Main Area and Open Discussion > Living Room
I want to ping back blocked incoming pings - could I use BlackIce Defender?
IainB:
@4wd: Many thanks for that. Yes, I had read the manual and found the notes at the bit you point to in the image above. However, not knowing anything much about these things, I took it to mean simply that the syslog server would need to be a separate, remote physical device with it's own remote IP address - which I couldn't see myself as doing. I couldn't see why they made it so hard to do.
You give me some hope if the syslog can be output to the client Windows Event Log though! That could be ideal, if feasible.
I shall follow up on Kiwi and PRTG.
As for:
... do you have incoming ICMP messages blocked in the router ...
-4wd (December 31, 2013, 09:20 PM)
--- End quote ---
I don't know, I never kept a record, and I wouldn't know the difference anyway. As far as I recall, they all look similar in format to the ones in the image.
There is some other stuff - e.g., Windows 7 Firewall Control reports a lot of this kind of thing, which is what originally started me examining the router log to see what it was stopping.
For all I know, the source of a lot of this could be US NSA or NZ GCSB pings, or other similar criminal activity...
4wd:
You give me some hope if the syslog can be output to the client Windows Event Log though! That could be ideal, if feasible.-IainB (December 31, 2013, 10:04 PM)
--- End quote ---
After suggesting that, I've starting playing around with AutoIt3 to see if it can receive the events, (I can already write to the Application EventLog), atm it can see the kernel log restarts from my router. So if it works out, it'll just be a small program that sits around monitoring a port.
... do you have incoming ICMP messages blocked in the router ...
-4wd (December 31, 2013, 09:20 PM)
--- End quote ---
I don't know, I never kept a record, and I wouldn't know the difference anyway. As far as I recall, they all look similar in format to the ones in the image.
--- End quote ---
By default incoming connections should be blocked, (if the router firewall is enabled), so for ICMP messages, (pings), to be getting through there's usually a couple of places to check:
Check Incoming IP Filtering and ensure there isn't an Allow rule for ICMP protocol:
If it's only happening to one particular IP on your network, then you may also have an Allow rule set to Any, (depends on your router whether Any is a valid selection), to that IP.
And there is usually an option somewhere, (in Advanced or Administration), that says something like:
Respond to ICMP requests: Never, LAN, WAN, Both
This is purely to do with what the router does when a ping is directed towards its LAN or WAN IP. Normally you'd set it to Never or LAN unless you have a specific need to ping your router from the internet.
A quick search through the manual for your router for ping or ICMP didn't seem to find anything but that doesn't mean it can't be controlled by logging in via telnet and issuing a command.
I am wondering why your software firewall is seeing a lot of inbound blocking activity if the routers firewall is turned on though, (it does support a SPIw firewall which should make it reasonably intelligent).
Referring to the W7FC image, you've cut it off so does it report what protocol is being used?
Don't know if this is feasible or worth bothering with, (SJ, 40, etc would be more informed than me), you have connection attempts being blocked to processes started by svchost.exe - it might pay to try and narrow down what processes in particular. Possibly by using Process Explorer to get the names and trying to correlate with lookups on the blocked IPs.
Addendum: Here's another SysLog Server that might be a bit simpler, LogLady - very small (2.30MB) and works quite well with my router sending messages to it. LogLady's default port for your router to send to is 514.
Shareware, but you could use it for a short period to see what's what.
I want to ping back blocked incoming pings - could I use BlackIce Defender?
IainB:
...Referring to the W7FC image, you've cut it off so does it report what protocol is being used? ...
-4wd (December 31, 2013, 11:09 PM)
--- End quote ---
Here's a fuller image sample (taken from SysExporter):
I want to ping back blocked incoming pings - could I use BlackIce Defender?
IainB:
...Check Incoming IP Filtering and ensure there isn't an Allow rule for ICMP protocol...
-4wd (December 31, 2013, 11:09 PM)
--- End quote ---
==> I checked. There are no such rules set in the router. (I set up no Allow rules on Incoming IP Filtering.)
I am wondering why your software firewall is seeing a lot of inbound blocking activity if the routers firewall is turned on though, (it does support a SPIw firewall which should make it reasonably intelligent).
-4wd (December 31, 2013, 11:09 PM)
--- End quote ---
==> "Enable SPI Firewall" is ON.
Referring to the W7FC image, you've cut it off so does it report what protocol is being used?
-4wd (December 31, 2013, 11:09 PM)
--- End quote ---
==> See above latest image of log from me. It looks like it's all TCP.
Possibly by using Process Explorer to get the names and trying to correlate with lookups on the blocked IPs.
-4wd (December 31, 2013, 11:09 PM)
--- End quote ---
==> Playing with this now...nothing obvious so far...
40hz:
You could run an online vulnerability scanner such as GRC's ShieldsUp to get some idea of what ports are responding to WAN queries. (It does a few other things as well. Good reference info on service port numbers and what they're most commonly used for.)
Once you've identified where you may be potentially vulnerable, it becomes a lot easier to close the holes.
After you know you're secure, you can more comfortably start trying to figure out who or what is probing you. :Thmbsup:
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version