Attempted Firewall Breaches - What Action?


jafo33
19th Oct 2003, 04:10
Hi,

Does anyone have any advice or experience in dealing with attempted firewall breaches?

I have Norton Firewall and Systemworks installed. Every so often I receive a security alert advising that someone has tried to penetrate my PC using various Trojans, Subsevens or other arcane things.:(

Usually I ignore them. Occasionally I have tried emailing back after doing the trace, but never received a reply.

Any suggestions? Are these serious and is there some way of sending something back down the line to these hackers??

Thanks for any suggestions.:ok:

Naples Air Center, Inc.
19th Oct 2003, 05:30
jafo33,

Most of the time your ports are just being probed for open shares. (Especially if you have Broadband. Most people do not probe Dialup accounts.)

When you have Viruses trying to get into your system, it is a person with an infected computer who does not even know his computer is doing this.

Then there are the hackers, actively trying to hack into your computer. If the hacker is any good, then he would have hacked another computer and from there launched his attack against yourself. So going back to the place the attack was launched from will only lead you to a poor unsuspecting person, who did not even know his computer had been hacked.

If you are worried about the attacks, I would switch from a software firewall to a hardware firewall. Remember that your software firewall that you installed is also available on the shelf at your local software store for hackers too. Since they have access to the program itself, they can get around it and break in, if they really want into your system. (Chances are, most hackers are not going to spend all that time and energy to get in your system, they are going to go after a large corporation's servers or government/military servers.)

Take Care,

Richard

Evo
19th Oct 2003, 16:15
Then there are the hackers, actively trying to hack into your computer. If the hacker is any good, then he would have hacked another computer and from there launched his attack against yourself. So going back to the place the attack was launched from will only lead you to a poor unsuspecting person, that did not even know his computer had been hacked.

An active hack attempt on a private user is extremely rare. Getting access to remote computers is useful for a number of reasons (for example as a proxy to hide behind, spam mailer, host to put something on or to enroll in a denial of service attack) but there are so many vulnerable computers (i.e. broadband but no firewall, unpatched Windows) online that can be trivially accessed that nobody would bother with you if you have the basic defences in place - unless they are after you and you alone, and for a private user this is very unlikely (unless you've made an enemy down the pub ;) ).

As Richard says, the firewall is just picking up sweeps over a wide range of IP addresses, one of which corresponds to your computer. These will either be active port scans (initiated by a l337 h@x0r script-kiddie with a copy of nmap), or most commonly a virus/worm scanning unknown to the owner of the computer. At first they're interesting, but there are so many that it's better to turn off the pop-up box and just ignore them. A precursor to a real attack is rather different, and any halfway-competent hacker can stealth it so that your firewall will probably miss it anyway.
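The distinction Evo draws above (a wide sweep that touches one port on many hosts versus a single source walking through many of your ports) can be pulled out of a personal firewall's own alert log. The script below is an added example written for this page, not code from any poster or from Norton's product; the five-field line layout, the documentation-range IP addresses and the threshold of five distinct ports are all assumptions made here for illustration.

```python
"""Triage personal-firewall alerts: separate background sweeps from a single source probing many ports."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample alerts in a hypothetical "date time src_ip dst_port proto" layout
# (assumed for this example; this is not Norton's real log format). Includes one
# deliberately malformed line to show that triage tolerates it.
SAMPLE_ALERTS = """\
2003-10-19 04:01:12 203.0.113.7 445 tcp
2003-10-19 04:01:15 198.51.100.23 445 tcp
2003-10-19 04:02:40 192.0.2.88 27374 tcp
2003-10-19 04:03:01 203.0.113.9 445 tcp
this line is not an alert
2003-10-19 04:05:10 192.0.2.200 21 tcp
2003-10-19 04:05:10 192.0.2.200 22 tcp
2003-10-19 04:05:11 192.0.2.200 23 tcp
2003-10-19 04:05:11 192.0.2.200 80 tcp
2003-10-19 04:05:12 192.0.2.200 135 tcp
2003-10-19 04:05:12 192.0.2.200 139 tcp
2003-10-19 04:05:13 192.0.2.200 445 tcp
2003-10-19 04:05:13 192.0.2.200 1433 tcp
2003-10-19 04:06:00 198.51.100.77 1434 udp
"""


@dataclass(frozen=True)
class Alert:
    when: str
    src: str
    port: int
    proto: str


def parse_alerts(text: str) -> List[Alert]:
    """Parse the constructed layout; malformed lines are skipped so one bad line cannot stop triage."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        date, clock, src, port, proto = parts
        alerts.append(Alert(f"{date} {clock}", src, int(port), proto.lower()))
    return alerts


def triage(alerts: List[Alert], min_ports: int = 5) -> Dict[str, object]:
    """Split sources into 'targeted' (one source, many distinct ports) and background sweeps.

    min_ports is an arbitrary threshold chosen for this example: a source that has touched
    at least that many distinct ports on this one host looks like a port scan aimed here,
    whereas a source seen on a single port is most likely part of a wide sweep.
    """
    ports_by_src = defaultdict(set)
    for a in alerts:
        ports_by_src[a.src].add(a.port)

    # Sources that walked many ports, most active first.
    targeted = sorted(
        ((src, len(ports)) for src, ports in ports_by_src.items() if len(ports) >= min_ports),
        key=lambda item: -item[1],
    )
    targeted_srcs = {src for src, _ in targeted}

    # For everything else, count how many distinct sources hit each port: a port with many
    # unrelated sources is the signature of a worm or mass scanner sweeping address space.
    sources_by_port = defaultdict(set)
    for a in alerts:
        if a.src not in targeted_srcs:
            sources_by_port[a.port].add(a.src)
    sweeps = {port: len(srcs) for port, srcs in sources_by_port.items()}

    return {"targeted": targeted, "sweeps": sweeps}


if __name__ == "__main__":
    result = triage(parse_alerts(SAMPLE_ALERTS))
    for src, n in result["targeted"]:
        print(f"worth a look: {src} probed {n} distinct ports")
    for port, n in sorted(result["sweeps"].items(), key=lambda kv: -kv[1]):
        print(f"background sweep: port {port} hit by {n} distinct source(s)")
```

On the constructed data the one source that walks eight ports in a few seconds is reported separately from the three unrelated addresses that each touched port 445 once, which is the pattern the thread says can safely be ignored. Running this over a real export is a way to decide whether any alert deserves attention before turning the pop-ups off, as later replies suggest.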

RomeoTangoFoxtrotMike
20th Oct 2003, 20:54
It's all been covered pretty well already, but in essence what you are seeing is the network equivalent of somebody walking down the street trying car doorhandles for one that's unlocked. If they find the car is locked, they move straight on to the next. Outrageous though this behaviour is, it's probably safe to just ignore it.

If somebody is "after" you in particular, or has just picked your system at random for a challenge, then either (a) all the bells and klaxons should go off on your firewall and you can choose to disconnect temporarily (or whatever); or (b) they are too good for your "firewall", in which case it's probably already too late :(

Like Richard, I'm personally in favour of dedicated hardware firewalls, or at least running software firewalls on PCs that are specifically cut-down and hardened for that specific purpose.

A software firewall running on a general-purpose computer is about as secure as the weakest point in that general purpose computer's operating system... :-(

If you have a spare lowly-spec PC lying around you might want to have a play with:-

Smoothwall (http://www.smoothwall.org/)

or

IPCop (http://www.ipcop.org/)

for starters

Eddie_Crane
20th Oct 2003, 21:55
Was just reading the thread and did not know about IPCop.
Now I know what to do with that old PIII 500 lying around.
:ok:

I suppose this will free me from having to try and mingle with iptables rules from a command line interface
:}

Thanks for the pointers

C

RomeoTangoFoxtrotMike
20th Oct 2003, 22:01
I suppose this will free me from having to try and mingle with iptables

Exactly :)

I've only used Smoothwall in anger, but it does seem well thought out and designed (provides a full set of network services in a box as well -- DHCP, caching DNS through to your ISP, proxy servers, IDS, etc.)

I have successfully run an earlier release on a P90 with 16MB RAM... :ooh:

Gertrude the Wombat
23rd Oct 2003, 04:59
To answer the original question: "Does anyone have any advice ... in dealing with attempted firewall breaches?"

This is a FAQ, and the FGA is to turn off the logging in your firewall. That way you won't be told about the hacking attempts and so you won't be able to worry about them.