Firewall Question

**Sudden** · 08-04-2004, 10:22 PM

For the past week someone as been attempting to access my comp.
My firewall states these attempts are Critical.

At first i just increased the time to block the ips.
This hasn't deterred who ever is doing this,
no sooner is the block finished there is another attempt.

So earlier today i switched of active response there
was a further 8 attempts, now i get 2/3 port scans every hour.

There is about 6 different ip addresses,
but the same remote mac number.

I did an whois on the ips and they are all from the same ip company,
no further information was available.

Any help on what i can do will be much appreciated.

**Chewie** · 08-04-2004, 10:59 PM

What type of attack is it?

**supersonic** · 08-04-2004, 11:06 PM

+ what kind of firewall do you have?

**Sudden** · 08-04-2004, 11:08 PM

Protocol says its a TCP

Thanks for the quick response Chewie UK

**Sudden** · 08-04-2004, 11:11 PM

Originally posted by supersonic@5 August 2004 - 00:07
+ what kind of firewall do you have?

sygate up to date

**Chewie** · 08-04-2004, 11:16 PM

Originally posted by Sudden@4 August 2004 - 23:09
Protocol says its a TCP

Thanks for the quick response Chewie UK

TCP? That is a protocol alright, but what attack is being perpetrated using TCP?

**supersonic** · 08-04-2004, 11:16 PM

make a sygate advanced rules to block the whole IP range.
e.g 64.0.0.0-64.225.225.225
All applications should be affected by this rule, highest periority (put it on top of other rules) on all ports and all protocols.

**Sudden** · 08-04-2004, 11:34 PM

Chewie UK,5 August 2004 - 00:17

but what attack is being perpetrated using TCP?

Inbound DCE BIND

supersonic Posted on 5 August 2004 - 00:17

make a sygate advanced rules to block the whole IP range.
e.g 64.0.0.0-64.225.225.225
All applications should be affected by this rule, highest periority (put it on top of other rules) on all ports and all proto

If idid that i would block my own ip

**shn** · 08-04-2004, 11:37 PM

I wouldn't bother with it. Just save the logs and if it continues then contact their isp's abuse dept.

Or get a fresh ip.

**supersonic** · 08-05-2004, 12:03 AM

You don't need to contact your own comp., so you can safely block the range.
If you have a static IP, you can block all the IPs of that ISP, except for yours.

And make sure you do either of the following:
1. Block SVHOST, if it caused problems
then
2.

In the SPF GUI, click on Applications, scroll to SVCHOST.EXE, click the Advanced button, and uncheck the "act as server" box.

Cam

source

As shn mentioned, your firewall is doing its job, so you shouldn't worry anyway.

Thread: Firewall Question

Thread Tools

Bookmarks

Bookmarks

Posting Permissions