
Intrusion detection

Anonymous
June 22, 2004 7:20:42 PM

Archived from groups: comp.security.firewalls (More info?)

Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
things with my ip.

I heard that a firewall is not enough. Perhaps there are other good
intrusion detection systems?

But I would also like to be able to monitor the ports that are opened and
also "close" (the applications working through them) them if they are
just wasting space and memory.

Are there softwares for this?


Thanks for your help


June 22, 2004 9:29:17 PM

Archived from groups: comp.security.firewalls (More info?)

"news" <geerge@yahoo.com> wrote in message
news:e7YBc.96576$dP1.317750@newsc.telia.net...
> Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
> things with my ip.
>
> I heard that a firewall is not enough. Perhaps there are other good
> intrusion detection systems?

There is a rather good IDS at www.snort.org

There is also the add-on http://www.chaotic.org/guardian/ which can actively
block ports based on Snort alerts.

> But I would also like to be able to monitor the ports that are opened and
> also "close" (the applications working through them) them if they are
> just wasting space and memory.

netstat perhaps?
Anonymous
June 22, 2004 9:29:18 PM

Archived from groups: comp.security.firewalls (More info?)

"Mike" <nospam@notherematey.com> wrote in message
news:cb9mov$gdc$1@thorium.cix.co.uk...
>
> "news" <geerge@yahoo.com> wrote in message
> news:e7YBc.96576$dP1.317750@newsc.telia.net...
> > Hi! I don't want anyone to hijack my pc and surf to porn sites or other
> > bad things with my ip.
> >
> > I heard that a firewall is not enough. Perhaps there are other good
> > intrusion detection systems?
>
> There is a rather good IDS at www.snort.org
>
> There is also the add-on http://www.chaotic.org/guardian/ which can
> actively block ports based on Snort alerts.
>
> > But I would also like to be able to monitor the ports that are opened
> > and also "close" (the applications working through them) them if they
> > are just wasting space and memory.
>
> netstat perhaps?

Thanks for your help!

Is it possible to block ip in Windows 98? To only allow certain ip..

Then no one can get through that if not first hacking the allowed ip, right?

Thank you
June 22, 2004 10:53:29 PM

Archived from groups: comp.security.firewalls (More info?)

In article <MlZBc.96583$dP1.317738@newsc.telia.net>, geerge@yahoo.com says...
>
> "Mike" <nospam@notherematey.com> wrote in message
> news:cb9mov$gdc$1@thorium.cix.co.uk...
> >
> > "news" <geerge@yahoo.com> wrote in message
> > news:e7YBc.96576$dP1.317750@newsc.telia.net...
> > > Hi! I don't want anyone to hijack my pc and surf to porn sites or other
> > > bad things with my ip.
> > >
> > > I heard that a firewall is not enough. Perhaps there are other good
> > > intrusion detection systems?
> >
> > There is a rather good IDS at www.snort.org
> >
> > There is also the add-on http://www.chaotic.org/guardian/ which can
> > actively block ports based on Snort alerts.
> >
> > > But I would also like to be able to monitor the ports that are opened
> > > and also "close" (the applications working through them) them if they
> > > are just wasting space and memory.
> >
> > netstat perhaps?
>
> Thanks for your help!
>
> Is it possible to block ip in Windows 98? To only allow certain ip..
>
> Then no one can get through that if not first hacking the allowed ip, right?
>
> Thank you
>
Hi News. You can use the Windows 98 Host file to block sites and prevent
your computer from connecting to those sites. Host info:
http://www.accs-net.com/hosts/what_is_hosts.html
You can also use a good firewall, set up correctly, to control applications,
ports, protocols, IPs, etc.
Anonymous
June 23, 2004 1:40:18 AM

Archived from groups: comp.security.firewalls (More info?)

"Casey" <casey@nosuch.net> wrote in message
news:MPG.1b423bfbf7837bf3989741@news.west.earthlink.net...
> In article <MlZBc.96583$dP1.317738@newsc.telia.net>, geerge@yahoo.com
> says...
> >
> > "Mike" <nospam@notherematey.com> wrote in message
> > news:cb9mov$gdc$1@thorium.cix.co.uk...
> > >
> > > "news" <geerge@yahoo.com> wrote in message
> > > news:e7YBc.96576$dP1.317750@newsc.telia.net...
> > > > Hi! I don't want anyone to hijack my pc and surf to porn sites or
> > > > other bad things with my ip.
> > > >
> > > > I heard that a firewall is not enough. Perhaps there are other good
> > > > intrusion detection systems?
> > >
> > > There is a rather good IDS at www.snort.org
> > >
> > > There is also the add-on http://www.chaotic.org/guardian/ which can
> > > actively block ports based on Snort alerts.
> > >
> > > > But I would also like to be able to monitor the ports that are
> > > > opened and also "close" (the applications working through them) them
> > > > if they are just wasting space and memory.
> > >
> > > netstat perhaps?
> >
> > Thanks for your help!
> >
> > Is it possible to block ip in Windows 98? To only allow certain ip..
> >
> > Then no one can get through that if not first hacking the allowed ip,
> > right?
> >
> > Thank you
> >
> Hi News. You can use the Windows 98 Host file to block sites and prevent
> your computer from connecting to those sites. Host info:
> http://www.accs-net.com/hosts/what_is_hosts.html
> You can also use a good firewall, set up correctly, to control
> applications, ports, protocols, IPs, etc.

Hi! Thanks!

But host file can only block specified ip:s right? Not the opposite way, to
only allow a few?

Thanks
Anonymous
June 23, 2004 4:02:16 AM

Archived from groups: comp.security.firewalls (More info?)

news wrote:

> But host file can only block specified ip:s right? Not the opposite way,
> to only allow a few?

Using a local hosts file for other hosts than a few in your LAN (in case no
local DNS server for the LAN is configured) is usually a pain in the a*s.
DNS was invented and introduced long time back to overcome the problems
associated with the use of local hosts files.

The technique recommended here is IMHO useless for the purpose and will do
more harm than good.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
Anonymous
June 23, 2004 11:59:02 AM

Archived from groups: comp.security.firewalls (More info?)

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:cbaaan$rq8$1@news.shlink.de...
> news wrote:
>
> > But host file can only block specified ip:s right? Not the opposite way,
> > to only allow a few?
>
> Using a local hosts file for other hosts than a few in your LAN (in case
> no local DNS server for the LAN is configured) is usually a pain in the
> a*s. DNS was invented and introduced long time back to overcome the
> problems associated with the use of local hosts files.
>
> The technique recommended here is IMHO useless for the purpose and will do
> more harm than good.
>
> Wolfgang



Thanks! How safe is an ip blocking method? Is it still possible for someone
with a not allowed ip to hack inside? How can they get around that? They
need to show their ip to get inside my pc, right? Can it be faked so it
looks like an allowed one? Or can they change the adjustments for the
blocked/allowed ip some other way? Perhaps from inside (If already there)
with a trojan!? But those can be found and destroyed easier I guess.


I'm not scared of someone searching through my computer. But what I am
scared of is that someone might use my ip for illegal activities.

Do I need a firewall that takes a lot of cpu just to specify allowed ip? I
read Kerio can do this.
I can't do this in Windows 98 without any extra softwares? I am not spoiled
with cpu :)

Guess it's too much to ask - but a small software where we can specify ip and
keep an eye on intruders or attempts. Is that heaven? :)

Thanks!!
Anonymous
June 23, 2004 3:43:36 PM

Archived from groups: comp.security.firewalls (More info?)

news wrote:

> Thanks! How safe is an ip blocking method? Is it still possible for
> someone with a not allowed ip to hack inside?

Please define 'hack inside'. And keep in mind that 'hacking inside' requires
a service that is running and can be exploited in whatever way. Anyhow a
service was always installed or started by yourself (perhaps by unwillingly
executing malware).

> How can they get around that?

Think at least twice, what software you install. Use an operating system
that knows user and access rights, set these strict. Switch all unwanted
services off.

> They need to show their ip to get inside my pc, right?

Every machine that communicates via a tcp/ip network needs an ip.

> Can it be faked so it looks like an allowed one?

When udp is used as the transport protocol ip spoofing is easy, when tcp is
used, it is quite difficult. Spoofing icmp is also easy but icmp is no
transport protocol, therefore there is no payload like tcp or udp.

> Or can they change the adjustments for the blocked/allowed ip some other
> way?

Which ip do you want to block? Remember: If you run no services, nobody can
connect to your machine.

> Perhaps from inside (If already
> there) with a trojan!? But those can be found and destroyed easier I
> guess.

A system that is infected with malware has to be reinstalled completely from
clean media.

> I'm not scared of someone searching through my computer. But what I am
> scared of is that someone might use my ip for illegal activities.

???

> Do I need a firewall that takes a lot of cpu just to specify allowed ip? I
> read Kerio can do this.

A host based packet filter, that allows end user interaction doesn't make
any sense at all.

> I can't do this in Windows 98 without any extra softwares?

What services does your box offer? None? Fine, so just sit back and relax.

> I am not spoiled with cpu :)
>
> Guess it's too much to ask - but a small software where we can specify ip
> and keep an eye on intruders or attempts. Is that heaven? :)

You don't need additional software, a locked down box that offers no services
is sufficient, if you are able to keep an overview, what software is
installed on your system and what that software does. If you can't keep
control over the installed software all firewall placebos will not be able
to help you on a win98 system, since malware can control the firewall
completely.

Actually I'm afraid that all what I've written was far too technical and
complicated for you and you've hardly understood anything of what I wanted
to tell you. So install whatever tool/firewall placebo you want, you'll
never be able to secure your win98 box.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
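
Added example, not part of any post in this thread: a Python sketch that answers "What services does your box offer?" from the output of `netstat -an` (the tool Mike suggested), listing the sockets that accept traffic from the network. The sample output, addresses and function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample of `netstat -an` output on a Windows host (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1042      203.0.113.5:80         ESTABLISHED
  TCP    192.168.0.10:5000      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    reachable: bool        # False when bound to loopback only
    ip_filter_weak: bool   # True for UDP, where a source address is easy to forge


def parse_listeners(text):
    """Return every socket in netstat output that is waiting for inbound traffic."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto = fields[0].upper()
        # TCP rows carry a state and only LISTENING rows are services.
        # UDP is connectionless, so every bound UDP socket accepts datagrams.
        if proto == "TCP" and (len(fields) < 4 or fields[3].upper() != "LISTENING"):
            continue
        host, _, port = fields[1].rpartition(":")
        host = host.strip("[]")  # newer systems print IPv6 literals as [::]:135
        if not port.isdigit():
            continue
        try:
            loopback = ipaddress.ip_address(host.split("%")[0]).is_loopback
        except ValueError:
            loopback = False  # unparseable address: assume it is reachable
        found.append(Listener(proto, host, int(port), not loopback, proto == "UDP"))
    return found


def exposed(text):
    """Listeners that other machines can reach: the services the box offers."""
    return [l for l in parse_listeners(text) if l.reachable]


if __name__ == "__main__":
    for l in exposed(SAMPLE):
        note = "  (source-IP allow list is weak here)" if l.ip_filter_weak else ""
        print(f"{l.proto} {l.addr}:{l.port}{note}")
```

An empty result from `exposed()` corresponds to the "locked down box that offers no services" described above; each remaining entry is a program to identify and close.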
Anonymous
June 23, 2004 3:43:37 PM

Archived from groups: comp.security.firewalls (More info?)

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:cbbjc8$1tv$1@news.shlink.de...
> news wrote:
>
> > Thanks! How safe is an ip blocking method? Is it still possible for
> > someone with a not allowed ip to hack inside?
>
> Please define 'hack inside'. And keep in mind that 'hacking inside'
> requires a service that is running and can be exploited in whatever way.
> Anyhow a service was always installed or started by yourself (perhaps by
> unwillingly executing malware).
>
> > How can they get around that?
>
> Think at least twice, what software you install. Use an operating system
> that knows user and access rights, set these strict. Switch all unwanted
> services off.
>
> > They need to show their ip to get inside my pc, right?
>
> Every machine that communicates via a tcp/ip network needs an ip.
>
> > Can it be faked so it looks like an allowed one?
>
> When udp is used as the transport protocol ip spoofing is easy, when tcp
> is used, it is quite difficult. Spoofing icmp is also easy but icmp is no
> transport protocol, therefore there is no payload like tcp or udp.
>
> > Or can they change the adjustments for the blocked/allowed ip some other
> > way?
>
> Which ip do you want to block? Remember: If you run no services, nobody
> can connect to your machine.
>
> > Perhaps from inside (If already
> > there) with a trojan!? But those can be found and destroyed easier I
> > guess.
>
> A system that is infected with malware has to be reinstalled completely
> from clean media.
>
> > I'm not scared of someone searching through my computer. But what I am
> > scared of is that someone might use my ip for illegal activities.
>
> ???
>
> > Do I need a firewall that takes a lot of cpu just to specify allowed ip?
> > I read Kerio can do this.
>
> A host based packet filter, that allows end user interaction doesn't make
> any sense at all.
>
> > I can't do this in Windows 98 without any extra softwares?
>
> What services does your box offer? None? Fine, so just sit back and relax.
>
> > I am not spoiled with cpu :)
> >
> > Guess it's too much to ask - but a small software where we can specify ip
> > and keep an eye on intruders or attempts. Is that heaven? :)
>
> You don't need additional software, a locked down box that offers no
> services is sufficient, if you are able to keep an overview, what software
> is installed on your system and what that software does. If you can't keep
> control over the installed software all firewall placebos will not be able
> to help you on a win98 system, since malware can control the firewall
> completely.
>
> Actually I'm afraid that all what I've written was far too technical and
> complicated for you and you've hardly understood anything of what I wanted
> to tell you. So install whatever tool/firewall placebo you want, you'll
> never be able to secure your win98 box.
>
> Wolfgang

--------------------------------------


I think I understand at least. Have asked on other forums how to turn off
ports but I could not get any straight answers except - "get a firewall".

Are there any softwares that can control what programs I can close so that
those ports are safe? I don't know how to do it manually. Perhaps you know
of some guide for this?

Thanks
Anonymous
June 23, 2004 3:43:37 PM

Archived from groups: comp.security.firewalls (More info?)

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:cbbjc8$1tv$1@news.shlink.de...
> news wrote:
>
> > Thanks! How safe is an ip blocking method? Is it still possible for
> > someone with a not allowed ip to hack inside?
>
> Please define 'hack inside'. And keep in mind that 'hacking inside'
> requires a service that is running and can be exploited in whatever way.
> Anyhow a service was always installed or started by yourself (perhaps by
> unwillingly executing malware).
>
> > How can they get around that?
>
> Think at least twice, what software you install. Use an operating system
> that knows user and access rights, set these strict. Switch all unwanted
> services off.
>
> > They need to show their ip to get inside my pc, right?
>
> Every machine that communicates via a tcp/ip network needs an ip.
>
> > Can it be faked so it looks like an allowed one?
>
> When udp is used as the transport protocol ip spoofing is easy, when tcp
> is used, it is quite difficult. Spoofing icmp is also easy but icmp is no
> transport protocol, therefore there is no payload like tcp or udp.
>
> > Or can they change the adjustments for the blocked/allowed ip some other
> > way?
>
> Which ip do you want to block? Remember: If you run no services, nobody
> can connect to your machine.
>
> > Perhaps from inside (If already
> > there) with a trojan!? But those can be found and destroyed easier I
> > guess.
>
> A system that is infected with malware has to be reinstalled completely
> from clean media.
>
> > I'm not scared of someone searching through my computer. But what I am
> > scared of is that someone might use my ip for illegal activities.
>
> ???
>
> > Do I need a firewall that takes a lot of cpu just to specify allowed ip?
> > I read Kerio can do this.
>
> A host based packet filter, that allows end user interaction doesn't make
> any sense at all.
>
> > I can't do this in Windows 98 without any extra softwares?
>
> What services does your box offer? None? Fine, so just sit back and relax.
>
> > I am not spoiled with cpu :)
> >
> > Guess it's too much to ask - but a small software where we can specify ip
> > and keep an eye on intruders or attempts. Is that heaven? :)
>
> You don't need additional software, a locked down box that offers no
> services is sufficient, if you are able to keep an overview, what software
> is installed on your system and what that software does. If you can't keep
> control over the installed software all firewall placebos will not be able
> to help you on a win98 system, since malware can control the firewall
> completely.
>
> Actually I'm afraid that all what I've written was far too technical and
> complicated for you and you've hardly understood anything of what I wanted
> to tell you. So install whatever tool/firewall placebo you want, you'll
> never be able to secure your win98 box.
>
> Wolfgang

-------------------------------------



A little more...

I just use my computer for email, browsing and for access to some data
services.

I am a little confused. Let's see.. But it is better to close a program that
holds a port open than to try to block ip:s? Since you apparently can get
around by spoofing.

So if my computer is on and online but all softwares are closed, not even
the best hacker can communicate with it? They can't start a program and
continue from there?

Then why do they tell us to install even more softwares? :)  They want to
make money of course..

Thanks for your help

Patrik (News is not my name. Just typed wrong :) 
Anonymous
June 23, 2004 4:58:05 PM

Archived from groups: comp.security.firewalls (More info?)

news wrote:

> I just use my computer for email, browsing

Use safe client software.

> and for access to some data services.

You mean file sharing (kazaa etc)? Simply forget security when using file
sharing services.

> I am a little confused.

That happens when firewall placebos are confronted with basics about network
communication.

> Let's see.. But it is better to close a program
> that holds a port open than to try to block ip:s?

Yes. A not existing service can neither be connected nor be exploited.

> Since you apparently can get around by spoofing.

IP spoofing is difficult with tcp, easy with udp.

> So if my computer is on and online but all softwares are closed, not even
> the best hacker can communicate with it?

Right, as long as there are no vulnerabilities in the network protocol stack
of your operating system. You have to trust the vendor of the OS up to that
point.

> They can't start a program and continue from there?

How should anyone be able to start a software on a box that he cannot even
connect to?

> Then why do they tell us to install even more softwares?

Which is nonsense. More software means more code, thus more possible errors.
Safe systems are small systems.

> :)  They want to make money of course.

That might be a reason.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
Anonymous
June 23, 2004 4:58:06 PM

Archived from groups: comp.security.firewalls (More info?)

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:cbbnnt$2h7$1@news.shlink.de...
> news wrote:
>
> > I just use my computer for email, browsing
>
> Use safe client software.
>
> > and for access to some data services.
>
> You mean file sharing (kazaa etc)? Simply forget security when using file
> sharing services.
>
> > I am a little confused.
>
> That happens when firewall placebos are confronted with basics about
> network communication.
>
> > Let's see.. But it is better to close a program
> > that holds a port open than to try to block ip:s?
>
> Yes. A not existing service can neither be connected nor be exploited.
>
> > Since you apparently can get around by spoofing.
>
> IP spoofing is difficult with tcp, easy with udp.
>
> > So if my computer is on and online but all softwares are closed, not
> > even the best hacker can communicate with it?
>
> Right, as long as there are no vulnerabilities in the network protocol
> stack of your operating system. You have to trust the vendor of the OS up
> to that point.
>
> > They can't start a program and continue from there?
>
> How should anyone be able to start a software on a box that he cannot even
> connect to?
>
> > Then why do they tell us to install even more softwares?
>
> Which is nonsense. More software means more code, thus more possible
> errors. Safe systems are small systems.
>
> > :)  They want to make money of course.
>
> That might be a reason.
>
> Wolfgang
> --
> A foreign body and a foreign mind
> never welcome in the land of the blind
> Peter Gabriel, Not one of us, 1980


------------------------



No not file sharing for me. It's data from a company I subscribe to.

Thanks for helping me with some ?
August 2, 2004 2:54:52 PM

Archived from groups: comp.security.firewalls (More info?)

On Tue, 22 Jun 2004 15:20:42 GMT, the right honourable "news"
<geerge@yahoo.com> wrote:

>Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
>things with my ip.
>
>I heard that a firewall is not enough. Perhaps there are other good
>intrusion detection systems?
>


definitions:

A FW is NOT an IDS.

A FW blocks specific traffic and maybe redirects traffic too.

An IDS system looks at traffic that is not blocked and looks if it is
suspicious. It does not block, it just reports.

So the word "other" is not appropriate.

IMHO you need:
FW (OSI layers: Transport and Application)
Virus detection/removal (automatic)
AD-removal once a day

And if you need to be active: an IDS box like a SNORT system.
You should put it after the first FW, on a **HUB**, not a switch.

fr gr
Erik