local network port scanning

Postby nw1456 » Dec 23rd, '12, 15:07

Hi,
My daughter has a laptop running Windows 7. Every time she comes home from Uni I start getting Port scanning warnings from the firewall, from her local ip address.
If I process the "attack" and blacklist that ip, that stops it. Problem is that it keeps recurring after a reboot.

Question: Is there a way to permanently block that ip?

Question: Why the bloody hell does this Win7 machine keep scanning ports on other machines on the network?
nw1456
 
Posts: 22
Joined: Jan 11th, '12, 13:02
Location: UK

Re: local network port scanning

Postby oj » Dec 23rd, '12, 17:38

Is the IP multicast perchance? (240.0.0.x or thereabouts?) If so, that's windows network resource discovery at work. The machines basically play "Marco-Polo" on the network, asking for any reply within a certain IP range where things like windows media center servers live.

The best thing to do is disable that discovery on the windows machine. It's not easy using the windows advanced firewall control. (too many details) Try a third party 'firewall' like zone alarm, which makes things more comprehensible.

If it's an IP in the range of the LAN, it's still probably some kind of service discovery. (eg printers) Check what port(s) it's calling on, to identify the service, then disable it on the windows machine.

The tool for this is wireshark. Install/run it (as root) and capture a minute or two of traffic, then look through for the IP/port combination (aka "socket") from the offending machine.
oj
 
Posts: 232
Joined: Aug 23rd, '12, 00:22
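
The check described in the post above (find which ports the offending machine is calling on, then identify the service) can be done over an exported capture. This is an added example, not part of any poster's message; the addresses, the sample rows, the export format and the `scan_threshold` cut-off are all assumptions made for illustration.

```python
from collections import Counter

# UDP ports used by common LAN service-discovery protocols.
DISCOVERY_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    1900: "SSDP (UPnP discovery)",
    3702: "WS-Discovery",
    5353: "mDNS",
    5355: "LLMNR",
}

# Constructed sample: tab-separated src, dst, UDP dst port, TCP dst port, e.g. from
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e udp.dstport -e tcp.dstport
SAMPLE = (
    "192.168.1.23\t239.255.255.250\t1900\t\n"
    "192.168.1.23\t239.255.255.250\t1900\t\n"
    "192.168.1.23\t224.0.0.252\t5355\t\n"
    "192.168.1.23\t192.168.1.255\t137\t\n"
    "192.168.1.23\t239.255.255.250\t3702\t\n"
    "192.168.1.10\t192.168.1.1\t53\t\n"
    "192.168.1.23\t192.168.1.10\t\t445\n"
)

def ports_contacted(text, suspect):
    """Count (protocol, destination port) pairs for packets sent by `suspect`."""
    seen = Counter()
    for line in text.splitlines():
        src, _dst, udp, tcp = (line.split("\t") + ["", "", ""])[:4]
        if src != suspect:
            continue
        if udp.isdigit():
            seen[("udp", int(udp))] += 1
        elif tcp.isdigit():
            seen[("tcp", int(tcp))] += 1
    return seen

def classify(seen, scan_threshold=10):
    """Split ports into named discovery services and everything else."""
    known = {k: DISCOVERY_PORTS[k[1]] for k in seen
             if k[0] == "udp" and k[1] in DISCOVERY_PORTS}
    other = sorted(k for k in seen if k not in known)
    # scan_threshold is an assumed cut-off: many distinct non-discovery ports
    # from one host is what a real sweep looks like.
    verdict = "possible port scan" if len(other) >= scan_threshold else "not a sweep"
    return known, other, verdict

if __name__ == "__main__":
    print(classify(ports_contacted(SAMPLE, "192.168.1.23")))
```

A handful of named discovery ports plus one or two others points at service discovery to disable on the laptop; a long list of unrelated ports is the pattern worth investigating further.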

Re: local network port scanning

Postby nw1456 » Dec 23rd, '12, 18:13

ok, thanks for that. Have installed Wireshark and running it now. The offending laptop is off at the moment, but I'll grab it when it comes back on line, then I'll try and turn the service off. I don't do Windows so I'll give it a googling.

Cheers
nw1456
 
Posts: 22
Joined: Jan 11th, '12, 13:02
Location: UK

Re: local network port scanning

Postby djennings » Dec 24th, '12, 01:22

The easy solution is just to turn off port scan detection in Mageia so you do not see the alarms.
In MageiaControlCentre>Security>Firewall after clicking OK you are invited to disable Port scanning or the interactive notifications.
djennings
 
Posts: 613
Joined: Jun 2nd, '11, 23:51
Location: Wokingham, UK

Re: local network port scanning

Postby nw1456 » Dec 24th, '12, 02:02

Ah! I did look in the firewall configuration but couldn't see any way to alter settings. I'm assuming if I turn off the interactive part it will work as normal and just not bother me with warnings. Yes?
nw1456
 
Posts: 22
Joined: Jan 11th, '12, 13:02
Location: UK

Re: local network port scanning

Postby djennings » Dec 24th, '12, 02:48

nw1456 wrote: Ah! I did look in the firewall configuration but couldn't see any way to alter settings. I'm assuming if I turn off the interactive part it will work as normal and just not bother me with warnings. Yes?


Yep.
You could even turn off the firewall altogether. The firewall in your router will do a perfectly good job of protecting you. This is not like Windows. So long as you are not running a telnet or ssh server remote attackers are not going to get in.
djennings
 
Posts: 613
Joined: Jun 2nd, '11, 23:51
Location: Wokingham, UK

Re: local network port scanning

Postby mailedfist » Jan 14th, '13, 23:10

I would have said that too, except that I am now seeing about 10 scans a day reported coming from the other side of the router provided by a well-known cable ISP!
Mandrake->Mandriva->Mageia starting in 2003. I really dislike another well-known distro starting with U.
mailedfist
 
Posts: 102
Joined: Sep 11th, '11, 21:28

