Helping people with computers... one answer at a time.

Firewall software can help protect against remote intrusion attempts, as well as outgoing attempts. 192.168 addresses give a clue as to the source.

I have a software firewall on trial. One penetration attempt the program consistently blocks is from IP 192.168.0.105. This attempt is incessant and for the moment I've turned off the reports. However, if it's a legitimate probe, I need to let it through. Our router IP is 192.168.0.101, so that's close to the "culprit". So, how do I determine whence cometh the IP address the firewall doesn't like?

One of the common annoyances with software firewalls is exactly this: that you may get repeated notification of access attempts, with no real sense of where they're really coming from, and whether or not they're legitimate.

In this case, I can't really say whether it's legitimate.

But I can say that the IP address is closer than you think.

The IP address range 192.168.x.x is never seen on the internet. By definition that range and a couple of others are reserved specifically for local area networks.

Your router's internet-facing connection has a real internet address. But the inward-facing connection on which your computer and perhaps others are connected will have an IP address like you've seen: 192.168.0.101 is one common default configuration for routers.

The router also assigns the IP addresses for the machines on your local network from that same range. It then also takes care of translating between the "real" internet IP address and the local network IP addresses as data flows to and from the internet.

"The IP address range 192.168.x.x is never seen on the internet. By definition that range ... [is] reserved specifically for local area networks."

What that implies is that 192.168.0.105 is a machine on your local network.

So the next step is pretty easy: check the IP addresses assigned to the machines on your network and you'll quickly find out which machine is the culprit. My favorite way to get the IP address is to open a Windows Command Shell and type in "ipconfig" followed by Enter; you should get something much like this:

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Here you can see my router is assigning from the "192.168.1.*" range, but it's the "192.168" part that shows that I'm behind a router performing this network address translation or "NAT".

Now, there's a interesting scenario you might run into and that's this: you might find that the IP address is that of the very machine you have your firewall installed on. There are a couple of reasons that might be:

  • What you're seeing could be a warning relating to an outgoing connection attempt. Your machine is attempting to connect to some remote machine in a way that your firewall has been configured to block. Without knowing more about the connection attempt details it's almost impossible to say whether this is good or bad.

  • Sometimes software will attempt to "connect to itself" using the network - so even though my machine might be at IP 192.168.1.2, it's possible that software running on that machine might try to make an outbound connection to ... 192.168.1.2, which is, of course, itself. That's totally valid, but it might be seen as either an incoming or outgoing connection attempt that your firewall doesn't like.

Regardless of the reasons, and be it from your own machine or another machine on your local network, understanding the alert is the first step. Hopefully the firewall will include additional information like the "port" the attempt is being made on, which will often tell you what it's trying to do. For outgoing alerts, the firewall should also be able to tell you what software or service on your machine is requesting the connection. If the firewall's not giving you that information in the alert, then check any logs that the firewall might be creating.

Using that information you can make a call as to whether or not the alert is legitimate. If it's not, if it's just an annoyance, then it's time to reconfigure the software firewall to stop bugging you about it.

And if it's not legitimate, then of course, you'll want to address the underlying cause.

Article C3329 - March 23, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

7 Comments
vincent
March 24, 2008 2:02 AM

If you have a wireless connection it's possible that someone else has hacked into your network and is trying to break into your computer.
I thought I should mention it because it happened to me once...

Rahul
March 24, 2008 6:58 AM

One more point - It could be a hacker connected to your LAN through your router's WiFi connection. Is your router's wifi security enabled? Is it WEP - which is easily broken? If your LAN does not have a PC with IP .105, this could be the case.

Quickly enable WPA security on your router. If that is not possible, change your router to one that gives this level of security. Another protection is to enable MAC filtering on your router to allow only those devices whose MAC is known to you and you have configured it on your router.

If you are not using WiFi, just disable radio on your router.

vincent
March 24, 2008 11:02 AM

Uhm, Rahul, that is what I meant with my first post ;-)
I probably wasn't clear enough, sorry.
Anyway, forget mac filtering too, it isn't secure either, trust me...

Doug Hagan
March 28, 2008 7:13 PM

Actually, since I was the author of the query to Leo about this issue, I thought it might be helpful to announce that Leo is (as is almost always the case) dead on in his remote analysis. The IP address at issue does, in fact, belong to a member of our LAN; namely. our Dandy Dell Laptop. However, I for one, at least, appreciate the additional comments provided above in re WIFi et al!

Rahul
March 31, 2008 2:03 PM

If someone is using your wifi connection, he/she will be on your LAN with appropriate IP fro myour LAN's DHCP. An exterme measure I would like to mention would be to close down DHCP and take complete charge of assigning fixed IP to equipment on LAN. However this gets to complicated for anything but a trivially small LAN - e.g. home network would be ideal candidate. I use this for my home network along with other safeguards. Only issue I have faced till now is to add a friend's laptop when he/she visits but that is trivial. I assign another IP when I permit the MAC on the network. Oh and one more thing, if a friend does not want me to mess with his/her computer for IP assignment, no connection for that PC.

DONNA
December 2, 2008 9:45 AM

OK HERE GOES I HEARD ALOT OF DONGING GOING ON IN THE LIVING ROOM AND CAME INTO MY COMP. ROOM TO SEE YAHOO PAGE BEING ACCESSED REPEATEDLY AND THE HTTP AREA WAS SAYING VIEWATDMT.COM IFR/VIEW/ AND AN EIGHT DIGIT NUMBER/DIRECT.
WAS THIS SOMEONE TRYING TO ACCESS MY COMP.?
I KNOW SOMEONE WHO IS A ROCKET SCIENTEST WHO IS OBSESSED WITH ME AND KNOWS MY BACK DOOR INFO.WHEN HE TRIED TO FIX MY COMP. ONCE. CAN HE BE WATCHING MY EVERY MOVE I MAKE ON MY COMP.? HE IS CREEP TOO

All sorts of things are possible. Sounds like you need to get your computer checked out by someone knowledgable that you trust.
- Leo
03-Dec-2008

Ray
June 15, 2012 11:37 AM

Thanks a lot for the advice, i really had to laugh when you explained this.I could not believe it was own machine.I now have reconfigured my firewall to ignore this rule.
"Eset smart security was the real culprit though"

Thank you so much for the help, it saved me a lot of worries.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.