Intrusion detection

Archived from groups: comp.security.firewalls (More info?)

Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
things with my ip.

I heard that a firewall is not enough. Perhaps there are other good
intrusion detection systems?

But I would also like to be able to monitor the ports that are opened and
also "close" (the applications working through them) them if they are
just wasting space and memory.

Is there software for this?


Thanks for your help
  1.

    "news" <geerge@yahoo.com> wrote in message
    news:e7YBc.96576$dP1.317750@newsc.telia.net...
    > Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
    > things with my ip.
    >
    > I heard that a firewall is not enough. Perhaps there are other good
    > intrusion detection systems?

    There is a rather good IDS at www.snort.org

    There is also the add-on http://www.chaotic.org/guardian/ which can actively
    block ports based on Snort alerts.

    > But I would also like to be able to monitor the ports that are opened and
    > also "close" (the applications working through them) them if they are
    > just wasting space and memory.

    netstat perhaps?
  2.

    "Mike" <nospam@notherematey.com> wrote in message
    news:cb9mov$gdc$1@thorium.cix.co.uk...
    >
    > "news" <geerge@yahoo.com> wrote in message
    > news:e7YBc.96576$dP1.317750@newsc.telia.net...
    > > Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
    > > things with my ip.
    > >
    > > I heard that a firewall is not enough. Perhaps there are other good
    > > intrusion detection systems?
    >
    > There is a rather good IDS at www.snort.org
    >
    > There is also the add-on http://www.chaotic.org/guardian/ which can actively
    > block ports based on Snort alerts.
    >
    > > But I would also like to be able to monitor the ports that are opened and
    > > also "close" (the applications working through them) them if they are
    > > just wasting space and memory.
    >
    > netstat perhaps?


    Thanks for your help!

    Is it possible to block ip in Windows 98? To only allow certain ip..

    Then no one can get through that if not first hacking the allowed ip, right?

    Thank you
  3.

    In article <MlZBc.96583$dP1.317738@newsc.telia.net>, geerge@yahoo.com says...
    >
    > "Mike" <nospam@notherematey.com> wrote in message
    > news:cb9mov$gdc$1@thorium.cix.co.uk...
    > >
    > > "news" <geerge@yahoo.com> wrote in message
    > > news:e7YBc.96576$dP1.317750@newsc.telia.net...
    > > > Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
    > > > things with my ip.
    > > >
    > > > I heard that a firewall is not enough. Perhaps there are other good
    > > > intrusion detection systems?
    > >
    > > There is a rather good IDS at www.snort.org
    > >
    > > There is also the add-on http://www.chaotic.org/guardian/ which can actively
    > > block ports based on Snort alerts.
    > >
    > > > But I would also like to be able to monitor the ports that are opened and
    > > > also "close" (the applications working through them) them if they are
    > > > just wasting space and memory.
    > >
    > > netstat perhaps?
    >
    > Thanks for your help!
    >
    > Is it possible to block ip in Windows 98? To only allow certain ip..
    >
    > Then no one can get through that if not first hacking the allowed ip, right?
    >
    > Thank you
    >
    >
    Hi News. You can use the Windows 98 Host file to block sites and prevent
    your computer from connecting to those sites. Host info:
    http://www.accs-net.com/hosts/what_is_hosts.html
    You can also use a good firewall, set up correctly, to control applications,
    ports, protocols, IPs, etc.
  4.

    "Casey" <casey@nosuch.net> wrote in message
    news:MPG.1b423bfbf7837bf3989741@news.west.earthlink.net...
    > In article <MlZBc.96583$dP1.317738@newsc.telia.net>, geerge@yahoo.com says...
    > >
    > > "Mike" <nospam@notherematey.com> wrote in message
    > > news:cb9mov$gdc$1@thorium.cix.co.uk...
    > > >
    > > > "news" <geerge@yahoo.com> wrote in message
    > > > news:e7YBc.96576$dP1.317750@newsc.telia.net...
    > > > > Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
    > > > > things with my ip.
    > > > >
    > > > > I heard that a firewall is not enough. Perhaps there are other good
    > > > > intrusion detection systems?
    > > >
    > > > There is a rather good IDS at www.snort.org
    > > >
    > > > There is also the add-on http://www.chaotic.org/guardian/ which can actively
    > > > block ports based on Snort alerts.
    > > >
    > > > > But I would also like to be able to monitor the ports that are opened and
    > > > > also "close" (the applications working through them) them if they are
    > > > > just wasting space and memory.
    > > >
    > > > netstat perhaps?
    > >
    > > Thanks for your help!
    > >
    > > Is it possible to block ip in Windows 98? To only allow certain ip..
    > >
    > > Then no one can get through that if not first hacking the allowed ip, right?
    > >
    > > Thank you
    > >
    > Hi News. You can use the Windows 98 Host file to block sites and prevent
    > your computer from connecting to those sites. Host info:
    > http://www.accs-net.com/hosts/what_is_hosts.html
    > You can also use a good firewall, set up correctly, to control applications,
    > ports, protocols, IPs, etc.


    Hi! Thanks!

    But host file can only block specified ip:s right? Not the opposite way, to
    only allow a few?

    Thanks
  5.

    news wrote:

    > But host file can only block specified ip:s right? Not the opposite way,
    > to only allow a few?

    Using a local hosts file for other hosts than a few in your LAN (in case no
    local DNS server for the LAN is configured) is usually a pain in the a*s.
    DNS was invented and introduced a long time back to overcome the
    problems associated with the use of local hosts files.

    The technique recommended here is IMHO useless for the purpose and will do
    more harm than good.

    Wolfgang
    --
    A foreign body and a foreign mind
    never welcome in the land of the blind.
    from 'Not one of us', (c) 1980 Peter Gabriel
  6.

    "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
    news:cbaaan$rq8$1@news.shlink.de...
    > news wrote:
    >
    > > But host file can only block specified ip:s right? Not the opposite way,
    > > to only allow a few?
    >
    > Using a local hosts file for other hosts than a few in your LAN (in case no
    > local DNS server for the LAN is configured) is usually a pain in the a*s.
    > DNS was invented and introduced a long time back to overcome the
    > problems associated with the use of local hosts files.
    >
    > The technique recommended here is IMHO useless for the purpose and will do
    > more harm than good.
    >
    > Wolfgang


    Thanks! How safe is an ip blocking method? Is it still possible for someone
    with a not allowed ip to hack inside? How can they get around that? They
    need to show their ip to get inside my pc, right? Can it be faked so it
    looks like an allowed one? Or can they change the adjustments for the
    blocked/allowed ip some other way? Perhaps from inside (If already there)
    with a trojan!? But those can be found and destroyed easier I guess.


    I'm not scared of someone searching through my computer. But what I am
    scared of is that someone might use my ip for illegal activities.

    Do I need a firewall that takes a lot of cpu just to specify allowed ip? I
    read Kerio can do this.
    I can't do this in Windows 98 without any extra software? I am not spoiled
    with cpu :)

    Guess it's too much to ask - but a small software where we can specify ip and
    keep an eye on intruders or attempts. Is that heaven? :)

    Thanks!!
  7.

    news wrote:

    > Thanks! How safe is an ip blocking method? Is it still possible for
    > someone with a not allowed ip to hack inside?

    Please define 'hack inside'. And keep in mind that 'hacking inside' requires
    a service that is running and can be exploited in whatever way. Anyhow a
    service was always installed or started by yourself (perhaps by unwillingly
    executing malware).

    > How can they get around that?

    Think at least twice, what software you install. Use an operating system
    that knows user and access rights, set these strict. Switch all unwanted
    services off.

    > They need to show their ip to get inside my pc, right?

    Every machine that communicates via a tcp/ip network needs an ip.

    > Can it be faked so it looks like an allowed one?

    When udp is used as the transport protocol ip spoofing is easy, when tcp is
    used, it is quite difficult. Spoofing icmp is also easy but icmp is no
    transport protocol, therefore there is no payload like tcp or udp.

    > Or can they change the adjustments for the blocked/allowed ip some other
    > way?

    Which ip do you want to block? Remember: If you run no services, nobody can
    connect to your machine.

    > Perhaps from inside (If already
    > there) with a trojan!? But those can be found and destroyed easier i
    > guess.

    A system that is infected with malware has to be reinstalled completely from
    clean media.
    >
    > I'm not scared of someone searching through my computer. But what I am
    > scared of is that someone might use my ip for illegal activities.

    ???

    > Do I need a firewall that takes a lot of cpu just to specify allowed ip? I
    > read Kerio can do this.

    A host based packet filter, that allows end user interaction doesn't make
    any sense at all.

    > I can't do this in Windows 98 without any extra software?

    What services does your box offer? None? Fine, so just sit back and relax.

    >I am not
    > spoiled with cpu :)
    >
    > Guess it's too much to ask - but a small software where we can specify ip
    > and keep an eye on intruders or attempts. Is that heaven? :)

    You don't need additional software, a locked down box that offers no services
    is sufficient, if you are able to keep an overview, what software is
    installed on your system and what that software does. If you can't keep
    control over the installed software all firewall placebos will not be able
    to help you on a win98 system, since malware can control the firewall
    completely.

    Actually I'm afraid that all that I've written was far too technical and
    complicated for you and you've hardly understood anything of what I wanted
    to tell you. So install whatever tool/firewall placebo you want, you'll
    never be able to secure your win98 box.

    Wolfgang
    --
    A foreign body and a foreign mind
    never welcome in the land of the blind
    Peter Gabriel, Not one of us, 1980
  8.

    "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
    news:cbbjc8$1tv$1@news.shlink.de...
    > news wrote:
    >
    > > Thanks! How safe is an ip blocking method? Is it still possible for
    > > someone with a not allowed ip to hack inside?
    >
    > Please define 'hack inside'. And keep in mind that 'hacking inside' requires
    > a service that is running and can be exploited in whatever way. Anyhow a
    > service was always installed or started by yourself (perhaps by unwillingly
    > executing malware).
    >
    > > How can they get around that?
    >
    > Think at least twice, what software you install. Use an operating system
    > that knows user and access rights, set these strict. Switch all unwanted
    > services off.
    >
    > > They need to show their ip to get inside my pc, right?
    >
    > Every machine that communicates via a tcp/ip network needs an ip.
    >
    > > Can it be faked so it looks like an allowed one?
    >
    > When udp is used as the transport protocol ip spoofing is easy, when tcp is
    > used, it is quite difficult. Spoofing icmp is also easy but icmp is no
    > transport protocol, therefore there is no payload like tcp or udp.
    >
    > > Or can they change the adjustments for the blocked/allowed ip some other
    > > way?
    >
    > Which ip do you want to block? Remember: If you run no services, nobody can
    > connect to your machine.
    >
    > > Perhaps from inside (If already
    > > there) with a trojan!? But those can be found and destroyed easier I
    > > guess.
    >
    > A system that is infected with malware has to be reinstalled completely from
    > clean media.
    >
    > > I'm not scared of someone searching through my computer. But what I am
    > > scared of is that someone might use my ip for illegal activities.
    >
    > ???
    >
    > > Do I need a firewall that takes a lot of cpu just to specify allowed ip? I
    > > read Kerio can do this.
    >
    > A host based packet filter, that allows end user interaction doesn't make
    > any sense at all.
    >
    > > I can't do this in Windows 98 without any extra software?
    >
    > What services does your box offer? None? Fine, so just sit back and relax.
    >
    > > I am not
    > > spoiled with cpu :)
    > >
    > > Guess it's too much to ask - but a small software where we can specify ip
    > > and keep an eye on intruders or attempts. Is that heaven? :)
    >
    > You don't need additional software, a locked down box that offers no services
    > is sufficient, if you are able to keep an overview, what software is
    > installed on your system and what that software does. If you can't keep
    > control over the installed software all firewall placebos will not be able
    > to help you on a win98 system, since malware can control the firewall
    > completely.
    >
    > Actually I'm afraid that all that I've written was far too technical and
    > complicated for you and you've hardly understood anything of what I wanted
    > to tell you. So install whatever tool/firewall placebo you want, you'll
    > never be able to secure your win98 box.
    >
    > Wolfgang


    --------------------------------------


    I think I understand at least. Have asked on other forums how to turn off
    ports but I could not get any straight answers except - "get a firewall".

    Is there any software that can control what programs I can close so that
    those ports are safe? I don't know how to do it manually. Perhaps you know
    of some guide for this?

    Thanks
  9.

    "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
    news:cbbjc8$1tv$1@news.shlink.de...
    > news wrote:
    >
    > > Thanks! How safe is an ip blocking method? Is it still possible for
    > > someone with a not allowed ip to hack inside?
    >
    > Please define 'hack inside'. And keep in mind that 'hacking inside' requires
    > a service that is running and can be exploited in whatever way. Anyhow a
    > service was always installed or started by yourself (perhaps by unwillingly
    > executing malware).
    >
    > > How can they get around that?
    >
    > Think at least twice, what software you install. Use an operating system
    > that knows user and access rights, set these strict. Switch all unwanted
    > services off.
    >
    > > They need to show their ip to get inside my pc, right?
    >
    > Every machine that communicates via a tcp/ip network needs an ip.
    >
    > > Can it be faked so it looks like an allowed one?
    >
    > When udp is used as the transport protocol ip spoofing is easy, when tcp is
    > used, it is quite difficult. Spoofing icmp is also easy but icmp is no
    > transport protocol, therefore there is no payload like tcp or udp.
    >
    > > Or can they change the adjustments for the blocked/allowed ip some other
    > > way?
    >
    > Which ip do you want to block? Remember: If you run no services, nobody can
    > connect to your machine.
    >
    > > Perhaps from inside (If already
    > > there) with a trojan!? But those can be found and destroyed easier I
    > > guess.
    >
    > A system that is infected with malware has to be reinstalled completely from
    > clean media.
    >
    > > I'm not scared of someone searching through my computer. But what I am
    > > scared of is that someone might use my ip for illegal activities.
    >
    > ???
    >
    > > Do I need a firewall that takes a lot of cpu just to specify allowed ip? I
    > > read Kerio can do this.
    >
    > A host based packet filter, that allows end user interaction doesn't make
    > any sense at all.
    >
    > > I can't do this in Windows 98 without any extra software?
    >
    > What services does your box offer? None? Fine, so just sit back and relax.
    >
    > > I am not
    > > spoiled with cpu :)
    > >
    > > Guess it's too much to ask - but a small software where we can specify ip
    > > and keep an eye on intruders or attempts. Is that heaven? :)
    >
    > You don't need additional software, a locked down box that offers no services
    > is sufficient, if you are able to keep an overview, what software is
    > installed on your system and what that software does. If you can't keep
    > control over the installed software all firewall placebos will not be able
    > to help you on a win98 system, since malware can control the firewall
    > completely.
    >
    > Actually I'm afraid that all that I've written was far too technical and
    > complicated for you and you've hardly understood anything of what I wanted
    > to tell you. So install whatever tool/firewall placebo you want, you'll
    > never be able to secure your win98 box.
    >
    > Wolfgang

    -------------------------------------


    A little more...

    I just use my computer for email, browsing and for access to some data
    services.

    I am a little confused. Let's see.. But it is better to close a program that
    holds a port open than to try to block ip:s? Since you apparently can get
    around by spoofing.

    So if my computer is on and online but all software is closed, not even
    the best hacker can communicate with it? They can't start a program and
    continue from there?

    Then why do they tell us to install even more software? :) They want to
    make money of course..

    Thanks for your help

    Patrik (News is not my name. Just typed wrong :)
  10.

    news wrote:

    > I just use my computer for email, browsing

    Use safe client software.

    > and for access to some data services.

    You mean file sharing (kazaa etc)? Simply forget security when using file
    sharing services.

    > I am a little confused.

    That happens when firewall placebos are confronted with basics about network
    communication.

    > Let's see.. But it is better to close a program
    > that holds a port open than to try to block ip:s?

    Yes. A not existing service can neither be connected nor be exploited.

    > Since you apparently can get around by spoofing.

    IP spoofing is difficult with tcp, easy with udp.

    > So if my computer is on and online but all software is closed, not even
    > the best hacker can communicate with it?

    Right, as long as there are no vulnerabilities in the network protocol stack
    of your operating system. You have to trust the vendor of the OS up to that
    point.

    > They can't start a program and continue from there?

    How should anyone be able to start a software on a box that he cannot even
    connect to?

    > Then why do they tell us to install even more software?

    Which is nonsense. More software means more code, thus more possible errors.
    Safe systems are small systems.

    > :) They want to make money of course.

    That might be a reason.

    Wolfgang
    --
    A foreign body and a foreign mind
    never welcome in the land of the blind
    Peter Gabriel, Not one of us, 1980
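
The replies above argue that a port only matters while a program is listening on it, and that UDP source addresses are easier to forge than TCP ones; both can be checked against `netstat -an` output. This is an added example, not part of the original posts: the sample output, the `expected` allowlist and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows-style `netstat -an` output (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
  UDP    192.168.1.10:137       *:*
  UDP    127.0.0.1:1030         *:*
"""

# proto, local host, local port, foreign address, optional state (UDP rows have none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return sockets that accept traffic: TCP in LISTENING state, every bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers and blank lines
        proto, host, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an established connection is not a service someone can connect to
        host = host.strip("[]")  # IPv6 addresses are shown in brackets
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # name instead of address: assume reachable
        listeners.append({
            "proto": proto,
            "addr": host,
            "port": int(port),
            # loopback-bound sockets cannot be reached from other machines
            "exposure": "loopback" if loopback else "network",
            # UDP has no handshake, so an allow-list of source IPs is weak protection
            "source_ip_spoofable": proto == "UDP",
        })
    return listeners


def unexpected_services(listeners, expected):
    """Network-reachable (proto, port) pairs that are not in the expected set."""
    found = {(l["proto"], l["port"]) for l in listeners if l["exposure"] == "network"}
    return sorted(found - set(expected))


if __name__ == "__main__":
    sockets = parse_listeners(SAMPLE_NETSTAT)
    # Hypothetical allowlist: the only services this machine is meant to offer.
    expected = {("TCP", 139), ("UDP", 137)}
    for proto, port in unexpected_services(sockets, expected):
        print(f"unexpected listener: {proto}/{port} (find and close the owning program)")
```
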
  11.

    "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
    news:cbbnnt$2h7$1@news.shlink.de...
    > news wrote:
    >
    > > I just use my computer for email, browsing
    >
    > Use safe client software.
    >
    > > and for access to some data services.
    >
    > You mean file sharing (kazaa etc)? Simply forget security when using file
    > sharing services.
    >
    > > I am a little confused.
    >
    > That happens when firewall placebos are confronted with basics about network
    > communication.
    >
    > > Let's see.. But it is better to close a program
    > > that holds a port open than to try to block ip:s?
    >
    > Yes. A not existing service can neither be connected nor be exploited.
    >
    > > Since you apparently can get around by spoofing.
    >
    > IP spoofing is difficult with tcp, easy with udp.
    >
    > > So if my computer is on and online but all software is closed, not even
    > > the best hacker can communicate with it?
    >
    > Right, as long as there are no vulnerabilities in the network protocol stack
    > of your operating system. You have to trust the vendor of the OS up to that
    > point.
    >
    > > They can't start a program and continue from there?
    >
    > How should anyone be able to start a software on a box that he cannot even
    > connect to?
    >
    > > Then why do they tell us to install even more software?
    >
    > Which is nonsense. More software means more code, thus more possible errors.
    > Safe systems are small systems.
    >
    > > :) They want to make money of course.
    >
    > That might be a reason.
    >
    > Wolfgang
    > --
    > A foreign body and a foreign mind
    > never welcome in the land of the blind
    > Peter Gabriel, Not one of us, 1980


    ------------------------


    No, not file sharing for me. It's data from a company I subscribe to.

    Thanks for helping me with some ?
  12.

    On Tue, 22 Jun 2004 15:20:42 GMT, the right honourable "news"
    <geerge@yahoo.com> wrote:

    >Hi! I don't want anyone to hijack my pc and surf to porn sites or other bad
    >things with my ip.
    >
    >I heard that a firewall is not enough. Perhaps there are other good
    >intrusion detection systems?
    >


    definitions:

    A FW is NOT an IDS.

    A FW blocks specific traffic and maybe redirects traffic too.

    An IDS system looks at traffic that is not blocked and looks if it is
    suspicious. It does not block, it just reports.

    So the word "other" is not appropriate.

    IMHO you need:
    FW (OSI layers: Transport and Application)
    Virus detection/removal (automatic)
    AD-removal once a day

    And if you need to be active: an IDS box like a SNORT system.
    You should put it after the first FW, on a **HUB**, not a switch.

    fr gr
    Erik