Eek!!!

Lazarus

Part of the furniture
Joined
Dec 22, 2003
Messages
2,874
Guys,

I was tweaking my Netgear DB834 router last night and set it up to send out reports of any "suspicious" behaviour.

Well, I've just pulled my POP mail and almost shit myself when I saw the emails:

NETGEAR *Security Alert* - 14 of the buggering messages. Most content was like:

TCP Packet - Source:xx.xx.xx.xx,22002 Destination:yy.yyy.yyy.yyy,3128 - [DOS]

where xx and yy were IP addresses.

Any ideas and hints or tips on how to correctly set up the router to avoid any malicious intent?
 

sibanac

Fledgling Freddie
Joined
Dec 19, 2003
Messages
824
It's just people out there infected with worms and other trojans trying to infect you.

Your router should keep you safe (and of course you have patched your system).

You might wanna take a look at dshield.org for more info.
 

TdC

Trem's hunky sex love muffin
Joined
Dec 20, 2003
Messages
30,925
hehheh, as long as your router doesn't allow connections to be set up to you from "outside" you'll be fine. also, run firewalls on all your internal systems regardless of needing them or not. welcome to the world of being able to see the crap floating about the internet. be glad you only had 14 emails matey :)

here's a bit of my fw logs:

tdc's fw log thingy said:
Apr 4 15:50:48 ring ipmon[70]: 15:50:48.143770 xl0 @0:14 b ip144.10.1411M-CUD12K-02.ish.de[62.143.10.144],1038 -> [tdc's firewall],netbios-ns PR udp len 20 78 IN
Apr 4 15:51:44 ring ipmon[70]: 15:51:44.053811 2x xl0 @0:13 b usr1262-udd.blueyonder.co.uk[62.31.139.7],4628 -> [tdc's firewall],loc-srv PR tcp len 20 48 -S 2584424173 0 8760 IN
Apr 4 15:51:45 ring ipmon[70]: 15:51:45.660765 xl0 @0:13 b usr1262-udd.blueyonder.co.uk[62.31.139.7],4628 -> [tdc's firewall],loc-srv PR tcp len 20 48 -S 2584424173 0 8760 IN
Apr 4 15:51:47 ring ipmon[70]: 15:51:46.881276 xl0 @0:13 b usr1262-udd.blueyonder.co.uk[62.31.139.7],4638 -> [tdc's firewall],loc-srv PR tcp len 20 48 -S 2585659041 0 8760 IN

sorry I couldn't find anything cool, but the above is a good example of the random shite floating about the web due to ill-configured windows pootas :/
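
Added example, not part of TdC's post or of the original thread: a small Python parser for the two alert formats quoted above (the ipmon lines and the Netgear e-mail alert) that tallies blocked inbound probes per protocol and destination port. The sample lines are constructed with documentation addresses, and the regexes assume only the field layout visible in the quoted lines.

```python
import re
from collections import Counter

# ipmon line as quoted above: timestamp, optional "Nx" repeat count, interface,
# @group:rule, action letter, then "src,port -> dst,port PR proto ...".
IPMON = re.compile(
    r"ipmon\[\d+\]: \S+ (?:(?P<n>\d+)x )?(?P<ifc>\S+) @\d+:\d+ (?P<act>\S) "
    r"(?P<src>\S+),(?P<sport>[\w-]+) -> (?P<dst>.+?),(?P<dport>[\w-]+) "
    r"PR (?P<proto>\w+) ")
# Netgear alert line as quoted in the first post.
NETGEAR = re.compile(
    r"(?P<proto>\w+) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) -\s*\[(?P<tag>\w+)\]")

def parse(line):
    """Return a dict for one blocked/alerted packet, or None if unrecognised."""
    m = IPMON.search(line)
    if m:
        if m["act"] != "b":          # assumption: "b" marks a blocked packet
            return None
        ip = re.search(r"\[([^\]]+)\]$", m["src"])   # host[ip] -> ip
        return {"src": ip[1] if ip else m["src"], "proto": m["proto"],
                "dport": m["dport"], "count": int(m["n"] or 1)}
    m = NETGEAR.search(line)
    if m:
        return {"src": m["src"], "proto": m["proto"].lower(),
                "dport": m["dport"], "count": 1}
    return None

def summarize(lines):
    """Count hits and collect source addresses per (protocol, dest port)."""
    hits, sources = Counter(), {}
    for line in lines:
        ev = parse(line)
        if ev:
            key = (ev["proto"], ev["dport"])
            hits[key] += ev["count"]          # honour the "2x" repeat marker
            sources.setdefault(key, set()).add(ev["src"])
    return hits, sources

# Constructed sample input (documentation addresses, not real hosts).
SAMPLE = [
    "Apr 4 15:50:48 fw ipmon[70]: 15:50:48.143770 xl0 @0:14 b host-a.example[192.0.2.10],1038 -> 203.0.113.1,netbios-ns PR udp len 20 78 IN",
    "Apr 4 15:51:44 fw ipmon[70]: 15:51:44.053811 2x xl0 @0:13 b host-b.example[198.51.100.7],4628 -> 203.0.113.1,loc-srv PR tcp len 20 48 -S 2584424173 0 8760 IN",
    "Apr 4 15:51:47 fw ipmon[70]: 15:51:46.881276 xl0 @0:13 b host-b.example[198.51.100.7],4638 -> 203.0.113.1,loc-srv PR tcp len 20 48 -S 2585659041 0 8760 IN",
    "TCP Packet - Source:192.0.2.44,22002 Destination:203.0.113.1,3128 - [DOS]",
]

if __name__ == "__main__":
    hits, sources = summarize(SAMPLE)
    for key, n in hits.most_common():
        print(key, n, sorted(sources[key]))
```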
 

Lazarus

Part of the furniture
Joined
Dec 22, 2003
Messages
2,874
sibanac said:
It's just people out there infected with worms and other trojans trying to infect you.

Your router should keep you safe (and of course you have patched your system).

You might wanna take a look at dshield.org for more info.

*don clean underwear*

thanks sib.

On the Netgear, you can set up allowable ports (already done some for HL and Steam).

Notice on the INBOUND section that EVERYTHING is disallowed.

Can someone explain how to set this up for the inbound and the "normal" ports to allow?
 

sibanac

Fledgling Freddie
Joined
Dec 19, 2003
Messages
824
Unless you are hosting games, you don't really need to allow anything from the outside

(steam/hl works perfectly fine on my machine with all incoming ports blocked)
gamespy will cause some errors in your firewall logs, but works fine nevertheless
 

TdC

Trem's hunky sex love muffin
Joined
Dec 20, 2003
Messages
30,925
it depends what your router needs. for example, I have to allow DHCP, DNS, NTP, WWW and sometimes FTP from outside. off the top of my head that works like so:
  • ftp - allow 21 tcp/udp
  • www - allow 80 tcp/udp
  • ntp - allow 123 tcp/udp
  • dns - allow 53 tcp/udp
  • dhcp - allow 68 udp (sometimes tcp too)
 
