Firewall accepting dodgy incoming connections
24-06-2020 8:28 PM
Noted the following firewall events in my log:
04:47:05, 10 Jun. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.65]:4006 <--> [143.159.XXX.XX]:57616 - - - [193.27.228.161]:55235 CLOSED/SYN_SENT ppp3 NAPT)
04:45:04, 10 Jun. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.65]:4006 <--> [143.159.XXX.XX]:57616 - - - [193.27.228.161]:55235 CLOSED/SYN_SENT ppp3 NAPT)
14:28:45, 08 Jun. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.65]:4006 <--> [143.159.XXX.XX]:55299 - - - [185.176.27.178]:40210 CLOSED/SYN_SENT ppp3 NAPT)
14:26:45, 08 Jun. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.65]:4006 <--> [143.159.XXX.XX]:55299 - - - [185.176.27.178]:40210 CLOSED/SYN_SENT ppp3 NAPT)
It appears that the firewall is allowing an incoming connection and setting up port forwarding between port 4006 on my PC and port 40210/55235 on a device with IP 185.176.27.178/193.27.228.161. I checked both the destination IPs and both are registered to some obscure address based in Russia!! (see below) - Should I be worried? Is there a way to block incoming connections from specific IPs? How do I find out what service is running on my PC that is responding to the connection request? Tried using netstat and looking for PID but that only seems to work while the connection is live, which is tricky to catch because the connections are at random times and very short duration. Have done malware scans and checked there are no port forwarding rules active. Any advice welcomed.
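Added example, not part of the original thread: a parser for the router log format quoted in the post above, which pairs each "Connection opened" with its "Connection closed" and groups remote addresses by the forwarded LAN host and port they reached. The field names and the year are assumptions (the log omits the year; 2020 is taken from the post date).

```python
import re
from collections import defaultdict
from datetime import datetime

# The four log lines quoted in the post above (WAN address already redacted there).
SAMPLE = """\
04:47:05, 10 Jun. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.65]:4006 <--> [143.159.XXX.XX]:57616 - - - [193.27.228.161]:55235 CLOSED/SYN_SENT ppp3 NAPT)
04:45:04, 10 Jun. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.65]:4006 <--> [143.159.XXX.XX]:57616 - - - [193.27.228.161]:55235 CLOSED/SYN_SENT ppp3 NAPT)
14:28:45, 08 Jun. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.65]:4006 <--> [143.159.XXX.XX]:55299 - - - [185.176.27.178]:40210 CLOSED/SYN_SENT ppp3 NAPT)
14:26:45, 08 Jun. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP [192.168.1.65]:4006 <--> [143.159.XXX.XX]:55299 - - - [185.176.27.178]:40210 CLOSED/SYN_SENT ppp3 NAPT)
"""

# Group names (lan_ip, wan_port, remote_ip, ...) are labels chosen for this example.
LINE_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d), (?P<date>\d\d \w{3})\. (?P<dir>IN|OUT): (?P<verdict>\w+) \[\d+\] "
    r"Connection (?P<event>opened|closed) \(Port Forwarding: (?P<proto>\w+) "
    r"\[(?P<lan_ip>[^\]]+)\]:(?P<lan_port>\d+) <--> \[(?P<wan_ip>[^\]]+)\]:(?P<wan_port>\d+) "
    r"- - - \[(?P<remote_ip>[^\]]+)\]:(?P<remote_port>\d+) (?P<state>\S+)")

def parse(text, year=2020):
    """Return one dict per recognised line; the log has no year, so it is passed in."""
    events = [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]
    for e in events:
        e["when"] = datetime.strptime(f"{e['time']} {e['date']} {year}", "%H:%M:%S %d %b %Y")
    return events

def pair_flows(events):
    """Match each 'opened' event with the later 'closed' event for the same flow."""
    pending, flows = {}, []
    for e in sorted(events, key=lambda e: e["when"]):
        key = (e["proto"], e["lan_ip"], e["lan_port"], e["wan_port"], e["remote_ip"], e["remote_port"])
        if e["event"] == "opened":
            pending[key] = e
        elif key in pending:
            start = pending.pop(key)
            flows.append({**start, "seconds": int((e["when"] - start["when"]).total_seconds())})
    return flows

def targets(flows):
    """Group remote addresses by the forwarded LAN host and port they reached."""
    grouped = defaultdict(set)
    for f in flows:
        grouped[(f["lan_ip"], int(f["lan_port"]))].add(f["remote_ip"])
    return dict(grouped)

if __name__ == "__main__":
    for f in pair_flows(parse(SAMPLE)):
        print(f["when"], f["remote_ip"], "->", f["lan_ip"], f["lan_port"], f["state"], f["seconds"], "s")
    print(targets(pair_flows(parse(SAMPLE))))
```

Run over a full saved log, the grouped output shows at a glance which internal host and port every forwarded flow lands on, which is the port to look for a listener on.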
Re: Firewall accepting dodgy incoming connections
25-06-2020 11:03 AM
Could it be that something on your computer has initiated it and uPNP has added the forwarding?
Re: Firewall accepting dodgy incoming connections
26-06-2020 8:00 AM - edited 26-06-2020 8:03 AM
@pjmarsh Thanks for the reply and yes I am beginning to think that is what is happening. Tried looking through Event viewer at all tcpip entries around the date stamp shown in the firewall log but nothing is showing at all. I need to find a way to log the connection details so I can see what is initiating the connection on my PC. Is there a way to set up a log of all uPNP connections? If I could continually log uPNP connects then I might catch an instance of the dodgy connection and hopefully I'll have a fighting chance of finding out what is initiating it. Anyone know how I go about this?
EDIT - Also what I don't get is why, if the connection is being initiated from my PC, is it classed as an 'IN' connection on the firewall log and not an 'OUT'?
Re: Firewall accepting dodgy incoming connections
26-06-2020 10:10 AM - edited 26-06-2020 10:13 AM
To start with, if you haven't already, I'd be setting up a Windows firewall rule to block that IP (range) in both directions and then check the Windows firewall log at regular intervals. Do you need UPnP on? If not, I'd turn that off (assuming you can - I don't use the Plusnet router). Once all that's done, I'd then be running a Malwarebytes check, plus another AV product to scan the entire system.
Re: Firewall accepting dodgy incoming connections
26-06-2020 8:35 PM
@grahamn Will have a look at blocking IP through Windows firewall - I hadn't thought of that so thanks. That should provide some protection but I have read that if this is a determined attacker they will just spoof their IP but it feels like it's definitely worth a try. I did think about turning off uPNP but wasn't sure if I needed it on or not. I guess the simple answer is if I don't know then I probably don't! Gonna turn that off too and see what happens. 😲 Thanks again for the reply!