+ to ask for the connexions and uncheck the default behavior (i don’t remember the settings, i don’t use v4, it is documented in this forum) so it does not allow outbound by default: now, you shall get warned for the connexions, and you are ready to write your own firewall rules.
The global rules should at least be:
ICMP out, any to any, icmp protocol unreachable, deny
and, if you want to deny ping, 2 rules as i said previously.
Very basic rules should be:
Mail client:
allow tcp out, any ip to your isp ip, source ports any, dest ports pop/smtp ports (25,110)
deny everything else
Browser:
allow tcp out, any ip to any ip, source ports any, dest ports http (80,443)
same rule for dest ip localhost (127.0.01) if using firefox, dest ports any
ask or block everything else
System:
block udp out, ip any, any, source any, dest ports 135-139 (netbios)
block and log ip in any ip, any protocol
svchost:
allow tcp and udp, out, source ip any, dest ip: your isp dns, port 53
if wanting to allow bootp:
allow udp out, source ip any, dest ip 255.255.255.255, source port any, dest port 67
In common usage, you have to block everything else, but particularly:
block tcp in, ip any, any, source port any, dest port 135-139 (netbios again…)
block icmp out, any, any, any ICMP message
And the same goes by trial and error with every application you want to allow or deny, but remembering that Comodo is quite stupid in this regard: if you deny and remember a tcp in request “on the fly”, comodo only makes the rule for the concerned ip and port, you have to extend it in terms of ip and ports.
If you don’t want to be logged with one of the rules, block but do not log, so you won’t know that someone is making some connexion attempt from China or planet Mars.
whooaaa, i will do as you said, but for the moment am i safe? or what?