Who's There? Firewall Advisor
User's Guide

Investigating Accesses

This chapter assumes that you have read Basic Concepts, and are familiar with the features and controls of Who's There, as covered in Main Window, Who's There? Dialog and Other Windows. For more information on investigating access attempts, see Chapter 13 in Internet Security for Your Macintosh and iPhone.

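Access attempts to services on your machine may be random events, due to human error or other causes. Such events usually exhibit no pattern, although they may if the error is part of an automated process such as a Web crawler. Malicious activity, however, often exhibits a pattern. The most common are many denied access attempts from one accessor, and many denied access attempts to a service within a small timeframe.

Two other situations that deserve attention are any access attempt to any high-risk service, and allowed access attempts for services that should not be allowed.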

Note that if you run a server on the firewall machine and log allowed accesses, your log file may contain a very large number of lines for accesses to that server, making the log file so large that it's difficult for Who's There? to manage. It is generally recommended that you not log allowed access attempts to heavily accessed server processes through your firewall, since logging could slow down performance and obscure denied access attempts. Generally the server itself will have a built-in logging facility that should be used instead. You should still log allowed access attempts to all other services on the server machine, assuming your firewall supports service-by-service logging options (which the DoorStop X Firewall does).

NOTE: An IP address you investigate may or may not be the origin of a given attack. A common ploy used by hackers is to launch their attacks from other people's machines. Since this is done without the owner's knowledge, a user you investigate may rightly claim to have no knowledge of the attack. If this occurs, you may wish to suggest to them that their machine may be infected with a virus or may otherwise have been taken over by a third party.

 

Many denied access attempts from one accessor

Many denied access attempts from one IP address may indicate a user trying various services, either at random or with a port scan (trying one port number after another, in sequence). Such activity is very suspicious. To spot it, use "Summary by IP address" and sort by accesses denied, descending. Look for IP addresses at the top of the list showing significantly more denied access attempts than other addresses near the top. If there is such an IP address, select it and check the lower pane of the window to see how many services were accessed. Access to many services, especially in sequence, is suspicious. You can also investigate details of accesses from that IP address using the Access History window's filter field. If you choose to contact the administrator of the accessor's IP address, select the IP address, click the "Draft email" button and then the "Email via..." button.

 

Many denied access attempts to a service within a small timeframe

This scenario may indicate an attempted security attack on your machine, even if the access attempts are from different IP addresses. To identify this situation, use Summary by Service and sort by accesses denied, descending. Look for services at the top of the list showing significantly more denied access attempts than other services near the top. If there is such a service, select it and check the lower pane of the window to see how many IP addresses accessed it. If there is an IP address that attempted many accesses to the service, this is especially suspicious. If many of the accesses are from different IP addresses, but most recently occurred at around the same time, this also is suspicious. You can also investigate details of accesses to that service (and associated port number) using the Access History window's filter field. If you choose to contact the administrator of the accessors' IP addresses, select one of the IP addresses, click the "Draft email" button and then the "Email via..." button.
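The two patterns described above (one IP address with many denied attempts across sequential services, and one service denied to several IP addresses at around the same time) can also be checked directly against firewall log records. The following Python code is an added example, not part of Who's There?; the record layout, sample entries, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (time, source IP, destination port, action); not a real log format.
LOG = [
    ("10:00:01", "203.0.113.7", 21, "deny"), ("10:00:02", "203.0.113.7", 22, "deny"),
    ("10:00:03", "203.0.113.7", 23, "deny"), ("10:00:04", "203.0.113.7", 25, "deny"),
    ("10:05:00", "198.51.100.4", 548, "deny"), ("10:05:20", "198.51.100.9", 548, "deny"),
    ("10:05:45", "192.0.2.33", 548, "deny"), ("13:30:00", "192.0.2.80", 80, "deny"),
    ("16:45:00", "192.0.2.80", 80, "allow"),
]

def longest_run(ports):
    """Length of the longest run of consecutive port numbers in a collection."""
    best = run = 0
    prev = None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best, prev = max(best, run), p
    return best

def summary_by_ip(log):
    """Rows of (ip, denied, distinct services, longest port run), most denied first."""
    ports = defaultdict(list)
    for _, ip, port, action in log:
        if action == "deny":
            ports[ip].append(port)
    rows = [(ip, len(p), len(set(p)), longest_run(p)) for ip, p in ports.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def service_bursts(log, window=timedelta(minutes=1), min_ips=3):
    """Ports denied to at least min_ips distinct sources within one time window."""
    hits = defaultdict(list)
    for ts, ip, port, action in log:
        if action == "deny":
            hits[port].append((datetime.strptime(ts, "%H:%M:%S"), ip))
    flagged = {}
    for port, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged[port] = max(flagged.get(port, 0), len(ips))
    return flagged

if __name__ == "__main__":
    for row in summary_by_ip(LOG):
        print("ip=%s denied=%d services=%d longest_port_run=%d" % row)
    print("bursts (port -> distinct IPs):", service_bursts(LOG))
```

A long port run for a single address corresponds to the sequential port scan described under "Many denied access attempts from one accessor"; a flagged port corresponds to the multi-address case in this section.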

 

Any access attempt to any high-risk service

Access attempts to any high-risk service should be regarded with some suspicion, unless you are intentionally running such a service on your machine, such as Personal Web Sharing or Personal File Sharing. Even if you are, a significant number of denied accesses from unknown IP addresses should be examined. Choose Summary by Service and sort by Risk, descending. Look for high-risk services with large numbers of denied accesses. If there is such a service, select it and check the lower pane of the window for an IP address with a large number of denied accesses. If you choose to contact the administrator of the accessor's IP address, select the IP address, click the "Draft email" button and then the "Email via..." button.

 

Allowed access attempts for services that should not be allowed

When you use your firewall to deny access to a service, you may want to deny access from all IP addresses, or just from certain IP addresses. Who's There? provides a way to see if, for specific services, accesses have been allowed from unwanted IP addresses.

Choose Summary by Service and sort by Accesses Allowed, descending. Look for services with accesses allowed, to which you wish to allow no access. If there is such a service, you need to configure your firewall to deny access to that service. If you are using the DoorStop X Firewall 1.1 or later, you can change DoorStop's protection for that service by simply clicking the Change button in the Service Info pane of the Who's There? dialog. Also look for services with accesses allowed, to which you want to limit access (allow from certain IP addresses, deny from others). If there is such a service, select it and check the lower pane of the window to confirm that no unwanted IP addresses have actually been able to access the service. If access has been made from an unwanted IP address, you need to configure your firewall to deny access to that address.
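The same review of allowed accesses can be expressed as a comparison between the log and the access policy you intended. The following Python code is an added example, not part of Who's There? or DoorStop X; the policy table, sample records and function name are hypothetical.

```python
import ipaddress

# Intended policy (constructed, hypothetical): port -> networks allowed to connect.
# An empty list means the service should be denied to everyone.
POLICY = {
    548: [],                 # file sharing: no access wanted
    22: ["192.0.2.0/24"],    # remote login: only one trusted network
    80: ["0.0.0.0/0"],       # web server: open to all
}

# Constructed "allowed" log records: (source IP, destination port).
ALLOWED = [
    ("192.0.2.15", 22), ("203.0.113.50", 22), ("198.51.100.8", 548),
    ("203.0.113.50", 80), ("198.51.100.8", 5900),
]

def audit_allowed(allowed, policy):
    """Return (ip, port, reason) for each allowed access the policy did not intend."""
    findings = []
    for ip, port in allowed:
        if port not in policy:
            # Allowed traffic to a service you never decided on deserves a look.
            findings.append((ip, port, "service has no policy entry"))
            continue
        nets = [ipaddress.ip_network(n) for n in policy[port]]
        if not nets:
            findings.append((ip, port, "service should be denied to all"))
        elif not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append((ip, port, "source outside permitted networks"))
    return findings

if __name__ == "__main__":
    for ip, port, reason in audit_allowed(ALLOWED, POLICY):
        print(f"{ip} -> port {port}: {reason}")
```

Each finding corresponds to a firewall rule to tighten: deny the service entirely, or deny the listed address.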

Note that the built-in firewall with OS X 10.4 does not log allowed accesses, making this important analysis impossible.

