wish to block incoming IP addresses with kerio 2.1.5

Discussion in 'other firewalls' started by ejames82, Aug 10, 2008.

Thread Status:
Not open for further replies.
  1. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    my help file kpf.chm is missing from my kerio 2.1.5 firewall programme (don't know how).
    there are a few IP addresses i would like to block with this firewall (incoming). could someone advise me as to the procedure. thanks.
     
  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If you're not using the custom address group, you could add the IPs to it, then make a rule that blocks all incoming from it. The custom address group is found by clicking advanced, then the miscellaneous tab.
    [attached screenshot: custom adress block.gif]

    If you want to block both incoming and outgoing traffic to these addresses, you could add them to the hosts file using the same format as the ad-blocking hosts files.
    Ex:
    127.0.0.1 unwanted.com
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  5. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    i am going to investigate the info.
    i hope i don't lose either of you, as it is clear both of you are knowledgeable, and i could benefit from that knowledge. please keep an eye on my thread because i may have more questions.
    from a quick glance, there's no doubt that this is a lot of info. i'll probably be busy long after i have stricken doubleclick.net and a few others from my computer.:thumb:
    thanks
     
  6. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    this is the point i have arrived at thus far. is this what i need to do?

    right-click icon @ system tray
    administration>advanced>miscellaneous>custom address group

    put the number 216.239.122.193 in the huge white box
    click "add"
    i can't see whether there is an "apply" or "ok" at the bottom of the page, so i assume there isn't either there. there is not a "minimize" option available.



    will this action disallow them from my computer?
    there are other actions i have in mind as well, but i wanted to try this first.
    thanks
     
  7. timcan

    timcan Registered Member

    Joined:
    Dec 15, 2005
    Posts:
    213
    Location:
    USA
    Hi, yes there is an 'apply' and 'ok' at the bottom of the window. You can resize by placing your pointer on the window border and left click & drag
    Hope this helps, tim.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    New entries are made using the "add" button. This gives you several options.
    [attached screenshot: add custom address.gif]
    Use single address if it's just one IP. For a range of addresses like: 200.200.200.0 to 200.200.200.255, use network/range. The network/mask option doesn't always work properly in Kerio 2.1.5 and shouldn't be used without verifying that it gets applied correctly. It's a bug users should be aware of.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  10. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    thanks timcan and noone_particular.
    with that info i will be able to block IPs with kerio 2.1.5. all the info given to me has been saved and put into a folder. i have also installed kerio 2.1.5 on my sister's computer, so this info will be emailed to her and used there as well.

    i would be interested on info explaining the procedure regarding making entries in the hosts file as well. i have heard it can be done with notepad. could i trouble you for help making entries into hosts file as well? again, many thanks. the guys here at wilders are great.
     
  11. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    here's a screenshot where i am blocking an annoyance. it's a good thing i knew about those other "apply"s and "ok"s at the bottom.

    is this done correctly?
     

  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You never said what you were trying to prevent this IP from connecting with. I'm assuming it's the browser, media player, or something similar. Assuming it's one of these, I'd change the rule to both directions. With web pages and many types of media, the initial or first connection is usually outbound, initiated by the browser. The page you receive, including all the ads and junk on the page, is sent in response to your outbound connection request. The thing to remember about the direction in a firewall rule is that it applies to the first connection. In the rule you posted the screenshot for, that rule will prevent that IP from initiating a connection to you, but won't stop you or your browser from connecting to it and receiving a response.

    I'd also set the protocol to TCP and UDP, which would allow you to specify individual applications that are blocked from connecting to the IP(s). Most all internet content is delivered with these. If this IP is an individual, group, etc that's port scanning you or otherwise looking for some vulnerability, then the "Any" protocol setting is better. If this is just one of what will be a large blocklist, such as a list of adservers or sites that you don't want your kids to be able to access, then the custom address group would be the better place to put the IPs, then use one rule that blocks everything in that list. Making separate blocking rules for a quantity of IPs will make the ruleset hard to work with. Some people have found that there's a limit to the number of rules Kerio can handle. I can't confirm or deny this.

    Another thing to keep in mind is that the order of the rules is important. Most rule based firewalls including Kerio 2.1.5 read the ruleset from the top downward and use the first one that applies. Example, you have a rule that allows your browser to connect out to any IP and another rule that blocks all apps from connecting out to one specific IP. If the browser rule is above the blocking rule, it will be able to connect to the blocked IP. If the blocking rule is above the browser rule, then it won't be able to connect.

    The hosts file can be edited with Notepad or any other text editor. I prefer to use Notepad++ for this because of its handy search and replace function.

    The hosts file is the computer equivalent of an address book. The computer checks the hosts file first for an address. If it's not there, then it uses the DNS service. Example: The IP address for wilderssecurity is 65.175.38.194. The IP address 127.0.0.1 is the localhost IP. Connecting to localhost (also known as a loopback connection) is the computer connecting back to itself. The standard format for using the hosts file to block access to a site is like this, without the quotes:
    "127.0.0.1 blockedsite.com"
    If you added
    "127.0.0.1 www.wilderssecurity.com"
    to the hosts file, your browser wouldn't be able to connect here. The computer will connect back to itself instead of the site or adserver, not find what it's looking for, and give you a "page not found" or a similar message.
    The choice between using the firewall or hosts file to block access to a site depends on which you have, the site name or the IP address. Firewalls block IP addresses. The hosts file can block sites by name.
     
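The rule-ordering point above (first matching rule wins, and the direction refers to the first connection) is easy to get wrong in a GUI, so here is an added example that models it in Python. This is not Kerio's code: the `Rule` fields are a simplified stand-in for the application, direction, protocol and remote-address settings in the Kerio rule dialog, and the "default deny" when nothing matches is a constructed simplification (Kerio would prompt instead). The IP 216.239.122.193 and the 200.200.200.0 range come from the thread; the rule names are made up.

```python
"""First-match rule evaluation, the way the thread describes Kerio 2.1.5 reading its
ruleset top-down. Added example: a simplified model of a Kerio rule (application,
direction, protocol, remote address), not Kerio's own code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

ANY = "any"  # wildcard for the application and remote-address fields


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "permit" or "deny"
    app: str = ANY                              # application name, or ANY for all apps
    direction: str = "both"                     # "in", "out" or "both"; refers to the FIRST packet
    protocols: Optional[FrozenSet[str]] = None  # e.g. frozenset({"tcp", "udp"}); None means any
    remote: str = ANY                           # single IP, CIDR network, or ANY

    def matches(self, app: str, direction: str, protocol: str, remote_ip: str) -> bool:
        if self.app != ANY and self.app != app:
            return False
        if self.direction != "both" and self.direction != direction:
            return False
        if self.protocols is not None and protocol not in self.protocols:
            return False
        # A single IP is treated as a /32 network; a CIDR string covers a range.
        if self.remote != ANY and ip_address(remote_ip) not in ip_network(self.remote, strict=False):
            return False
        return True


def first_match(rules, app, direction, protocol, remote_ip, default="deny"):
    """Walk the ruleset from the top and return (action, rule name) of the first rule
    that applies; rules below it are never consulted. `default` is returned when
    nothing matches (a constructed simplification of Kerio's 'ask the user')."""
    for rule in rules:
        if rule.matches(app, direction, protocol, remote_ip):
            return rule.action, rule.name
    return default, "<no rule matched>"


# The thread's IP and the two rules from noone_particular's ordering example.
BLOCKED_IP = "216.239.122.193"
browser_out = Rule("browser may connect out anywhere", "permit", app="browser",
                   direction="out", protocols=frozenset({"tcp", "udp"}))
block_ip_out = Rule("no app may connect out to the blocked IP", "deny",
                    direction="out", protocols=frozenset({"tcp", "udp"}), remote=BLOCKED_IP)
block_ip_in = Rule("blocked IP may not connect in", "deny", direction="in", remote=BLOCKED_IP)
block_range = Rule("block the whole 200.200.200.x range", "deny", remote="200.200.200.0/24")


def browser_to_blocked(rules):
    """The browser opening an outbound TCP connection to BLOCKED_IP under `rules`."""
    return first_match(rules, "browser", "out", "tcp", BLOCKED_IP)


if __name__ == "__main__":
    print(browser_to_blocked([browser_out, block_ip_out]))  # browser rule is above: permit
    print(browser_to_blocked([block_ip_out, browser_out]))  # block rule is above: deny
    print(browser_to_blocked([block_ip_in, browser_out]))   # inbound-only rule never applies: permit
```

The third call is the screenshot situation: an inbound-only deny rule on that IP does nothing for a connection the browser starts, which is why the reply recommends "both directions" for anything the browser fetches.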
  13. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    ok, i wrote them down as i encountered them.
    things to change, filter rules, firewall
    1. protocol- to TCP and UDP
    2. direction- both directions (my err, what i originally wanted)
    3. put rules on top to possibly supersede any other existing rule.

    so far i have only 3 filter rules applied. these will be monitored closely and subject to change. if more need to be added, then i will go the custom group option.

    i have to give credit to this firewall. it was recommended to me by a very knowledgeable hijackthis analyst over 2 years ago. my zone alarm free was causing conflicts.:'( i did have to learn how to use arin whois, karen's tools, and DNS tool, so i knew what to deny, but i was a newbie in every sense of the word. i have done online banking and purchases without a penny being stolen out of my bank account, or any other kind of breach. now, finally 2 years later i am learning how to block IPs with it. once i allowed the IPs that needed access to my computer, i never had to change a thing, for years.

    i do have a general idea of the hosts file and how it works. the "bad guy" gets trapped inside my computer because he gets sent to 127.0.0.1, which is my computer, where he times out.
    i put the link you provided on the desktop for review. does it tell how to edit the hosts file? i tried that once, but i couldn't move a thing. the "I-bar" was ineffective. it seems silly how the computers administrator can't edit their own hosts file without some special programme or trick.
    i have read many tutorials on how to edit the hosts file. the person explains how to make an entry, and always leaves something out. they show a screenshot and it's not the same thing that i am looking at. i could have investigated it a lot further, i admit, but i thought learning how to block with the firewall would be more effective at meeting my immediate needs.

    i would also like to say that you really know your stuff. impressive screenshots, double quotes, links within the post, quite elaborate. all the material you have given me is going to take a good couple of days of hard study.
    thanks again.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The link is to an alternate text editor that's far better than notepad. No hosts file info there. For hosts file info, see http://www.mvps.org/winhelp2002/hosts.htm
    If the hosts file seems uneditable, check "properties" to see that it's not "read only". The file "hosts.sam" is a sample hosts file with some instructions in it. Should be in the windows folder on 98.
     
  15. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    i have made some progress with the hosts file editing project. thanks to youtube for their vids i know my problem was opening the hosts file with internet explorer, and it is required to be opened with notepad.
    anyway i made my entry, clicked file>save, and the problem began. i have attached a screenshot. after that another pop-up came up, that i will include later if necessary. maybe you have insight or advice that could get me past this.
    on a good note, blocking with the firewall has been successful.

    thanks again.
     

  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Code:
    Start - Run - cmd
    attrib -R "%SYSTEMROOT%\System32\drivers\etc\hosts"
    notepad "%SYSTEMROOT%\System32\drivers\etc\hosts"
    attrib +R "%SYSTEMROOT%\System32\drivers\etc\hosts"
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You never mentioned what OS you're using. I'm assuming XP or Vista. The path you have in the alert is correct for both. The hosts file has no file extension. The full name is just hosts.

    Are you intending to use the hosts file for anything more than adserver and malicious site blocking? If not, the MVPS hosts file on the link I posted is one of the best for this. It's updated quite regularly.
     
  18. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    doktornotor,
    you give me more credit than i can claim. i would like to take advantage of that valuable information, but i don't know how. my ability on the computer is intermediate at best. if you would instruct me as to how to merge this code in, i would be most grateful.

    noone_particular,
    my fault, that one got by me.
    something about depending on another person or company to manage my hosts file, just doesn't sit right with me. obviously, it kills me that i can't make one small change to my hosts file, when they make it look so simple in those videos. i know you would like to make all the changes to your hosts file yourself, unless there are massive amounts of changes. i know this is a legit company (MVPS). i have heard literally hundreds of good things about them. another thing that comes to mind is, i have never made any changes to the hosts file. spybot s&d has had total rein over it. i think they do it with the "immunize" feature. will MVPS get along with spybot? will MVPS simply add new entries if they don't already exist? if the list just gets bigger, that is ok by me.
    once i get the green light about these concerns, i will use MVPS.
    my computer is a compaq presario with xpsp3 and 256 ram.

    thanks for both replies.
     
  19. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Uhm? Do exactly what it says?

    1/ Click Start and go to Run (or just press Win+R keys), type cmd there, press Enter...
    2/ Paste the second line, press Enter.
    3/ Paste the third line, press Enter. When finished...
    4/ Paste the fourth line, press Enter.

    Seriously don't know what's the issue with that? o_O :doubt:
     
  20. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    doktornotor and noone_particular,

    basically, i misunderstood noone_particular's instruction concerning the hosts file's properties needing to be read only (i tried so many things that i can't say what went wrong). i went back and found the correct place and way to apply that action and finally made my entry "stick". i was able to make the entry several times, only it wouldn't stick. i would go back there, and it would be gone. i watched several videos on youtube, and none of the videos needed to uncheck the "read only" box. it was necessary for me. do i need to recheck the "read only" box?

    noone_particular,

    hoping for your advice on MVPS hosts file. will it conflict with the existing hosts file? you've been the "go to guy" for the entire thread and dealt with my screw-ups, and i would like to add in a good way that your user name is NOT fitting.


    thanks again guys.
     
  21. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    No, it won't conflict, it will replace the current (basically empty) one. By default, there's exactly one entry:

    Code:
    127.0.0.1	localhost
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Some anti-spyware apps change the hosts file to read only in an attempt to protect it from unauthorized changes by malware. When you said you couldn't edit it, I thought that might be the reason. It doesn't have to be read only. That just makes it a bit harder for some malware to alter it.

    As dok said, the default hosts file is normally empty, except for the localhost listing, and several lines that are instructional in nature, which all begin with #. Any additions to it need to be after the 127.0.0.1 localhost line.

    When I compared the hosts file to the computer equivalent of an address book, I should have mentioned that it's made by the user or user software and not actually written to by windows itself.

    I use a modified copy of the MVPS hosts file. Once in a while, it blocks a bit more than I'd like, but not very often. It gets rid of a lot of annoying ads. The hosts file is of limited value when it comes to protection against adware/malware. It's not physically possible to make one that covers all the malicious sites. Too many, changes too fast.
     
  23. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    the MVPS hosts file has been implemented as per your instructions.
    a pop-up asked "do you want to replace?", i clicked ok.
    another pop-up said save in etc, i clicked save.
    if these entries were added with spybot's previous entries, i was unable to tell.

    "Some anti-spyware apps change the hosts file to read only in an attempt to protect it from unauthorized changes"

    on the other hand, malware likes to add security programmes to the hosts file, it's a huge advantage in particular if they can add your current real-time antivirus and antispyware programmes, but also the on-demand scanners wouldn't be allowed to manually update if they're added. wouldn't this be true? to add every known legitimate programme could serve to be beneficial, in anticipation of a switch of programmes. if the newbie user doesn't know about the hosts file, let alone how to remove entries from it, they will have a nightmare trying to get programmes to work. if i were to switch to symantec, and symantec was already put on the list by malware, symantec wouldn't work properly, if at all. you're more knowledgeable than me about the hosts file, but if this isn't the case, by all means, please clarify.

    "I use a modified copy of the MVPS hosts file. Once in a while, it blocks a bit more than I'd like"

    this is why it's so important that we know how to add and remove entries ourselves.


    thanks to everyone who helped me.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's been years since I used SpyBot. If I remember right, it does make the hosts file read only. I'm pretty sure it adds entries to it as well, at least it used to. A good share of malware does add entries to the hosts file for AV and anti-spyware servers. Some have gone so far as to add security sites. Malware has used this tactic for a long time.

    The hosts file affects all internet apps on the PC. If the update servers for your AV are added to the host file with 127.0.0.1 as their IP, the AV won't be able to update. There are several ways to get around this kind of problem. A small file integrity checker can do this. Some security suites include file integrity checking components. The hosts file can be added to the list of monitored files.

    One of the simplest ways to protect the hosts file would be to make a backup copy of it, giving the backup a completely different name. Then make a script or batch file that will overwrite the existing hosts file with the backup copy and add an autostart entry to either the registry or the startup folder to run it automatically. This would replace it with a known good copy at each reboot.
     
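The hosts-file points made across the thread (the `127.0.0.1 name` format and `#` comment lines in posts 12 and 22, additions belonging after the localhost line, and the post above on spotting update servers that have been redirected and keeping a known-good copy) fit in one small checker. This is an added example written for this thread, not code from the posters or from the MVPS project. The file contents, the `ad.doubleclick.net` line and the `updates.example-av.test` host are constructed; only `unwanted.com` and `www.wilderssecurity.com` appear in the thread itself.

```python
"""Hosts-file parser and tamper check. Added example, not from the thread's posters
or from the MVPS project; the protected host names and sample files are constructed."""
import hashlib
import ipaddress

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed: hosts a defender wants to stay reachable (AV update server, security forum).
PROTECTED_HOSTS = {"updates.example-av.test", "www.wilderssecurity.com"}


def parse_hosts(text):
    """Return (lineno, ip, names) for every entry; '#' comments and blank lines are
    skipped. Raises ValueError when a line's first field is not an IP address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # trailing comments are allowed too
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<ip> <name>...', got {raw!r}")
        ip = str(ipaddress.ip_address(fields[0]))  # normalises and rejects junk
        entries.append((lineno, ip, [name.lower() for name in fields[1:]]))
    return entries


def localhost_first(entries):
    """The thread's rule: the first real entry is '127.0.0.1 localhost', additions follow it."""
    return bool(entries) and entries[0][1] == "127.0.0.1" and "localhost" in entries[0][2]


def blocked_names(entries):
    """Every name pointed at loopback, i.e. the blocklist the file implements."""
    return {name for _, ip, names in entries if ip in LOOPBACK
            for name in names if name != "localhost"}


def hijacked(entries):
    """Protected hosts the file overrides at all: the symptom noone_particular describes
    of an AV that can no longer reach its update servers."""
    return {name for _, _, names in entries for name in names if name in PROTECTED_HOSTS}


def fingerprint(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def drifted(current_text, known_good_text):
    """True when the live file no longer matches the backup copy (the cheap integrity
    check behind 'keep a known-good copy and compare')."""
    return fingerprint(current_text) != fingerprint(known_good_text)


# Constructed sample: the default layout (comments, then localhost) plus two blocklist lines.
KNOWN_GOOD = """# Constructed sample hosts file; lines starting with # are comments
127.0.0.1\tlocalhost
127.0.0.1 unwanted.com
127.0.0.1 ad.doubleclick.net   # constructed blocklist entry
"""

# Constructed: the same file after something appended an AV update server to it.
TAMPERED = KNOWN_GOOD + "127.0.0.1 updates.example-av.test\n"


def audit(text, known_good=KNOWN_GOOD):
    """One report a batch job could run at boot before deciding to restore the backup."""
    entries = parse_hosts(text)
    return {
        "localhost_first": localhost_first(entries),
        "blocked": sorted(blocked_names(entries)),
        "hijacked": sorted(hijacked(entries)),
        "drifted": drifted(text, known_good),
    }


if __name__ == "__main__":
    for label, text in (("known good", KNOWN_GOOD), ("tampered", TAMPERED)):
        print(label, audit(text))
```

Restoring the backup only when `drifted` is true (rather than unconditionally at every reboot) keeps a legitimate change, such as a new MVPS release or a Spybot immunize, from being silently undone; the `hijacked` set is the part worth alerting on regardless.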
  25. ejames82

    ejames82 Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    156
    noone_particular,

    spybot definitely adds the entries to the hosts file, and i'm pretty sure they check the "read only" box. i think it does that when the "immunize" feature is used. i can check that the next time i immunize. i'll check it before, immunize, then check it again.
    it also adds sites to the internet options>privacy>sites. recently it has also joined the right-click scan menu (i'm going off on a tangent about what spybot has).

    "Some have gone so far as to add security sites"

    do you mean like wilderssecurity, bleepingcomputer, and castlecops? that is a brilliant idea.

    "If the update servers for your AV are added to the host file with 127.0.0.1 as their IP, the AV won't be able to update."

    technically, kaspersky probably asks my computer "what updates do you need", but never gets an answer (if kaspersky was in my hosts file as 127.0.0.1), so no update is given. is that specifically what happens?

    "A small file integrity checker can do this. Some security suites include file integrity checking components. The hosts file can be added to the list of monitored files."

    this sounds very complex and elaborate. i wonder if kaspersky has this. i have heard of this and had no idea what it meant/was.

    "One of the simplest ways to protect the hosts file would be to make a backup copy of it"

    i would put a copy in my documents and regularly use a comparator to monitor the changes. spybot would only make changes during immunize. when does MVPS make their changes, when i run their program? other than spybot and MVPS, no changes should ever be made.

    "Then make a script or batch file that will overwrite the existing hosts file with the backup copy and add an autostart entry to either the registry or the startup folder to run it automatically. This would replace it with a known good copy at each reboot."

    i made a batch file once, with the help of the bitdefender mods. it took me 3 weeks. i'm sure this would be a much easier batch file to make than the bitdefender batch file, but i am very inexperienced at this.
    script or overwrite; this doesn't sound too tough.
    autostart entry; this sounds tough. i am not going to ask about these things either, i am interested, and i will look in to it on my own via google, but you have gone way, way beyond the call of duty. i don't want to wear out my welcome. if you want to tell me more, i will read it and study it, but my gut tells me that it will be quite a chore.

    thank you so much, noone_particular!
     