Cable modem firewall logs "intuders"...should I worry?

I recently got a cable modem and a router/firewall/switch at home. I have it set to maximum security settings, but the log is a little disquieting:

And so on. Should I worry about all of this activity? And, unfortunately, the documentation doesn’t tell me what to make of these log entries–do these indicate attacks that have failed? Successful attacks? Would I even know if an attack was successful?

I’m not as worried as most users, since I have a Mac instead of a PC (fewer viruses, etc., plain and simple), but I do want to be careful, since I’m connected to the Internet all the time now.

I use Zone Alarm Pro (on a PC) and when you first start it up, it tells you of all attempts of attacks on your computer. You have the option of the program NOT telling you each time it blocks these attempts. I opted for this after about 15 attacks in one session (I still use dial up). Perhaps your software is doing the same thing - just letting you know it’s doing its job.

Ok, let’s try to understand the statement:

Sunday October 20 12:57:25 2002 Intruder found on TCP port (1433) from (3215)

This means that someone or something attempted to connect to a your TCP port no. 1433. Port no. 1433 is the official Internet Assigned Number Authority (IANA) socket number for SQL Server, so there is a decent chance that it is some kind of connection that is trying to access an SQL server that might be running on your comp. Ofcourse, other types of connections can also be used on this port, but it is usually SQL related.

The connection attempt (attack) is coming from IP address which is named gdnserver (most probably coming from a connection in Seoul, Korea). The port no. on that side (3215) is random.

Port 80 is for an http connection to your comp, port 21 is for an ftp connection to your comp.

Depending on how your firewall is configured, it either just informs you of connection attempts and allows the connections, or logs them and blocks the connection attempts. I’m not sure how yours works. But I’m assuming that the max. security settings is blocking all these connection attempts, so it’s nothing to worry about. The only problem is if a valid connection attempt is blocked in the process. e.g. You are running an SQL server on your comp. and wish for a colleague to access it, s/he might be blocked. You can always adjust your settings to allow such valid connections, based on a number of criteria.

Another thing to keep in mind is that some attempted connections are targeted while others are not. Meaning, some people might be trying to connect to your specific comp. for a reason (i.e. you have an SQL server running and they need to access the data), while many others are just sweeping the entire sub-net for comps with security holes (in this case your comp. will not list as one of the vulnerable ones, so you’re safe).

Here are some online security tests you might want to run on your comp. :

[Captain Kirk voice] Intruder alert! Intruder alert! all decks come to red alert! [/CKV]

sorry, somebody had to do it

Port 80 is HTTP and 1443 is an MS SQL port. Both are targets for common worms, and the connection attempts you see are very likely due to worms (which are all over the net and aren’t likely to go away any time soon, so unfortunately we’ll just have to get used to them).

Port 21 is the FTP port, those connections might be people scanning for FTP servers - they could be looking for places to dump their pirated stuff on, for example.

These messages tell you that someone or something tried to connect to your computer and not much more (even that is stretching the facts a bit, actually). Since the packets were blocked we can only guess why they found their way to your computer, based on experience and what’s common at the moment.

I could tell you why I don’t believe in “personal firewalls” and similar “security” software, but I’ve already tried explaining this one time too many and nobody ever listens anyway.