OK, so I ditched Zonealarm firewall and got Sygate, because Zonealarm was causing problems (like not letting anything access the internet…even though it had access.) I like Sygate better, because it’s more in-depth, and lets me know when things happen, like when my ports are scanned.
Well, my ports are scanned several times a day. I am confident that the firewall keeps them closed, but I still don’t like this guy looking. Is there any way I can stop it? Report him to somewhere? Do a “counter-attack” of some kind? Or do I just have to live with them?
Free hint dude: router. Forget about software firewalls. With a router, it just shuts out port scanners. My box is behind a router. My box would never know about port scans, as they’d never make it to my box.
Seconded. They’re not expensive, just scan the Best Buy/Circuit City/CompUSA/Staples/OfficeMax circulars for a few weeks, and you should within a month see one offered for $30 or thereabouts. Buy.com is also a good source, when they’re having a sale.
At the moment, I wouldn’t even need to buy a router. The DSL provider gave me a free one port router when I signed up. I just have set it as a non-router as I have another one. DSL around here is so cheap it just makes no sense to use dial up like I used to. Why pay for dial up when the router just keeps the DSL going 24/7 for $20 a month, and I can just turn on the box and be online with no additional effort? (Of course, if where you live the local telco isn’t in a price war with the cable companies, it might be different.)
A router, eh? Well, I’ve been meaning to get a wireless router for a while now. I plan to build a multimedia box and hook it to my entertainment system to access all my main box’s songs, movies, etc…, and this will save the hassle of a CAT5 cable, so long as I get a wireless PCI card for it.
So when I get the router and have it all configured properly, can I completely ditch the software firewall, or should I keep it just in case? I don’t want to be bogged down with excess firewalls making my connection slower if I don’t have to be.
Sorry for shouting, but it’s important. I’m sure someone will come along (probably while I’m composing this) to detail why, but the short answer is you need both.
I like Agnitum’s Outpost firewall. It has a Stealth Mode that just eats up port scans. I’ve poked at my own machine while it was on; it’s like the thing isn’t even connected to the 'Net. Not “Port closed”, but “Hey, buddy, there’s no machine there.”
I’ve checked the logs, and usually a scanner will attempt about five ports, give up, and go away.
Regarding action to take: the log will show the scanner’s IP address (assuming he hasn’t hijacked another host, which happens quite frequently). Visit www.dnsstuff.com and do a “reverse DNS lookup” on the IP address, to find the offender’s ISP. You can then send a note to abuse@<his ISP>.com (or .net) informing them of the activity, which is against almost all ISP AUPs (acceptable use policies). They will either follow up, or do nothing, since this is so prevalent. Of course, this is mainly for your own satisfaction; trying to deal with port scanners this way is like trying to get rid of an ant colony with a BB gun.
Stealth mode is most likely your best and easiest way to get back, as the scanning computer has to wait for a response which will never come, which slows its port scanning down.
You should be able to set a rule in the firewall to completely ignore all traffic from that address. If you set a rule to drop traffic instead of replying that ports are closed, he should give up shortly. I can’t advise launching a counterstrike in case of repercussions. And yes, do get a hardware router, or at least a unix-based software router.
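An added example, not code from anyone in the thread, that puts the advice of the last few posts into one script: it reads firewall log lines, picks out sources that probed several different ports (the "attempts about five ports, gives up" pattern), drafts the abuse@ note described in the reverse-DNS post, and prints the rule that silently drops that source, next to the "reject" variant it is being contrasted with. Assumptions: the sample log is constructed here in the netfilter LOG format that a unix-based software router would write (not Sygate's or Outpost's format), the abuse address is guessed from the last two labels of the reverse-DNS name, and the rules are iptables syntax.

```python
"""Spot port scanners in firewall logs, draft an abuse report, emit a drop rule."""
import re
import socket
from collections import defaultdict

# Constructed sample log (netfilter LOG target, trimmed to the fields used here).
# Addresses are from the RFC 5737 documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
Mar  3 09:12:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=4532 DPT=135 SYN
Mar  3 09:12:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=4533 DPT=139 SYN
Mar  3 09:12:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=4534 DPT=445 SYN
Mar  3 09:12:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=4535 DPT=1433 SYN
Mar  3 09:12:03 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=4536 DPT=3389 SYN
Mar  3 09:15:40 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.9 PROTO=TCP SPT=51002 DPT=80 SYN
Mar  3 09:15:41 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.9 PROTO=TCP SPT=51003 DPT=80 SYN
Mar  3 09:20:11 gw kernel: IN=ppp0 OUT= SRC=192.0.2.200 DST=198.51.100.9 PROTO=UDP SPT=1900 DPT=1900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r" PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not a packet record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d


def find_scanners(log_text, min_ports=3):
    """Group blocked packets by source. A source that hit at least min_ports
    distinct destination ports is a scanner; repeated hits on one port (a retry
    of a legitimate connection) are not."""
    ports = defaultdict(set)
    events = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["dpt"] is None:
            continue
        ports[ev["src"]].add(ev["dpt"])
        events[ev["src"]].append(raw)
    return {src: (sorted(ps), events[src])
            for src, ps in ports.items() if len(ps) >= min_ports}


def drop_rule(src):
    # DROP discards silently: the scanner's SYN gets no reply and has to time out,
    # which is the "stealth" behaviour the posts above recommend.
    return f"iptables -A INPUT -s {src} -j DROP"


def reject_rule(src):
    # REJECT answers with a TCP RST, i.e. "port closed"; the scanner learns that
    # at once and moves on, so it is the faster target, not the quieter one.
    return f"iptables -A INPUT -s {src} -p tcp -j REJECT --reject-with tcp-reset"


def abuse_contact(hostname):
    """Guess abuse@ from the registrable part of a reverse-DNS name.
    Assumption: a two-label domain; names under ccTLDs such as .co.uk, or hosts
    with no PTR record, need a whois lookup of the netblock instead."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return "abuse@" + ".".join(labels[-2:])


def reverse_lookup(ip):
    """Live reverse DNS (needs network); None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def draft_report(src, hostname, log_lines):
    """Build the note to the ISP; the log excerpt is the evidence they will ask for."""
    contact = abuse_contact(hostname) if hostname else None
    to = contact or "(no PTR record; find the netblock owner via whois)"
    body = [f"To: {to}", f"Subject: port scan from {src}", "",
            "My firewall logged these connection attempts (times are local):", ""]
    body.extend(log_lines)
    return "\n".join(body)


if __name__ == "__main__":
    for src, (ports, lines) in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed ports {ports}")
        print(draft_report(src, reverse_lookup(src), lines))
        print(drop_rule(src), "   # or, noisier:", reject_rule(src))
```

Run it against your own exported log instead of SAMPLE_LOG; the only line that touches the network is `reverse_lookup`, and the report is printed rather than sent so you can check the address before mailing it.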