
Firewall parameters and PC security

  1. Sep 2, 2017 #1
    I have installed an antivirus. But one day I realized that somebody was controlling my PC. Then I installed a firewall. There are lots of attempts on my PC which are recorded in the firewall. I am very confused why these are happening and who they are, how they can do this. Now some important performance issues have started. I do not know if I am secure. How can I completely be sure that my PC is secure? Can a firewall stop all attempts? I did a full system scan. There is no virus or other malevolent programs. I use a WLAN and how can I be sure if somebody is in my WLAN? How can I close dangerous ports through which they can access my PC? firewall.png
     
  3. Sep 2, 2017 #2

    jedishrfu

    Staff: Mentor

    There are automated tools scouring every internet computer looking for vulnerabilities to capitalize on. You are not the only one with this problem. Hackers are even targeting IoT devices, everything that's connected. It's information they can use or sell to whoever wants it.

    Here's a partial index of tools and techniques:

    https://flipboard.com/@ir0nf1re/security-tools,-scripts-and-tricks-3mcelheiz
     
  4. Sep 2, 2017 #3
    What are those "route", "incoming", "outgoing" in the firewall?

    Thank you.
     
  5. Sep 2, 2017 #4

    Borg

    Gold Member

    Addresses that start with 192.168.1 are addresses within your own LAN and usually are nothing more than internal software communication. From the limited image, it looks like there are two main computers on your network - one at 192.168.1.1 and one at 192.168.1.44. I suspect that 1.1 is your computer but that's just a guess. Incoming and outgoing traffic within the network is generally harmless. The 30,000 and 60,000 range port numbers are a little odd but it's hard to know without more info.
     
  6. Sep 2, 2017 #5

    Borg

    Gold Member

    8.8.4.4 is a Google address so that looks harmless. The 212.4.153.164 address is a server in the Czech Republic and port 80 means that you're connected through a web browser so it looks like you were viewing a page at a site hosted in that country when you took the screenshot.
     
  7. Sep 2, 2017 #6

    Borg

    Gold Member

    If you want a good scare, open up a dos window and type netstat -ano. This will show a (long) list of all of the current network connections on your computer. Any entries that have 0.0.0.0, 127.0.0.1, [::], or a variation of 192.198.1.x for the local and foreign address (both sides) are typically harmless. If you get something outside of that, you might have something to worry about.

    Here are a few examples from running it on my computer.
    Code (Text):
    Proto   Local Address         Foreign Address   State         PID
    TCP      192.168.1.151:61057  192.168.1.155:22  ESTABLISHED   1475
    TCP      127.0.0.1:27017      0.0.0.0:0         LISTENING     1475
    TCP      [::1]:27017          [::]:0            LISTENING     1475
     
    192.168.1.151 is my computer's LAN address and 192.168.1.155 is the LAN address of my Raspberry Pi. I have a Putty session connected to the Pi which allows me to run commands on the Pi in a DOS-like window. My Putty session is connected through port 22. The second and third lines reference a tunnel that I've established through the Putty session that allows me to talk to a Mongo database on the Pi as if it was located on my computer. Mongo listens to requests on port 27017. The PID (Process ID) is the same PID that you would see if you open your computer's Task Manager and select the Processes tab.
     
    Last edited: Sep 2, 2017
  8. Sep 2, 2017 #7
    It seems we will be able to solve these issues.
    How can we know that those addresses are harmless?
    What are the other numbers coming after 151, i.e. 61057, and after 155, i.e. 22?

    How can you understand this?

    Thank you.
     
  9. Sep 2, 2017 #8

    Borg

    Gold Member

    It is software that is running on your computer (0.0.0.0, 127.0.0.1, [::], or a variation of 192.198.1.x as described above). As long as they aren't trying to connect to the internet through ports other than 80 (unencrypted) or 443 (encrypted), they're most likely harmless.
    Those are port numbers. If you're not familiar with them, they are like phone lines that are connected to your computer. For example, if you and another person in your house wanted to talk on the phone to different people at the same time, you would need two phone lines (or ports) to the outside world. Your computer is continually establishing and destroying these ports based on the needs of the software running on it. Yes, even for internal communication.
    Lots of experience. I'm not a sysadmin but I do end up dealing with it a lot.
     
    Last edited: Sep 2, 2017
  10. Sep 4, 2017 #9
    Here are a few more details that I've run across over the years.

    ADDRESSES:
    0.0.0.0 A non-existent or dummy address that does not refer to anything on the network

    127.0.0.1 "Self." That is the current computer (some programs are structured to talk with other parts of themselves using this conceptual net address)

    192.168.x.x Defines a private network that does not connect to the Internet; it is usually the default for your home (private) network for instance

    192.168.1.1 The default address for the router on your home network

    192.168.1.x The individual devices on your home network. Usually these default address assignments are done by your router

    There is another private address range that may be used instead of 192.168.x.x. I don't remember for sure, but I think it starts with 24.?.x.x
    First read the manual/documentation for your router. Somewhere there will be a reference about "Connected Devices" or similar.

    Open your browser and in the URL field (address field) enter 192.168.1.1. This is the default address to talk to your router. (If that doesn't work, find the default address in the documentation.)

    DO NOT CHANGE ANY ROUTER SETTINGS WITHOUT BEING SURE YOU KNOW WHAT YOU ARE DOING AND WHY. It is possible to disable connectivity between the router and all of your devices. If this happens you will have to find in the documentation how to reset the router to "Factory Defaults" and then start over and reconfigure your network. This may require a wired (Ethernet) connection to the router.

    Once the router screen shows up in the browser, follow the documentation instructions to display the Connected Devices. This will display a list of all the devices that are currently connected to your network. If something is shut off or out of range it will not be listed.

    Well that's about all I know about it, and... Welcome to the maddening inner workings of networks. You can spend years looking into all the non-obvious details, most of us don't bother.
     
  11. Sep 4, 2017 #10

    OCR


    It might look something like this... my old one.

    Basic Setup.JPG

    As Tom.G said...
    I did... just once, though. lol
     
  14. Sep 5, 2017 #13
    Unfortunately I can only guess what's happening in your logs without the "Destination IP" column being in view, it's like trying to understand a phone conversation by hearing one side of the conversation. I'll try to address the different questions you posed separately.

    You can never really be sure a networked computer is secure; the best you can do is take precautions, the most important being to back up your data to an external disk and store it somewhere else safe. See these recommendations from US-CERT for more internet security best practices.

    A firewall will stop all attempts that are not configured to be allowed. I suggest NOT changing the default rules if you don't have a solid grasp on network routing and packet filtering.

    You should be able to see all connected Wi-Fi devices when you log into your access point or router.

    You have done this by installing a software firewall.

    ZoneAlarm doesn't define what the connection type "Route" means in their documentation, but I can infer it to mean connections your computer recently initiated, but are no longer valid for various reasons.

    "Incoming" means connections initiated by another system to your computer.

    "Outgoing" means connections initiated by your computer to another system.
     