Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    My apologies. I completely missed this post. I was going to cover this and a few others in another post, but this one will suffice for these services. This is Universal Plug and Play traffic, specifically UPnP Simple Service Discovery Protocol (SSDP). If your ruleset didn't already contain a blocking rule for IGMP, you probably would have seen an alert for that as well. This is basically communication between devices that allows them to detect each other and create paths for traffic through each other. It makes it possible for applications that function as a server to open ports through a router and other UPnP-aware devices for that traffic. It's called port forwarding. It saves the user the trouble of manually forwarding ports in their routers, modems etc (and the need to know how). When run as a relay or exit, Tor can utilize these to open a path to its server and directory ports through the router. Other applications like µTorrent can also utilize UPnP in this manner. Several internet worms have exploited it. It's been exploited via Flash Player. Malware that escapes detection, like government malware, can utilize it, especially remote access/control trojans. There's much more info on UPnP and SSDP here, including a small utility, "UnPlug n' Pray" that disables the services it uses. This works a little better than the UPnP function on WWDC. Before you run "UnPlug n' Pray", temporarily disable the rule that blocks IGMP. When you run it, you'll see a prompt like this one.
    Kerio-protocol 2.png
    This is IGMP, aka Internet Group Management Protocol. Note the IP address starts with 224. An internet search of the address will lead you to a lot more info regarding IGMP. Kerio cannot completely parse IGMP. It can only allow it or block it. Re-enable the IGMP rule when you're done. The image below shows the services that "UnPlug n' Pray" disables. Note that it's SVCHOST.EXE again, like DNS, DHCP, and many others. This is the problem with global allow rules for SVCHOST. They allow way too much, most of which isn't needed and is either exploitable or hostile to privacy/anonymity. Often the only way to determine what its traffic is for is by using the protocol and port number.
    UPnP services.jpg
    It's entirely possible for updates, software installs, and even malware to re-enable these services. Windows updates have a history of changing service settings back to where they want them, a problem that XP no longer has. The XPLite utility can remove enough components to render these inoperative. Not a task for the average user and definitely not something that should be done without a full system backup available. To guard against the possibility of something re-enabling the UPnP/SSDP services, I suggest adding this firewall rule.
    UPnP-block.png
    If desired, you can make this into separate rules for inbound and outbound. If you set the "display alert" option on the outbound rule, you'll be notified almost immediately if something re-enables UPnP. Used in this manner, a firewall has a role in detecting malicious code.
     
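    The rule ordering and the "block svchost UPnP/SSDP and alert" idea from the post above, as an added example that is not code from the thread or from Kerio: a small first-match ruleset evaluator run over constructed connection records. The process names, the sample addresses and the ports (UDP 1900 for the SSDP Discovery Service, TCP 2869 for the UPnP Device Host) are my assumptions for the illustration, not anything captured from the poster's machine.

```python
"""Added example, not from the thread: a first-match firewall ruleset in the
spirit of the Kerio rules discussed above, run over constructed connection
records to show which UPnP/SSDP and IGMP traffic gets blocked and which hits
trigger an alert. Ports, process names and addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SSDP_GROUP = ip_address("239.255.255.250")  # SSDP multicast group (UDP 1900)
MULTICAST = ip_network("224.0.0.0/4")        # IGMP joins/leaves target these groups
SSDP_PORT = 1900                             # SSDP Discovery Service on Windows XP
UPNP_HOST_PORT = 2869                        # UPnP Device Host control port on Windows XP


@dataclass(frozen=True)
class Conn:
    process: str               # image name as a personal firewall shows it
    proto: str                 # "TCP", "UDP" or "IGMP"
    direction: str             # "in" or "out"
    remote: str                # remote IPv4 address
    remote_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "block"
    alert: bool = False             # the "display alert" option on a rule
    process: Optional[str] = None   # None = any process
    proto: Optional[str] = None
    direction: Optional[str] = None
    port: Optional[int] = None      # matches either local or remote port
    remote_net: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        if self.process is not None and c.process.lower() != self.process.lower():
            return False
        if self.proto is not None and c.proto != self.proto:
            return False
        if self.direction is not None and c.direction != self.direction:
            return False
        if self.port is not None and self.port not in (c.local_port, c.remote_port):
            return False
        if self.remote_net is not None and ip_address(c.remote) not in ip_network(self.remote_net):
            return False
        return True


def classify(c: Conn) -> str:
    """Name the service behind a connection from protocol, port and address alone,
    which is often all a firewall log gives you for svchost.exe."""
    if c.proto == "IGMP":
        return "igmp"
    if c.proto == "UDP" and (SSDP_PORT in (c.local_port, c.remote_port)
                             or ip_address(c.remote) == SSDP_GROUP):
        return "ssdp"
    if c.proto == "TCP" and UPNP_HOST_PORT in (c.local_port, c.remote_port):
        return "upnp-control"
    if ip_address(c.remote) in MULTICAST:
        return "multicast-other"
    return "other"


# Ordered the way the thread recommends: service blocks near the top, application
# rules later, and an alerting default deny at the very end.
RULES: List[Rule] = [
    Rule("block UPnP/SSDP from svchost", "block", alert=True,
         process="svchost.exe", proto="UDP", port=SSDP_PORT),
    Rule("block UPnP control from svchost", "block", alert=True,
         process="svchost.exe", proto="TCP", port=UPNP_HOST_PORT),
    Rule("block IGMP", "block", proto="IGMP"),
    Rule("allow DNS out", "allow", process="svchost.exe", proto="UDP",
         direction="out", port=53),
    Rule("allow browser out", "allow", process="firefox.exe", proto="TCP",
         direction="out"),
    Rule("default deny", "block", alert=True),
]


def evaluate(c: Conn, rules: List[Rule] = RULES) -> Tuple[str, str, bool]:
    """First matching rule wins; returns (rule name, action, alert)."""
    for r in rules:
        if r.matches(c):
            return r.name, r.action, r.alert
    return "implicit deny", "block", True  # only reached without a default rule


# Constructed records, not a real capture.
SAMPLE: List[Conn] = [
    Conn("svchost.exe", "UDP", "out", "239.255.255.250", 1900, 1900),  # SSDP M-SEARCH
    Conn("svchost.exe", "UDP", "in", "192.168.1.1", 1900, 1900),       # SSDP NOTIFY from router
    Conn("svchost.exe", "IGMP", "out", "224.0.0.22"),                   # IGMP membership report
    Conn("svchost.exe", "UDP", "out", "192.168.1.1", 53, 1025),         # DNS to the router
    Conn("firefox.exe", "TCP", "out", "203.0.113.10", 443, 1030),       # browser, TEST-NET-3 address
    Conn("dropper.exe", "UDP", "out", "239.255.255.250", 1900, 1900),   # SSDP from an unknown process
]


def audit(conns: List[Conn], rules: List[Rule] = RULES) -> List[Tuple[str, str, str, bool]]:
    """Return (process, traffic class, rule hit, alert?) per record; an alerting block
    on SSDP is how a re-enabled UPnP service or an unknown process shows itself."""
    out = []
    for c in conns:
        name, action, alert = evaluate(c, rules)
        out.append((c.process, classify(c), name, alert))
    return out


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

    Note that the last record is blocked only by the default deny: the svchost-specific rule does not catch SSDP from an unknown process, which is why the thread keeps an alerting catch-all at the bottom of the ruleset.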
  2. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Not to worry, it's understandable with these types of posts.
    Done. One thing I need to say. Other than for the obvious, like programs trying to call home, or go out on the net that don't need to, or those that do, like the browser, I still don't know whether to allow or disallow something or make a rule for it. I'm going by the only dumb question is the one you don't ask.... What should I have done with Kerio's alerts like on your first screenshot?

    I checked in services first, to see if it had been changed as I remember this was one of the first things I disabled. I was annoyed to see it was enabled but had manual for startup type.

    I'm sick of seeing this word and "parsing" it by..... (sorry I couldn't resist that) Time to look it up. For those in the same boat as me...
    http://www.businessdictionary.com/definition/parsing.html

    I'll leave this one well alone.

    Done. Where should I place these in the ruleset?

    Now, backtracking a bit. I couldn't get online after booting this a.m. I reverted the last thing I did yesterday... that was the "M$ networking" Tab which was initially enabled and you had me disable it. After I enabled it this a.m. I had to reboot to get online.

    From post #75...
    All I have is my PC connected via ethernet (I don't like wireless) to a router/modem (one unit). It has 4 ethernet inputs for other devices to connect up if I want. As to who owns it, is a bit complicated. When I went onto BB I had a deal where they supplied the modem for free if we stayed with them a year, then it was ours. Anyway within a few months I had THREE of them and none worked properly. Others had the same complaint. My ISP had me get a 3rd party one which they reimbursed me for. Now it's outside the year and I take it, it's ours. Not sure what you mean by who controls it. As much as it's in our house it's under our control. I can log into the interface and change settings. When it was initially set up I did it manually and with a phone call rather than installing the bloatware. It does produce a small log. I've also disabled UPnP in it.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    When the prompt is from using a utility like "UnPlug n' Pray", allowing it that one time is sufficient. Making a rule is basically taking the answer you gave on a prompt and making that answer permanent. With services, if denying the prompt causes no problems and everything works as it should, make it permanent with a rule. If denying a prompt causes connection issues or causes apps or features not to work, the issue has to be sorted out before a permanent rule is made.
    Those rules are specific in regards to process and port. Nothing else uses those ports, except for possibly a few trojans. In general, those type of rules go near the top of the ruleset.
    Could you either post or send a screenshot of what's contained in that tab?
    That's what I needed to know, whether it was you or your ISP that controlled if you could use static IPs on your local network or if you were stuck with DHCP.

    I've had problems with ISP supplied modems too. This might be a long shot, but did any of them start acting up immediately after you accessed their interface? If yes, were you running NoScript at the time? On quite a few brands, the interface relies heavily on javascript. On a couple of the ones I had, accessing it with Proxomitron filtering javascript caused it to lock up, not just the interface, the whole thing. It took several reboots to make it function correctly. As far as I can tell with the limited number of DSL modems I've worked with, quite a few are vulnerable to altered javascript. If its interface is accessible from the web, (most ISP supplied modems are) altered javascript can be used for denial of service attacks, possibly to the point of causing damage to the device.
     
  4. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Because I'm so unfamiliar with what ip addresses belong to who, I've blanked this out but if you need it, I'll PM it to you. The only difference I made in this tab is check/uncheck. This is how it is now....
    Kerio FWMS tab.png

    OK I hope I'm not confusing the issue here. I'm not sure about what you're saying. I remember complaining to my ISP in the last year, about a static address as when I was on good ol' dial-up (wow did I say that) it was dynamic. I really liked that. So my understanding is my ip address is static. Whether I can actually change that I'm not sure. I'm VERY green when it comes to routers and how they're configured etc, but you can be sure I've had a good look around the settings to try and make sense of it. The one I have now, has quite a lot of configuring options you can do, but that is beyond me. If it helps I can also PM you some info on it if you like. I knew somewhere along the line the router would have its part to play in all this.

    Wow. Well that's a thought. I can't be certain but I'm pretty sure I was using NoScript. It seems weird that 3 were bad. A tech guy came out and tested them and deduced they were all duds. I couldn't believe it until I heard there was an unusual amount of issues with them from heaps of people. I literally spent hours on the phone and of course you'd get a different help desk person every time, and thus have to repeat your issues every time, and get a different fix every time. Anyway, I'm seeing someone I know early next week who may still have one. Last time I spoke about it, they said they had issues as well. I'd seriously doubt if they are the types who would know about NoScript etc, but you never know. I'll ask. Anyway, I actually still have the last one. They told me to keep it, so it's sitting on my desk. After what I've recently heard about ISPs and their own routers/modems, I'd be dodgy about using it.
     
    Last edited: Aug 22, 2014
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It is the IP addresses that I need. If you know what they are, that info would work as well. I'm not certain of it, but I think that changes made here may require a firewall restart to be made effective.

    Regarding static and dynamic IPs, I think I've confused you. I'm not referring to your internet or WAN IP. That's largely determined by your ISP. Most home services use DHCP and dynamic IPs. I'm referring to the IPs of your local network (LAN), everything on your side of the modem. Even if it's just your PC plugged into the modem, it's still a local network of 2 devices. The modem converts your internet IP into private IPs used by your local network. This is Network Address Translation (NAT). It's the method routers use to connect multiple PCs to a single internet IP address. Local networks or LANs use private IP ranges which are reserved for this purpose. These IP ranges are not used on the internet itself. The actual IP of your PC (not your internet IP) will fall within one of these private ranges. They are:
    192.168.0.0 - 192.168.255.255
    172.16.0.0 - 172.31.255.255
    10.0.0.0 - 10.255.255.255
    See https://en.wikipedia.org/wiki/Private_network for more details on private networks.
    Whether it's a simple home network or a business network with 1000 internet devices connected together, those devices, PCs, etc will have IPs that fall within these private ranges. On a large network with hundreds or thousands of devices, many of which change or move (employees laptops) DHCP is almost a necessity. On a home network where the same few devices stay connected to the same place month after month, dynamic IPs and DHCP aren't necessary.
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @Reality,
    Re: what IPs to display.
    At least don't obliterate the first two octets of the IPs, show something like 192.168.x.x
    Very simplified view of a router:
    internet -----(WAN side IP)--ROUTER--(LAN side IPs)---->> 4 eth LAN ports + a bunch of radio IPs are on this side.
     
  7. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks guys for your explanations. That helps make things clearer. A fresher head helps too.
    The ip is 169.254.0.0/255.255.0.0. How long that entry has been there I have no idea, so it's impossible to know what caused it to be there. Perhaps you guys will know. Anyway, I did a Startpage search to find out what the address means and according to poster "oldsod" (2nd post from the first link) at:
    https://www.zonealarm.com/forums/sh...etwork-detected-cannot-get-access-to-internet
    With all the changing of settings I've been doing on this venture, in the last few days, every time I've booted, I've had to reboot to get a connection to internet. As I said, I have always powered up my modem/router AFTER boot. Today, when I booted I powered the device up just before entering BIOS PW. That worked. I didn't have to reboot to get online. It's not a problem to power up before boot but I'd still like to figure out what actually has made this change.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The easiest way to explain 169.254.x.x is that it's the address that Windows assigns itself when DHCP fails to get an address. I suspect that with the changes made to your services, Windows is trying to get an IP via DHCP sooner than it used to, before the modem's DHCP components are ready. In general, the more services you disable, the faster your PC boots, just from having less to do. Using a static IP will eliminate any issues with your PC getting an IP from the modem. Depending on how fast your modem negotiates its internet IP with your service provider, it's entirely possible that your PC will be internet ready before your modem is. I don't think there's much gained by shutting down a modem at night. Its power demands are minimal.
     
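    The private ranges listed a few posts up and the 169.254.x.x explanation just above, as an added example that is not code from the thread: a parser for an `ipconfig /all` dump that classifies each adapter's address (RFC 1918 private, 169.254.x.x self-assigned, multicast, public) and states the DHCP-failure diagnosis. The dump text, adapter names and addresses are constructed for the illustration, not real output from anyone's PC.

```python
"""Added example, not from the thread: parse a constructed `ipconfig /all` dump
and say what kind of address each adapter holds, with a diagnosis for the
DHCP-failure case (Windows self-assigns 169.254.x.x). IPv4 only."""
import re
from ipaddress import IPv4Network, ip_address
from typing import Dict

# The three RFC 1918 ranges listed in the thread.
RFC1918 = [IPv4Network("10.0.0.0/8"),
           IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]
APIPA = IPv4Network("169.254.0.0/16")   # link-local, self-assigned when DHCP fails
MULTICAST = IPv4Network("224.0.0.0/4")  # IGMP groups, SSDP's 239.255.255.250, etc.


def classify_ipv4(text: str) -> str:
    """Return the address class; link-local is tested before the private ranges
    because the two must not be confused when diagnosing a connectivity problem."""
    a = ip_address(text)
    if a.is_loopback:
        return "loopback"
    if a in APIPA:
        return "link-local (APIPA)"
    if any(a in n for n in RFC1918):
        return "private (RFC 1918)"
    if a in MULTICAST:
        return "multicast"
    return "public"


ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")          # "Ethernet adapter Local Area Connection:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s?(.*)$")  # "IP Address. . . . : 192.168.1.10"


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Map adapter name -> {field label: value}, dropping the dotted leaders."""
    adapters: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def diagnose(fields: Dict[str, str]) -> str:
    """Explain one adapter's address the way the thread does."""
    ip = fields.get("IP Address") or fields.get("Autoconfiguration IP Address")
    if not ip:
        return "no IPv4 address"
    kind = classify_ipv4(ip)
    dhcp = fields.get("Dhcp Enabled", "").lower() == "yes"
    if kind == "link-local (APIPA)":
        return ("DHCP failed: Windows self-assigned %s because the router's DHCP "
                "was not ready or not reachable; a static LAN address avoids this" % ip)
    if kind == "private (RFC 1918)":
        return "%s %s (%s), behind NAT" % (ip, "leased by DHCP" if dhcp else "static", kind)
    if kind == "public":
        return "%s is a public address: this adapter is directly on the internet, no NAT" % ip
    return "%s is %s" % (ip, kind)


# Constructed sample in the XP `ipconfig /all` layout; not a real dump.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XPBOX
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.12.34
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE_IPCONFIG).items():
        print(name, "->", diagnose(fields))
```

    On a real machine, feed it the output of `ipconfig /all` instead of the constructed string; a 169.254.x.x result with "Dhcp Enabled: Yes" is exactly the boot-order race described above.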
  9. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    why not concentrate on tweaking the OS itself instead of loading up on for example browser
    addons/plugins?
    Yes, some may be needed, but the more things you add the more you're
    increasing your attack surface and you could run into compatibility issues as well.

    As far as I know you can backup the Windows registry to another location (avoid location of where OS is installed)
    using the registry itself.

    Have a reliable image backup before making changes.

    Some things to consider:

    Secure IE browser and don't use it. (go through all the Internet Option settings)
    Disable unnecessary Windows services. (careful on what you disable)
    Setup and run as a limited user. (LUA) Run the admin.account when you need administrative rights.
    Make sure you have DEP turned on for all programs and services.
    Force XP to unload DLLs in memory.
    Disable User Tracking.
    Disable simple file sharing.
    Disable or delete unnecessary accounts
    Harden the TCP/IP Stack for Denial of Service Attacks.
    Stop windows from altering its route table in response to ICMP redirect messages.
    Disable autorun.inf on all drives.
    Disable Recent Document History.
    Clear Windows pagefile at shutdown or see if you have enough available ram and not use one.
    Use netstat commands (e.g. type into cmd prompt: netstat -a (displays all connections & listening ports)
    Control what's loading at startup.
    Control DLL Search Path Algorithm.
    Keep RpcSs from binding to all interfaces.
    Use software restriction policies (SRP)
    index.dat files
    Shellbags
    MUICache
    Device Manager Cache

    Programs to Consider:

    LastActivityView - scans system and displays a log of actions made by the user and events
    occurring on your computer.

    CCleaner - can expand cleaning with winapp2.ini and can also be used with Sandboxie secure
    delete command

    NOTE: If using Sandboxie I would change default settings
     
    Last edited: Aug 25, 2014
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With the exception of a software firewall and a couple of extensions, most of this thread has been about tweaking the OS and services with the intent of hardening and reducing the attack surface. The items you mention under "Some things to consider" are some of the details that need to be addressed. That's one of the problems with XP, there's an awful lot of details. Information for all of them is scattered everywhere. Without a comprehensive checklist, how many users would think of half of them? IMO, that's what's missing for users of XP and other unsupported operating systems, a comprehensive list of what can be tightened, removed, disabled, etc. There are some that do a good job with OS security. I have yet to see one that ties security, privacy, and anonymity together. What I'd like to see is this thread used as a collection point for all of these with the eventual goal of rewriting it as a comprehensive manual. As far as IE is concerned, it will prove to be XP's biggest liability for a long time. IMO, the best solution when possible is remove it completely.
    I generally agree regarding browser addons. That's one reason that I prefer Proxomitron over NoScript and wanted to tie DropMyRights in with its usage. Being separate, it adds nothing to the browser's attack surface. Because it sits between the browser and the internet, it largely replaces the browser in the attack surface. Some browser addons are worthwhile. There's very little that can rival Request Policy for its ability to control connections to other locations, or PrefBar for its ability to put everything in easy reach and the ability to enable plugins, java, flash, JS, etc with a single click. Unfortunately, with Google having so much influence/control over Chrome and FireFox, I fear they will become as hostile to privacy as Windows, no matter what extension developers do.

    Regarding the registry, I don't believe that the registry on XP and newer will export complete registry hives, especially the security section. If I recall, restoring whole sections of the registry with the registry editor works more like merging the hives than replacing them, which could be leaving usage tracks and MRUs in place. On my 98 unit, I restore the registry with batch files on each reboot. I'm quite sure that the same could be done and automated from a bootloader using a small command line OS and a modified set of the same batch files. As much as I like apps like CCleaner, Privazer, and others, they don't solve the underlying problem, the collecting of all those records to start with. IMO, the focus should be on preventing the collection of those records to begin with. If your adversary is a 3 letter agency or hostile government, it's too late to get rid of usage tracks when they're at your door.
     
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    No worries on the power consumption, but I'm rural and dirty power is pretty much par for the course. My last dial-up modem was my 3rd one, thanks to electrical storms and forgetting to unplug. I'm not sure if it's true, but I heard that ADSL modems don't have the same vulnerabilities. I have a smart-UPS with 8 inputs but none for my phone jack, which still provides a way in to get your mainboard/components fried. Unplugging is ingrained.
    I'm still trying to fathom all this out even though I've looked at those wiki links, this part is pretty complex. In the meantime I've taken your option here at post #40 ...
    .... entering the 2 DHCP rules and a block rule. Because I couldn't get online after following recommended actions in Kerio, I disabled the changes I made. Since plugging in modem/router before boot, I've been able to re-enable those things and I now have no trouble getting online. I'm going to do what I haven't got around to doing yet and that's do your ruleset in post #65 for the 2 Proxomitrons and Tor. The apps like Word, and so forth, will just go under those entries you've displayed right?
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Rules for individual applications are generally towards the bottom of the ruleset. Any global blocking rules such as that Google blocking rule referenced in post #39 go at the top. Follow that with service blocking/control rules (includes DHCP), then the browser/proxy/Tor rules. DNS rules next. Then your apps.

    At the risk of creating more confusion for you, the Google, FaceBook, etc blocking rule will prevent you from connecting to those directly. It will not interfere with your reaching them through Tor.

    Regarding a static IP, if you want you can PM me the make and model of your modem. I'll try to dig up screenshots of where the changes need to be made.

    I know what you mean about dirty power. I don't have a dirty power problem. The last year, reliability has been my problem. I've lost power more in the last year than in the last 10 before this combined.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Like firewalls and classic HIPS, Proxomitron is only as good as its filters. I put together a filter set that can serve as a starting point. It's a combination of the default filterset, ProxBlox, and a few extra filters that block other tracking mechanisms like ETags. When tested at Panopticlick, it blocks inquiries regarding flash, java, plugins, etc, even when they're enabled. When visiting https://check.torproject.org/ , it reports that you're using the Tor Browser, even if you're not. It doesn't report javascript enabled even when it is.

    This filterset is not a finished product. It's a starting point that can be made better as we go. The configuration file is in a 7z archive. Back up your original default.cfg, shut down Proxomitron, then extract the file to your Socks launched Proxomitron folder. Restart it. Feel free to change the obnoxious default color scheme.

    Edit, link removed, archive incomplete.
     
    Last edited: Aug 28, 2014
  14. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    @Compu KTed
    Thanks for your input. Not sure if you've followed this thread from the start, but you'll see how this is a work in progress, not only getting my questions answered and a package put in place, but as a collation of data for as many as possible as well. It is indeed as noone_particular has said...
    Really, that is a great goal for this thread.

    There's a plethora of utilities I use like CCleaner, Privazer, LastActivityView etc, but noone_particular has a point. Prevention is better than cure. If I was proficient in writing batch files or had more understanding about that, I most certainly would take that approach. In the meantime I use what works the best. Could you give a quick tutorial on how to do these please...

     
  15. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks for the recap on that. It's my next job.
    I don't care how confused I get about facebook cuz I don't go there anyway and never have plans to. For the sake of youtube, is there a kind of work around with this setup if I wanted to access it non TOR?
    Thanks.
    The aging power grid is a bit of a concern. Power cuts are a very frequent occurrence where I am, hence a decent UPS is a wise choice with under/over voltage, nasty transients, spikes, brownouts, dips, sags etc.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The list can include whatever you want, all of the Google IPs, Facebook, Twitter, known adservers and trackers, etc. I'm not sure how much you can allow YouTube without allowing Google at the same time. You might try doing a capture of the Kerio status screen or use TCPView when you go to YouTube to get a list of all of the IPs being connected to. Then load each IP into an internet utility package like Sam Spade. For each IP, it can give you the IP range used by that server and tell you who owns or controls it. Sam Spade is an amazing set of tools in one package. The more you learn, the more it can do. Major Geeks has it.

    I hear you regarding the power grid. That's about the only time my internet IP changes, when I lose power and the modem has to get a new one. Normally I wouldn't care but the way my system is set up, the apps on my PC can't determine my internet IP, including Tor. When my IP changes, I have to change it manually in the Tor configuration file. With the number of power outages I've been getting, it gets old. I've thought about getting a UPS, but I'd need one that could power 4 separate devices for at least 6 hours to make any difference. A bit out of my price range right now.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There are a couple of good threads for Privazer and LastActivityView that not only cover what they find, they also cover the mechanisms that create these records and some of the ways they can be disabled.
    On the Unofficial Proxomitron Forum, I ran into this tweak for eliminating Flash cookies permanently. See post #4. When time permits, I want to test that idea on Index.dat files and see if XP will tolerate such a tweak for them.
     
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    @noone_particular

    @Reality

    As the saying goes "An ounce of prevention is worth a pound of cure". I agree that preventing
    the collection of these records in the first place should be the focus.

    I've also used good old Proxomitron with Firefox way back when and also Request Policy. (minus whitelist)
    Removed Firefox though and have no interest in Google Chrome.

    I prefer to load browser with as few addons as possible and only use a small number of
    third-party security apps. Not exactly fond of security suites that try to do everything.
    Tweaking the browser settings and running it sandboxed with a custom filter list seems to
    work well. Always though room for improvement.

    The Windows XP registry for example if you have set SRP rules does back them up, however I
    don't think it backs up the entire registry even if 'All' is checked.
    You can also make XP not open .reg files automatically with registry editor.
    On the context menu you'll usually see 'merge' listed, but now you'll see
    'open with' registry editor or Notepad.

    Best to use whatever the OS gives you, but trying to get security/privacy/anonymity together
    like you said. Is that even possible nowadays?

    And don't get me started on IE browser integration and activeX...What was Microsoft thinking?

    The reason or one of the reasons I use CCleaner is to remove unnecessary stuff like language
    files and temp files and if a program happens to write log files to the main OS drive. I list
    many files in (advanced users only). For me it's a worthwhile program.


    Make sure you have DEP turned on for all programs and services. -
    This is setting in System Properties -> Advanced -> Performance settings -> Data Execution Prevention

    Force XP to unload DLLs in memory. -
    Harden the TCP/IP Stack for Denial of Service Attacks.
    Stop windows from altering its route table in response to ICMP redirect messages.
    Disable Recent Document History.
    Clear Windows pagefile at shutdown or see if you have enough available ram and not use one.
    Control DLL Search Path Algorithm.
    Keep RpcSs from binding to all interfaces.

    These are registry settings for example clear pagefile at shutdown:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    REG_DWORD key is ClearPageFileAtShutdown
    Set value data at 1
    Should take longer for computer to shutdown

    Be careful when editing registry


    MUICache
    Device Manager Cache

    Use CCleaner winapp2.ini for these 2:
    Device Manager Cache - WARNING: This cleans cached drivers of connected devices. As soon as
    you connect a new device with your computer or restart the PC the Windows OS will rebuild
    this file!

    MUICache - When starting using new apps, Windows OS automatically extracts the application name
    from the version resource of the exe file, and stores it for using it later, in the Registry key
    known as 'MuiCache'. Even if you delete MUICache items, they'll reappear the next time
    that you run the application.
     
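    The registry settings listed in the post above (ClearPageFileAtShutdown and the other items given only by name), as an added example that is not code from the thread: a parser for a `reg export` style dump that audits the current values against the wanted ones and writes a .reg file setting only the ones that are missing or wrong. The dump text is constructed, not a real export. Only ClearPageFileAtShutdown and its key path come from the post; the key/value names I use for SafeDllSearchMode, EnableICMPRedirect, SynAttackProtect and NoRecentDocsHistory are the usual locations for those list items and are my assumptions, so check them against your own references before merging anything.

```python
"""Added example, not from the thread: audit a constructed `reg export` dump
against a set of hardening DWORDs and build a .reg file that fixes the rest.
Only ClearPageFileAtShutdown is taken from the post; the other entries in
WANTED are assumptions about where the listed items live in the registry."""
import re
from typing import Dict, List, Tuple

RegKey = Tuple[str, str]  # (key path, value name)

# (key, value name) -> required DWORD.
WANTED: Dict[RegKey, int] = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown"): 1,    # from the post: wipe the pagefile at shutdown
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager",
     "SafeDllSearchMode"): 1,          # assumption: "Control DLL Search Path Algorithm"
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
     "EnableICMPRedirect"): 0,         # assumption: don't alter the route table on ICMP redirects
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
     "SynAttackProtect"): 1,           # assumption: TCP/IP SYN flood hardening
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoRecentDocsHistory"): 1,        # assumption: disable Recent Document History
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[RegKey, object]:
    """Parse .reg text into {(key, name): value}; dword values become ints, other
    types keep their raw right-hand side. Real exports are UTF-16LE with a BOM,
    so open them with encoding='utf-16' before passing the text in."""
    out: Dict[RegKey, object] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, rhs = m.group(1), m.group(2)
            if rhs.lower().startswith("dword:"):
                out[(key, name)] = int(rhs[6:], 16)
            else:
                out[(key, name)] = rhs
    return out


def audit(current: Dict[RegKey, object]) -> List[Tuple[str, str, int, object]]:
    """Return (key, name, wanted, actual) for every setting that is absent or differs."""
    findings = []
    for (key, name), wanted in WANTED.items():
        actual = current.get((key, name))
        if actual != wanted:
            findings.append((key, name, wanted, actual))
    return findings


def fix_reg(findings: List[Tuple[str, str, int, object]]) -> str:
    """Build a .reg file that sets only the non-compliant values, grouped by key."""
    by_key: Dict[str, List[Tuple[str, int]]] = {}
    for key, name, wanted, _ in findings:
        by_key.setdefault(key, []).append((name, wanted))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, vals in by_key.items():
        lines.append("[%s]" % key)
        for name, wanted in vals:
            lines.append('"%s"=dword:%08x' % (name, wanted))
        lines.append("")
    return "\n".join(lines)


# Constructed dump in `reg export` layout; not a real export.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"PagingFiles"=hex(7):43,00,3a,00,5c,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000001
"SynAttackProtect"=dword:00000001
"""

if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_EXPORT))
    for key, name, wanted, actual in found:
        print("%s\\%s: want %d, have %r" % (key, name, wanted, actual))
    print(fix_reg(found))
```

    Back up the registry (or take the full image the post recommends) before merging the generated file; the script only ever reports and writes a .reg, it never touches the live registry itself.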
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Or, better to have the ambulance at the top of the cliff than the bottom... I also think it's good to minimize the addons as much as possible as well as other security apps and I've never run a security suite like Norton's ...perish the thought. I love Sandboxie but am yet to fully utilize what it has to offer as I'm busy putting this together but it will come in good time. I feel it's a brilliant program and offers a great layer of protection for what it is.
    Well I think we've got to try and what noone_particular has brought to the table regarding how Vista upwards are getting harder and harder or impossible to lock down, I'm all for seeing what I can do with XP/Kerio and utilizing other tools to complement those 2.
    I haven't used IE for so long. When you said "Secure IE browser and don't use it. (go through all the Internet Option settings)" I took that to mean, even though you're not using it at all, it can still be a security risk or phone home or something. Mine is outdated and unused. Other than getting rid of it altogether, what are the settings you'd recommend to lock it down so tight it would pretty much suffocate?
    Thankyou for that. I missed that one.
    I thought I'd omitted that one. It's cleared on shutdown and yes it does take a little longer.
     
    Last edited: Aug 26, 2014
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can't decide for certain what they might have been thinking. I'm torn between total stupidity and a deliberate weakness. One only needs to look at IE6 for proof that you can't patch your way to security. If it were possible, IE6 would be the most secure software on the planet. Even if you leave ActiveX out of the picture, it's still the stupidest thing that they could have done, integrating the operating system with the most targeted attack surface application. If you exploit Internet Explorer, you've exploited the OS at the same time.
    Exactly. The risk isn't just from iexplore.exe. It's the rest of its components as well, many of which are used by Windows Explorer. Folders that display their contents as web pages use it. Anything involving active desktop uses it. Desktop and start menu shortcuts can specify its use even if it's not your default browser. Example created by OpenSSL:
    Code:
    C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.slproweb.com/products/Win32OpenSSL.html
    Lock IE out by every means possible, SRP, classic HIPS etc. Make a specific firewall rule for it that both blocks its internet access and alerts you if it tries. Put the rule above the DNS rules. Others will be better able to explain how to lock Internet Explorer down. I just remove it.
     
  21. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    @noone_particular

    @Reality

    Someone can weigh-in on whether or not to use the pagefile on XP. I wouldn't recommend disabling
    it though if you don't have sufficient physical ram installed. Then again are we talking 32-bit
    or 64-bit version of Windows XP?

    As for IE browser noone...Did you use nlite to remove it? As for locking IE down there are several
    things you could do. An SRP rule and/or firewall rule as noone mentioned. In Internet Options ->
    Internet Properties -> Security tab adjust all zones to high or custom level for starters.
    The last version of IE you can use on XP is 8. There are some changes in settings available between
    version 6 and 8. I definitely would not recommend using version 6. Even version 8 is questionable.

    Remember we're talking about an unsecure/unsupported OS. That includes the IE browser!

    If you plan on installing Sandboxie you could sandbox IE, (forced program) give it no Internet Access,
    Drop Rights from administrators and power user groups and a little firewall like tweak (Sandboxie.ini)
    BlockPort=*,80,443 which prevents IE from connecting to the Internet even when launched sandboxed.
    Sandboxie by default already blocks ports 137, 138, 139 & 445.
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There's another possibility if you've got enough RAM. Create a Ramdrive and put the pagefile on it. A Ramdrive is also a good place for a sandbox, both in terms of speed and data deletion.

    I've never tried nlite. XPLite has worked well for me. It's not free but its flexibility for removing services is quite impressive.
     
  23. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Just popped in and before I get onto my Kerio ruleset. I see suffocating IE will be first. Just looked and my version is 7.
    So is WE vulnerable as well? A long time ago I'd heard there were suitable replacements. What do you use or does WE work OK with components missing when you uninstalled Internet Exploder?
    Done, well, altered what I already had which is 3 rules. Could I just incorporate them all into one rule denying in both directions and UDP and TCP?
    @Compu KTed
    32bit here. No I wouldn't have enough RAM. I've opted to clear it on shutdown. There was a recent thread containing posts about this somewhere.
    Done.
    Yes I'm using Sandboxie. Thanks for the tips.
    ...yes I certainly hear you on the browser, but the alternative is worse for upgrading OS past XP, like if you can't close ports. When you come down to tin tacks either that is true or it's not. If it's true, then all the updating and support mean zero, if that same support doesn't give a person real security from certain agencies getting inroads into your system. This thread is as much about that as anything. I would even go as far to say certain 3 lettered agencies are WORSE than some hacker in some backstreet somewhere. It's not a far stretch to conclude that most vulnerabilities and breaches are caused by them in the first place. If a person wants to trade bells and whistles for privacy/security breaches that's their choice. I don't mind a chunkier look if it means my privacy/security has a better chance of staying intact. To me, because I'm on XP and use Kerio, noone_particular has made some extremely interesting comments about all this that's got my interest. I hope it gets other XP users' interest as well. If there's other OS's and associated packages that can do the same, then let's hear it.

    Again Compu KTed, thanks for your tips. They all help.
     
  24. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    You're welcome.
    Another area which you might want to address if not already mentioned is Alternate Data Streams (ADS)
    and the NTFS file system. There is plenty info on the subject.
    file.png
     
  25. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    If this is an area that needs locking down, (the very term alternate stream says yes) a breakdown or overview of what you need to do would be great.
     