Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: netBios scans

  1. #1

    Question netBios scans

    I recently networked my new win98 machine and my older win95 machine, and since then my zone alarm firewall reports that im only receiving netBios session scans from various IP addresses. I'm on a cable modem, and prior to networking, I received all kinds of scans, HTTP, TCP, etc...

    I have internet connection sharing set up on the win98 machine, which is the only machine that can connect directly to the internet. The other one connects through a proxy which is running on the win98 machine, since my 13 year old seems to have discovered the wonders of internet porn...

    Any info on why all the scans seem to be netBios now and what if anything I need to do about it would be greatly appreciated

    javac,
    Agent Johnson

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Well, this is just a guess. do you have file and print sharing enabled? if so disable it. also disable netbios over tcp/ip. Microsoft networking depends rather heavily on NetBIOS. Why are you seeng all of the scans on it???? probably cuz its wide open! are you sharing any files b/w the computers? if so protect them with strong passwords. Need any more help?
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  3. #3

    thanx

    thanx for the advice hogfly, but i still have a few questions...

    i disabled netbios over tcp/ip on both machines, and i disallowed file sharing from my win98 to his win95 machine, but i still allow print sharing since i only have the one printer. i want full access to everything on his machine so i allow file sharing on his.

    zone alarm still reports only netbios scans, which i thought would end once netbios over tcp/ip was disabled, but i'm relatively new to networking and even newer to security issues, so i just don't fully understand it yet.

    another question - when im sitting at his machine and look in his history or temporary internet files folder, i can see eveywhere he's been on the net, but when i access the same folders from my computer over the network, i see different files. is there something missing from my network setup?

    since you're much farther ahead of me in security knowlege, if you could help or point me toward a good source of info i would truly appreciate it

    agent johnson

  4. #4
    I read your post Agent Johnson, and your observations about ZoneAlarm being very selective about what it reports once ICS is installed seems to match my experience very closely.

    As well as the firewall only reporting NetBios name scans, I have found that since I enabled ICS I can no longer use the 'stealth mode'. Even with file and printer sharing turned off hasn't affected this behaviour.

    I've probably forgotten to set something up properly but can't shake the suspicion that ICS is somehow circumventing the firewall - GRC's leak detector didn't even cause Zonealarm to blink when I tried it on the client ICS machine. This puzzles me..

    I am still tuning the ICS setup, so if I stumble across anything of any use I will be happy to share it but would still welcome any suggestions for workarounds.


    A trick I use to review the internet cache of networked machines is to use Windows "find" and search from the temporary internet files folder of the target machine, leaving the criteria fields empty. I'm afraid it doesn't work with the history folder though - I still have to visit the machine or trawl through it's registry to view it's history..

    Regards

    Village Idiot

  5. #5
    ZoneAlarm Can be great, But it can also be a pain in the ass, You have to go to the security tab and then click advancded. You have to give it the IP of the computer you want to allow a netbios connection, I had the same Problem

  6. #6
    Thanks for your suggestion Limp,

    I have made Zonealarm aware of the networked machines, and have no trouble with sharing resources between the machines.

    However, all of the netbios scans are originating from outside of my private IP range.

    What troubles me is that since ICS was installed, Zonealarm has not reported a single HTTP, FTP, Ping or any other type of connection attempt (except netbios) on my machines that are connected to the internet virtually 24/7.

    I think Windows ICS has managed to find a way around the firewall - any ideas?

    Cheers

  7. #7
    well i have a couple suggestions, if your only running an HTTP and/or FTP locally on ur network, set zone alarm to block all internet servers, and if thats the total opposite make it block local servers

  8. #8
    When i originally networked the two computers, zone alarm told me that its security level should be set to medium, or else the other networked computer might not be able to connect. Since then, i've set the security level back to high, and the other computer can still connect to the internet just fine. With the security level on medium, all the scans are reported as netbios, but with security on high, i get the ftp and http scans like im used to seeing.

    Maybe the other computer can still connect because it's going through a proxy?? I'm not sure...

    One issue i've just discovered... when zone alarm security is on high, i can't telnet out to anywhere, i have to reset it to medium.

    limp said it best...
    "ZoneAlarm Can be great, But it can also be a pain in the ass"

    AJ

  9. #9
    well it could be that it's run through a proxy, there are no proxy settings in zonealarm. i know recently i have had it set to medium and get warnings of netbios connection attempts A LOT!

  10. #10
    Junior Member
    Join Date
    Aug 2001
    Posts
    3
    zonealarm sucks. Get conseal:
    www.consealfirewall.com

    Best PC firewall available

    Always disable unnecessary shares to prevent intrusion, remember cable modem will make your neighborhood its own segment on the network so in theory other cable users have access to your LAN. Knowing this, several security precautions should be taken.

    hope this helps
    \" Does anyone ever ask you if you\'ve got a case of the \'Mondays\'? \"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •