
Thread: ZA constantly blocking intrusions

  1. #1
    caliber Guest

    Default ZA constantly blocking intrusions

    Hi all.
    Yesterday I got ZA Pro after not using a firewall for many years.

    The problem is, ZA is constantly blocking "access attempts". I reset the counter and counted them, in 1 min it blocked over 1000 access attempts. I also get a couple of "high-rated" blocks every 5-10 min from the same IPs.

    The source IP shifts between 83.255.249.10:53 (Source DNS: resolver2.comhem.se) and 83.255.245.10:53 (Source DNS: resolver1.comhem.se).
    The destination IP is 192.168.2.92:xxxx (where xxxx varies) and all connections are made through UDP.
    My IP is 83.248.***.*** and my ISP is comhem.

    I'd like to know if these are real intrusion attempts or "false alarms". And if they are safe, how can I stop them showing up?

    Thanks in advance

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Jun 2004
    Posts
    320

    Default Re: ZA constantly blocking intrusions

    Since they are being blocked you are safe in any case. It may be that some of them are your ISP checking that you are on line by pinging your IP address. There are also legitimate sites that sweep the internet to collect data on traffic, connections, etc.. Then, of course there are also hackers trying to get in, but all is being blocked. I don't think you can stop them showing up in the log, short of disabling
    event logging altogether. However, you can stop the alert window from popping up for them (Alerts and logs, Main tab, set 'Alert events shown' to off; you will then only get popups for program alerts).

  3. #3
    caliber Guest

    Default Re: ZA constantly blocking intrusions

    Thank you for your reply.

    I'm really starting to suspect it's my ISP. The same two IPs have made access attempts the entire last three days (1000 times/min). I doubt anybody would put that much effort into hacking my computer, I'm not that important.. =)

    When clicking for more info on the IP, I get this:

    "The Internet Assigned Numbers Authority (IANA) has reserved this address for its own use. Unless you are on a network that is actively involved in the development of the system for assigning IP addresses, this address was probably forged in order to hide the identity of the sender."
    Not sure what to make out of that.

    Anyway, since it's constantly logging and writing to the hard drive (about false positives) I think it's putting unnecessary strain on the hard drive. And if I turn all logging off the FW feels kinda useless.
    Not sure what to do about it, but I'll turn ZA off until I figure it out.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: ZA constantly blocking intrusions

    Hi Caliber

    These appear to be very safe and it seems the ZA is not configured properly.
    Hence the "intrusions".
    You may be seeing connections, by UDP to and from the remote port 53 of the DNS and between 67-68 between the PC and the router/nat enabled modem (again by UDP).
    These are very normal and very much needed - even the incoming connections from the DNS and the DHCP are needed.

    Make sure your DNS and DHCP server IP's are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc

    1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
    2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s).
    3. Click OK and Apply. Then do the same for the DHCP server.
    4. The localhost (127.0.0.1) must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access.

    LIKE THIS:

    Open the Run.



    Type in command and OK the Run.



    Now the command prompt will appear.
    In the command type in ipconfig /all, then press the Enter key of the keyboard.



    Ok mine is relatively simple, as I have pared down windows and disabled many things, leaving just what I need and no more than that.

    So examining the results of my own ipconfig /all we see the following details:

    Physical Address : 00-13-20-C2-7A-DE

    This information is presently irrelevant and we can disregard it; this is the exact MAC of my networking device (Intel Pro/100 ve). All and each and every networking device using TCP/IP needs a MAC. This includes computer, router, server/internet devices and networked devices such as printers, games, scanners, etc. Sort of like the VIN for an automobile. Each MAC is unique to every individual device and there are no duplicates in the entire world.



    IP Address : 192.168.0.12

    This is information that is needed. This is the actual IP of my PC. Yours is different. Either way, you do not need this for configuring. Your assigned IP will appear in the ZA Logs and sometimes in the alerts.


    Subnet Mask : 255.255.255.0

    Subnet Mask means my PC is part of the domain of the router. In other words, my PC belongs to the router's domain. The router by internet rules is allowed to assign up to 254 domains. Or in other words, I could have 254 PCs connected to my router.
    We can ignore this for the most part, but we must always remember to include the subnet mask when using the router IP.

    Default Gateway : 192.168.0.3

    OKAY! This we need as the default gateway is the DHCP server IP.
    Enter this into the Zones of the Firewall of the ZA.
    Open the ZA.
    Open the Firewall.
    Open the Zones.
    Click the Add button or just click any one of the lines in the center.
    Select Subnet.
    In the drop down of the Add Subnet windows, select Trusted.
    In the IP address, type in the Default Gateway address as seen in your own ipconfig /all. (do not use mine as it is for me and nobody else).
    In the Subnet mask, type in 255.255.255.0
    [In the Description, type in router or dhcp server (or what ever you like) .
    Or perhaps you are using modem with a builtin NAT/SPI firewall.]
    Click OK.



    DNS Servers : 208.67.222.222
    208.67.220.220

    Some providers will only use one DNS Server and some will use two DNS Servers.
    Either way it does not matter.
    Just be sure to enter both of the DNS Servers as Trusted in the Zones, almost in the same way as you just did for the Default Gateway address.
    Now, use the IP Address option found in the Add button for each of the individual dns servers. Do not use the Subnet Mask. Just make a separate entry for each one of the DNS Servers.
    Your DNS servers should be verified as 83.255.249.10:53 (Source DNS: resolver2.comhem.se) and 83.255.245.10:53 (Source DNS: resolver1.comhem.se).

    The Generic Host Process (svchost.exe) should look like this in the ZA:



    The Generic Host Process needs to be allowed for the Trusted Access and for the Internet Access and for the Trusted Server. No Internet Server is needed or required.
    The Logging can be reduced in the Logs and Alerts of the ZA.

    Best regards.
    Oldsod.
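    As an added illustration (not part of the thread and not ZoneAlarm's own code), a short Python script that pulls the DNS, DHCP and default-gateway addresses out of a constructed `ipconfig /all` excerpt and checks simplified firewall log entries against them, so port-53 UDP replies from the configured resolvers can be told apart from traffic that actually deserves a look. The log entry format is a constructed stand-in, not ZoneAlarm's real log layout.

```python
import re

# Constructed Windows XP `ipconfig /all` excerpt; the resolver IPs are the ones the poster reported.
IPCONFIG_SAMPLE = """
        Default Gateway . . . . . . . . . : 192.168.2.1
        DHCP Server . . . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 83.255.249.10
                                            83.255.245.10
"""
FIELD_RE = re.compile(r"^\s*(.+?)[ .]*:\s*(\S*)$")             # "Name . . : value"
BARE_IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # continuation line

def parse_ipconfig(text):
    """Map lower-cased field name -> [values]; bare-IP lines join the preceding field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m and m.group(2):
            last = m.group(1).lower()
            fields.setdefault(last, []).append(m.group(2))
        elif last and BARE_IP_RE.match(line):
            fields[last].append(BARE_IP_RE.match(line).group(1))
        else:
            last = None
    return fields

def classify(entry, cfg):
    """Classify a constructed 'src_ip:port,dst_ip:port,proto' entry against the ipconfig fields."""
    src, dst, proto = entry.split(",")
    src_ip, src_port = src.rsplit(":", 1)
    dst_port = int(dst.rsplit(":", 1)[1])
    dns = set(cfg.get("dns servers", []))
    dhcp = set(cfg.get("dhcp server", []) + cfg.get("default gateway", []))
    if proto == "UDP" and src_port == "53" and dst_port >= 1024:  # reply to the PC's own lookup
        return "dns reply, configured resolver" if src_ip in dns else "dns reply, UNKNOWN server"
    if proto == "UDP" and src_port == "67" and dst_port == 68:   # DHCP offer/renewal
        return "dhcp, configured server" if src_ip in dhcp else "dhcp, UNKNOWN server"
    return "other"

# Constructed entries: two reported resolver replies, a DHCP renewal, an unlisted resolver, a TCP probe.
SAMPLE_LOG = [
    "83.255.249.10:53,192.168.2.92:1052,UDP",
    "83.255.245.10:53,192.168.2.92:1087,UDP",
    "192.168.2.1:67,192.168.2.92:68,UDP",
    "198.51.100.7:53,192.168.2.92:1100,UDP",
    "203.0.113.9:4444,192.168.2.92:135,TCP",
]

def summarize(text=IPCONFIG_SAMPLE, log=SAMPLE_LOG):
    return [classify(entry, parse_ipconfig(text)) for entry in log]
```

    Port-53 replies from an address that ipconfig does not list are the ones worth checking (the ISP may have changed resolvers, or the source may be spoofed); replies from the listed resolvers are answers to lookups the PC itself sent.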

  5. #5
    Join Date
    Jun 2004
    Posts
    320

    Default Re: ZA constantly blocking intrusions

    I don't wish to confuse matters, and of course OldSod is right if you have a router.
    But it may be that, like me, you don't, and then, depending on circumstances, you should not add the default gateway/subnetmask entry.
    I have a USB ADSL modem, no router. The system does
    not connect to the internet on boot, it needs manual connection when I want to get on to the internet (it is listed as a dial up connection in the Network connections applet in Control Panel). I also have a dynamic IP address (i.e. my ISP assigns a different IP address to my PC each time I connect). This is quite a commonly used setup for stand alone PCs in the UK.
    With such a setup, whilst the subnetmask is fixed (in my case 255.255.255.255), the default gateway changes to the newly assigned IP address each time I connect. When I do so, ZA automatically adds the following entry:
    Name: Internet ADSL
    IPaddress/site: [currently assigned IP address]: 255.255.255.255,
    i.e. [current default gateway:subnetmask]
    Entry type: Network
    Zone: Internet
    That entry is automatically removed when I disconnect, so there is no accumulation of entries corresponding to previous connections with different assigned IP addresses.
    Clearly for my system, it would not be useful or advisable to manually add the default gateway/subnetmask entry, since the default gateway changes each time I connect.
    As for the DNS servers, although these tend to be the same over periods of time, my ISP does occasionally change the DNS servers it uses to handle my connection. Whether it is useful in my case to add them to the trusted zone is moot. I haven't found any difference in performance with or without them added.

    Message Edited by JRosenfeld on 06-05-2008 04:17 PM

  6. #6
    caliber Guest

    Default Re: ZA constantly blocking intrusions

    Thanks a lot.
    I do have a router, and I followed those steps. I haven't had an "intrusion" since =)

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: ZA constantly blocking intrusions

    Actually the 255.255.255.255 is not used for a subnet but a broadcast to your assigned IP. Not just an IP but an IP with a broadcast to find and re-establish the connections to your IP (from your provider's point of view). Also used for the icmp and other things to initiate and re-establish connections to your provider's network.

    The dhcp servers of your provider may often change, but these should still be added as Trusted into the Zones. Your assigned IP should not come into play in regards to the dhcp and dns servers IPs.

    DNS is really an outgoing and incoming connection to and from the PC and the domain name server (and also in the reverse direction). More often than not, although the connections and lookups are successful without an open port to the dns, the PC does actually need an incoming connection from the dns servers to give an immediate re-connection (or re-establish existing connections) instead of initiating a brand new dns connection. A little smoother and faster and better results in less traffic between the PC/dns if the incoming connections are allowed.

    Oldsod.

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: ZA constantly blocking intrusions

    You are welcome.
    Oldsod.
