Firewall breach.

Discussion in 'Security and Privacy' started by iceolated, 2003/02/01.

Thread Status:
Not open for further replies.
  1. 2003/02/01
    iceolated

    iceolated Inactive Thread Starter

    Joined:
    2002/03/25
    Messages:
    252
    Likes Received:
    0
    So here's my setup

    ADSL 1 MBps Shared through Linksys BEFSR41 to four different machines.

    Yesterday morning I got 6 intrusion attempts within 30 mins on my personal machine. My Norton Firewall caught and blocked it. I took care of notifying the offender's ISP but here's my concern.

    I'm paranoid so I don't put a lot of faith in the firewall the ISP provides.

    The Router is supposed to have a firewall but apparently it isn't worth much either.

    Since the IP from my ISP is used by the router and only by the router and the router is set to use DHCP for the computers connected to it - how did they manage an intrusion attempt on my pc? The IP I use is assigned by the router and doesn't exist outside my network.

    Did the individual, once getting past the ISP and router's firewalls, coerce the router into allowing them access to any ip address on the network?? Incidentally none of the other pcs on the network had an intrusion attempt.

    Curious!!!

    Gary.
     
  2. 2003/02/01
    Hulka

    Hulka Inactive

    Joined:
    2002/01/07
    Messages:
    330
    Likes Received:
    0
    I'm not familiar with the Linksys firewall included on the router but you may want to check to see if the firewall is even enabled. Even if it is enabled check to see what ports are open because if your ports are all wide open it does you no good to have a firewall.
     

  4. 2003/02/01
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    The BEFSR41 does not have a built in HW firewall!

    All NAT (network address translation) routers are a "natural firewall" by the nature of what they do! So you do have a level of firewall from the router.

    This is different from a dedicated hardware firewall!

    What about the other stations on this router/switch? Did they get probed also?

    There should be enough awareness by you to keep an eye on it but no worry yet as the Norton firewall seems to be doing its job.

    In your case you may have something on your computer inviting these things in.

    So the next step in awareness is to double-check by running a full up to date virus scan set at max to check all files.

    Then do a special Trojan/worm scan at:

    http://www.anti-trojan.net/at.asp?l=en&t=onlinecheck

    Then get rid of Spy/Adware by D/L, install and run these (more than likely this is the cause):

    Spyware and adware removal


    SpyBot http://security.kolla.de/index.php?lang=en&page=download

    Run this twice, delete all it finds; always run this before AdAware



    AdAware http://www.lavasoftusa.com/downloads.html

    Delete all it finds



    BHO Demon http://www.definitivesolutions.com/bhodemon.htm

    This program runs standalone; no install is required. Post me the items it finds.

    Mike
     
  5. 2003/02/01
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Also check the various Network properties of each machine and make sure that:

    File and Printer Sharing IS NOT bound to ANY TCP/IP.

    If it is it leaves port 139 open to the world and the Router will allow it to pass.

    BillyBob
     
  6. 2003/02/01
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    iceolated - only three possible reasons I can think of where you could get probed if you are behind a router using NAT.

    NAT operates by trapping outbound packets, modifying the header to replace the internal IP of the originating PC with its internet address, and storing info about the packet in a database. Inbound packets are examined against the database and if a match is found with stored information, the header IP is again changed from the router's to that of the local PC and the packet passed along to it. Thus the claim that NAT behaves sorta like a firewall. So my guesses would be:

    - you have the device set up so your PC is in a DMZ and all traffic to your router that doesn't have an obvious point of origin from another of your PCs will be sent to yours. Solution - no DMZ. If you need to do games, at least only forward the ports the gaming app uses rather than all 64K+ that DMZ will open up.

    - the probes were a response to packets you'd sent out to somewhere. Maybe YOU you or maybe a spyware/malware app on your PC is calling home.

    - you have a trojan.
     
    Newt,
    #5
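Added example, not part of Newt's post or the thread: a toy model of the NAT table lookup described above, showing why an unsolicited probe is dropped, why a reply to an outbound packet gets through, and how a DMZ host changes that. The class, the `dmz_host` setting and all addresses are constructed for illustration, and the strict match on the remote endpoint is a simplification of what real routers do.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    wan_ip: str
    dmz_host: Optional[str] = None  # hypothetical setting: LAN IP that gets unmatched inbound traffic
    table: dict = field(default_factory=dict)  # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Rewrite the source to the WAN address and store the mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.wan_ip, wan_port, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the (lan_ip, lan_port) the packet is delivered to, or None if dropped."""
        match = self.table.get((wan_port, remote_ip, remote_port))
        if match:
            return match                      # reply to something a LAN PC sent out
        if self.dmz_host:
            return (self.dmz_host, wan_port)  # DMZ: everything unmatched reaches one PC
        return None                           # no mapping, no DMZ: silently dropped

def demo():
    # Constructed addresses (documentation ranges), not taken from the thread.
    results = {}
    router = NatRouter(wan_ip="203.0.113.10")
    _, wan_port, _, _ = router.outbound("192.168.1.100", 1025, "198.51.100.7", 80)
    # The server the PC contacted answers: the mapping matches and the packet is passed in.
    results["reply"] = router.inbound("198.51.100.7", 80, wan_port)
    # An unrelated host probes port 139: nothing in the table, so it never reaches a PC.
    results["probe"] = router.inbound("192.0.2.66", 4444, 139)
    # Same unrelated host hitting the mapped port still fails the remote-endpoint match.
    results["other_host_same_port"] = router.inbound("192.0.2.66", 4444, wan_port)
    # With a DMZ host configured, the same probe is forwarded to that PC's local firewall.
    dmz = NatRouter(wan_ip="203.0.113.10", dmz_host="192.168.1.100")
    results["probe_with_dmz"] = dmz.inbound("192.0.2.66", 4444, 139)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In this model the only ways a packet reaches a PC's software firewall are a matching outbound entry or a DMZ/forwarding rule, which correspond to the first two guesses in the post.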
  7. 2003/02/02
    iceolated

    iceolated Inactive Thread Starter

    Joined:
    2002/03/25
    Messages:
    252
    Likes Received:
    0
    Thanks for all the speedy responses.

    None of the other machines were probed.

    I do not have a DMZ - no time for gaming :(

    I do have a couple of printers shared through the machines on the network and it does appear they are bound to TCP/IP. So, if not using TCP/IP for file/printer sharing which other protocol is the safest, IPX/SPX or NetBeui?

    I did run spybot and adaware for the first time in a month last week and found a couple of undesirables on my machine. I removed them and the next day is when these probes occurred - Possible that they phoned home while being removed?

    Newt, I will rerun a trojan scan and Mike I'll give the BHO demon link a hit when I go home.

    Incidentally, of the four machines hooked to the router - the three 98 machines weren't touched; my XP machine was the only one probed.


    Cheers,

    Gary
     
  8. 2003/02/02
    iceolated

    iceolated Inactive Thread Starter

    Joined:
    2002/03/25
    Messages:
    252
    Likes Received:
    0
    And thus my ignorance is displayed......

    So after that last post I did a little reading on TCP/IP, IPX and NetBeui. Seems that IPX/SPX isn't used for file/printer sharing - so then it's obvious that the only other choice would be NetBEUI - a lot safer than TCP/IP as it can't go beyond a local LAN.

    So when I get home all the file/printer sharing will get bound to NetBeui.

    BillyBob - incidentally in all the security/firewall tests that I have run from remote sites none ever identified 139 as being open.... Is this a normal oversight or does it not showing up one of the flaws of TCP/IP file and printer sharing?

    Thanks for your help everyone

    Gary.
     
  9. 2003/02/02
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    incidentally in all the security/firewall tests that I have run from remote sites none ever identified 139 as being open....

    IF not shown as OPEN does it show Closed or Stealth?

    Only closed is not enough. It should be shown as Stealth. (at least by GRC test)

    File and Printer Sharing will keep it from being Stealth.

    ON my 3 Win98 SE machines NOTHING is bound to TCP/IP. The LAN uses IPX/SPX & NetBeui.

    With XP I have not got it figured out yet just what it is doing.

    BillyBob
     
    Last edited: 2003/02/02
  10. 2003/02/02
    iceolated

    iceolated Inactive Thread Starter

    Joined:
    2002/03/25
    Messages:
    252
    Likes Received:
    0
    BillyBob,

    Ports have always shown as stealthed - can't recall ever seeing one as closed or open - that would surely have caught my attention.

    On a side note, you say that your LAN uses IPX/SPX and NetBeui. With the apparent liability of TCP/IP on my network I'm wondering if I shouldn't follow suit.

    Is this something that is difficult to implement?

    Thanks

    Gary
     
  11. 2003/02/02
    iceolated

    iceolated Inactive Thread Starter

    Joined:
    2002/03/25
    Messages:
    252
    Likes Received:
    0
    BillyBob,

    Think I'm going blind with all the sites I read:

    Here's my confusion:

    I understand that TCP/IP file sharing can be replaced with NetBEUI file sharing.

    But I imagine that I am required to use TCP/IP for the connections between each computer and the router - correct?

    In viewing the Linksys manual it says it works with any computers using the TCP/IP protocol.

    I think I'm reading too much into some of this - isn't TCP/IP, by definition, what is needed for my computer to access the Internet?

    I imagine there must be a way to set up a network so the router uses TCP/IP to connect with DSL but uses NetBEUI or IPX/SPX to communicate with the rest of the machines - however I get the feeling that to set that up I'm going to need something that begins with :) Cisco :)

    What are your thoughts?

    Gary
     
  12. 2003/02/02
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    You are absolutely correct!

    And this is what I do on my home and some of the smaller networks I administer.

    But in order for this to work you need to unbind the 2.

    Read Steve Gibson, go to http://grc.com/su-bondage.htm

    It will tell you how and why.


    Mike
     
    Last edited: 2003/02/02
  13. 2003/02/02
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    that begins with Cisco

    I have no idea what that is.

    I just have IPX/SPX and NetBeui installed on each machine and File and Printer sharing is not bound to TCP/IP.

    Between that and the Router the LAN and the WAN are kept separated.

    BillyBob
     
    Last edited: 2003/02/02
  14. 2003/02/02
    iceolated

    iceolated Inactive Thread Starter

    Joined:
    2002/03/25
    Messages:
    252
    Likes Received:
    0
    Tonight I successfully changed my file and printer sharing over to IPX/SPX and NetBEUI. Was a little more of a challenge than I expected but worked it out in the end.

    Billybob: I was referring to Cisco systems - Networking Giant.

    Incidentally a further run of the GRC scan shows all my ports as closed. Norton is set to stealth ports as is the Linksys router - so the book says. I wonder if the GRC scan is hitting my ISP's firewall first and the firewall is relaying the ports as closed.

    If so is it more desirable to have my ISP turn the firewall off - so the ports show stealth when hitting my router or Norton - or better that I leave it as is? I believe there is a $25 charge for shutting down the firewall.

    Mike:

    Here is what the bhodemon scan reported - only two items: Norton and Adobe

    NavShExt.dll
    AcroIEHelper.ocx

    Cheers,

    Gary
     
  15. 2003/02/02
    iceolated

    iceolated Inactive Thread Starter

    Joined:
    2002/03/25
    Messages:
    252
    Likes Received:
    0
    Okay so I Lied.

    I set up IPX/SPX on all 4 machines - TCP/IP is not bound to file and print sharing nor client for MS network.

    2 XP machines 2 98 machines.

    98 machines see everyone.

    XP machines only see themselves - they don't see the 98 machines.

    At wits end here.

    Gary
     
  16. 2003/02/02
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Those are normal! So OK!

    Leave the ISP firewall alone.

    Remember: A firewall does not block what you invite
    A firewall blocks uninvited!

    Mike
     
  17. 2003/02/03
    iceolated

    iceolated Inactive Thread Starter

    Joined:
    2002/03/25
    Messages:
    252
    Likes Received:
    0