4 Replies Latest reply: Dec 6, 2012 7:05 AM by 2xtap

    Firewall not blocking IP addresses

    2xtap

      Recently, I noticed multiple attempts to remotely log into one of my PCs. I loaded a port recorder to get the IP addresses so I could block them with McAfee. However, once they were blocked, nothing changed. The IP addresses are still showing up in the port recorder and they are linked with login failures in the event viewer. Plus, there is no record of them in the firewall history. Am I missing something in the setup of blocking IP addresses, or doesn't McAfee record blocked\allowed IP addresses?

       

      Here's a list of the IPs

       


      I researched these and found these addresses are assigned to various users in the US, China, and Ukraine (not a good feeling).

       

      Any suggestions on blocking IPs using McAfee would be greatly appreciated.

       

      FYI:

      OS - XP SP3

        • 1. Re: Firewall not blocking IP addresses
          Hayton

          If you saw the IP addresses in Security History they were being blocked anyway so specifically adding them to the firewall to be blocked is probably unnecessary, although an extra precaution.

           

          I picked one at random - 217.160.239.94 - and did a quick check. The IP address is UK-based, 1&1 Networks, assigned to SCHLUND-CUSTOMERS, and one or more of their servers is infested with malware according to Clean-MX.

           

          Your best bet is to set the firewall to Stealth mode and make sure NetGuard and Intrusion Prevention are enabled.

          • 2. Re: Firewall not blocking IP addresses
            2xtap

            Hayton,

             

            Thank you for the prompt reply! Unfortunately, the addresses are not showing up in the security history. Since the system is XP, the event log only records the event and user name as a failed attempt. I loaded MS's port recorder service. This allowed me to record the port and addresses. I then added the addresses to the firewall. After a day, the same addresses are showing up in the recorder, but not the McAfee history.

             

            I can't figure out why McAfee is not detecting, or maybe just not recording, the blocked addresses.

             

            Message was edited by: 2xtap on 12/5/12 7:12:47 PM CST
            • 3. Re: Firewall not blocking IP addresses
              Hayton

              2xtap wrote:

               

              Unfortunately,  the addresses are not showing up in the security history.  Since the system is XP, the event log only records the event and user name as a failed attempt. 

              ... After a day, the same addresses are showing up in the recorder, but not the McAfee history.

               

              I can't figure out why McAfee is not detecting, or maybe just not recording, the blocked addresses.

               

              Sorry, I should have asked this earlier. Have you got Security Center 11.6.435? That's the one where McAfee changed the reporting arrangements, and after which update lots of people (me included) no longer saw any reports of incoming connections being blocked. I assume they still are being blocked, but there's nothing except scans and buffer overflows since the date of the update.

               

              We've passed a message about this up the line to McAfee but no-one's rushing to get it fixed.

               

              fwiw there are port scanners out there looking for open and unprotected ports running 24/7. If you take a brand new machine, add some port-monitoring software and connect it to the internet, someone will attempt to break into it within 17 minutes (a bunch of security researchers did it as an experiment).

               

              And if you want to know where the infected or otherwise malicious machines are doing this, they're actually mostly in the good ol' USA. California especially. Kentucky, for some reason, is almost squeaky clean. Have a look at the latest Microsoft Security Intelligence Report (volume 13) for the lowdown. The Chinese mostly go for targeted high-value attacks (you haven't got any valuable intellectual property, by any chance?) and the Russians and Ukrainians go for anything at all outside their own countries so yes, watch out for addresses in those two countries.

              • 4. Re: Firewall not blocking IP addresses
                2xtap
                I should have asked this earlier. Have you got Security Center 11.6.435?

                 

                You nailed it, that's exactly the build I'm running!

                 

                I'm no expert by any means, but I thought I was protected. I have a router with firewall enabled. All ports are in stealth according to GRC.com shields up. DCOM is disabled and I'm running McAfee on my main PC. The other PCs are either turned off or not connected to the internet when in use.

                 

                I will say, since I started adding IP addresses to the blocked list, the number of attacks has increased exponentially according to the port reporter and event log. The McAfee security report shows "15 risky connections blocked". Are they the addresses I blocked? Sure would be nice to have a log with date\time and address.
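
Added example, not part of the original thread or of any McAfee or Microsoft tooling: one way to check whether addresses on a blocklist are still being recorded after the block was added, with the date, time and address the last post asks for. The log layout (`timestamp,remote_ip,local_port`), the addresses (documentation ranges), the port and the block times are all constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample data; the comma-separated layout is an assumption and
# is not the real output format of any port-recording tool.
BLOCKLIST = {  # address or CIDR -> time the block rule was added
    "203.0.113.7": "2012-12-04 20:00:00",
    "198.51.100.0/24": "2012-12-04 20:00:00",
}
CONNECTION_LOG = """\
2012-12-04 18:12:01,203.0.113.7,3389
2012-12-05 02:40:17,203.0.113.7,3389
2012-12-05 02:41:03,198.51.100.23,3389
2012-12-05 03:05:44,192.0.2.50,3389
2012-12-05 09:15:30,203.0.113.7,3389
not,a,valid line
"""
FMT = "%Y-%m-%d %H:%M:%S"


def load_blocklist(entries):
    """Return [(network, blocked_since)] from {address-or-CIDR: timestamp}."""
    return [(ipaddress.ip_network(addr, strict=False), datetime.strptime(ts, FMT))
            for addr, ts in entries.items()]


def connections_after_block(log_text, blocklist):
    """Yield (time, ip, port, rule) for entries logged after their rule was added."""
    for line in log_text.splitlines():
        try:
            ts, ip, port = line.strip().split(",")
            when = datetime.strptime(ts, FMT)
            addr, port = ipaddress.ip_address(ip), int(port)
        except ValueError:
            continue  # skip malformed or truncated lines
        for net, since in blocklist:
            if addr in net and when >= since:
                yield when, str(addr), port, str(net)
                break


def summarize(log_text, entries):
    """Count post-block connections per blocklist rule."""
    hits = connections_after_block(log_text, load_blocklist(entries))
    return Counter(rule for _, _, _, rule in hits)


if __name__ == "__main__":
    for when, ip, port, rule in connections_after_block(CONNECTION_LOG, load_blocklist(BLOCKLIST)):
        print(f"{when}  {ip}:{port}  still logged after rule {rule} was added")
```

A non-zero count only shows that the recorder still saw the address; matching those timestamps against failed-login events is what indicates the connection actually reached the logon service.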