Outpost Users Support Forum  
Outpost User Operated Support Forum
Agnitum Outpost Pro Release (OP, OSS, AV): 7.0.3.3392 [24-AUG-2010]
www.agnitum.com

#1
04-13-2004, 06:23 AM
ast
Junior Member
Join Date: Apr 2004
Posts: 4
Modified protect.lst causes trouble?

Hello everyone,

I would like to ask for assistance with a problem I'm experiencing with OP v1.0.1817.1645.

Recently I made some changes to the "protect.lst" file in order to get better protection on vulnerable ports.

Since I made those changes, my internet connection [cable modem using a VPN server on Windows 95] doesn't work well; it disconnects every few minutes.

I attached the modified protect.lst file.

Thanks
Attached file: protect.lst (9.8 KB)
#2
04-13-2004, 06:47 AM
MegaHertz
Beta Tester
Join Date: Jan 2002
Location: Idaho
Posts: 3,951
I suspect that your VPN is using one of the ports that you added to your list. You should be able to verify this by checking your attack detection logs shortly after the disconnect to see what port is getting blocked. Once you know which port is causing the problem you can remove it from the list.
#3
04-13-2004, 07:33 AM
ast
Junior Member
Join Date: Apr 2004
Posts: 4

MegaHertz,

Here is the log from the "attack detection plugin" -

13/04/04 22:24:08 Port scanned 172.25.185.192 TCP(445)
13/04/04 22:24:08 Connection request 172.25.185.192 TCP(445)
13/04/04 22:23:50 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:23:44 Port scanned 68.75.102.28 TCP(2745)
13/04/04 22:23:44 Connection request 68.75.102.28 TCP(2745)
13/04/04 22:23:29 Connection request 81.33.32.15 TCP(4662)
13/04/04 22:23:12 Connection request 80.178.12.56 TCP(4662)
13/04/04 22:23:00 Connection request 213.115.10.42 TCP(6881)
13/04/04 22:22:47 Connection request 81.33.32.15 TCP(4662)
13/04/04 22:22:47 Connection request 194.204.29.11 TCP(4662)
13/04/04 22:22:45 Connection request 213.130.7.87 TCP(4662)
13/04/04 22:22:44 Port scanned 81.53.57.122 TCP(2745)
13/04/04 22:22:44 Connection request 81.53.57.122 TCP(2745)
13/04/04 22:22:36 Port scanned 62.202.80.56 TCP(139)
13/04/04 22:22:36 Connection request 62.202.80.56 TCP(139)
13/04/04 22:22:31 Connection request 217.225.28.146 TCP(4662)
13/04/04 22:22:14 Connection request 213.8.144.190 TCP(4662)
13/04/04 22:22:12 Connection request 81.218.205.150 TCP(4662)
13/04/04 22:22:03 Connection request 194.204.29.11 TCP(4662)
13/04/04 22:21:59 Port scanned 172.25.5.198 UDP(137)
13/04/04 22:21:59 Connection request 172.25.5.198 UDP(137)
13/04/04 22:21:47 Connection request 217.225.28.146 TCP(4662)
13/04/04 22:21:40 Port scanned 172.25.127.199 TCP(445)
13/04/04 22:21:40 Connection request 172.25.127.199 TCP(445)
13/04/04 22:21:36 Connection request 213.8.144.190 TCP(4662)
13/04/04 22:21:27 Connection request 81.218.205.150 TCP(4662)
13/04/04 22:21:20 Connection request 194.204.29.11 TCP(4662)
13/04/04 22:21:15 Connection request 80.178.168.151 TCP(4662)
13/04/04 22:21:03 Connection request 66.79.184.80 TCP(1043)
13/04/04 22:21:03 Connection request 217.225.28.146 TCP(4662)
13/04/04 22:20:51 Connection request 213.8.144.190 TCP(4662)
13/04/04 22:20:44 Connection request 81.218.205.150 TCP(4662)
13/04/04 22:20:27 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:20:11 Connection request 80.194.234.181 TCP(4662)
13/04/04 22:19:36 Connection request 81.218.218.57 TCP(4662)
13/04/04 22:19:27 Connection request 80.194.234.181 TCP(4662)
13/04/04 22:19:19 Port scanned 217.132.179.251 TCP(2745)
13/04/04 22:19:19 Connection request 217.132.179.251 TCP(2745)
13/04/04 22:19:14 Connection request 81.218.194.74 TCP(4662)
13/04/04 22:19:06 Connection request 80.230.82.240 TCP(4662)
13/04/04 22:19:05 Connection request 194.204.29.11 TCP(4662)
13/04/04 22:19:03 Connection request 66.79.184.80 TCP(1043)
13/04/04 22:18:43 Connection request 80.194.234.181 TCP(4662)
13/04/04 22:18:41 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:18:33 Connection request 81.218.218.57 TCP(4662)
13/04/04 22:18:31 Connection request 81.218.194.74 TCP(4662)
13/04/04 22:18:31 Port scanned 217.132.46.216 TCP(2745)
13/04/04 22:18:31 Connection request 217.132.46.216 TCP(2745)
13/04/04 22:18:28 Connection request 83.156.104.80 TCP(4662)
13/04/04 22:18:26 Connection request 80.230.82.240 TCP(4662)
13/04/04 22:18:21 Port scanned 217.132.146.32 TCP(445)
13/04/04 22:18:21 Connection request 217.132.146.32 TCP(445)
13/04/04 22:18:18 Connection request 194.204.29.11 TCP(4662)
13/04/04 22:18:17 Port scanned 217.132.177.219 TCP(445)
13/04/04 22:18:17 Connection request 217.132.177.219 TCP(445)
13/04/04 22:18:10 Connection request 80.230.0.93 TCP(4662)
13/04/04 22:17:52 Connection request 81.218.194.74 TCP(4662)
13/04/04 22:17:47 Connection request 81.242.115.57 TCP(4662)
13/04/04 22:17:42 Connection request 81.218.182.230 TCP(4662)
13/04/04 22:17:42 Connection request 80.230.82.240 TCP(4662)
13/04/04 22:17:36 Connection request 194.204.29.11 TCP(4662)
13/04/04 22:17:32 Connection request 81.218.218.57 TCP(4662)
13/04/04 22:17:31 Connection request 81.217.111.217 TCP(1122)
13/04/04 22:17:03 Connection request 66.79.184.80 TCP(1043)
13/04/04 22:17:02 Port scanned 217.132.3.96 TCP(2745)
13/04/04 22:17:02 Connection request 217.132.3.96 TCP(2745)
13/04/04 22:16:59 Connection request 81.242.115.57 TCP(4662)
13/04/04 22:16:44 Port scanned 81.248.191.222 TCP(2745)
13/04/04 22:16:44 Connection request 81.248.191.222 TCP(2745)
13/04/04 22:16:18 Port scanned 213.54.175.150 UDP(137)
13/04/04 22:16:18 Connection request 213.54.175.150 UDP(137)
13/04/04 22:16:11 Connection request 81.242.115.57 TCP(4662)
13/04/04 22:15:44 Connection request 217.225.152.108 TCP(4662)
13/04/04 22:15:39 Port scanned 217.132.146.78 TCP(445)
13/04/04 22:15:39 Connection request 217.132.146.78 TCP(445)
13/04/04 22:15:28 Connection request 147.45.33.30 TCP(4662)
13/04/04 22:15:24 Connection request 80.230.254.100 TCP(4662)
13/04/04 22:15:23 Connection request 82.166.81.69 TCP(4662)
13/04/04 22:15:09 Connection request 81.217.111.217 TCP(1122)
13/04/04 22:15:05 Connection request 217.225.152.108 TCP(4662)
13/04/04 22:15:03 Connection request 66.79.184.80 TCP(1043)
13/04/04 22:14:56 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:14:39 Connection request 82.166.81.69 TCP(4662)
13/04/04 22:14:26 Port scanned 217.132.199.123 TCP(445)
13/04/04 22:14:26 Connection request 217.132.199.123 TCP(445)
13/04/04 22:14:18 Connection request 217.225.152.108 TCP(4662)

My IP [from my ISP - it uses dynamic IP addresses] during this session was 217.132.240.54, my local Ethernet IP is 172.25.58.8, my subnet mask is 255.255.224.0 and my default gateway is 172.25.64.1.

I also tried to modify my protect.lst again; attached is the new one.

Any idea?

Attached file: protect.lst (9.7 KB)
#4
04-13-2004, 07:40 AM
ast
Junior Member
Join Date: Apr 2004
Posts: 4
Here is another session,

13/04/04 22:35:47 Connection request 195.137.35.192 TCP(4662)
13/04/04 22:35:43 Port scanned 217.132.58.98 TCP(2745)
13/04/04 22:35:43 Connection request 217.132.58.98 TCP(2745)
13/04/04 22:35:13 Port scanned 217.132.145.63 TCP(445)
13/04/04 22:35:13 Connection request 217.132.145.63 TCP(445)
13/04/04 22:35:00 Port scanned 216.170.20.56 UDP(137)
13/04/04 22:35:00 Connection request 216.170.20.56 UDP(137)
13/04/04 22:34:59 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:34:54 Port scanned 217.132.211.165 TCP(2745)
13/04/04 22:34:54 Connection request 217.132.211.165 TCP(2745)
13/04/04 22:34:37 Connection request 213.132.149.167 TCP(1981)
13/04/04 22:34:07 Port scanned 217.0.59.98 TCP(80)
13/04/04 22:34:07 Connection request 217.0.59.98 TCP(80)
13/04/04 22:33:45 Connection request 172.182.62.63 TCP(4662)
13/04/04 22:33:17 Connection request 24.6.50.107 TCP(4662)
13/04/04 22:32:48 Port scanned 172.25.40.232 TCP(445)
13/04/04 22:32:48 Connection request 172.25.40.232 TCP(445)
13/04/04 22:32:31 Connection request 24.6.50.107 TCP(4662)
13/04/04 22:32:30 Port scanned 217.132.72.178 TCP(2745)
13/04/04 22:32:30 Connection request 217.132.72.178 TCP(2745)
13/04/04 22:32:12 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:31:47 Connection request 24.6.50.107 TCP(4662)
13/04/04 22:31:28 Port scanned 217.132.85.173 TCP(445)
13/04/04 22:31:28 Connection request 217.132.85.173 TCP(445)
13/04/04 22:31:16 Connection request 217.225.28.146 TCP(4662)
13/04/04 22:31:06 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:30:51 Port scanned 172.25.107.98 UDP(137)
13/04/04 22:30:51 Connection request 172.25.107.98 UDP(137)
13/04/04 22:30:48 Port scanned 218.58.74.118 TCP(3389)
13/04/04 22:30:48 Connection request 218.58.74.118 TCP(3389)
13/04/04 22:30:36 Connection request 217.225.28.146 TCP(4662)
13/04/04 22:30:35 Connection request 200.47.100.141 TCP(4662)
13/04/04 22:29:59 Connection request 202.89.142.27 TCP(4662)
13/04/04 22:29:51 Connection request 200.47.100.141 TCP(4662)
13/04/04 22:29:50 Connection request 217.225.28.146 TCP(4662)
13/04/04 22:29:36 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:29:35 Port scanned 63.154.248.45 UDP(137)
13/04/04 22:29:35 Connection request 63.154.248.45 UDP(137)
13/04/04 22:29:10 Connection request 200.47.100.141 TCP(4662)
13/04/04 22:29:08 Connection request 202.89.142.27 TCP(4662)
13/04/04 22:29:08 Connection request 81.218.146.140 TCP(4662)
13/04/04 22:28:30 Connection request 202.89.142.27 TCP(4662)
13/04/04 22:27:59 Connection request 195.137.35.192 TCP(4662)
13/04/04 22:27:53 Port scanned 217.132.253.178 TCP(2745)
13/04/04 22:27:53 Connection request 217.132.253.178 TCP(2745)
13/04/04 22:27:36 Connection request 80.145.145.206 TCP(4662)
13/04/04 22:27:15 Connection request 195.137.35.192 TCP(4662)
13/04/04 22:26:58 Port scanned 62.0.188.173 TCP(139)
13/04/04 22:26:58 Connection request 62.0.188.173 TCP(139)
13/04/04 22:26:55 Connection request 80.145.145.206 TCP(4662)

This time I also tried to run "arp -a" from the command prompt to get more information:

C:\...les\Agnitum\Outpost Firewall 1.0>arp -a

Interface: 172.25.58.8 on Interface 2
  Internet Address      Physical Address      Type
  172.25.64.1           00-05-00-e7-cb-22     dynamic

Interface: 217.132.240.54 on Interface 3
  Internet Address      Physical Address      Type
  216.12.219.12         20-53-52-43-00-00     dynamic

Any idea?

Thanks
#5
04-13-2004, 08:14 AM
Paranoid2000
Super Moderator
Join Date: Feb 2003
Location: North West, United Kingdom
Posts: 10,286
Port 4662 is used by the eDonkey P2P network - if you are running a client of this network (like eMule) then this will be why you get the connection attempts (you may wish to add this port to the IgnorePorts section). If not, then you may have been allocated an IP address that belonged to someone running eMule, in which case disconnecting and reconnecting may get you another address without this issue.

However, the real problem is that you have included ports 1024-1030 in your protect.lst. Port numbers from 1024 onwards are allocated by Windows to any program that wants to send network traffic, so you will get replies back on these ports for legitimate applications. Remove them and the problem should disappear.

If you want to secure your Outpost configuration, take a look at instead. There are parts that only apply to Outpost version 2 and you will not be able to modify global rules if using Outpost Free but there should be quite a few useful suggestions in there nonetheless.
#6
04-13-2004, 10:46 PM
ast
Junior Member
Join Date: Apr 2004
Posts: 4
Working well now!

Paranoid2000 and MegaHertz, thank you very much - it looks good now!

I solved the problem: I reduced the "Weight" of some ports - there is an option to choose the significance a port has.

Anyway, I have another question: how can you define "global" rules for OP if I want to totally block a specific port? [Don't forget I'm using the "free" version, so it's more difficult.] Should I add it to the preset.lst? Where should I add such a rule if I want it to be a global rule [without adding it manually to all the applications in the list]?

Thank you very much!

PS: I attached my latest protect.lst. I think that it gives better protection against hackers, so whoever wants to use it is welcome [just don't forget to change your IP and subnet under the "IgnoreHosts" section].
Attached file: protect.lst (9.7 KB)
#7
04-14-2004, 12:19 AM
MTDay
Moderator
Join Date: Nov 2001
Location: London, UK
Posts: 1,310
What action were you using?

If you had "also block intruder subnet", then some bad activity by one system could disable connection to more important systems in the same subnet - it's an option that may be too secure, especially if you make the "port scan" setting particularly hair-trigger.

I think I WILL declare UDP 1026 and UDP 1027 to be hazardous, as I'm taking a shedload of junk on them, and the only valid traffic I've seen on them is TCP.

For general web browsing, email and other stuff, the ONLY legitimate UDP is for DNS. Streaming media / videoconferencing is about the only other common use of UDP that you actually want - the rest tends to be either clueless or malicious!
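Editor's added example (not code from the thread, from Agnitum or from Outpost itself): a small Python script that performs, on the poster's log format, the three checks the replies above describe. It counts which ports are drawing "Connection request" events (MegaHertz's suggestion in #2), lists any protected ports that sit in the Windows dynamic port range and are actually being hit (Paranoid2000's point in #5 about 1024-1030), and shows which logged sources fall inside the host's own subnet, where MTDay's "also block intruder subnet" action in #7 could take the gateway down with the intruder. The sample log lines are constructed in the format shown in #3 and #4; the protected-port list, the 1024-5000 ephemeral range and the /24 used to model "intruder subnet" are assumptions, since the thread does not give Outpost's actual values.

```python
"""Triage an Outpost attack-detection log against a protect.lst-style port list.

Added example; the log format is copied from the thread, everything else
(port list, ephemeral range, intruder-subnet size) is an assumption.
"""
from collections import Counter
import ipaddress
import re

# Constructed sample in the plugin's format: dd/mm/yy hh:mm:ss event source PROTO(port)
SAMPLE_LOG = """\
13/04/04 22:24:08 Port scanned 172.25.185.192 TCP(445)
13/04/04 22:24:08 Connection request 172.25.185.192 TCP(445)
13/04/04 22:23:50 Connection request 82.255.1.167 TCP(1981)
13/04/04 22:21:59 Port scanned 172.25.5.198 UDP(137)
13/04/04 22:21:59 Connection request 172.25.5.198 UDP(137)
13/04/04 22:21:03 Connection request 66.79.184.80 TCP(1043)
13/04/04 22:19:27 Connection request 80.194.234.181 TCP(4662)
13/04/04 22:17:31 Connection request 81.217.111.217 TCP(1122)
13/04/04 22:32:48 Connection request 172.25.40.232 TCP(445)
"""

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<event>Port scanned|Connection request) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<proto>TCP|UDP)\((?P<port>\d+)\)$"
)

# Assumption: classic Windows (9x/NT/2000/XP) hands out dynamic source ports
# 1025-5000; 1024 is included because the poster's protect.lst started there.
EPHEMERAL = range(1024, 5001)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        events.append(rec)
    return events


def port_counts(events):
    """(proto, port) -> number of 'Connection request' events. This is the
    histogram to read right after a disconnect (MegaHertz, #2)."""
    return Counter(
        (e["proto"], e["port"]) for e in events if e["event"] == "Connection request"
    )


def ephemeral_listed_ports(events, protected_ports):
    """Protected ports in the ephemeral range that the log shows being hit.
    Traffic to these is most likely replies to the host's own outbound
    connections, so listing them breaks legitimate sessions (Paranoid2000, #5)."""
    hit = {e["port"] for e in events}
    return sorted(p for p in protected_ports if p in EPHEMERAL and p in hit)


def same_subnet_sources(events, host_ip, netmask):
    """Logged sources inside the host's own subnet (host IP and mask as the
    poster gave them). Auto-blocking these, or their subnet, is risky."""
    net = ipaddress.IPv4Network(f"{host_ip}/{netmask}", strict=False)
    return sorted(
        {e["src"] for e in events if ipaddress.IPv4Address(e["src"]) in net},
        key=ipaddress.IPv4Address,
    )


def subnet_block_hits_gateway(intruder_ip, gateway_ip, prefixlen=24):
    """Would 'also block intruder subnet' swallow the default gateway (MTDay, #7)?
    Assumption: the intruder's subnet is modelled as a /24; the thread does not
    say what size Outpost actually uses."""
    net = ipaddress.IPv4Network(f"{intruder_ip}/{prefixlen}", strict=False)
    return ipaddress.IPv4Address(gateway_ip) in net


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("connection requests per port:", port_counts(ev).most_common())
    # Hypothetical protect.lst: NetBIOS/SMB, the 1024-1030 block objected to
    # in #5, and a few ports the sample log shows being hit.
    protected = [135, 137, 139, 445, *range(1024, 1031), 1043, 1122, 1981, 2745, 4662]
    print("listed ephemeral ports being hit:", ephemeral_listed_ports(ev, protected))
    print("sources inside 172.25.58.8/255.255.224.0:",
          same_subnet_sources(ev, "172.25.58.8", "255.255.224.0"))
    # 172.25.64.37 is a constructed address in the gateway's /24, not from the log.
    print("blocking 172.25.64.37's subnet also blocks gateway 172.25.64.1:",
          subnet_block_hits_gateway("172.25.64.37", "172.25.64.1"))
```

To use it on a real session, paste the plugin's log export into SAMPLE_LOG and your own protect.lst ports into `protected`; any port that comes back from `ephemeral_listed_ports` is a candidate to remove before looking for a VPN port clash, since it explains the disconnects on its own.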
#8
04-14-2004, 02:13 AM
Paranoid2000
Super Moderator
Join Date: Feb 2003
Location: North West, United Kingdom
Posts: 10,286
Ast,

The only way to completely block a specific port is to have an application rule blocking it in every application plus a global rule blocking it (so you cannot do this with Outpost Free). I would advise against focusing on port blocking to the exclusion of other security measures though - many trojans are available in source code form so the port they use can be easily altered.

MTDay,

Some P2P applications use UDP also as does DHCP (Dynamic Host Configuration Protocol - used to obtain an IP address lease when you first connect to most ISPs). UDP is used where performance is more important than reliability so wholesale blocking of it would seem a bit "drastic".