PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Sender: PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date: Tue, 1 Jun 1999 15:50:11 -0700
Reply-To: PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Content-type: text/plain; charset=US-ASCII
Subject:
From: David Gillett <[log in to unmask]>
Content-transfer-encoding: 7BIT
In-Reply-To:
Organization: General Magic
MIME-Version: 1.0
Parts/Attachments: text/plain (117 lines)

On 31 May 99, at 14:19, Joan Rapier wrote:

> I'm on a high speed network w/ Cox@Home ISP.  I'm getting hit daily w/
> attempted breakins.  I'm running a program called Intruder Alert99.
> That's how I've learned my system's being poked at.

  I use a program called "AtGuard Personal Firewall" on my personal system.
Other products in this market include "ConSeal" and "Security98".

>   The system I have my cable modem on right now is running Windows95B.  I
> use another program called Visual Route to try and track down the
> culprit(s).  I've narrowed them down to as far away as Norway, Minnesota,
> and Florida. Although I've tracked them down that far, I'm at a loss as to
> what to do beyond that.

  I happen to have also recently seen an intrusion attempt from Norway, although
not on any of the ports you list below....

  In my professional capacity, I have the system configured to record logs of
intrusion attempts.  I use ARIN (or RIPE for Europe or APNIC for Asia) and
RWhois to identify the apparent[*] system of origin; coupled with TraceRoute
(TraceRt.exe included with NT), I can generally work out who their ISP is.
Most ISPs have an abuse@ or security@ email address that accepts reports of
such behaviour; they will determine which customer is involved, and whether
their customer is the perpetrator (in which case they will often lose their
access...) or themselves a victim (sometimes a customer's machine has been
taken over by a hacker, or is "framed" as the culprit).  Note that larger
ISPs probably won't get back to you with details; try a phone call if the
attempts continue.

> Also, I'm not confident that Intruder Alert can stave off all attacks.
> Can it detect all the hits?
>
> The ports that IA99 is monitoring are:
> 21-FTP
> 23-Telnet
> 25-SMTP
> 53-DNS
> 70-Gopher
> 79-Finger
> 80-HTTP
> 110-POP3
> 443-HTTPS
> 513-Login
> 514-Remote Command
> 31337-Back Orifice
>
> So far, IA99 has detected attempted breakins on Ports 21, 23, and 80.

  Hmmm.  A *good* product should monitor all but the ports you tell it are okay.
[AtGuard does.  Don't know about others.]  Specifically, Windows PCs too
often share ports in the 135-139 range (NetBIOS) with the world, and attempts
to connect to these should be monitored.  Back Orifice is configurable to use
other ports; a similar threat called NetBus uses 12345 and 12346....

> I have NT Workstation 4.0 - I even have Back Office.  I bought them both
> ages ago but just haven't had time to load either or both of them up.
>
> I've never set up a fire wall but am game if that's what I need to do.
> Is it time for me to load up NT4.0 Workstation and set up a fire wall or
> can I count on IA99 to fend off these attacks?

  It *sounds* like IA99 is watching for only a few things.  ["A 'packet filter'
permits everything except what you explicitly block; a 'firewall' blocks
everything except what you explicitly permit."]  Although Windows systems
aren't *generally* vulnerable to them, we routinely see attacks on ports 111,
143 and 161, for instance.

> I have another system - a Pentium 233MMX - ready to build up.  I could
> use my Pentium 133 for a Proxy Server if I need one and go ahead and
> build up the 233 system.  That'll be 3 systems on my network.  I have
> one more client - a K62/400 running Win98.  I'd like to setup internet
> access for both computers on the network anyway. I probably can take
> care of that at the same time if I need to use a Proxy Server - yes?
>
> Can a Proxy Server serve as my firewall or is that another animal
> altogether?

  Proxy Server is Microsoft's entry in the "firewall" field.  [Commercial
firewalls fall into three main types:  packet filters, filters with "stateful
inspection", and application proxies.  Proxy Server includes application
filtering and three flavours of application proxying.]
  Running the firewall ON a machine where you run applications is arguable in
a personal context, but in a more "professional" setting, it is frowned upon.
The best exposition of this I've seen is in Cheswick & Bellovin, "Firewalls and
Internet Security", Addison Wesley.
  This is the gist of the beef that many security professionals have with MS
Proxy Server; it runs on top of NTS4 and IIS4 (which means it also needs
IE4).  Bugs or security holes in any of these other largish suites may allow
an attacker to crash or compromise the protection you expect Proxy Server to
provide.
  A better choice might be to install a Linux with a 2.2.x kernel and the
ipchains package; its footprint will be much smaller and its OS
vulnerabilities, arguably fewer than NT's, will be *different from* your
application machines'.  [Note that this does involve dedicating a machine to
the firewall role -- however, indications are that a modest 486 DX2 or DX4 is
adequate for the job....]

> These are the systems I have to work with.  I have each of the Microsoft
> Client OSs.  Can you folks suggest a setup using this equipment that
> would keep my systems safe (short of having to unplug my network cable)?
>
> Thank you in advance for your advice and assistance.

  The Cheswick and Bellovin book is one of the best around, but may be
slightly more technical than you'd like.  [Not much way around that, I'm
afraid.]  "Maximum Security" (by "Anonymous"), published by SAMS, is probably
the other thing on my shelf that is most accessible -- the technical errors
in it that bug me are probably too minor to matter to most readers.


David G
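Two points in David's reply are easy to see side by side in code: a watch list that only notices the ports you name (the "packet filter permits everything except what you explicitly block" stance) silently misses probes on NetBIOS 135-139, NetBus 12345, or port 111, whereas a default-deny firewall logs everything not explicitly permitted; and the blocked attempts, grouped by source address, are exactly the material to send to an ISP's abuse@ address. The script below is an added example written for this archive page, not code from the original message, from IA99 or from AtGuard. The log format is an assumption (one line per connection attempt: date, time, source IP, destination port, protocol), the log lines are constructed using documentation-reserved addresses, and the watch list is the port list Joan quoted.

```python
"""Toy connection-attempt analysis: watch-list alerts vs default-deny blocking, plus an abuse summary."""
from collections import defaultdict
import ipaddress

# Constructed sample log, modelled loosely on a personal firewall's connection log.
# Assumed format per line: "YYYY-MM-DD HH:MM:SS source_ip dest_port proto" (not IA99's real format).
SAMPLE_LOG = """\
1999-05-31 14:02:11 203.0.113.7 21 tcp
1999-05-31 14:02:12 203.0.113.7 23 tcp
1999-05-31 14:05:40 198.51.100.23 80 tcp
1999-05-31 14:07:03 198.51.100.23 139 tcp
1999-05-31 14:07:05 198.51.100.23 12345 tcp
1999-05-31 14:09:58 192.0.2.88 31337 udp
1999-05-31 14:11:20 192.0.2.88 111 tcp
"""

# The ports IA99 was monitoring, as listed in the quoted message.
# Default-allow stance: only traffic to these ports is ever reported.
IA99_WATCH = {21, 23, 25, 53, 70, 79, 80, 110, 443, 513, 514, 31337}

# Inbound services the owner deliberately exposes (assumed: just a web server).
# Default-deny stance: anything not in this set is blocked and logged.
PERMITTED = {80}


def parse_log(text):
    """Turn the raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, time, src, port, proto = parts
        events.append({
            "ts": f"{date} {time}",
            "src": ipaddress.ip_address(src),  # validates the address as a side effect
            "port": int(port),
            "proto": proto,
        })
    return events


def watchlist_alerts(events, watch=IA99_WATCH):
    """Default-allow: an attempt is noticed only if its port is on the watch list."""
    return [e for e in events if e["port"] in watch]


def default_deny_blocks(events, permitted=PERMITTED):
    """Default-deny: every attempt at a port that is not explicitly permitted is blocked."""
    return [e for e in events if e["port"] not in permitted]


def missed_by_watchlist(events, watch=IA99_WATCH, permitted=PERMITTED):
    """Attempts a default-deny firewall blocks but the watch list never reports (the blind spot)."""
    return [e for e in events if e["port"] not in permitted and e["port"] not in watch]


def abuse_report(events):
    """Summarise blocked attempts per source address: count, ports probed, first/last timestamp.

    This is the kind of summary to pair with ARIN/RIPE/APNIC lookups before
    contacting the source network's abuse@ or security@ address.
    """
    by_src = defaultdict(list)
    for e in default_deny_blocks(events):
        by_src[str(e["src"])].append(e)
    return {
        src: {
            "count": len(es),
            "ports": sorted({e["port"] for e in es}),
            "first": es[0]["ts"],
            "last": es[-1]["ts"],
        }
        for src, es in by_src.items()
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("watch list would report :", sorted(e["port"] for e in watchlist_alerts(evs)))
    print("default-deny would block:", sorted(e["port"] for e in default_deny_blocks(evs)))
    print("missed by the watch list:", sorted(e["port"] for e in missed_by_watchlist(evs)))
    for src, summary in abuse_report(evs).items():
        print(src, summary)
```

On the constructed log the watch list reports only ports 21, 23, 80 and 31337, while the probes on 139, 12345 and 111 pass unnoticed; a default-deny policy blocks and records all of them except the deliberately exposed port 80. Timestamps in the report come out in log order, which is what an abuse contact needs to match against their own records.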

                         PCBUILD's List Owners:
                      Bob Wright<[log in to unmask]>
                        Drew Dunn<[log in to unmask]>
