NIS help needed? - Spyblocker keeps port 80 open!

Discussion in 'other firewalls' started by SpongeBob, Mar 29, 2004.

  1. SpongeBob

    SpongeBob Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    24
    Can any NIS Pro 2004 users please explain how to configure firewall rules for spyblocker so that it stealths port 80 instead of keeping it open.

    After trying many, many things and spending weeks on this problem, I've been advised by many people on various forums including the spyblocker forum, pc answers internet security forum, broadband reports security forum. But nothing works. Many people say to get rid of NIS, as it's an overcomplicated resource hog, and to install the Sygate firewall/AVG AV combo which is much better. I like NIS though, if only it worked properly.

    I suspect that NIS Pro 2004 firewall doesn't like Spyblocker. But before giving up for good, I've been advised to ask on Wilders. So in the hope someone here can help me, here goes...

    Program Versions: (NIS) Norton Internet Security 7.0.6.17 - (SB) Spyblocker 7.63

    Problem: Port 80 is not stealthed when SB is running (which is obviously all the time).

    This problem was brought to my attention after many alerts were popping up saying that someone was trying to access the spyblocker.exe program on my system. Maybe I'm being paranoid, but it seems like the port 80 alerts were increasing in frequency, possibly due to someone noticing that my port 80 was responding to port scans?

    Port scans from various sites, including GRC, confirm that all ports are stealthed except for port 80 which is OPEN! Tests revealed that if SB was shut down, port 80 became stealthed, but obviously I want to keep it running as it catches lots of stuff norton misses. SB's author explained that because SB sits on port 80 filtering everything passing through it, it acts as a web server and keeps port 80 open. But it only filters spyware, etc; I've discovered other things get straight through the firewall's open port 80 direct to the spyblocker.exe program, which is not too good.

    NIS only stealths blocked ports, therefore it won't stealth port 80 as it isn't blocked - it's in use by SB. This is where Sygate wins over NIS, it apparently stealths all ports whether in use or not.

    I've tried creating program rules for SB to block incoming traffic on port 80, block outbound traffic, even blocking both ways. I've tried creating general rules for port 80 as well, but nothing works. I do manage to get port 80 stealthed by blocking inbound connections to spyblocker.exe, but this causes problems with spyblocker not working properly.

    The only solution I've found so far is to use the Windows XP built in firewall (ICF) in addition to NIS. This then stealths port 80. I thought if the simple ICF could stealth port 80 then surely NIS could, but apparently not. It seems I am asking too much of it.

    I know I can show stealth with both firewalls running, but I see people saying not to run 2 firewalls together as it causes problems, but what else can I do if NIS won't play ball?

    Any help, advice, information, solutions, would be *really* appreciated.
     
  2. RedLobster

    RedLobster Guest

    Bob

    You don't have a problem. Just a failure to understand, possibly due to having people advise you that themselves didn't understand.
    But to keep this simple. Doesn't spyblocker have a feature that prevents connections to spyblocker? While I have never used spyblocker there are people I know who have. And I've never heard of spyblocker being hacked...have you?
    Bob, do yourself a real favor and don't use any computer program until you understand how the program works. Your confusion has much to do with your not understanding that not all firewalls are the same. Try this with a program other than spyblocker and you may just find yourself getting a morning wakeup call from a nice script kiddie telling you it's time to get up. We are talking here of programs that connect to the internet, not programs that don't.
    Stick around. Someone will pop by with time enough to explain more on firewalls.
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi SpongeBob

    If XP's ICF stealths your port 80 and SpyBlocker still functions properly, then this would suggest to me it only needs to listen (act as a server) locally. In which case NIS should stealth this port.

    Is the firewall setting configured to High?

    You mention in other posts creating a permit all rule, which is something you usually do not want to do, and trying several other rules combinations. You might want to check all your rules (including general, program and trojan) for anything related to your previous attempts and remove them.

    Then wait for NIS to prompt and select the manual rules creation option and create a rule permitting outbound access for remote service HTTP only. Make note of any other access it may prompt for as this may help determine what other rules may be required.

    If it is listening/filtering on localhost, this should be covered by the default loopback rules (unless you have removed them).

    Regards,

    CrazyM
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Approach 1:

    Do you have security level in NIS set to 'Medium'? If so, change it to high and see if the problem goes away.

    Approach 2:
    Leaving Security set at high, disconnect your computer from the Internet (certainly!) and from any local LAN (if that can easily be done).

    Open the NIS User Interface, go to Personal Firewall | Configure | Programs tab.

    Find the rules listing for SpyBlocker and delete it. (Not to worry, it's going to get re-created below.)

    Reboot your system.

    When the reboot is finished, start SpyBlocker (if it doesn't start automatically).

    Somewhere, right around here (maybe after the next step or two) the NIS Rules Assistant should pop up and tell you that "SpyBlocker is attempting to access the Internet? What do you want to do?" Look at the options available (there may be as many as six! ;)
    "Permit All"
    "Block All"
    "Permit this One Time"
    "Block this One Time"
    "Automatically Configure Rules for SpyBlocker"
    "Custom (manually) configure Rules for Spyblocker"

    If you are offered the 'automatically configure' option, go with that (for the moment).
    Do not select "Permit All" under any circumstances -- indeed that might be the source of your problem as it allows something like Spyblocker to listen on Port 80, probably by default -- if I correctly understand what SpyBlocker is supposed to be doing.

    Come on back and let me know how these two work out and we'll go from there.
     
  5. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Joseph,

    Have you any guidance regarding specific "program" settings for NIS 2004 firewall programs, such as LuComserver, CCPROXY.EXE, iamstas.exe, NMain.exe, and ccApp.exe?

    I've been working to tighten up all of the rules associated with these .exe's, but this sometimes leads NIS 2004 Rules Assistant to come back (at the next Internet connection) and ask for rule creation again.

    In addition, NIS seems to build/accumulate copies of individual rules for some of these firewall .exe's (such as Lucomserver); for example, creating copies of the HTTP rule, or the DNS rule. I go in and remove the copies, and a couple of days later, when I go in and check them again, I have additional copies. My suspicion is that the "live update" process is "auto-magically" creating rules.

    Any thoughts?

    Best regards,
    Little Mike
     
  6. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    No, unfortunately, I can't help you here, I've cleared NIS off all my boxes (different versions, also). But, there's one thing you need to be clearly aware of: the functionality of the executables you mention is different in different releases of NIS/NPF, so be sure before you take anyone's advice that you're talking about the same version and on the same OS.

    First question of course is "Have you disabled automatic firewall rule creation?"

    Second question (well, point, really) is that I think LUCOMServer has gone through repeated updates recently due to the fiasco that started happening with different users (like me! :rolleyes: ) starting back in mid-January. In other words, it could be legitimate.

    If neither of the above, then you may well be confronted with the dreaded "corrupted rules" problem -- and that's not easy to fix in NIS 2004. You guessed it -- I doubt that there's any way to fix it outside of uninstalling all Norton products, re-booting, and re-installing. All I can say is best of luck. (It never worked for me and I went off.)
     
  7. SpongeBob

    SpongeBob Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    24
    Here are my Custom Firewall Settings:-

    Personal Firewall: High
    Java Applet Security: Medium, prompt each time
    ActiveX control security: Medium, prompt each time

    I currently have 118 program rules. Mainly for Microsoft (it seems like virtually every MS program is in there), but with a lot of Symantec stuff and Sun Java stuff. These rules were all auto created by NIS after I did a program scan. NIS doesn't let me copy these rules to a text file and there's far too many to copy into a text file myself, so I'll not post them here.

    I have been told to delete all of these auto created rules, but make sure that I don't remove any specific blocks. Surely if I just remove all of the program rules, it shouldn't make any difference or will it? Possibly NIS will stop working if I remove the Symantec rules? Is there a way to reset the firewall rules back to how it was when installed? There sure seems to be a lot of MS stuff that needs internet access, I just counted 62 prog rules for MS and 42 rules for Symantec. A lot of stuff seems to have two or three rules for the exact same program, but don't know why.

    Regarding the stealthing of port 80, I've discovered that NIS only stealths blocked ports, but I tried blocking port 80 and spyblocker malfunctions.

    As I mentioned on the broadbandreports forum, I chose NIS because I thought it was a no-brainer. Symantec stuff is usually pretty simple to setup, but it seems that their firewall is the exception to the rule.

    Thank you very much for getting back to me. Maybe with you experienced guys on the case, this problem could be sorted. I sure hope so :)

    --Bob--
     
  8. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Joseph,

    Yes, automatic everything is disabled; basically all automated rules are manually tweaked to restrict to bare minimum required for functionality. (That is, I go in and restrict ALL automatic rules; or I build them manually from the start.)

    Security is set high (with prompts). All non-Internet essential applications (such as MS Word, Excel, etc.) are "Block All". All applications that upgrade/update via the Internet are restricted to specific IP addresses and specific protocols/ports (including NIS 2004). All rules are re-sequenced to put the "specific blocks" first in order; all rules are logged. All intrusion attempts are recorded, re-traced back to source with "WhoIs", and the IP addresses of the source are then added to "Block Access From Known Intruders Rule" (Block All from all IP addresses in this particular rule.)

    However, you may sense that this requires a lot of daily maintenance; and it does, so in light of the "squirrelly behavior" of NIS 2004, and the fact that the user interface is the proverbial "boat anchor", making it a real chore to perform daily maintenance, I'm considering changing over to another firewall product. Something secure; but easier to interface with from a systems maintenance perspective.

    So if you (or anyone else) would like to share your preferences, then I'm all ears. Any firewall that I install would need to be fairly user-friendly in terms of tight rules management, and easy to review logs and maintain daily.

    Best regards,
    Little Mike
     
  9. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    SpongeBob,

    NIS is targeting a broad, novice computer market, and their "user-friendly" product is only user friendly if one does not attempt to tighten up the firewall rules; that is, if one leaves the door ajar. By default, NIS 2004 (and earlier) opens the firewall doors with all kinds of (relatively) unrestricted rules for general (non-specifically-defined) access by Internet-enabled known applications, such as the applications within Microsoft Office. (I'm probably not telling you anything new.)
    I currently have just under 300 rules. The reason for this is that I have built specific, tight (restricted) rules for each application that needs Internet access; and I have (in essence) replaced all default rules with restricted rules. This requires a lot of work over time, and a moderate amount of daily maintenance, but I'm convinced that I've got a pretty good handle on what traffic goes through the firewall. (Realizing that nothing is 100% certain.)

    NIS will prompt you for a rule if it cannot find one. This allows you to build a rule manually; and restrict it.

    Yes; NIS 2003/2004 requires a re-installation; there is no easier method that I'm aware of (and I've looked on their support site.)


    I have implemented the following administration working procedures:

    1. Disable all unneeded or unused services (such as DCOM, MS Messenger, UPNP, etc.), and create "Block All" rules associated with unused services (such as Internet access to lsass.exe)

    2. In NIS, all rules are renamed to specifically identify the rule, so that I can associate all connections/log entries back to a rule.

    3. All rules have an indicator in the rule name to identify a) protocol - TCP/UDP/ICMP, b) port(s), c) inbound and/or outbound - In/Out, d) the "location", such as "Home" or "Default".

    4. All "default" rules are disabled, and then re-enabled as each application requires the rule; then the rule is built manually, and edited to apply restrictions.

    5. In NIS, all rules are "logged", including high-usage rules.

    6. Logging of high-usage rules is turned off after I'm certain of the rule, and trust it. Internet Explorer HTTP access (port 80) is an example of this category.

    7. A third-party application is also always monitoring the ports, from computer startup; so that I can view all connections, and "listening" ports.

    8. Logging is always enabled for third-party applications, as they typically are not high-usage. TDS-3, Port Explorer and various application "updates" are examples of this category.

    9. All intrusion attempts are recorded and traced back using "WhoIs", and the IP Address of the intruder is entered into a "Block Access From Intruder -Home" (or Dflt) rule, which blocks all access for any IP address within the rule. (I also have a commercial application that stores the whois information in a file, which allows me to be fairly certain of who is an intruder over time.)

    10. The "Block Access From Intruder -Home" (or Dflt) rules have "Alert" enabled, so that I can determine the "repeat offenders".

    11. Specific "Block" rules are "moved up" to be first in rule sequence (including the "Block Access From Intruder -Home" (or Dflt) rules.)

    12. General "Block" (i.e., "catch-all") rules are "moved down", but always follow specific, restricted "Permit" rules.

    13. Rule "Alert" is turned on occasionally to help identify where/when rules are used, to support adding or relieving restrictions.

    14. Schedule the additional security-oriented programs to perform daily checks of the computer for viruses, worms, trojans, etc.

    The above is a lot of work to put in place, but I'm of the opinion that it's probably required to maintain any firewall (with minor differences.) There's also daily maintenance; but with discipline in naming of rules, and reviewing logs, this has settled down to a manageable amount of time and effort.

    Additional Information

    NIS 2004 has four default "locations": "away", "default", "home", and "office"; and it builds redundant rules in at least "default", which is active when the computer is not connected to the Internet, and "home", which becomes active when the computer is connected to the Internet. I have tried to get these locations down to one, so that I have one set of rules, but NIS does not allow deletion of any of the four. (But, "away" and "office" have NO rules in them; and I keep it that way.) However, the bulk of your rules (but not all) are only needed when you are connected to the Internet ("home"), but some rules are used in "default" specifically by the operating system (such as svchost.exe during boot up).

    Also, if I establish my Internet connection first, before starting a web browser or Outlook, then when I subsequently start the browser or Outlook, these applications use the rules in the "home" location. Contrarily, if I start the web browser or Outlook prior to connecting to the Internet, then the rules in the "default" location are used, requiring redundant rules in the "default" location.

    So, for tracking (logging) purposes, and to help me identify the essential from the non-essential, I've re-named every rule to include either a "Home" or a "Dflt" indicator in the rule name; and, by carefully monitoring the logs, I have found unused rules that I have then deleted (especially for Word, Excel, Internet Explorer and Outlook.) (If I delete too much, NIS will ask for a rule when needed; then I manually build the rule.)

    Domain Name Service

    In addition, just about every Internet-enabled application needs to go out to a DNS server (Domain Name Server) to resolve IP addresses. So, these applications typically each have a rule that uses UDP port 53, usually "Inbound and Outbound", unrestricted IP address. So, you see a lot of duplication with the DNS rule (although the various DNS rules are not necessarily labeled "DNS" - you have to look for port 53 to identify these rules). These DNS rules are for "Any Computer"; but, I've tweaked and restricted all DNS rules to "Outbound" only, UDP, Port 53, for two IP addresses associated with the DNS server provided by my ISP (with one additional DNS server in Europe, provided in the NIS-provided DNS rule in "Home" location.)

    Presuming that you do not need applications such as Word, Excel, Acrobat, etc. to access the Internet, then change their default set of rules to "Block All" (This will not prevent an "Office Update" from occurring, as the update can occur through Outlook or Internet Explorer rules.) If an application, such as NIS 2004 LuComserver (Live Update) needs access, then edit the installed (relatively) unrestricted rule so that it can only allow certain IP addresses and protocols/ports. (You can determine which addresses/protocol/ports are needed by turning on logging for the rule, performing an update, then reviewing the "Connections" log; then go back into the rule, and restrict it to the specific IP addresses; and specific ports.)

    Short of finding a complete list of restricted rules somewhere, and I haven't, I've pursued the above method to get my firewall rules down to only the essential, and very tight; although it's a lot of work.

    Close

    It seems to me that all of the rules can be tightened up and restricted; it just requires time and effort, and ongoing maintenance; but, once one connects to the Internet, time and effort to maintain security should be expected. If you wish information on specific rules, I'll pass on what I can, but I'm certainly just learning this myself, and am no expert.

    Best regards,
    Little Mike
     
  10. SpongeBob

    SpongeBob Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    24
    There is no program rule for spyblocker (SB), Joseph. I deleted it a short while ago. It doesn't make any difference to SB at all, which still functions perfectly.

    SB is auto started at bootup, but it doesn't popup any rules assistant or anything. I can even launch IE and browse the web, SB is doing its thing blocking ads etc, but still no NIS popup alert.

    I'm sure someone else told me to turn off the auto configure option, apparently NIS is not too good at auto configuring the rules or something. So I switched this option off.

    I've spent hours copying down the general rules, I will post the relevant ones here shortly, just in case they mean something to anyone, as they don't mean much to me. :)

    Rgds, Bob
     
  11. SpongeBob

    SpongeBob Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    24
    My NIS Firewall - General Rules are shown below.

    There is no rule for spyblocker in the program rules, so there's no point posting anything from program rules.

    Anyway, I am going to delete virtually everything from the program rules, once you guys confirm that it's ok to do so, and also after you confirm that the following general rules are all ok.


    Default Inbound ICMP - Permit ICMP connections from any computer

    Default Outbound ICMP - Permit ICMP connections to any computer

    Default Inbound DNS - Permit UDP connections from any computer on remote domain port 53

    Default Inbound NetBIOS Name - Block UDP connections from any computer on local netbios-ns port 137

    Default Inbound NetBIOS - Block UDP connections from any computer on local netbios-dgm port 138

    Default Outbound NetBIOS - Permit TCP & UDP connections to other computers on:
    Remote netbios-dgm port 138
    Remote netbios-ns port 137
    Remote netbios-ssn port 139


    Default Inbound Loopback - Permit TCP & UDP connections from any computer on any local or remote port

    Default Outbound Loopback - Permit TCP & UDP connections to computer with address 127.0.0.1 on any port

    Block Access to Secure Sites - Block TCP connections to any computer on remote https port 443

    Default Block Inbound & Outbound ICMP - block ICMP connections to/from any computer on all local/remote ports

    Block Windows File Sharing - block TCP & UDP connections from other computers on local netbios-ssn port 139

    Default Inbound BOOTP - Permit UDP connections from other computers on local bootpc port 68 & remote bootps port 67

    Default Outbound BOOTP - Permit UDP connections to any computer on local bootpc port 68 & remote bootps port 67

    Default Block Microsoft Windows 2000 SMB - block TCP & UDP connections from any computer on local Microsoft-ds port 445

    Default Block EPMAP - Block TCP & UDP connections from any computer on local epmap port 135

    UPNP Port 5000 Block Rule - block TCP connections to/from any computer on local port 5000

    UPNP Port 1900 Block Rule - block UDP connections from any computer on local port 1900

    Default Digital Signature Verification - Permit TCP connection to crl.verisign.com & crl.microsoft.com on remote http port 80

    Inbound UDP - block UDP connection from 81.49.207.165 on local port 3943

    Inbound UDP - block UDP connection from 217.128.149.216 on local port 3943

    Inbound UDP - block UDP connection from 195.131.4.164 on local port 1

    Inbound UDP - block UDP connection from 80.71.71.3 on local port 1026

    Inbound TCP - block TCP connection from 195.131.4.164 on local port 54062

    Inbound TCP - block TCP connection from 195.131.4.164 on local port 138

    Inbound TCP - block TCP connection from 195.131.4.164 on local port 1080

    ---cut---

    These inbound block rules for individual computers go on and on... Many entries. I assume they relate to port probes etc which NIS has blocked, so I'll not post them all here :)

    Does anything here look obviously wrong?

    Will I need to delete any of these rules or are they all ok?

    --Bob--
     
  12. SpongeBob

    SpongeBob Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    24
    Mike, I agree about norton's target market, that's one of the reasons why I chose NIS. Based on reviews I've read, NIS blocked everything and performed perfectly. There was no mention of it "leaving the door ajar". I agree about all the MS apps getting auto access rights. As I mentioned b4, there's loads of 'em.

    You sound like you are very dedicated. I just want to have internet access without having to become a security expert. For many years I ran without any firewall on dialup, but since going on cable modem, I was advised to install a firewall. Not having the time to mess around with configurations, etc, I was advised to go for NIS, which was totally secure and simple to use with virtually no user input required... Install and leave it to do its own thing. Sounded like just what I was looking for. Since then it's been the opposite! :doubt:

    I was astonished at the amount of effort and time you must put into internet security. You appear to operate a very strict security regime.

    I have mine set to "away", when I first installed it, ISTR being told that this is the best/most secure mode to use. But apparently it doesn't seem to make much difference which location is used.

    My cable modem is never switched off and my internet connection is on all the time. So I assume only the away location is used all the time.

    I noticed this behaviour of apps having to look up names on my ISP's DNS server, so I thought of the solution... Put both of my ISP's DNS servers into the trusted zone, that way they will automatically get access rights without duplicating in each program's rule. It seems to work.

    Btw, talking about DNS... I noticed in my windows services that the DNS client service is disabled. I assume that this service is redundant/not used for anything? I have two ISPs and I'd like to add the second ISP's DNS server to my name lookup as well, so that when ISP one's server goes down, I've got ISP 2 as a backup, but I assume on cable that sort of thing can't be done?

    Thanks for the tip, I didn't think the log was that specific... I shall make use of that one.

    Btw, I've seen a v.good freeware log tool for NIS, but unfortunately it's not for NIS2004 :(

    You seem to have picked up quite a lot, NIS must have a very steep learning curve.

    Thanks & Regards, Bob
     
  13. SpongeBob

    SpongeBob Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    24
    Hi Guys,

    Just to clarify something, from what's been said I assume it's better to switch NIS automatic program control off and configure everything manually?

    For the inexperienced, the problem with creating NIS firewall rules manually is:-

    1: Not knowing what all the terms and expressions mean.

    2: Not knowing if the servers & ports the app is trying to connect to are genuine.

    3: Not knowing which local ports to allow connections to/from.

    4: Not knowing which comms mode to allow: TCP, UDP, ICMP, etc.

    5: The symantec site is of very little use and the user manual is not very good.

    This is why most (inexperienced) users run in automatic program rule creation mode, but apparently NIS isn't too good at creating these automatic rules.... No?

    Many people (including inexperienced/new users) recommend Sygate firewall, which they get up and running without a problem. So are other firewalls better than Norton at creating auto rules or something?
     
  14. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    SpongeBob,

    I'll take a stab at answering your questions, based upon my limitations, of course.

    Meantime, I recommend that you implement NIS rules changes in a step-by-step manner, always keeping a record of what rule changes you make, and testing them for proper operation. This methodology will provide you with some benefits, not the least of which are:

    1. Bulk changes that tighten up rules all at once tend to go awry in NIS, to my experience; and NIS's user interface makes it slow to make any changes. A step-by-step approach will help avoid confusing NIS; and any confusion can be readily repaired.

    2. If your system doesn't like a change, it's easier to back the change out. (I had one of these yesterday.)

    3. You will see the effects of each change on your system; this is where you'll learn a lot regarding firewall interaction on your system and applications.
    In my opinion, the problem is that the rules are general; they are typically set to All Computers by default. I read on one security site that the out-of-the-box default installations tend to catch the well known attacks, but would not necessarily catch some sophisticated, lesser-known attacks. This makes sense (from a business perspective) to me. Basically, out-of-the-box, NIS appears to be trusting applications, and the general sense on these security forums is that one must get to tight "rules based" (or something like that) rather than trusting applications.

    My sense (again based on reading these web sites) is that from a security standpoint, all are about equal, if the rules are tight and sound. But NIS' tedious manual user interface, and the "squirrelly" (unexpected) behavior seem to make too much work to maintain tight rules. But, others herein with more experience can probably answer this more accurately.
    Definitely yes. However, the manual rules creation comes at the price of a high level of maintenance, similar to that which I described above. This is where you must decide to what extent you want to work at maintaining the firewall. Automatic controls allow almost no maintenance; but, every opinion that I've read says to turn it off, as it lessens security.

    By turning off automatic rule creation, and creating manual rules, you have the opportunity to grant only the attributes of a rule (IP address, protocol, port, etc.) that are required, rather than a general (open) rule, such as "All Computers".

    Also, many applications are Internet-enabled, and although they try to connect "home", from an operating standpoint, the connection is not necessary; so, if you allow the connection, that's just one more connection (doorway) into your computer. My opinion is that keeping your connections to a minimum will contribute to a higher level of security.
    This is my experience also. My detailed query regarding a specific alert and certain associated internal system behavior was essentially ignored; their untimely reply did not address my query, and was worthless.

    Looking at your rules list above, I've got some feedback, which I'll post after this post.

    Best regards,
    Little Mike
     
  15. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    SpongeBob,
    Correct. Every attempt to connect into your computer will generate one of these rules. Notice that 195.131.4.164 attempted to access your computer from at least three ports. NIS will generate each of these rules for each port access attempt, regardless of whether the attempt came from the same IP address (195.131.4.164) or not. Notice that NIS puts these block rules in the last position on the rules list, rather than in the first position. NIS processes rules in a top-down manner, and executes the first rule encountered on the list which satisfies execution criteria. This means that the last thing that NIS checks, NIS' last priority, if all other criteria (port, protocol, etc.) cannot be satisfied, is the "Inbound TCP - block TCP connection from …" rules. Because these are known attempts, they should be first on the list; not last.

    Part of my daily maintenance routine is to enter each of these IP addresses into a "Block Access From Intruder -Home" rule. This rule blocks all ports, TCP and UDP, to or from any IP address in the rule. Then I delete all of the individual "Inbound TCP - block TCP connection from …" (at the end of the list.) I then keep the "Block All…" rule as the first rule in the list, so that it has priority in the rule set. I turn on "Logging" for this rule, and also "Alert", so that further intrusion attempts from a single IP address already in the rule will be flagged with the alert. This rule has a lot of IP addresses in it, but that's okay, as all are intruders.

    At this point, if you turn on the "Alert when unused ports are accessed", and "Enable Access Control Alerts", then you will get an alert every time your computer is probed. This will afford you the opportunity to see in real time, when and how often you are being probed, and see the details of the probe. (I do this so that I can immediately do a "WhoIs" and capture information regarding the source of the probe. Lots of ISPs have "abuse" reporting email addresses, which are listed in the WhoIs information returned, thereby enabling a follow-up to the ISP.)
    127.0.0.1 is the universal IP address for your computer (and mine). The "Loopback" is your computer establishing a connection to itself, which (best to my knowledge) is necessary. You can tighten up these rules by restricting the IP address in ("from") and out ("to") to 127.0.0.1 only. So only your computer can use these two rules to talk to itself.
    These are necessary to resolve digital signature (encryption) "certificates" with both Microsoft and Verisign. Just keep them restricted to the two crl. addresses currently listed therein. If you wish, turn on logging so that you can review the behavior of the rule. (I've renamed this rule to: "Rstrctd Digital Signature Verification Out TCP Prt 80 (Home)", so as to make the name more descriptive.)
    Restrict this to Inbound DNS to your ISP's DNS addresses. Then test this for proper operation with your email applications and web browser. (I found out yesterday that my ISP and computer must have an inbound DNS rule here; however, all of my applications, such as Outlook, only have outbound DNS rules.)

    Note: If you attempt to add an address to the "Computers" screen while modifying rules, NIS will not allow you to add the address in the domain name form, such as "crl.microsoft.com", unless you are currently connected to the Internet, because NIS must interrogate a DNS (domain name server) to resolve the domain name into its IP address. However, NIS always accepts IP addresses when adding computer addresses.

    I'll look at your other rules in detail later tonight, and get back to you.

    Again, I suggest that you proceed in a step-by-step manner, so that you can back out any unworkable changes with some grace.

    Best regards,
    Little Mike
     
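    To make the rule-ordering point above concrete, here is a small first-match model written for this thread (it is not NIS code and not the posters' own): the permissive inbound port-80 rule SpyBlocker needs, the auto-generated per-port block rules that NIS appends last, and the consolidation routine Mike describes. The rule names and 195.131.4.164 are taken from the thread; the second probed port is a constructed value.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "block"
    direction: Optional[str] = "inbound"  # None matches either direction
    protocol: Optional[str] = None        # None matches any protocol
    port: Optional[int] = None            # None matches any port
    remote: frozenset = frozenset()       # empty == "All Computers"

    def matches(self, pkt: dict) -> bool:
        return (self.direction in (None, pkt["direction"])
                and self.protocol in (None, pkt["protocol"])
                and self.port in (None, pkt["port"])
                and (not self.remote or pkt["remote"] in self.remote))

def evaluate(rules, pkt, default="block"):
    """Top-down, first matching rule wins; nothing matched -> default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "<implicit default>"

def probe(rules, remote, port, protocol="TCP", direction="inbound"):
    pkt = {"direction": direction, "protocol": protocol, "port": port, "remote": remote}
    return evaluate(rules, pkt)

AUTO_PREFIX = "Inbound TCP - block TCP connection from "

def consolidate(rules, prefix=AUTO_PREFIX):
    """Mike's routine: collect the IPs from NIS's per-port auto-block rules,
    delete those rules, and prepend one catch-all block rule for all of them."""
    auto = [r for r in rules if r.name.startswith(prefix)]
    ips = frozenset().union(*(r.remote for r in auto))
    block_all = Rule("Block Access From Intruder - Home", "block",
                     direction=None, remote=ips)
    return [block_all] + [r for r in rules if r not in auto]

# Constructed rule list in the order NIS leaves it: the permissive port-80
# rule first, the auto-generated per-port blocks appended at the end.
INTRUDER = "195.131.4.164"
AS_GENERATED = [
    Rule("Inbound TCP port 80 (SpyBlocker)", "allow", protocol="TCP", port=80),
    Rule(AUTO_PREFIX + INTRUDER, "block", protocol="TCP", port=80, remote=frozenset({INTRUDER})),
    Rule(AUTO_PREFIX + INTRUDER, "block", protocol="TCP", port=135, remote=frozenset({INTRUDER})),  # port constructed
]
REORDERED = consolidate(AS_GENERATED)

if __name__ == "__main__":
    print(probe(AS_GENERATED, INTRUDER, 80))  # the trailing block rule is shadowed: allowed
    print(probe(REORDERED, INTRUDER, 80))     # blocked by the consolidated rule at the top
```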
  16. SpongeBob

    SpongeBob Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    24
    Yes, I thought that was happening, the address mentioned above has many more rules/port blocks created for it, as do other IP addresses. It's easy to see why people think they are being targeted when many alerts pop up and lots of block rules appear one after the other.

    Yes, it does put these rules at the end. Maybe NIS assumes that the same IP address will move on and not try again if they are not successful, so doesn't think it important enough to give it priority.

    Now that is a good idea Mike. Thanks for the tip. I think that's something I will start to implement. It will be much easier to create a general block all in/out communications rule for these persistent IP addresses, than to have to wade through a great big long rule list of single port specific rules for each IP address, much neater. Two questions:

    1. What is the maximum number of IP addresses I can specify in a rule?

    2. My ISP allocates dynamic IP addresses. What happens if the rule blocks a dynamic IP address which is reallocated to an innocent person? This may lead to problems, but nothing that can't be sorted I suppose, and it's better being on the safe side :)

    Where are these options controlled from?

    I find the visual trace IP address from the alert assistant is total cr*p! It's very rare that it actually works, when it does it very rarely shows the visual (world map) overlay... The Java app runs ok, the whois seems to work ok, but it usually shows an error and won't show the map... Just an error message saying it couldn't connect to the server or something like that. Possibly visualware server is always offline and Symantec can't reach them... very poor service though.

    This is something that SpyBlocker uses. I've seen 127.0.0.1 mentioned in every entry in the hosts file. I assume Spyblocker redirects adverts and spyware to this address or something like that. Anyway, if I change this loopback so it's restricted to myself only, will this have any effect on spyblocker?

    I have entered my ISP's two DNS servers addresses into the trusted zone. I was also going to enter the mail server address but I didn't get round to it yet.

    I was told some time ago it's best to avoid using IP address numbers wherever possible as they tend to change from time to time, but the domain names don't, so will always be redirected to the correct IP. I've noticed this behaviour myself with websites for which I just had an IP address.

    Thank you very much Mike, your help is very much appreciated.

    Regards, Bob
     
  17. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    I have no idea; but, this is a good question. I wouldn't be surprised if there is some limit.

    I believe the dynamic allocation is only to your computer (as with my ISP and my computer); so I doubt that there would be a problem, unless some intruder's IP address was from the pool of addresses allocated by your ISP, then subsequently allocated to your computer. I haven't run into this problem yet; although it probably would cause problems. But, if it happens here, then the "Alert" would be going off until I got a new IP address allocated (a new dial-in).
    NIS main window, "Personal Firewall" - Configure, "Firewall" window, "Custom Level...", two checkboxes at the bottom of the "Customize Level..." window. (These two checkboxes are directly below the Java Applets and ActiveX Control selection list boxes.)
    Yep. This is why I use a third-party application for "WhoIs" (SmartWhoIs); there are several applications available.

    I get a lot of timeouts also, due to heavy net traffic; but, a retry usually returns the whois information.
    True. But, if you're always connected, then you always have access to your DNS, so NIS could always resolve the IP addresses automatically. (I know that I am doing this the hard way, but that's okay, as I'm also getting an education ;) )
    I didn't do this merely because the trusted zone connections are not logged (or so I think.) With specific rules, I can control logging and alerts.
    Best to my knowledge ALL hosts files should have 127.0.0.1 (mine does.)
    I'm unfamiliar with SpyBlocker; but, none of my security applications (nor any other) are affected by restricting inbound and outbound Loopback to 127.0.0.1. The best thing to do for SpyBlocker, is to make one change, then test the system for proper operation. If SpyBlocker (or anything else) breaks, then you can back out the change.

    I've got a cattle drive tomorrow, so I won't be able to review your other NIS rules, nor pass on other restrictions I've put into place until the weekend.

    But, as the man said: "I'll be back..."

    Best regards,
    Little Mike
     