Kerio (Sunbelt) 4.3x warning incoming ...

Discussion in 'other firewalls' started by HandsOff, Feb 25, 2008.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    ...incoming connection to port 53. My problem is that I don't know what steps I am supposed to take. I could block the instance, I could make a rule to never allow such a connection, or I could come here and ask some advice :)

    The real problem is that I have just started using a wireless USB adapter to connect to the internet and I don't understand in this scenario who or what is trying to connect. The fact that warning has a big red bar got my attention though.

    I know very, very little about wireless connections. What I use is a wireless USB adapter made by Hawking. It is actually a tiny dish looking directional antenna and I guess it has the wireless adapter in its base. (It works surprisingly well, I think). Anyway, I have no clue what ports the USB adapter is inclined to use. I would have thought maybe just the same as my old cable modem, but it seems like I get a different set of connections that the ones I had with comcast.

    I'm about the take a look at the log, but should I be able to identify this? Is wireless going to be pulling this sort of thing in all the time? The old problem surfaces: What good is the firewall if I have no idea what the requests for access represent.

    Can anyone advise how to deal with these, (this one in particular).

    I will add that I am slightly worried that last time something like this came up on port 53, I told the firewall to make a rule blocking this type of connection, and it shortly became quite a bit harder to connect to the internet. Sooo, I may have shot myself in the foot on that one.

    Thanks a lot! -

    HandsOff!

    Here is a copy of the warning:
     

    Attached Files:

  2. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Check to see that the remote address is your DNS server. This is the response to a DNS query, so if you deny it, you can only see the sites you have already cached.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am not sure as to why you have received such an alert, the DNS is allowed via one of the predefined rules (Network security~ predefined~ Domain name system)

    Personally, I would block all inbound against svchost from the Internet. (Network Security~ Applications~ Generic Host Process for Win32 services) select deny Internet in. Set the rule to log in case of any problems.
     
  4. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Thanks for your suggestions.

    When I referred to the inherent firewall dilemma of the firewall blocking traffic followed by not knowing whether to allow something, I forgot to mention that I guess the way that most of us deal with them is, "is it something new?", or "Oh, yeah, I see that all the time" (which doesn't necessarily make it harmless, but let's face it...).

    I've only seen this one 2 or 3 times.

    Another thing that I neglected to mention was that "It came from out of nowhere!" Meaning I was not actively doing anything that would seem to have any connection to DNS. It is sort of a suspicious circumstance. Normally, wouldn't my computer initiate the traffic with DNS?

    As far as my being able to understand the flow of what is happening browsing with the internet, my understanding seems like it gets vaguer and vaguer. Browsers now do a lot of pre-loading images and following links on pages before you even click them (I think). Since my wireless connection is sometimes very slow, I wonder if what is happening is that the DNS is responding to a request made that might have been dropped if there was no response given within some unknown time limit?

    As far as the rule against svchost, I've heard that that is OK to do, however, might not that block the DNS? I'll try to see if I can get this logged, I have not really been very happy with that aspect of Kerio, but that may be lack of familiarity. Mosty, I am pretty happy with the way Kerio (Sunbelt) is working out.


    -HandsOff!
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    A lot of sites do have embedded re-directs, for such as loading images from external sites, loading adverts(popups) from external etc.
    There is that possibility, but as I have not actually checked to see if there is a timeout on reply to DNS, I cannot say for sure.
    Did you check that the IP in the alert was your DNS server?

    No, the predefined rule for DNS should allow this.
    I did set up on VM before my first post on thread to check, and to see if I could recreate the alert.
     
  6. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    The incoming connection is to port 1045. I suppose that this could just be an ordinary unfriendly port scan. If you turn on logging of packets to unopened ports, you will see more of those - so don't do it. ;)

    The interesting thing is that SVCHOST has opened port 1045. I don't know much about that. Can't find any quick and simple explanation.

    Cheers
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Just for example of this:

    I make many setups, on VM or guest, then monitor connections (mainly to see what various software may be doing,.. possible phoning home etc).
    An example of default connection by IE from my location (UK) made to "UK.MSN.COM"

    The top IP is the website, all others are re-directs made due to site:-

    connections.jpg

    each one of these connections needs DNS lookup.

    (above is order of connection)
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,892
    This happens every now and then for me too. I choose to block every time.
     

    Attached Files:

  9. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Stem -

    thanks for your answers. I don't know about checking that it is my DNS because I thought that it automatically finds a DNS server, and therefore the one that I have at the present time may not be the same as the one I had when the request that was possibly dropped was made. I wish I did understand this better, but at least I am more comfortable with blocking the generic host services thing...Also, maybe I misinterpreted the original warning. I thought originally that this was an incoming, but if it was svchost, then it was my outgoing request? Confused, but, hopefully I'll get there!

    Yes, and 1045 has been associated with a virus, rasmin, however, I guess quite a few ports have bad associations. Still, it is interesting as you pointed out.




    Tarnak-
    Your example seems suspicious to me, too. Shouldn't yours be the computer initiating the connection. They are a server, not you!



    Thanks for all the help. This is something that is really starting to bother me. I think I will block the connections, and make rules against them, and I will have to see if anything I use is effected. I hate doing that because sometimes I do not connect cause and effect right away, but this seems worth finding out!
    -HandsOff!
     
  10. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Yes it is. Any potential attack should be investigated. You should find out which ports are opened by your svchost. Kerio will show that, or you can use Sysinternals Process Explorer, which will show open ports and services for each instance of svchost. Maybe you have some service that uses this port.

    Cheers
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,703
    Hello,

    Tarnak, yes you can block those safely. I'd even write an advance rule to block the common ports 1024-1200 or so and reduce the Internet noise.

    HandsOff, the only DNS server you need to communicate is your own ISP. So make sure you block all others - inbound (and maybe also outbound).

    Stem, correct me if I'm wrong.

    Mrk
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is still unclear if the IP within the warning was the DNS servers.

    Caution is needed, as blocking this range of ports could cause problems, as many browsers (certainly IE) do use this port range for connecting to the web, so timeouts/no connections could happen. (It can depend on the firewall/application making this closure, and how)

    This does depend on if your ISP uses the same IP`s for its DNS servers.
    Creating specific rules are certainly a good idea for this, but ensure any blocking rule is set to log, so if the DNS servers do change, then at least you will have logs to show you the problem.

    No correction, just interaction.
     
  13. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    I used few months Sunbelt and my advise would be to block all inbounds towards "svchost.exe" or "Lssas.exe"(fro lsas block all out and in).That port is for DNS but in same time its a trojan port.
    Inbounds may also show that the file its infected so aditionally use Virus Total service and check it for viruses.
     
  14. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I have not used this service. I suppose you email a copy of...actually...of what? svchost.exe and Lsas.exe? I'll take a look though.

    Now about Lsass.exe, now it's interesting you say to block traffic. I thought it had to run for my internet to work. I guess I can try and see. I'm not sure why it needs to be blocked, other than, why not, since I don't know what it is transmitting!

    Interesting comment, I'm sure I will be learning something new!


    -HandsOff!
     
  15. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    An incomming UDP datagram to port 1045 can be a response to a DNS query. The fact that the firewall didn't recognized that it's a response could mean one of the 3 things: the firewall has no SPI and treats the packets independently, the SPI is malfunctioning or there was indeed a packet not related to DNS. If that IP is one of your DNS servers, you may allow the packets from it.
    Normally, nothing should be listenning on UDP on that port (1045) so if there is a packet sent to a closed port, there is no real danger. My advice is to check what opened ports are on your computer too...
     
  16. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Its very easy to test, block the inbounds and watch if you can conect to internet with firefox or some other programs like updating manually your antivirus.Anyway this firewall has also some general rules, look in the pdf manual to see how aplicatin rules are treated against the general ones( i dont remember exactly this thing) but anyway there is no need when using Sunbelt for any inbound to those Windows services(svchost & lsas).
    And of course seting this is at a one click distance (questionmark-block- alow,simple and efficient).Also Sunbelt has a good paket filtering module,search for more in the pdf manual.I liked this firewall to bad they dont want to develope it more.At this moment i m adicted to Jetico :))
     
  17. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    The Virus Total service is www.virustotal.com. .Usually the country short name is added to the end after the ".com" thing.
    You just put the file into the upload and the file is checked against 32 antivirus software including AVAST,Avira,BitDefender,KAV and many more.
    If the file appears to have been already checked do the check again you have the option.
    Nice and easy at least for under 10mb files.
     
  18. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Thanks for the details on virustotal.com. I did run both svchost.exe and Lsass.exe. Both had already been submitted. I elected to rescan both. I did not specify a secure connection. Would that be going too far? Nah! Next time i will :)

    Anyway, it was pretty painless. They didn't include Trojan Hunter 5, but I did :)


    -HandsOff
     
Thread Status:
Not open for further replies.