
Port scan


dante


OK, first, this is a great forum....It will take a while to come up to speed on the information here but I'm happy that I found it! It makes my head spin a bit being a newbie. OK, I read a post regarding a portscan. I did not get the information that I wanted, but was educated about a port scan.

First I understood that a port scan can be innocent, according to the posts.

It sounds as if a port scan is a general way to say an intrusion is occurring but is not specific to the intent.

My questions are (please talk in very simple terms)

First: If an unknown IP address is intruding with a port scan, is the person trying to infiltrate my system? (In my case an IP address from San Jose, CA came up with a warning of a port scan.) Can this be a person on my AIM list? Someone that I had contact with......is the port scan warning that general? For example, can a port scan be triggered by a benign contact? Or is this a more specific warning of an attack? I don't know anyone from that area other than in the gaming world.

Second: What is a port scan? What information can be obtained from a port scan? Are they looking at your hard drive?

Lastly: Can people hack/break into your system through Norton's firewall? Are there attacks that Norton can't handle, and how can you know they have happened?

Other than being taken for cash or having a total meltdown in your system.

OK thanks for the info....


Hi dante - "Lasciate ogni speranza voi che entrate." (sorry, the Devil made me do it). Yeah, I keep getting alerts, warnings and all sorts of stuff (mostly from "intrusions" by my own ISP, sometimes myself). My solution was to find a trustworthy port tester to set my mind at rest, then forget about it. See: http://forum.spamcop.net/forums/index.php?...indpost&p=28674

Someone came this way once before, asking about a worrisome "ping" - (not for the faint-hearted) see: http://forum.spamcop.net/forums/index.php?...indpost&p=24092


How Ethernet Works sounds like a good starting point for your research. When you are on-line, your computer is just one more computer on the Internet network. All traffic on a/the network is based on one computer sending a request (or data) to another computer. Ports are simply a way of specializing some traffic identification. (In general) For example, when you browse to a web page, there will be a web server listening for your web browser's request for data coming in on Port 80. The person running the web server could change this to another port (say a user running a web server on a system that is not supposed to be running a web server) and you'd then see a link offer like http: // 192.168.25.23:8080 which would tell your browser to send its call for data to port 8080 instead of port 80. Try to connect to an NNTP news-server and that would normally be trying to connect to port 119 .... calls and data flow to ports are how things work.

A "port scan" is normally defined as sending data requests to another system in an attempt to see if there is anything running on that other system that will respond, i.e., is that other system running a mail server, a web host, an FTP server, etc. The "bad" side is when a service is found running on that other computer that shouldn't be, or has been left open to abuse.

Some traffic conditions are a bit static .. for example, if a dial-up user had one of those file-sharing programs up, it's likely that another handful of folks were connected to his/her computer 'sharing' files ... Time for bed, this user disconnects from the Internet. The next user that connected to this ISP ends up with the same IP address that was just in use by the file sharing user. Right off the bat, this second user's firewall alarms start going off due to those other file-sharing folks' computers trying to reconnect to the computer that they 'were' talking to, but this new user isn't running that software, thus no service is found, no response seen by those other computers, so the requests keep coming in trying to re-establish that contact. This is not an attack, just software working as designed, but ... the second user seeing this for the first time would probably get excited by "someone trying to hack his/her computer" .....

"Can someone break through xxxxx's firewall?" ... of course they can ... based on how the user has configured it ... a firewall is supposed to block any traffic not seen as authorized, but .... users can do silly things to make some software "work" ... Microsoft's MSN Messenger for instance requires that dang near all ports be opened up to allow that traffic to flow (and this was done to solve the complaints about how hard users found it to correctly configure a firewall, a way to work around those nasty Admin/IT folks that tried to block MSN Messenger traffic from occurring in the work place, etc.) On the other hand, most of the "firewall security was breached" isn't usually from the outside, these days being more of the idiot user clicking on that e-mail attachment, which then installed that nasty software "behind" the firewall .... which brings one back to the issue that running a software firewall on the same system that you're using isn't considered very secure, as this firewall is thus susceptible to the same issues that the computer itself is.

Anyway, it's a combination of things that you'd want to learn about to answer your actual question .. how is your firewall configured, what services are running on your computer, and how secure do you need things to be ....

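The two situations the post above describes, a port scan (one source touching many ports) and the "stale IP" reconnect storm (many former file-sharing peers all retrying one port), look different in a firewall log, and that difference is what separates "someone is probing me" from "software working as designed". The following is an added example, not code from the thread or from any firewall vendor: it runs a simple classifier over constructed log lines. The log format ("time src_ip src_port dst_port proto"), the addresses (documentation ranges) and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log (assumed format: "time src_ip src_port dst_port proto";
# the addresses are documentation ranges, not real hosts).  First group: one source
# walking many ports.  Second group: many sources retrying one port, the way
# file-sharing peers keep calling the IP address their partner just gave up.
SAMPLE_LOG = """\
12:00:01 203.0.113.7 41222 21 TCP
12:00:01 203.0.113.7 41223 22 TCP
12:00:01 203.0.113.7 41224 23 TCP
12:00:01 203.0.113.7 41225 25 TCP
12:00:02 203.0.113.7 41226 80 TCP
12:00:02 203.0.113.7 41227 110 TCP
12:00:02 203.0.113.7 41228 139 TCP
12:00:02 203.0.113.7 41229 443 TCP
12:00:02 203.0.113.7 41230 445 TCP
12:00:03 203.0.113.7 41231 3389 TCP
12:00:05 198.51.100.10 6346 6346 TCP
12:00:05 198.51.100.23 6346 6346 TCP
12:00:06 198.51.100.45 6346 6346 TCP
12:00:06 198.51.100.10 6346 6346 TCP
12:00:07 198.51.100.77 6346 6346 TCP
12:00:08 198.51.100.23 6346 6346 TCP
12:00:09 198.51.100.99 6346 6346 TCP
"""


def parse_log(text):
    """Turn log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dport, proto = line.split()
        events.append({"time": ts, "src": src, "sport": int(sport),
                       "dport": int(dport), "proto": proto})
    return events


def classify(events, scan_ports=8, storm_sources=4):
    """Scanners: a source that touched at least scan_ports distinct ports.
    Reconnect storms: a port hit by at least storm_sources distinct sources.
    Both thresholds are illustrative assumptions, not vendor defaults."""
    ports_by_src = defaultdict(set)
    srcs_by_port = defaultdict(set)
    for e in events:
        ports_by_src[e["src"]].add(e["dport"])
        srcs_by_port[e["dport"]].add(e["src"])
    scanners = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_ports)
    storms = sorted((port, len(srcs)) for port, srcs in srcs_by_port.items()
                    if len(srcs) >= storm_sources)
    return {"scanners": scanners, "reconnect_storms": storms}


def describe(result):
    """Plain-language verdicts, one line per finding."""
    lines = []
    for src in result["scanners"]:
        lines.append(f"{src}: one source probing many ports - looks like a port scan")
    for port, n in result["reconnect_storms"]:
        lines.append(f"port {port}: {n} different sources retrying one port - "
                     f"looks like peers reconnecting to this IP's previous owner")
    return lines


if __name__ == "__main__":
    for line in describe(classify(parse_log(SAMPLE_LOG))):
        print(line)
```

Real firewall logs need a different parser, and real thresholds depend on how noisy your connection is, but the two shapes are the thing to look for: "one-to-many ports" is a scan, "many-to-one port" right after you got a new address is almost always leftover traffic meant for whoever had it before you.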

> On the other hand, most of the "firewall security was breached" isn't usually from the outside, these days being more of the idiot user clicking on that e-mail attachment, which then installed that nasty software "behind" the firewall .... which brings one back to the issue that running a software firewall on the same system that you're using isn't considered very secure, as this firewall is thus susceptible to the same issues that the computer itself is.

How secure are the "hardware" firewalls found in typical routers (i.e. Netgear, Linksys, Belkin, etc.)? To access and modify them you have to know the specific address of the router and password, or are there other backdoor entries a hacker can exploit?


> How secure are the "hardware" firewalls found in typical routers (i.e. Netgear, Linksys, Belkin, etc.)? To access and modify them you have to know the specific address of the router and password, or are there other backdoor entries a hacker can exploit?

It's not your fault, but .... choking back the tears from laughing so hard ....

Story 1: guy that once worked for me, maybe a dozen years ago ... cable company arrived, hooked him up .. he had some problems, solved them by unplugging this little box and jacking his system right into the modem. He sent me that weird box, figuring I could do something with it. So here I sit with his router with print-server that also was a firewall.

Story 2: talking to daughter-in-law ... had just walked her through setting up a network connection between two Win2K machines a couple of weeks prior ... they also went to cable, cable company provided a router/firewall ... which of course broke the networking. No, the cable-guy hadn't left any manuals or documentation on the router, no, the passwords hadn't been changed on the router, yes, it was enabled to "Admin via the Internet" .... I reconfigured her router from 1,000 miles away while talking to her on the phone .... (Note: in this configuration, her router was running a web-server, so hitting "her IP address" with a web browser brought up a web-page asking for a password, supplied the factory default magic word, and proceeded into the set-up pages)

Background (showing my age here, but ...) 40+ years ago, it was the "default" passwords left on the mainframe that caused issues ... but noting that things like this might not be documented short of a paragraph on page 84 in Volume 3 of a 300 pound stack of manuals, maybe the ignorance involved in removing/changing those manufacturer's default passwords could (possibly) be understood ... yet here we are today, folks installing Microsoft's e-mail server apps and not changing default passwords on default accounts, folks not changing default settings (to include passwords) on these little "home" boxes .... and that one of the more popular "home" routers (made even more popular after the hack went public) is running a bit of a Linux server, and once "patched" the code could be "updated" ....

In general terms, one would want an external (hardware) firewall to intercept all the crap coming in .... a software firewall to control any outgoing from 'your' system .... but both need configuring .... noting that "security" and "ease of use" don't usually go together ...


> no, the passwords hadn't been changed on the router, yes, it was enabled to "Admin via the Internet" .... I reconfigured her router from 1,000 miles away while talking to her on the phone ....
>
> folks not changing default settings (to include passwords) on these little "home" boxes .... and that one of the more popular "home" routers (made even more popular after the hack went public) is running a bit of a Linux server, and once "patched" the code could be "updated" ....
>
> In general terms, one would want an external (hardware) firewall to intercept all the crap coming in .... a software firewall to control any outgoing from 'your' system .... but both need configuring .... noting that "security" and "ease of use" don't usually go together ...

Thanks for your response. I use both router based hardware and software firewalls. Of course default passwords need to be updated and things that are set up on auto-pilot are going to be vulnerable. My concern for my (simple) system is that the "holes" I set up for PC Anywhere or UltraVNC for outside access to my office server could be exploited by others.


> Thanks for your response. I use both router based hardware and software firewalls. Of course default passwords need to be updated and things that are set up on auto-pilot are going to be vulnerable. My concern for my (simple) system is that the "holes" I set up for PC Anywhere or UltraVNC for outside access to my office server could be exploited by others.

My "instructions" for those applications are .... do not install as a "service" .. only start them up after you have me talking to you ... and I'll usually end my "session" by doing a (commanded) shutdown from this end.

One setting on "RealVNC" is to use 'default' or "automatic" on what "screen" port to have that application to use ... not so bad a few years back, but .. application got famous enough that it is now actively scanned for (see port scan <g>) .. so I configure my customers to only look at one "screen" port when this is running, and that's not "0" ... thus further limiting exposure, going with most scans are going to be at the "default" address, not spending time on 'walking' through all possibilities ....

Not knowing anything about the network involved, even this type of thing can be even more focused by a firewall by using the "port-forwarding" type controls ... for example, a quick scan here shows eight systems currently powered up and running in my "living room" .... There are also three routers in use (and two wireless access point devices with their own routing configurations) .. the specific system I'm typing on right now has an ancient software firewall running (have yet to find something that takes its place) .. but it also sits behind two routers before it hits the cable-modem .... most of the other systems are only behind a single router, not all of them running a software firewall.

This becomes an issue on actually doing some things. Due to some web-site programming, I can't actually get to some sites on "this" computer (or the resulting page displays are next to useless) .... some of my configurations are based on the IP of a particular system, and that rears its ugly head when the systems get booted up in the "wrong" sequence and the DHCP server assigns an IP to a system that's not running the specific service, so the port-forwarding assignments end up sending the traffic to the wrong computer. (For instance, two laptops went to sleep, shutting off their network cards ... one of the tower systems crashed, do a reboot on the tower, it comes back up and snags one of the IP addresses that an hour ago belonged to one of the laptops ....) [and yes, hard-configuring systems to a specific IP also has its downside 'here']

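The post above moves RealVNC off the default "screen" port so that scanners which only check the default address miss it. The following is an added example, not code from the thread or from RealVNC, showing the mechanics of a connect scan (the thing the earlier post defines as a "port scan") and its limit: a scanner that only tries the default VNC port (5900, display 0) misses the moved server, but one that walks a range identifies the service by the RFB greeting the server sends first, whatever port it sits on. To run offline it starts a stand-in listener on localhost that replies with the real RFB version banner; the port range, timeouts and helper names are assumptions made for this example.

```python
import socket
import threading

RFB_BANNER = b"RFB 003.008\n"  # the real RFB (VNC) protocol greeting a server sends first


def start_fake_vnc(host="127.0.0.1", port=0):
    """Stand-in VNC server for offline testing: accepts connections and sends
    the RFB greeting.  port=0 lets the OS pick an ephemeral port, standing in
    for a VNC server configured to a non-default display.  Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(RFB_BANNER)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def reserve_closed_port(host="127.0.0.1"):
    """Bind a socket without listen() so connects to it are refused.
    Returns (port, sock); keep sock open while you need the port closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    return s.getsockname()[1], s


def grab_banner(host, port, timeout=0.5):
    """One step of a connect scan: TCP connect, then read whatever the service
    says first.  None = closed/filtered, b"" = open but silent, else the banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(64)
            except socket.timeout:
                return b""
    except OSError:
        return None


def find_vnc(host, ports):
    """Ports whose banner identifies the service as RFB/VNC, regardless of port number."""
    hits = []
    for p in ports:
        banner = grab_banner(host, p)
        if banner and banner.startswith(b"RFB "):
            hits.append(p)
    return hits


if __name__ == "__main__":
    vnc_port, stop = start_fake_vnc()
    # A lazy scanner that checks only the default display-0 port misses the
    # moved server (assumes nothing on this machine listens on 5900).
    print("default-port check:", find_vnc("127.0.0.1", [5900]))
    # Walking a range around it finds it anyway, by banner rather than by port.
    print("range walk:", find_vnc("127.0.0.1", range(vnc_port - 5, vnc_port + 5)))
    stop()
```

Moving the port reduces exposure to scanners that only hit the default, which is what the post relies on; it does nothing against one willing to walk the port range and read banners, so the port-forwarding and "only start it when I'm on the phone with you" controls described above are what actually limit the window.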

> How secure are the "hardware" firewalls found in typical routers (i.e. Netgear, Linksys, Belkin, etc.)? To access and modify them you have to know the specific address of the router and password, or are there other backdoor entries a hacker can exploit?

Actually, those little sub-$100 hardware firewalls are pretty secure from an outside attack standpoint, given a few conditions... The 3 most important things here are turn off remote admin, turn off remote admin, and turn off remote admin. Very few of the newer routers have remote admin enabled by default now, so this is usually an out-of-the-box setting, but check anyway. If you absolutely must have remote admin, use a very secure password, definitely not the router's default password. Keep in mind that very few of these routers use much of an actual firewall, so these generally don't help much if you already have a trojan or virus on your computer to initiate the connection. However, the built-in NAT aspect of these routers offers a surprisingly hardened defense against direct outside attack.

There are a few exploits for some of the older versions on some routers, so make sure to keep your firmware up to date, and check around the net for any known exploits for your particular router make/model. This combined with a GOOD (read NOT free) antivirus program, periodic spyware scans, and some basic user education (read quit clicking yes every time you see a dialog on a website) is usually more than adequate security for the average home user.


Archived

This topic is now archived and is closed to further replies.
