Old 09-26-2008, 07:53 PM   #1 (permalink)
Registered User
 
Join Date: May 2005
Posts: 55
OS: Win XP


[SOLVED] port scan detected

I have an ASUS PC and a laptop running XP Pro. Recently the laptop's firewall started reporting a "Port Scan Detected" coming from 192.168.1.1, which is my Westell DSL modem.
Is this something to be concerned about and how do I stop it?
Pete
Calicoe

Last edited by Calicoe; 09-26-2008 at 07:55 PM.
Calicoe is offline  

Old 09-27-2008, 09:41 AM   #2 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: port scan detected

What firewall are you running on your laptop? It sounds like there needs to be a slight settings tweak.

Presuming that 192.168.1.1 is your Westell box, then I'd guess this is normal UPnP traffic or normal router traffic. In which case your firewall simply needs to be set to ignore the packets from the Westell box.
grue155 is offline  
Old 09-27-2008, 01:03 PM   #3 (permalink)
Registered User
 
Join Date: May 2005
Posts: 55
OS: Win XP


Re: port scan detected

I'm running VCom's Net Defender and I was going to tell it to allow the incoming traffic but I didn't know if it was safe to do so.
The scan is coming from my Westell DSL modem.
Is there a way to tell if it originates at the modem or from the net?
Calicoe is offline  
Old 09-27-2008, 05:09 PM   #4 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: port scan detected

Traffic coming from the Internet would have Internet accessible addresses. The 192.168.x.x isn't accessible from the Internet. It's one of the private address spaces, and ISPs will not route those addresses across the Internet. Details in Internet RFC 1918. So, yes, traffic with a source address of 192.168.1.1 is coming from your router, and it is safe to allow it through the firewall.

Is there any additional detail in the NetDefense security log? It could be that a setting needs to be changed in the router, depending on what kind of traffic it is. That detail would be in the protocol and ports that are being reported in the log.
grue155 is offline  
Old 09-27-2008, 06:53 PM   #5 (permalink)
Registered User
 
Join Date: May 2005
Posts: 55
OS: Win XP


Re: port scan detected

I set Net Defender to allow traffic. I guess I'll just have to keep an eye on it for a while.
All that was in the log was:

Time 09/26/2008 5:33:31 AM
Security Type Port Scan detected
Severity Major
Direction Inbound
Protocol UDP
Local IP 192.168.2.100
Remote Host 192.168.1.1
Application Involved SYSTEM
Count 1

every three or four minutes.
Calicoe is offline  
Old 09-27-2008, 07:26 PM   #6 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: port scan detected

Quote:
Local IP 192.168.2.100
Remote Host 192.168.1.1
Your PC is at 192.168.2.100? Then there may be a problem, as I had presumed your PC to be in the 192.168.1.x address range.

All may still be okay, if the numbers line up. And those numbers are the ones that get reported by opening up a command prompt and entering "ipconfig /all".

Can you tell me what devices there are on your LAN? I don't want to presume something else and get it wrong.
grue155 is offline  
Old 09-27-2008, 08:15 PM   #7 (permalink)
Registered User
 
Join Date: May 2005
Posts: 55
OS: Win XP


Re: port scan detected

I have a Linksys router (192.168.2.1) that I set up as a gateway connected to a Westell DSL modem (192.168.1.1).
My PC is .2.2 and the laptop is .2.100

I just realized that an IP address (192.168.2.47) keeps popping up. It links to an address (72.14.247.127).

Last edited by Calicoe; 09-27-2008 at 08:34 PM.
Calicoe is offline  
Old 09-27-2008, 08:46 PM   #8 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: port scan detected

Interesting LAN you have there. All okay, so far, except for that 2.47.

Just to check my understanding, your LAN layout is like this:

Westell --- Linksys ---- PC/laptop

Westell is 192.168.1.1

Linksys is a NAT/router at 192.168.2.1. If it is a proper NAT/router then you shouldn't be seeing the Westell packets. And I'm presuming this is a wireless router.

PC is wired connection, at 192.168.2.2
laptop is wireless, at 192.168.2.100

No other devices? If true, then I'd guess the 192.168.2.47 is coming into your LAN over wireless. Is your wireless connection running any encryption (WEP or WPA or some such)?
grue155 is offline  
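The address checks discussed in posts #4 to #8, as an added example that is not code from the thread: it parses the log record quoted in post #5 and reports whether a remote host is in an RFC 1918 range, on the laptop's subnet, and in the device list given in the thread. The /24 prefix length and the function names are assumptions.

```python
import ipaddress

# RFC 1918 private ranges; ISPs do not route these across the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Devices and addresses as listed in the thread.
KNOWN_DEVICES = {
    "192.168.1.1": "Westell DSL modem",
    "192.168.2.1": "Linksys router",
    "192.168.2.2": "PC (wired)",
    "192.168.2.100": "laptop (wireless)",
}
# Field names and the sample record are taken from the log quoted in post #5.
FIELDS = ("Time", "Security Type", "Severity", "Direction", "Protocol",
          "Local IP", "Remote Host", "Application Involved", "Count")
SAMPLE = """\
Time 09/26/2008 5:33:31 AM
Security Type Port Scan detected
Severity Major
Direction Inbound
Protocol UDP
Local IP 192.168.2.100
Remote Host 192.168.1.1
Application Involved SYSTEM
Count 1
"""

def parse_entry(text):
    """Split each 'Field value' line of one log record into a dict."""
    entry = {}
    for line in text.strip().splitlines():
        for name in FIELDS:
            if line.strip().startswith(name + " "):
                entry[name] = line.strip()[len(name) + 1:].strip()
                break
    return entry

def classify(remote, local, prefix_len=24):
    """Relate a remote address to the local host (prefix_len is assumed)."""
    addr = ipaddress.ip_address(remote)
    lan = ipaddress.ip_network(f"{local}/{prefix_len}", strict=False)
    return {"rfc1918": any(addr in net for net in RFC1918),
            "same_subnet": addr in lan,
            "device": KNOWN_DEVICES.get(remote, "unknown")}

if __name__ == "__main__":
    e = parse_entry(SAMPLE)
    for ip in (e["Remote Host"], "192.168.2.47", "72.14.247.127"):
        print(ip, classify(ip, e["Local IP"]))
```

A private source address that is on the local subnet but missing from the device list is the case worth following up on in the firewall log.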
Old 09-27-2008, 08:57 PM   #9 (permalink)
Registered User
 
Join Date: May 2005
Posts: 55
OS: Win XP


Re: port scan detected

I don't have any encryption running. It's a Linksys wireless router.
Calicoe is offline  
Old 09-28-2008, 08:39 AM   #10 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: port scan detected

Quote:
I don't have any encryption running. It's a Linksys wireless router.
Then this has become an entirely different game. The lack of wireless encryption means that the 2.47 address you are seeing, and very likely the 1.1 address also, are coming from machines outside your LAN, and so are using your LAN as a gateway to the Internet.

You need to secure your wireless. Use at least WEP, preferably WPA. It's just a question of entering a long, preferably random, string of characters into the setup of the router, and having matching entries in your PC and your laptop.

If you don't want to make up your own random password, there are a number of sites on the Internet that can do the job. One of the better known sites is grc.com (the Shield's Up firewall testing site). There is a password generator available on the Services tab, for "Perfect Passwords".
grue155 is offline  
Old 09-28-2008, 04:38 PM   #11 (permalink)
Registered User
 
Join Date: May 2005
Posts: 55
OS: Win XP


Re: port scan detected

When I access the Linksys router and go to status it shows the router IP address as 192.168.1.47. In the home screen the local IP address is 192.168.1.47.
I set up WPA security.
Is there anything else I should do at either the laptop or desktop?
Calicoe is offline  
Old 09-28-2008, 05:14 PM   #12 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: port scan detected

For anything that connects to your router by wireless, it needs to have the same key setting. Otherwise it won't connect properly.

Having the WPA set on your router will keep anybody else from connecting to your LAN. I think now the port scans will disappear, along with the unexpected IP addresses showing up.

For now, just watch the firewall logs and see if anything unexpected shows up.
grue155 is offline  
Old 09-28-2008, 08:05 PM   #13 (permalink)
Registered User
 
Join Date: May 2005
Posts: 55
OS: Win XP


Re: port scan detected

OK, I finally got the wireless net set up with WPA security and the laptop to access the net. I used to do this for Ma Bell, now I remember why I retired.
I guess there's nothing else to do but see if the port scan attacks come back.
I'll give it 2 days and post a reply if all's well.
Until then thanks for the help.
Pete
Calicoe is offline  
Old 10-01-2008, 10:43 AM   #14 (permalink)
Registered User
 
Join Date: May 2005
Posts: 55
OS: Win XP


Re: port scan detected

OK, no more problems,
Thanks again for the help

Pete

Last edited by Calicoe; 10-01-2008 at 10:46 AM.
Calicoe is offline  
All times are GMT -7. The time now is 06:20 AM.



Copyright 2001 - 2009, Tech Support Forum