
Thread: CONSTANT FWALL ALERTS SINCE UPGRADE

  1. #1
    jjimbo Guest

    Default CONSTANT FWALL ALERTS SINCE UPGRADE


    I get a medium fwall alert no less than every 10 mins. The details are usually... ip source 24.64 etc, source dns s01060003250cd0, whilst Defense Advisor assures me I'm safe and it was probably a background noise. I feel that for my fwall to be blocking so regularly is concerning, or am I paranoid? Trying to understand whois and ARIN and RIPE etc is way over my head; it might as well be maths equations. One thing I notice is that clicking on the Hacker ID map the source is always Canada or China, but it means nothing to me. Can anyone shed some light for me please?
    P.S. Since installing the upgrade, in fwall zones I have 1 DHCP server but 2 DNS servers showing (IP similar). Is this normal?
    I trust ZoneAlarm totally but I feel sometimes you need a degree in maths to understand all this.
    Any help is greatly appreciated.

    Operating System:Windows XP Home Edition
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    watcher Guest

    Default Re: CONSTANT FWALL ALERTS SINCE UPGRADE

    Dear jjimbo:

    You are talking about the entries located in the Alerts and Logs panel, Log Viewer tab. If Alert Type=Firewall, you are looking at connection attempts to your PC from the Internet. In the Action Taken column, all of these will show Blocked so you are safe. Like you, I became concerned about the number of entries but not for the same reason. My concern was that it is hard to identify actual attacks from hackers when you have to wade through all those entries. Hacker activity is unpredictable. Some days I would have hundreds of entries over like a 6-hour period and then other days I would have only a few. Here is what I did.

    First, harden your computer against attack by preventing exploits against common vulnerabilities on a PC. You can block a LOT of traffic (multiple IP addresses) merely by creating an expert firewall rule that blocks any traffic attempting to connect to a specific port on your computer. Expert firewall rules are enforced prior to Zone rules. Close the following ports using expert firewall rules: 135, 137, 139, 445, 1026, 1027, and 1028. This is assuming you don't use these ports. Then set the rules not to log this traffic. You will reduce the size of your firewall logs greatly. This allows you to concentrate on the remaining entries. This method is useful in a DDoS attack in which the attacker uses a botnet to attack your PC. I had it happen to me. I knew it was a botnet because the source IP addresses were from Class A, B, and C categories, so it could not be from a single entity. What they all had in common was they were seeking to connect to a specific port on my computer. I looked at the socket addresses (IP address, colon, port) listed in the Destination IP column to confirm. One expert firewall rule set to block the specific port would take care of this.

    Second, find the attacker(s) who generate the most log entries. Use the Source IP column to identify those with the same IP address. Click on one of them and then click the More Info button in the lower right of the Log Viewer tab and the online SmartDefense Advisor launches. Go right to the Hacker ID tab, find the name and IP range of the offender, write it down, and use it to create an expert firewall rule to block the entire IP range. You will find a lot of Chinese, North Korean, and even Iranian web sites that are obviously malicious. Then set these not to log. You should do only 1 of these per day. Otherwise, it seems like a monumental task.

    Third, create expert firewall rules for IANA-reserved IP ranges. Hackers like to forge these addresses as they are well known addresses and they can't be traced back to them. IANA has Class A reserved range of 10.0.0.0 - 10.255.255.255, Class B reserved range of 172.16.0.0 - 172.31.255.255, and Class C reserved range of 192.168.0.0 - 192.168.255.255. Also, set these to block and not to log any more.

    Currently, I have 32 expert firewall rules set to block and not log any more. The result is a much smaller firewall log which I can review far easier than before.

    If you decide to do nothing, you are still protected. ZAISS blocks all unsolicited inbound connection attempts by default, using stateful packet inspection (SPI). However, each of these blocked attempts is then logged, creating the large firewall logs.

    Hope this helps.

    WATCHER

    Message Edited by WATCHER on 12-11-2007 06:43 PM
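    The triage WATCHER describes above (count entries per source IP and per destination port, separate the "noisy port" hits from the rest, and spot sources claiming a private/IANA-reserved address) can be done over an exported log file instead of by eye in the Log Viewer. The script below is an added example, not code from the original thread or from ZoneAlarm; the line format and every address in it are constructed for illustration (documentation-range and private addresses, not real offenders), and the field layout is an assumption loosely modelled on a comma-separated text export.

```python
"""Triage blocked-inbound firewall log entries (added example, constructed data)."""
import ipaddress
from collections import Counter

# Constructed sample lines: type, date, time, source ip:port, dest ip:port, protocol.
# The layout is an assumed text-export format, not ZoneAlarm's actual file format.
SAMPLE_LOG = """\
FWIN,2007/12/11,18:01:02,203.0.113.7:4521,192.168.1.2:135,TCP (flags:S)
FWIN,2007/12/11,18:03:15,203.0.113.7:4522,192.168.1.2:445,TCP (flags:S)
FWIN,2007/12/11,18:05:40,198.51.100.9:1026,192.168.1.2:1026,UDP
FWIN,2007/12/11,18:07:12,198.51.100.9:1026,192.168.1.2:1027,UDP
FWIN,2007/12/11,18:09:55,10.4.4.4:60000,192.168.1.2:135,TCP (flags:S)
FWIN,2007/12/11,18:12:30,203.0.113.7:4523,192.168.1.2:139,TCP (flags:S)
FWIN,2007/12/11,18:14:01,192.0.2.33:3333,192.168.1.2:80,TCP (flags:S)
"""

# Ports the post suggests closing with a single "block, don't log" rule.
NOISY_PORTS = {135, 137, 139, 445, 1026, 1027, 1028}

# Private ranges from the post; an inbound packet from the Internet with one of
# these as its source cannot be legitimate and is almost certainly forged.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _split_socket(field):
    """'1.2.3.4:135' -> ('1.2.3.4', 135)."""
    host, port = field.rsplit(":", 1)
    return host, int(port)


def parse_log(text):
    """Parse the constructed export format into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) < 6 or parts[0] != "FWIN":
            continue  # skip blank lines and non-inbound records
        src, sport = _split_socket(parts[3])
        dst, dport = _split_socket(parts[4])
        entries.append({"src": src, "sport": sport, "dst": dst,
                        "dport": dport, "proto": parts[5]})
    return entries


def top_sources(entries, n=5):
    """Source IPs with the most entries: candidates for a per-range block rule."""
    return Counter(e["src"] for e in entries).most_common(n)


def top_ports(entries, n=5):
    """Destination ports hit most often: candidates for a per-port block rule."""
    return Counter(e["dport"] for e in entries).most_common(n)


def is_private_source(ip):
    """True if the source address lies in an RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def triage(text):
    """Summarise the log the way the post suggests reviewing it by hand."""
    entries = parse_log(text)
    noisy = [e for e in entries if e["dport"] in NOISY_PORTS]
    remaining = [e for e in entries if e["dport"] not in NOISY_PORTS]
    return {
        "total": len(entries),
        "noisy_port_hits": len(noisy),          # would vanish with one port rule
        "remaining": remaining,                 # what is left to look at
        "top_sources": top_sources(entries),
        "top_ports": top_ports(entries),
        "private_sources": sorted({e["src"] for e in entries
                                   if is_private_source(e["src"])}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['noisy_port_hits']} of {report['total']} entries hit the noisy ports")
    print("top sources:", report["top_sources"])
    print("top ports:", report["top_ports"])
    print("forged private sources:", report["private_sources"])
    for e in report["remaining"]:
        print("review:", e)
```

    On the constructed sample, 6 of the 7 entries target the ports WATCHER lists, one entry comes from a 10.x source that cannot have arrived from the Internet unforged, and only the single hit on port 80 survives for manual review, which is the point of the whole exercise.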

  3. #3
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: CONSTANT FWALL ALERTS SINCE UPGRADE

    [image not preserved]

    Or is this one better, with the ICMP controlled in the ZA Custom of the Firewall?

    [image not preserved]
    As for blocking off the private network ranges, that is not necessary. First of all, none of the addresses from two of the three are even getting to see the PC: if there is no 10.x or 176.x on the LAN, the 192.x PC will not respond. Yes, there is ARP spoofing, but most "hackers" do not waste time on home users, and most hackers that will attempt to wrap the LAN packets around the regular inbound will make these connect to all nodes of a LAN. In other words, the connection attacks will not be seen from some unusual LAN IP, but directly to the correct PC from the router itself.

    I find it easier to block off the specific ports in the router (along with the entire port range 5001-65535). This works for me. Disabling services and certain Windows features and aspects will also close the previously mentioned ports.

    Besides which, the ZA can be set to block ARP, check the gateway security and block fragmented packets (TCP) in the Advanced of the Firewall. Plus any unusual inbound attempts will always be seen and blocked by the ZA firewall from both the Trusted and Internet Zones.

    Cheers, Oldsod
    Best regards.
    oldsod

  4. #4
    watcher Guest

    Default Re: CONSTANT FWALL ALERTS SINCE UPGRADE

    Dear Oldsod:

    ZAPRO misclassified your images as ads but even when I attempted to view them, the hostnames for all of them are the home page of photobucket.com, not the images you probably wanted to show jjimbo.

    I block the private IP ranges out of habit. I did the same at school using the Cisco 2600 routers. I agree with your statement about them. However, I have experienced attacks from hackers forging IANA-reserved IP addresses, attempting to connect to my PC.

    WATCHER

  5. #5
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: CONSTANT FWALL ALERTS SINCE UPGRADE

    Thank you WATCHER.

    The home page of Photobucket was definitely not what I had intended. Odd the ZA Pro is doing that. I have a well set up Privoxy chained to a well set up Webwasher Classic before the Opera browser's filtering and have no issues with the images (using the ZA AntiSpy).

    Hmm, hackers attempting connections with your LAN IPs? Somebody is after you? Perhaps it is time for double NAT or a hardware firewall before your router? That will fix them just like that. Even a proxy server for your LAN will do the trick.

    I use a dedicated hardware firewall (AlphaShield) before the 1st router and both routers are doing SPI/NAT. Plus the second router doubles the original block port list. If I had a free and spare PC, I would definitely set up a proxy server - that would definitely put a stop to those kinds of attempts you have experienced. The routers have the ports listed in your above post blocked, plus others (ident; 5001-65545 range; some basic worm, phishing, trojan ports; lower IRC (194); telnet; chargen; time of day; snmp; etc). I did not stop at 1024, 1026-28 ports - I block the entire 1020-1029 range.

    I should further add the Protowall on the desktop being used does have the IANA Reserved ranges of 223:223.0.0.0-255.255.255.254 blocked off. Plus it has many selected ranges and IPs for Asia, Russia, Africa, Pacific, South and Central America, Caribbean, ads, trojans, CWS, trackers, various Akamai servers, counters, corps/gov/mil, etc.

    The Trusted Security and Internet Security Zones sliders set at High should help, so should checking the ARP feature. The very nature of the ZA is to always provide stealth and have all ports closed by default - and the ZA does the job well.

    Some internet providers by default block the epmap, all of the NetBIOS and Microsoft DS ports. Mine does. The online port scan will show these as being stealthed even when there is not any kind of firewall in place if this is the case.

    Port scanners and http probes could also be checking these typical ports:

    23 80 1024(include ICMP) 1025 1075 1080 1397 1596 1598 1666 1668 1669 1672 1674 2048(ICMP) 2426 2280 2745 3127 3128 3380 5490 5491 6129 6588 7040 8080 29992 38884

    but not limited to this list. If you had a server or IIS, the list would naturally be larger. But these should all be bounced by the router.

    Tip. [This does cover uninstalling the msmsgs (which does appear as "how do I uninstall the msmsgs" in this forum) and others (you will see)].
    Open the WINDOWS\Inf\sysoc.inf and remove the "hide" from all listed under the [Components]. Reboot. Open the "Add/Remove Windows Components" of the "Add or Remove Programs" of the Control Panel. You will see what I mean.

    Tip. [I do think this does directly apply to the Windows FW, but I do suspect it does have wider implications. The desired ICMP types can be seen and edited/added as desired]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings

    Tip [this one you may know. Note the NetMeeting on my desktop is uninstalled and completely purged, as are the igames, both messengers, etc. But this does completely disable those services and a few others]
    Open the Component Services tree of the Administrative Tools. Disable components in the properties - UPnP, NetMeeting, etc. But carefully.

    Cheers, Oldsod
    Best regards.
    oldsod

  6. #6
    watcher Guest

    Default Re: CONSTANT FWALL ALERTS SINCE UPGRADE

    Dear Oldsod:

    Thanks for the info. Most of this is repetition for me but may help someone else out.

    ZAPRO's ad-blocking feature isn't perfect, but what other firewall, browser, or antispyware utility is? Ad makers are like spammers, always trying to circumvent any control over them.

    I've been attacked many times; the scariest was a DDoS attack. I had multiple Class A, B, and C IP addresses (probably a botnet) trying to connect to a registered port on my computer. ZAPRO blocked them all. It's very good. I just like to reduce the amount of entries that show up in my firewall log, so I create expert firewall rules to remove malicious traffic that targets vulnerable ports, enemy country traffic from China, North Korea, Iran, etc., and other offenders that generate enough log entries to become a nuisance. Then I set these not to log any more. Now, I can look at the new threats that show up without having to wade through the repeat offenders. The expert firewall rules will always be a work in progress as the threats change with time and I'll end up adding new ones and removing old ones.

    I'm on dialup so I'm not too concerned right now. I connect at random times each day. When I finally get broadband, I'll definitely get a router, a good one, not the sub-$100 ones. You are right about AlphaShield. I've read a lot of good reviews on it. I knew nothing about it until I read one of your posts about 6 months ago.

    Thanks for posting about IANA reserved IP ranges. The Class D and E ranges I was familiar with. I've found additional ones looking at my logs and checking with the online SmartDefense Advisor, Hacker ID tab. They are obviously forged. IANA doesn't perform port scans, so far as I know.

    Take Care,


    WATCHER

  7. #7
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: CONSTANT FWALL ALERTS SINCE UPGRADE

    Hi WATCHER

    I did suspect you know those and many more!

    An older router that did work with dialup: SMC 7004BR Broadband Barricade router (with dialup fallback). Never tried this, so I cannot vouch for how well it actually works (maybe very slow or slower).

    An alternative for the time being is smoothwall (it becomes the server for the LAN). Ok, you knew already that too.

    Yes you are correct - IANA does not do port scans on home users. Some mischief is happening.

    Cheers, Oldsod
    Best regards.
    oldsod
