Re: Prevent determined intrusion attacks ?
From: Carl Holtje (cwh0803_at_cs.rit.edu)
Date: Tue, 18 Nov 2003 08:09:51 -0500
The *first* thing I would do is put myself behind a hardware firewall..
the Linksys (blatant product endorsement here) routers are the best I've
You need something that blocks connection attempts, not just
connections... the hardware device will take care of this for you, and
then you *almost* don't even need to run anything on your computer...
Additionally, it will be the firewall that gets your ADSL IP address;
your computer will have an IP address like 192.168.1.2 or something...
this further prevents connections as they will not be able to connect to
192.168......, only your ADSL IP...
If you ensure all ports are closed (i.e., not forwarding any connections
from the router), you're pretty safe...
FYI, the linksys boxes are router/switch/firewall all in one, so you can
later add systems or whatnot... Look around; these devices are pretty
common so they're not terribly pricey any more...
As for your 5 minute delay; that's about right.. more than likely,
you're part of a net-wide scan and not being targeted directly...
they're just looking for someplace to get in...
Hope it helps..
> Hi, bit of a newbie question, but I've had a good search on the groups
> and can't find anything directly on point.
> I run a personal computer, Windows XP, use Windows Update
> (reluctantly) with Norton Internet Security 2003 installed and
> updated. I have a broadband ADSL connection. As you will know, NIS
> detects and records intrusion attempts and provides a record of the
> IP address which probed your system.
> In the last four or five days I've been getting very frequent attacks
> from one source. It's a dynamic IP, based in Israel (although the
> address could be "borrowed") and keeps changing (to get around the
> fact that NIS blocks any particular IP address which triggers an
> alert). I believe it's actually targeting me, rather than being a
> random sweep, because I get my first alert within 30 seconds of
> logging on, and then consistent alerts every 5 minutes or so - similar
> but not identical IP address.
> NIS tells me it's blocking the attempts, but, of course, no system is
> perfect. I also noticed when I logged onto my e-mail this morning,
> that Outlook appeared to send an e-mail when I hadn't drafted one, and
> when I checked Sent Items there was nothing there. I'm guessing this
> means I may have already been hacked. There's nothing special on my
> computer, just the usual amount of personal information which I would
> prefer to keep to myself!
> Does anyone have any ideas what a reasonably computer literate (but no
> specialist) person can do to deal with this kind of determined
> attack? I've resorted to unplugging my modem, but wondered if there is a
> better way.
--
"There are 10 types of people in the world: Those who understand binary and those that don't."
$>whoami: Carl Holtje
$>mail holtje: firstname.lastname@example.org
$>cu: http://www.cs.rit.edu/~cwh0803
$>whois holtje: System Administrator Group, Computer Science Department, Rochester Institute of Technology
$>
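The two signals the thread discusses, alerts arriving from similar but not identical source addresses and a steady gap of a few minutes between them, can be pulled out of a firewall alert log mechanically. The script below is an added example, not code from the thread or from Norton Internet Security; it groups alerts by source /24 prefix and reports the median spacing, and it reads a constructed, simplified line format (timestamp, source IP, rule name) rather than NIS's real log layout.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample alerts in a hypothetical "<date> <time> <source_ip> <rule>" layout.
# Addresses come from the TEST-NET ranges reserved for documentation.
SAMPLE_ALERTS = """\
2003-11-18 08:00:12 198.51.100.17 Port probe
2003-11-18 08:05:09 198.51.100.23 Port probe
2003-11-18 08:10:14 198.51.100.41 Port probe
2003-11-18 08:15:11 198.51.100.19 Port probe
2003-11-18 08:21:03 203.0.113.5 Port probe
""".splitlines()


def parse_alerts(lines):
    """Parse log lines into (timestamp, source address, rule) tuples; skip malformed lines."""
    alerts = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        alerts.append((ts, ip_address(parts[2]), parts[3]))
    return alerts


def cluster_by_prefix(alerts, prefixlen=24):
    """Bucket alert timestamps by the source address's enclosing /prefixlen network."""
    groups = defaultdict(list)
    for ts, ip, _rule in alerts:
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[net].append(ts)
    return groups


def summarize(alerts, prefixlen=24):
    """Return {prefix: (alert count, median seconds between alerts or None)}.

    A single prefix with many alerts at a near-constant interval is the pattern
    the original poster describes; a spread across unrelated prefixes looks
    more like background scanning. The log alone cannot settle which it is.
    """
    summary = {}
    for net, times in cluster_by_prefix(alerts, prefixlen).items():
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        summary[str(net)] = (len(times), median(gaps) if gaps else None)
    return summary
```

Running `summarize(parse_alerts(SAMPLE_ALERTS))` on the constructed sample reports four alerts from 198.51.100.0/24 roughly five minutes apart and a lone alert from 203.0.113.0/24.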