Firewall Assistance Question

Printable View

Show 40 post(s) from this thread on one page

August 17th, 2002, 01:07 PM
LisaDarln

Firewall Assistance Question

Ok, I'm a complete newbie, so I suppose this is the proper area for me to post. If I'm wrong, my apologies in advance.

Next, let me say that I did a search in an attempt to find the answer to my question, but I'll probably be reading for years on this subject (port scan), AND in addition to having just jumped into this with both feet, I'm failing to understand probably 75% of the content already posted. I'd like someone to either point me to a complete newbie section/thread/website that explains in laymen terms or take the time to pm an explanation or post one here. Also, I'd like to thank you in advance for your help. Now, for my experience and questions:

After using the firewall for 2 days, this is the first time this has happened. My firewall dinged, chimed, and posted a message of:

Quote:

Blocked Port Scan Attack!

I can't recall now what I clicked, but I guess it was right. Then again I recieved that same message, only moments later, and clicked whatever again. I figure I've either goofed now and let what ever port scans do do, or the port scanner has moved on.
Out of curiosity I checked the alert in my log and it reads:

Quote:

...blocked an attempt to attack your machine using a "Port Scan" attack. The remote address associated with the traffic was... (IP address here)

(IP addresses I recognize because of my dabblings with spam tracing).
I looked up the address thinking maybe it was mine, but it belongs to a server out of Colorado called Inflow.net.

So, was someone attempting to or maybe succeeded in getting into my computer? Did my firewall do what it was supposed to do? What exactly is a port? How many do I have? What information from my computer can be accessed through a port? How does one scan a port? Meaning, is it a software thing you buy at any computer store? What are scans supposed to be used for? And I'd better leave it at that for now because my questions are near endless at this point, as seemingly is this topic.

Again, thank you for your time and I look forward to your reply/ies.
August 17th, 2002, 01:48 PM
powertoad5000

Just wondering... what firewall are you using? I think it is a little paranoid for a firewall to be calling a 'port scan' an 'attack', even if it is somewhat malicious. Anyway, in answer to your questions:

-There is a slight chance that someone was attempting to access your computer. Most likely you were simply one IP address among many hundreds that they were scanning.
-From the information you have provided, it seems there is almost no chance that anyone gained access to your system.
-And from your firewall responses, it sounds like it was doing its job.

Basically, ports in your computer transmit and receive information from the Internet. For example, port 80 is the default port for web pages on a computer. So, when you go to http://www.yahoo.com, you are connecting to it through port 80. Telnet is port 23, ftp is port 21, etc. http://www.iana.org/assignments/port-numbers is the place to go to check port number assignments.

Port scanning is something anyone can do from their home computer. Just google 'port scanner' and you should come up with several programs you can use. I have never used linux, but I think nmap is pretty much the first and last word when it comes to port scanning on that OS. Although you can buy commercial port scanners, for personal or educational use a free one should suffice. The main function of a port scanner is to check for vulnerabilites presented by open ports. afaik, there is no legitimate reason for port scanning a computer which you don't own or which you don't have permission to scan.
Once you have started your scanner, it is as simple as entering the IP or range of IPs which you wish to scan. Depending on how it is set up, your scanner will return a list of open ports on each machine.

If you want more information on the topic, there is a hugely in-depth TCP/IP tutorial at Black Sun. Although it is quite long, it is worth reading and will give you a good grounding in the concepts that the Internet works on.

Hope this helped you out a bit. If I made a mistake somewhere, please someone tell me, I am pretty n00b myself :)

-toad
August 17th, 2002, 01:52 PM
the_adairs

I can feel your pain on this one, when I first downloaded zone alarm, I had it configured for the highest settings possible and was getting people trying to connect to port 80, 21, 139 ect. First of all, if your firewall is allerting you, its doing the job. From what I understand people all over the internet send you little packets of information all the time, its just part of the package for being online. Ive heard that dsl and cable are worse. Ive tracked some of the port scanners that I have had hit me and found them to be korean websites, Russian, even had one in france. I came on here as well and asked the same questions, and found that you dont have anything to worry about as long as its not the same ip address doing repeated hits. I have windows xp firewall setup with a log, and zone alarm as well set for loging "hits". I periodically will review them and check to see if there are any ip's that are repeadilly trying to gain access to my system. I have yet to find one, but if I did, you better believe an email to that persons isp is going to take place (basically, a repeated ip trying to connect to your system could mean that someone is trying to gain access to your comp). Now..port scans, there is software out there that is called a port sniffer. Matter of fact, there is alot of them, what this software does is scan a range of ip's to find what ports are open. Now, what the heck is a port? There are two different types, hardware ports and software ports. Hardware ports are the plugs on the back of your computer like usb, serial, printer port, ect. Software ports are little..."doors" that different things. For example, when you open Internet explorer and connect to the net, port 80 gets opened. Port 21, I believe is assighned to telnet. So..a port sniffer is like someone on the other side checking to see wich " doors" are open. Now a firewall will keep all the ports basically locked, or pulls a curtain over all the doors to make sure no one sees them. That way when the person trys to sniff your ports (I know sounds vulgar doesnt it), he sees the curtain and moves on.

*Takes a deep breath*

If you want to go to a site to check how secure your system is...go to

Shields up
https://grc.com/x/ne.dll?bh0bkyd2

This site will try to optain your ip address, then try to connect to your system to see what type of information is available. The cool thing is they post the results back to you. They also have a port sniffer button that you can click on. I beleive its "check my ports" or something like that. This is cool because it actually will tell you how well your firewall is working.

Well...I hope all this information helps you out.

If you think this topic has alot of info....try researching anonymous proxies. Ive been reading for about 3 weeks on it, and just now starting to put the puzzle pieces together.

The_Adairs
August 17th, 2002, 02:41 PM
Bohogg

You can see exactly whats coming in and out of your computer with a packet sniffer...AnalogX has a free,easy to use one,called Packetmon.....It shows all traffic in plain text...Youll find,as I did,that the bulk of the traffic are pings from your own ISP,cookies or spyware,even incoming e-mails......Also there are sites that will test for open ports and other vulnerabilities on your machine,such as blackcode.com and grc.com....Those sites also have easy to understand explanations about whats going on,(I need that LMAO)...Many of the sites at TechTv.com com nice little.easy articles on firewalls,security along with windows and mac tips.....For more depth and detail this is the best site Ive found..
August 18th, 2002, 07:05 AM
darkes

It does depend a lot on which firewall you are using (and how it is configured).
In my experience, I've found ZA tends to give alerts for requests that are perfectly valid. Nothing wrong with ZA doing that of course, as it is rejecting requests that might be invalid.
Personally I've found Sygate to be better in this respect, as most of the time it just quietly logs requests it doesn't like (which includes sites you have explicitly blocked).
However, if your PC is being port scanned (i.e. someone is methodically going through all the ports on your system), then it does produce an alert in the way you described. It also has the option of logging packet data when this happens.
August 20th, 2002, 02:44 PM
bowlfreak

Newbie Firewall Question

It sounds as if the firewall is doing the job it is designed for. To follow-up on a previous posting, a firewall is a program/device that allows you to specify what kinds of information is allowed to come and go to your computer. It allows you to specify which ports, or doors, that traffic is permitted to come through. For example, Web traffic comes and goes through port 80. Secure transactions for buying stuff online goes through another port. Downloading files via FTP through another port.

Port scans could be as simple as a ping sweep of an entire subnet, or a port scan could be a dedicated, concerted effort to gain information about your machine. The purpose of the scan is to find out what ports are open/running, and the information returned will help the malicious individual in planning future attacks against your machine (if they should do so). The firewall was alerting you to the fact that the computer ports were being scanned at that time, and attempted to track which computer was performing that scan. You can feel somewhat secure in the fact that the firewall did catch the activity and alert you to it.

Ports 1-1024 are on your computer, and ports 1025 - 65000+ are on the server side. There are certain port numbers that will always be used by certain applications/programs. Also, there are programs/applications that will use a range of port numbers (called dynamic port assignment). Hope this helps.
August 20th, 2002, 03:35 PM
problemchild

Quote:

Ports 1-1024 are on your computer, and ports 1025 - 65000+ are on the server side.

Could you clarify that a bit? I may be misreading you, but it sounds like you're telling her that her computer has no ports above 1024, which of course it does. Low ports are privileged and high ports are unprivileged, but they are all on her computer.
August 20th, 2002, 03:48 PM
Troy11277

Good call Problemchild. On the same token, it also sounds like he is saying that "the server side" won't listen on ports below 1025, which it most cetainly does. Need to clarify. Ports 1-1024 are the well known ports. 1025+ are the random or dynamic ports that most boxes use to handle subsequent traffic flow (and other pre-designated traffic). A workstation or client initiates an http request on port 80. The server listens on that port to receive the initial requests then will randomly assign a different port to send the response back through, in order to free the original well known port for other requests. Once that server has assigned a random port to send his response back , the client/server communication takes place on that random port until the connection is broken and must be re-established.
August 21st, 2002, 02:05 AM
LisaDarln

Sorry I've taken so long to reply. I started to post again several days ago, but got side tracked with my daughter, and had to just give it up until now.

Thank you all for the various information you've given me about port scans. I understand much better now.

Quote:

powertoad5000 What firewall are you using?

I'm using McAfee now.

I've had a rather interesting morning with them. On two occassions I've been alerted to a Newtear attack, one came from out of Japan, and the other I think was out of Florida. I'm thinking neither of those are right because that's quite a big jump between different parts of the world. And since the attacks were done so close together in time frame, surely it had to be the same person, wouldn't you think?

I've been trying to find out exactly what newtear is now. I've read it has something to do with attacking DOS, which I think is the basics for any computer isn't it? And something else about if successful you'd get the "blue death" screen, but the link that explained what that is, was dead.

My curiosity just continues to grow. :) Thanks again.
August 21st, 2002, 02:18 AM
problemchild

Quote:

And since the attacks were done so close together in time frame, surely it had to be the same person, wouldn't you think?

Not at all. Port scans and simple attacks are quite common.

Quote:

I've read it has something to do with attacking DOS, which I think is the basics for any computer isn't it?

Erm...... well, sort of. But not really. It's kind of hard to explain in a short post. :rolleyes:

Basically, DOS is the foundation of Windows 9x and Me. If you're using Windows 2000 or XP, you have no DOS in your system, so you have nothing to fear from that attack.

BTW, I know nothing about the particular attack in question. I'm just speaking generally. I recommend a good Google search for your attack to find out more.

Show 40 post(s) from this thread on one page