Now, PeerBlock is a very old project, yes, and it's also not the best means of security by any stretch of the imagination. Ideally you'd also want to be behind some sort of IP-blacklist firewall and VPN at the least before you can say you are even remotely close to "secure".
Right now I am behind a pfSense router firewall with rules that are larger than its RAM, DMZ is set up (nothing in it, though), as well as a DD-WRT router/firewall, DD-WRT more used for making my guest network separate from my main, but still it does some.
The blocked log on my pfsense has always been insanely huge, so I thought it was doing a good enough job on its own. Never bothered to do any sort of port scan or sniff, I was mistaken. I am so doing a sniff after what I see here.
This is the log of my peerblock. I'm not doing any sort of torrenting, all front end programs that use the internet are closed other than Chrome and Windows itself.
It has also been blocking BBC which seems like a port scan from port 49157-65534 why those ports? That is way out of the common p2p range, and why BBC? Is it just some chap in the UK port scanning the internet, or the actual bbc? I've never torrented BBC stuff before, sure maybe saw the video streams of Sherlock grey-legally, and my Dr Who I actually got from a friend (the collection is 400+gig in size. Fat chance I'll be able to actually download that on att :( )
That quantcast is from me loading teksyndicate. Quantcast is an advertising company, but for some reason the ads on the site still work?? Are they just doing data collection? I'm confused. Someone explain.
Here's another, after filtering out bbc.
Please call your attention to the ones in black.
Need I say more?
The first screenshot shows a host in your network connecting to a BBC server (bbcdl4.thdo.bbc.co.uk) over port 80, not a port scan. When you open a TCP connection, the client will choose a random high range port (62777, for example); the fact the source ports are incrementing by one is normal behaviour if a piece of software has to make multiple attempts to make a TCP connection before giving up. Do you have iPlayer installed or anything BBC related, or are you browsing any BBC related websites?
You've already mentioned the quantcast being related to TekSyndicate (it's for data collection). When requesting a page, if your browser finds links to other servers, it will initiate connections for that as well; in fact, they're using port 443 (HTTPS) because this is what the TekSyndicate web server uses. PeerBlock is blocking this too.
As for the second screenshot, those are some odd destination hosts and ports. When looking at the IP addresses, we see the following:
- 184.173.143.23: 184.173.143.23-static.reverse.softlayer.com
- 203.215.33.98: *** resolver1.opendns.com can't find 203.215.33.98: Non-existent domain
- 112.198.79.129: *** resolver1.opendns.com can't find 112.198.79.129: Non-existent domain
- 83.156.168.202: pha75-23-83-156-168-202.fbx.proxad.net
- 71.131.183.171: adsl-71-131-183-171.dsl.sntc01.pacbell.net
- 217.118.78.47: *** resolver1.opendns.com can't find 217.118.78.47: Non-existent domain
- 87.22.190.126: host126-190-static.22-87-b.business.telecomitalia.it
- 85.26.231.21: *** resolver1.opendns.com can't find 85.26.231.21: Non-existent domain
Softlayer is a web hosting company, while the others look like home Internet customers; did you have any P2P software running when you took these screenshots? If not, something might be trying to call home, but probably not.
As for the ones that didn't resolve, 85.26.231.21 and 216.118.78.47 seem to be dodgy (spam mail servers). Project Honey Pot doesn't know anything about 112.198.79.129 and 203.215.33.98. Perhaps run a spyware/virus scan to ensure your host hasn't been compromised.
If you're unsure of traffic, running a packet capture with something like Wireshark, Tshark, or Tcpdump to inspect the traffic is invaluable.
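The distinction drawn above between outbound client connections (local ephemeral source port climbing by one per retry, fixed remote port) and an inbound scan (one remote source hitting many local ports) can be checked mechanically against a blocked-connection log. The following is an added example, not PeerBlock or pfSense code; the log format, the LAN prefix and the IP addresses in it are all constructed for illustration, and a real PeerBlock log will need its own parser.

```python
"""Classify blocked-connection log entries as outbound client traffic or inbound scans.
Added example; the line format and all addresses are constructed, not from a real log."""
from collections import defaultdict

# Windows Vista and later draw source ports from this range (cf. 49157-65534 in the thread).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535
LOCAL_NET = "192.168.1."  # assumed home LAN prefix

# Constructed sample: "src_ip:src_port -> dst_ip:dst_port" per line.
# 198.51.100.20 stands in for a web server such as the BBC host in the first screenshot.
SAMPLE_LOG = """\
192.168.1.10:62777 -> 198.51.100.20:80
192.168.1.10:62778 -> 198.51.100.20:80
192.168.1.10:62779 -> 198.51.100.20:80
192.168.1.10:62780 -> 198.51.100.20:443
203.0.113.5:40001 -> 192.168.1.10:22
203.0.113.5:40001 -> 192.168.1.10:23
203.0.113.5:40001 -> 192.168.1.10:80
203.0.113.5:40001 -> 192.168.1.10:445
203.0.113.5:40001 -> 192.168.1.10:3389
198.51.100.7:51234 -> 192.168.1.10:51413
"""

def parse(line):
    """Split one constructed log line into (src_ip, src_port, dst_ip, dst_port)."""
    src, dst = line.split(" -> ")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport)

def classify(log_text, scan_threshold=4):
    """Return {remote_ip: verdict} with verdicts:
    'outbound-client' local host opened the connection from an ephemeral port
    'inbound-scan'    remote host probed >= scan_threshold distinct local ports
    'inbound-other'   inbound to few local ports (e.g. peers reaching a listening client)"""
    outbound = set()                 # remote ips our host connected to
    inbound = defaultdict(set)       # remote ip -> distinct local ports it hit
    for line in log_text.strip().splitlines():
        sip, sport, dip, dport = parse(line)
        if sip.startswith(LOCAL_NET) and EPHEMERAL_LOW <= sport <= EPHEMERAL_HIGH:
            outbound.add(dip)
        elif dip.startswith(LOCAL_NET):
            inbound[sip].add(dport)
    verdicts = {ip: "outbound-client" for ip in outbound}
    for ip, ports in inbound.items():
        verdicts[ip] = "inbound-scan" if len(ports) >= scan_threshold else "inbound-other"
    return verdicts

def sequential_source_ports(log_text, remote_ip):
    """True when our ephemeral source ports toward remote_ip rise by exactly one each
    line: the retry pattern described above, not a scan of the remote host."""
    rows = [parse(l) for l in log_text.strip().splitlines()]
    ports = [sp for sip, sp, dip, _ in rows if dip == remote_ip and sip.startswith(LOCAL_NET)]
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
```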
Thank you for the clarification. No matter how much I learn in school or out of, it always seems there is so much more to learn.
Also, pfSense has a really awesome peer-blocker type plugin (pfBlocker). You can get it and block entire countries. Several different lists of "bad" IPs are maintained on the net, and you can plug those in (and log them) as well under the 'lists' section. You can even paste in plain text lists there as well.
if you're really adventurous, install snort. you have to sign up for a (free) subscription, and your pfsense box needs some horsepower (sorry alix folks) but snort is amazing. You can log & block, or log only. I suggest log only until you get comfy because some of the rulesets for snort even block things like instant messengers and things like that. you can one-click ignore rules that are blocking the kinds of traffic you want, though, you just have to go to the dashboard to sort it out.
Thank you, man. I have installed Snort onto pfSense before, but the machine I am running on (dual-core 800MHz PowerMac G4, 4GB RAM) has a whole hell of a lot of trouble keeping up when I do. Hence the reason why I've been posting quite a bit on DIY network equipment here on the Tek.
pfBlocker might be something to look into, though.
I take it you were running Snort in IPS mode, then? Placing Snort inline in IPS mode will have an impact on your network traffic since it has to push the packets through a decoder, any preprocessors, and the detection engine.
An ideal setup would be to use a switch that supports port mirroring (or something similar), then connect Snort's passive monitoring interface to that switchport. You could then have Snort report rule violations to a syslog server (local or remote), and then act upon those rules by adding extra firewall rules as needed. This would also address the problem of false positives blocking your traffic (Snort will generate A LOT of false positives if its rules are misconfigured).