HideMyAss VPN

Friday, May 17, 2013

How to setup Comodo Firewall - IP Binding through MAC address

These rules will work with or without a router. This is a good way to make sure any application(s) you choose will only run through your VPN connection.

This will configure Comodo Firewall to allow specific applications to access the internet only when HMA VPN is active.

With Comodo Firewall (100% free version), you can set a network zone based on an adapter's MAC, make a pre-defined rule for that zone, and apply that rule to certain applications.

A. Create a network zone, Get the MAC for the TAP-Win adapter
1. (XP) Start / Run and type CMD, press enter.
(Win7) Start and type CMD, press enter.
2. You should see a black box called a DOS box with a blinking cursor.
3. Type IPCONFIG /ALL
4. Look in the mess of junk for the section that says TAP-Win32.
5. You need the part that says Physical Address . . . . . . 00-??-??-??-??-??
6. Leave this window open for now.
 
Alternative way to find out the TAP adapter's MAC address:

Go to -> Control Panel\Network and Internet\Network Connections
1) Right Click the Tap-win adapter
2) Click Status
3) Click Details
The MAC address is the physical address, which you can't select on its own, so you can either just write it down or
4) Ctrl+C to copy and paste the entire window into Notepad


B. Create network zone, Add in Comodo
1. In Comodo, go to Firewall / Advanced / Network Security Policy / My Network Zones
2. Add / New Network Zone
3. Name it HMA MAC (press apply)
4. Select HMA MAC
5. Add / New Address
6. Choose "A MAC Address" and enter the Physical Address from earlier.
7. You should see your new Zone with the New rule.
8. Press OK.

C. Make a Pre-Defined Rule
1. Open Firewall / Advanced / Predefined Firewall Policies
2. Click ADD
3. Enter a Name, HMA Only
4. Add...
Action: Allow
Protocol: IP
Direction: In
Source Address: Any
Destination Address: Zone / HMA MAC
Apply

5. Add...
Action: Allow
Protocol: IP
Direction: Out
Source Address: Zone / HMA MAC
Destination Address: Any
Apply

6. Add...
Action: Block
Protocol: IP
Direction: In/Out
Source Address: Any
Destination Address: Any
Apply
Apply
Apply

7. You should now have 2 green rules and then a Red one.


D: Apply rule to Applications
1. Open Firewall / Advanced / Network Security Policy / Application Rules
2. Choose the application that should only work with HMA active, or add a new one.
3. It will open to "Application Network Access Control"
4. Here choose the Predefined Policy "HMA Only"
5. If there are other rules already, they will be removed. To keep any existing settings, you'll have to improvise here.
6. Apply
7. OK.

Do this to all apps that should only access through the HMA VPN Connection

E. Testing...
1. In the above example, I made a rule for Google Chrome.
2. Disconnect from HMA
3. Open Chrome - it is unable to load the home page.
4. Enable HMA
5. Refresh Chrome - it works

I added a few more applications.
Open Firewall / Advanced / Network Security Policy / Application Rules. Make sure your applications refer to "HMA Only" and you're covered.
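
Why the three "HMA Only" rules from step C behave as a kill switch, and why their order matters, shown as a small model (an added example, not part of the original tutorial and not Comodo's own code). The MAC addresses are constructed, and top-down first-match evaluation is the assumed rule model.

```python
from dataclasses import dataclass

# Constructed MAC addresses for illustration; the real TAP-Win32 value is the
# "Physical Address" read from ipconfig /all in step A.
TAP_MAC = "00-FF-AA-BB-CC-DD"   # VPN (TAP) adapter, member of zone "HMA MAC"
NIC_MAC = "3C-97-0E-11-22-33"   # physical network card, not in any zone
PEER_MAC = "00-11-22-33-44-55"  # whatever sits on the other end of the link

ZONES = {"HMA MAC": {TAP_MAC}}


@dataclass(frozen=True)
class Rule:
    action: str       # "Allow" or "Block"
    direction: str    # "In", "Out" or "In/Out"
    source: str       # "Any" or a zone name
    destination: str  # "Any" or a zone name


# The predefined policy from step C, in the order it is entered there.
HMA_ONLY = [
    Rule("Allow", "In", "Any", "HMA MAC"),
    Rule("Allow", "Out", "HMA MAC", "Any"),
    Rule("Block", "In/Out", "Any", "Any"),
]


def address_matches(spec, mac):
    """'Any' matches everything; a zone matches only the MACs it contains."""
    return spec == "Any" or mac in ZONES.get(spec, set())


def evaluate(policy, direction, src_mac, dst_mac):
    """Return the action of the first rule that matches (assumed top-down model)."""
    for rule in policy:
        if rule.direction not in (direction, "In/Out"):
            continue
        if address_matches(rule.source, src_mac) and address_matches(rule.destination, dst_mac):
            return rule.action
    return "Block"  # assumption: traffic that matches no rule is treated as blocked


def app_is_online(policy, adapter_mac):
    """An application works only if its request and the reply are both allowed."""
    request = evaluate(policy, "Out", adapter_mac, PEER_MAC)
    reply = evaluate(policy, "In", PEER_MAC, adapter_mac)
    return request == "Allow" and reply == "Allow"


if __name__ == "__main__":
    print("VPN up, traffic leaves via TAP adapter :", app_is_online(HMA_ONLY, TAP_MAC))
    print("VPN down, traffic leaves via real NIC  :", app_is_online(HMA_ONLY, NIC_MAC))
    # Same three rules with the Block rule moved to the top: nothing gets through.
    misordered = [HMA_ONLY[2], HMA_ONLY[0], HMA_ONLY[1]]
    print("Block rule first, VPN up               :", app_is_online(misordered, TAP_MAC))
```

If the TAP adapter is reinstalled and gets a new MAC, the zone no longer matches and the application stays blocked until the zone is updated.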


Here's the download link for Comodo Firewall Free Edition:
http://www.comodo.com/home/download/down...d=firewall /
http://downloads.comodo.com/cis/download...taller.exe
(32/64bit installer)

How to Secure Firefox (with a lot of links to tools and add-ons)

I'd like for people to come together and compare the different addons that we have for Firefox which make internet surfing a better and safer experience.

  1. Start Firefox in Privacy mode (http://bit.ly/9c9bzl)
  2. Make the homepage an IP checker (http://www.ip-adress.com/) or try an addon that warns you of an IP change (http://bit.ly/cjaELd)
  3. The problem with Privacy mode is that links/bookmarks will not be saved, so you can use a syncing tool - http://bit.ly/cMipZn OR http://bit.ly/dqkRo0
  4. Use NoScript - http://bit.ly/ccbv0n

This addon makes you select whether scripts should be allowed on the pages you visit - also a good way to look at which sites have what scripts.
  • Use AdBlock Plus - http://bit.ly/xRJb8 A great program that blocks ads, thus also blocking a good amount of malware (by not letting you click on the links)
  • Better Privacy - http://bit.ly/aYdQmH Deletes LSOs; not sure that privacy mode allows these to save permanently.
  • Force-TLS - http://bit.ly/dcWqH4 Basically makes the browser (if there's a choice) use an HTTPS connection to a site.
Great tool for passwords, if you remember the password, then it's not secure enough. Invest 12$ for a year that will give you access to some great second layer verification. Then you can also access all your passwords from phones, etc. It also allows you to save forms - thus you can save your credit card details, etc. You are taking a chance of storing such data in one place, so the 12$ investment is a good idea.
  • Ghostery - http://bit.ly/9Y5jaW Blocks information flow to ad agencies about your habits (use with NoScript)

Use of Facebook (remember to configure your privacy settings):
There has been some disturbing news about Facebook using your surfing habits for targeted ads (while you're logged on).
Because of this, there are a few addons towards Facebook:

The addons for Facebook are old; use the Adblock addons in conjunction with ExExceptions to clear up your experience in FB.
  1. AntiSocial - DEAD
  2. No FB Tracking - OLD
  3. remove all facebook ads - OLD

For some people this doesn't work (old addon) , but it works for me.

Final Step:
Always use Firefox (or any Internet Browser) within a Sandbox (http://bit.ly/Ro4z)
It takes a bit of time to get used to the Sandboxie usage (especially once you have to remember that updates have to be done outside the sandbox) but it can save you from a very good amount of viruses/trojans and other nasty things.

Also, there's a tool called VPNcheck - http://bit.ly/d8VK0x
The program will kill any program of your choice (Firefox/uTorrent etc) if you get a drop in the VPN connection. Though it might become obsolete once the IP Bind program within the VPN goes Alpha.

Similarly, you can check out the great article on restricting your Internet connection with a COMODO firewall through the VPN IP ranges - http://bit.ly/b3EC07

These are some of the addons that I use with my Firefox. I'd love to learn about other people's internet browser configuration. Also, I'd love to hear how people use other browsers (Chrome/Opera), as Firefox is a bit clunky, but I haven't seen good enough security with the other browsers.


UA is an interesting thing, you can go through forums and see the members-only links by masking yourself as a googlebot (use the Switcher for that) otherwise use UAControl and set the default to block.
  • RefControl - http://bit.ly/hmL3AW Similar to UAControl, set it to block and add the exceptions for sites that don't work - wordpress, etc.



  • ExExceptions - http://bit.ly/oXQzlN Last defense against ads/popups. This will block them, similar to editing your hosts file.




In the end, you ought to use a couple checking sites:
http://ip-check.info/?lang=en and IP-score.com are good ones.

Stay safe.

Oh, and remember to use CCleaner with secure deletion from time to time.

How to let websites and IPs bypass the VPN using static routing

There are several reasons for letting certain IPs or websites bypass the VPN connection, so they are used with your real IP and connection instead.
For example:
  • if a certain website is blocking access to foreign IPs, so you can only access it with your real IP
  • if websites and services forbid the use of VPN, so your account won't get restricted or suspended
  • if you cannot access a local machine in your network while the VPN is connected (e.g. server, other computer or network device of any kind)

Windows

If you don't want to do it the manual way via route.exe in command line, or using the HMA unRouting utility below, you might want to check out this GUI for route.exe

Manual setup via route.exe

On Windows, to create static routing rules that let IPs bypass the VPN, you need to use the integrated Windows tool "route.exe".
You can find it in the folder C:\Windows\System32 - but it's executable from any place.
To use it, open a command prompt. Run "cmd.exe" or navigate to "All Programs/Accessories/Command Prompt" in the start menu.
Run "route" to get the instructions for how to use this tool. How to use it for our purpose (IPs bypassing the VPN) is quickly explained:
  • First you need to find your gateway IP address. This is usually the IP of your router/DSL modem, i.e. the device your computer gets its internet connection from.
    If you're not sure which IP that is, please run "route print". In the mid-section of the output, you should see something like this:

  • You'll see that certain IPs are using a gateway address that belongs to your local network. In this case, 192.168.88.2 is our gateway IP address, the IP of the router.
  • Keep that gateway IP address in mind. Now we need to get the IP of the website you want to bypass the VPN. For testing, we can use http://ipaddress.com
  • As you might know, this website shows your current IP and location. When disconnected from the VPN, go there and you'll see your real IP and location.
  • To get the IP of that website, you can simply ping it by running "ping ipadress.com". It returns the IP address, which is: 80.237.246.185
    Alternatively use websites like http://www.hcidata.info/host2ip.htm for this purpose
  • Now we create a routing rule for this website, by running "route add 80.237.246.185 192.168.88.2" (syntax: route add destinationIP gatewayIP)
  • When that is done, connect to the VPN and visit http://ipaddress.com again. You'll notice that it still shows your real IP and location, instead of the VPN IP and location.
    That means the routing rule is working and the website is bypassing the VPN.

Note: These rules are only temporary, which means they disappear upon the next reboot.
To make them permanent, use the switch "-p", so e.g. "route -p add 80.237.246.185 192.168.88.2"
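
Why the host route wins once the VPN is connected, and how to audit a routing table for destinations that leave outside the tunnel, as an added example that is not part of the original tutorial. The `route print` excerpt is constructed: 192.168.88.2 and 80.237.246.185 are the values used above, while the VPN gateway 10.200.1.1, the adapter addresses and the two VPN routes that each cover half the address space are assumptions.

```python
import ipaddress

# Constructed `route print` excerpt. 192.168.88.2 and 80.237.246.185 are the
# values used in this tutorial; the VPN gateway, the adapter addresses and the
# two VPN routes are assumptions made for the example.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.88.2    192.168.88.10     20
          0.0.0.0        128.0.0.0       10.200.1.1       10.200.1.6     30
        128.0.0.0        128.0.0.0       10.200.1.1       10.200.1.6     30
   80.237.246.185  255.255.255.255     192.168.88.2    192.168.88.10     21
     192.168.88.0    255.255.255.0          On-link    192.168.88.10    276
===========================================================================
"""
VPN_INTERFACE = "10.200.1.6"  # assumed address of the TAP adapter


def parse_route_print(text):
    """Extract the IPv4 rows (destination, mask, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, separators, persistent-route rows
        dest, mask, gateway, interface, metric = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}")
            metric = int(metric)
        except ValueError:
            continue  # not an IPv4 route row
        routes.append({"network": network, "gateway": gateway,
                       "interface": interface, "metric": metric})
    return routes


def select_route(routes, destination):
    """Pick the route the OS would use: longest prefix first, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def vpn_bypasses(routes, vpn_interface):
    """List routed destinations that leave through a non-VPN gateway.

    On-link (local subnet) rows are skipped. A route is reported only if it
    actually wins for its own network address, so the original default route
    is not reported while the VPN's more specific routes shadow it.
    """
    findings = []
    for r in routes:
        if r["interface"] == vpn_interface or r["gateway"].lower() == "on-link":
            continue
        if select_route(routes, str(r["network"].network_address)) is r:
            findings.append(r)
    return findings


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for ip in ("80.237.246.185", "80.237.246.186"):
        print(ip, "->", select_route(table, ip)["gateway"])
    for r in vpn_bypasses(table, VPN_INTERFACE):
        print("outside the tunnel:", r["network"], "via", r["gateway"])
```

Only the exact /32 address bypasses the VPN; a neighbouring address of the same site still goes through the tunnel, and any persistent ("-p") host route keeps exposing the real IP to that destination after a reboot.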

Quick way using HMA UNrouting Utility


This tool creates routing tables for you, which lets you exclude certain IPs or websites from being accessed through the VPN. That means when your VPN connection is active, the traffic between your computer and the IP will be transferred through your "normal" internet connection, with your real IP, ISP and location.

This especially makes sense when accessing services that do not allow the use of VPN, e.g. finance-related (PayPal, online banking) or advertising-related (visitor exchange programs, affiliate systems).


 

Mac OSX

Manual setup using route and netstat


The setup is pretty similar to the manual setup with route.exe in Windows, just the commands differ a little.

To get the current routing table, so you can see all existing rules and get your gateway IP, run: "netstat -r". The output should look like the one on the right ->

You can see that the gateway in this example is 192.168.132.2

OK, now let's create the routing rule.

In this example we also want to let ipaddress.com bypass the VPN,
so we need to get the IP of that website by pinging it. Run "ping ipaddress.com".
It returns the IP of that website, which is 80.237.246.185
Run "sudo route -nv add 80.237.246.185 192.168.132.2".
The syntax is "sudo route -nv add destinationIP gatewayIP".
The output should look like in the image on the right ->
Now, connect to the VPN and visit http://ipadress.com
You'll notice that it shows your real IP and location, instead of the VPN ones.
That means the routing rule is working and the IP/website is successfully bypassing the VPN.
 

Linux

How to create routing rules on Linux differs from distribution to distribution.
For an overview and a detailed explanation for each distribution, see this link:
http://www.cyberciti.biz/tips/configuring-static-routes-in-debian-or-red-hat-linux-systems.html
The command "ip route show" shows your current routing rules.
 

Android

To set up static routing rules on Android, your device needs to be rooted.
Then you can use any terminal emulator (e.g. this one https://play.google.com/store/apps/details?id=jackpal.androidterm) to get into the command prompt.
To get root privileges in the command prompt: su
To show the current routing rules: ip route
To set routing rules, you can use the same instructions as for Linux. See the link above
 

How to recover Windows passwords

This tutorial explains what to do if you have forgotten your Windows user password. Windows versions after XP can't be accessed through safe mode or otherwise. External applications are needed to reset/change the user password so it's possible to log in again.

Caution: This tutorial is for advanced users. If you completely don't understand it, get someone who does. Alternatively, you can try other tools for this purpose. For example PCLoginNow (http://www.pcloginnow.com/product.html) or Ophcrack (http://ophcrack.sourceforge.net/).
See this link for more password recovery tools
The following way has been successfully tested with Windows NT, 2000, XP, Vista, and Windows 7.

Related downloads:

The files inside the USB zip are exactly the same as on the CD. See below for instructions on how to make USB disk bootable.

How to make the CD

Unzipped, there should be an ISO image file (cd??????.iso). This can be burned to CD using whatever burner program you like; most support writing ISO images. Often double-clicking on it in Explorer will pop up the program offering to write the image to CD. Once written, the CD should only contain some files like "initrd.gz", "vmlinuz" and some others. If it contains the image file "cd??????.iso" you didn't burn the image but instead added the file to a CD. I cannot help with this, please consult your CD software manual or friends.
The CD will boot with most BIOSes, see your manual on how to set it to boot from CD. Some will auto-boot when a CD is in the drive, some others will show a boot-menu when you press ESC or F10/F12 when it probes the disks, some may need to have the boot order adjusted in setup.

How to make a bootable USB drive

  • Copy all the files that are inside the usbXXXXXX.zip or on the CD onto a USB drive, directly on the drive, not inside any directory/folder.
  • It is OK if there are other files on the USB drive from before, they will not be removed.
  • Install bootloader on the USB drive, from command prompt in windows (start the command line with "run as administrator" if possible)
    • X:syslinux.exe -ma X:
  • Replace X: with the drive letter the USB drive shows up as (DO NOT USE C:)
  • If it seems like nothing happened, it is usually done.
  • However, a file named ldlinux.sys may appear on the USB drive, that is normal.
  • It should now in theory be bootable.
  • Please know that getting some computers to boot from USB is worse than from CD; you may have to change settings, and some simply will not work at all.

How to make the floppy

The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block.
  • Unzip the bd zip file to a folder of your choice.
  • There should be 3 files: bdxxxxxx.bin (the floppy image), rawrite2.exe (the image writing program), and install.bat, which uses rawrite2 to write the .bin file to floppy.
  • Insert a floppy in drive A: NOTE: It will lose all previous data!
  • Run (doubleclick) install.bat and follow the on-screen instructions.

Offline NT Password & Registry Editor, Walkthrough


 
  The following is a walkthrough of using the CD to reset one user (admin) on a test Vista computer.
Insert the CD and convince your BIOS that it should boot from it. How to boot from a CD varies from computer make to computer make, so it depends on your mainboard. Some BIOS shows a boot device select menu if you press ESC, F8, F11 or F12 or something like that during the self test. (some even tell you on the screen what to press)
If it boots, you should see this ->
Usually just press enter here. If you have linux knowledge, you can tweak kernel options if you need/like.
Then it boots and outputs a lot of kernel messages about your hardware and such.. most if not all are nothing to worry about.

  Most of the generic linux boot is now done, and we try to load the disk drivers. If you use the floppy version you will be asked to swap floppies at this point. Drivers are then tried based on PCI hardware identification.
Most of these messages are from the drivers themselves. Some talk a lot, some don't. But all give info on the brand and model and size of the disks found, if any.



  Here you select one of the partitions listed above (in this case there is only one) or one of the letters from the menu. If there is a 100MB partition and a big one, select the big one.
Floppy users may need to do 'f' to load in more drivers from another floppy.
The 'd' option will re-run the PCI scan and start relevant drivers (they must already be loaded from floppy with 'f' option)
The 'm' for manual load will present a list of all the drivers with short description if available, and allow you to specify which to load. (Dependencies are handled automatically)
Here we only have one partition, so we just press enter to select it.
The registry is usually system32/config under WINDOWS or WINNT directory, depending on the windows version (and it may be changed during installation).
If the correct partition has been selected, the default prompt will be adjusted to match if it can find one of the usual variants.
Press enter, then the program will tell if the correct directory has been selected.
Choice 1 is for password edit, most used. But if you wish, you can load any of the files (just enter its name) and do manual registry edit on them.
But here, we select 1 for password edit, some files are copied around into memory and the edit application is invoked.
This demo shows selection 1 for password edit, but you can also do other things.
Note that 2, Syskey may be dangerous! AND NOT NEEDED TO RESET PASSWORDS! and does not work at all on Vista, but you get some info before you do any changes.
Selection 3, RecoveryConsole is only relevant for Win2k, XP and 2003 and you must have selected to load the SOFTWARE part of the registry (selection 2) earlier.
The manual registry editor is always available, it is not the most user-friendly thing, but anyway..
We continue our quest to change our "admin" users password..
This is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel, for example XP has some help and support built in users.
The users marked "ADMIN" are members of the administrators group, which means they have admin rights, if you can login to one of them you can get control of the machine.
The built-in (at install time in all Windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this locked down (the installer instead asks and makes another user the regular use administrator, in this case RID 03e8).
The "lock?" column shows if the user account is disabled or locked out (due to many logon attempts for example) or BLANK if the password seems to be blank.
We select to edit the "admin" user (this was the user made administrator by the Vista installer)
Some status info, user is locked out if "Disabled" is set or "Failed login count" is larger than "max tries" policy setting. This user is not locked in any way. The lockout can be reset with option 4 below.
Here we just reset/clear/blank the password.
But you can also try to set a new password with option 2, but it will only work if the password is not blank already. Also, it often fails to work on XP and newer systems.
Number 3 is to put a non-admin user into the administrators (220) group, thus making the user an administrator. IT IS STILL EXPERIMENTAL AND IT MAY sometimes RESULT IN STRANGE ERRORS WHEN LATER EDITING THE GROUP FROM WINDOWS! Also, usually pointless in promoting the Guest user, as it is most likely forbidden to log in by the security policy settings.
Exclamation point ! quits out (it's SHIFT 1 on the US keyboard layout used on the boot CD)
Then we get back to the main menu, and select to quit..
  You must answer y, or the changes will not be saved. This is the last chance to change your mind!
Only changed files of the registry are actually written back.
If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot.

If you see an error message now, this does not mean that it isn't working.
Reboot and test if Windows can be accessed again.

Wednesday, May 15, 2013

How to setup HideMyAss Pro VPN Client

If you don't have a HMA Pro VPN account yet and need help with registering, see:

Below you'll find detailed information about how to install and use the HMA Pro VPN client for Windows:

 


Installation of the HMA Pro VPN client

The installation will run as displayed in the animation on the right ->

Please note:
You need administrator privileges to install the HMA client. To ensure this, install the HMA client by right-clicking the setup file and selecting "Run as Administrator".
Should you receive a warning that the TAP driver did not pass the driver signing check by Microsoft - this is nothing to worry about. Just confirm and let the installation finish. Should the installation get aborted because of this, or if you're unable to connect with the HMA client, you may need to disable the Windows Driver Signing check first and then install the client. See instructions for that here: Driver Signing Check


Using the HMA Pro VPN client

Important settings:

When starting the HMA client, you'll see the "Dashboard".
To get started, first things to do are:
  • enter username and password
  • select a VPN protocol (OpenVPN/PPTP)
  • select a VPN server
See the image on the right;
once that is done, hit "Connect to VPN" and the client will start to connect.

In the left menu, you can switch between the tabs of the HMA client, which are:
  • Dashboard
    Index page, for controlling connection options and login details
  • Country selection
    Shows a worldmap with all servers, so you have a better geographical overview
  • IP address settings
    Set automatic IP changes, IP verifying options and see your IP history
  • Secure IP bind
    Force applications to only work while VPN is connected (e.g. filesharing tools)
  • Speed guide
    Compare speeds of all HMA servers with a single click (disconnect from VPN first!)
  • Proxy settings
    Needed if you're online through a local network proxy (does not affect anonymity!)
  • Billing & Packages
    Quicklinks and info about your billing cycle, payment plan, etc.


Below you'll find descriptions of all features of the VPN client software.


Dashboard
When starting the HMA client, you'll first see the "Dashboard".
For connecting to the VPN, enter here your account username and password.
Select a protocol (OpenVPN/PPTP) and a VPN server.

It's best to choose a server, which is near your real location, to get the best speeds.
Usually it doesn't matter which VPN protocol you choose.
OpenVPN is more secure, but PPTP seems to be faster in most cases.
If you should be unable to connect, the first thing to try would be changing protocol and VPN server.

Dashboard - Settings
Here you can enable/disable "Load Balancing".
Load balancing is a feature that allows you to switch to a less-loaded VPN server,
should you try to connect to a VPN server that is heavily loaded.

You can choose between
a) Switch to a less-loaded server within the same location (City)
b) Switch to a less-loaded server within a certain country or preselected server group

By default, you'll be asked to decide whether you want to switch to a less-loaded server.
When unchecking the "Show warning before load balancing" checkbox, you'll automatically
be switched to a less-loaded server, without confirmation.

In addition, you can choose to only use load-balancing if a server is
20%, 30%, 50% or 60% more loaded than other servers from the same group.

Country selection
In "Country selection", you'll find an overview of all available HMA Pro VPN servers,
sorted for distance and countries.

Country selection - Map overview
In the "Map overview" you'll see a worldmap with all server locations marked.
It gives a better overview about how far away the servers are, and where the servers are located.

IP address settings
In the "IP address settings" tab you can:
1) Change your IP with a single click
2) Setup automatic IP change after every X minutes/seconds 
3) Choose an IP-verifying website, to make sure your IP really has changed on connection

IP address settings - IP History
The IP History shows you all IPs you have used until now,
including country, date+time, server name.

Secure IP bind
With the Secure IP binding feature, you can prevent any application from making connections
when the VPN is inactive. This is especially useful if e.g. you leave your BitTorrent client running
through the night. With IP binding enabled, your torrent client won't leak your real IP if
the VPN gets disconnected.

Speed Guide
With the speed guide feature of our VPN client, you can always check which VPN server is the
fastest for you. For that, select the servers you want to test.
You can choose to
  • Test both protocols
  • test only OpenVPN protocol
  • test only PPTP protocol
  • only do a ping test (to check the latency)
  • do an express test (faster than the full test)
  • do a full test (most accurate)

There is also a history, so you can check the results of previous speed tests.
Attention: You need to disconnect from the VPN first, otherwise you won't be able to do the tests.

Proxy settings
The Proxy settings tab is important if you're connected to the internet through a local proxy,
like at school or at work.
If you have a direct connection (e.g. DSL, modem, etc.), leave it
"Direct connection to Internet" (which is default)

Billing & packages
The "Billing & packages" tab shows
  • your VPN account username
  • your billing cycle (1/6/12 months)
  • your subscription's expiry date
  • current pricing

That way you always know when you need to renew your subscription,
and if the prices have changed.

Monday, May 13, 2013

Security risks: Netbios, port exposure & remote access removal

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. Older operating systems ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) and NetBIOS over IPX/SPX (NBX) protocols, respectively. In modern networks, NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. This results in each computer in the network having both a NetBIOS name and an IP address corresponding to a (possibly different) host name.

The main reason for using NetBIOS is for two machines to communicate on a local network, which is rarely needed except for file and printer sharing on a local network, but it leaves the door wide open for being hacked. You can remove this risk in two ways, and I personally do it both ways.

Firewall: Block ports 135-139 plus 445 in and out. These are used by hackers to steal your info and take control of your pc, and after doing so they will use NetBIOS to then use your computer to take over another, etc. Ports 137-139 are for Windows Printer and File Sharing but also create a security risk if unblocked. If you share a printer on your network you will have to allow these, but I recommend just going to the pc the printer is hooked up to and using it there. Port 135 is for RPC service on a remote machine. Port 136 is used for Profile Name Service which I don't even think is used any longer but opens a door for hackers.

Disable NetBIOS: Route depends on OS but go to the network connections and find your ethernet adapter which should be called local area connection, right click, click properties, double click TCP/IPv4 in the list, click advanced, click WINS, uncheck LMHosts lookup, choose disable NetBIOS near the bottom. Click ok, ok, ok to close all three windows. Also disable these the same way for the TAP Win32 adapter but LMHost lookup should already be unchecked.

Disable TCP/IP NetBIOS Helper service: From start type services, click services, go down to TCP/IP NetBIOS Helper and right click, click properties, click stop, switch the startup type from Automatic to Disabled, click apply, close services.

Remote control ports: You should disable 5500, 5800 and 5900-5903 and 3389 (Windows uses for remote) in and out unless you need remote assistance on your pc, which most people do not need or use. It's just an open doorway for hackers. This includes software such as VNC. If you ever notice VNC suddenly installed and you didn't install it, then worry a lot: you have already been taken.

Note: If you disable Remote Access Connection Manager it will cause PPTP VPN to not work and connections disappear.

Disable UPnP port 5000: Universal Plug and Play allows your computer to automatically integrate with other network devices. There are known security vulnerabilities associated with this service and it should be blocked as well; this will eliminate sharing devices on the local network, but the risk outweighs the use. UPnP also uses port 1900, which should be blocked as well. Disable the SSDP Discovery service.

You can also disable SMB (Server Message Block) port 445 using regedit. Find HKLM/system/currentcontrolset/services/NetBT/parameters and find transportbindname, delete default value, reboot.
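
A local check to run after the steps above: it reads `netstat -an` output and reports anything still listening on the ports this tutorial says to close. This is an added example, not part of the original post; the netstat excerpt is constructed, and the port groups are the ones named in the paragraphs above.

```python
# Ports this tutorial tells you to block, grouped by the reason it gives.
WATCHED_PORTS = {
    "NetBIOS / RPC / SMB": set(range(135, 140)) | {445},
    "remote control (RDP, VNC)": {3389, 5500, 5800} | set(range(5900, 5904)),
    "UPnP / SSDP": {1900, 5000},
}

# Constructed excerpt of Windows `netstat -an` output (addresses are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    192.168.88.10:139      0.0.0.0:0              LISTENING
  TCP    192.168.88.10:49712    203.0.113.7:443        ESTABLISHED
  TCP    192.168.88.10:49713    192.168.88.20:445      ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:1900           *:*
  UDP    192.168.88.10:137      *:*
"""


def is_loopback(address):
    """Sockets bound to loopback are not reachable from the network."""
    return address.startswith("127.") or address == "[::1]"


def exposed_listeners(netstat_text):
    """Return (proto, local address, port, group) for each watched open port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # TCP rows count only when listening; UDP rows have no state column,
        # so every bound UDP socket counts.
        if proto == "TCP" and state != "LISTENING":
            continue
        address, _, port_text = local.rpartition(":")
        if not port_text.isdigit() or is_loopback(address):
            continue
        port = int(port_text)
        for group, ports in WATCHED_PORTS.items():
            if port in ports:
                findings.append((proto, address, port, group))
    return findings


if __name__ == "__main__":
    # On a live system, feed in the text of `netstat -an` instead of the sample.
    for proto, address, port, group in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {address}:{port} still open ({group})")
```

A port can still show as listening here while the firewall blocks it from outside, so use this alongside the external port scans rather than instead of them.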

Other ports of interest: 8080 is used for HTTP proxy but also used by hackers to impersonate your pc and hack others. If you don't use an HTTP proxy you might want to block this one. Port 1080 is used for socks proxy and can be attacked and mine is every day by China. Port 500 is for IPSEC VPN use but also listed as a risk to Cisco systems and used mainly to carry the Isass trojan. Other ports known to be directly attacked by a long list of trojans are 21 FTP, 23 telnet dos, 1243, 3128, 3410, 6776, 7000, 12345, 12348, 20034, 27374, 31337. Technically any open port can be a risk, but with a good firewall set up correctly you should be stealth for all of these ports. To test commonly attacked ports and check whether you are stealth go here: https://www.securitymetrics.com/portscan.adp, or check here: http://www.pcflank.com/scanner1.htm, or here: https://www.grc.com/x/ne.dll?bh0bkyd2

Update: A new customizable port scanner I just found.. http://www.t1shopper.com/tools/port-scan/#

Messenger: Unless you use messenger it's best to uninstall it, because it opens up way too many ports and leaves too much at risk. Here are the ports used by MSN Messenger: 135 to get connection port, 1026, 1027, 1028, 1863, 5190, 6891-6900, 6901 voice pc to pc, 2001-2120 voice to phone. Yahoo ports: 80, 5000-5010, 5050, 5100. I'm still working on the different messenger service ports so will update as I go.

I personally recommend using Comodo Firewall; it is very easy to use and works perfectly. If using Comodo, click the firewall tab, advanced, network security policy, global rules, click add and set up as illustrated below. Two rules are created, but only the port settings of source and destination of each are shown. To make it simpler to understand: the IN block rule is the destination port you choose and source is ANY; the OUT rule is the port you choose and the destination is ANY.

Update: You can download and install Comodo Firewall here.. http://personalfirewall.comodo.com/free-...ml?aid=350

and here with CNET review.. http://download.cnet.com/Comodo-Internet...tml?hhTest

[Image: block1.jpg]

[Image: block2n.jpg]

[Image: block3.jpg]

[Image: block4.jpg]

The only difference for single port block rules is to choose "single port" for each rule; 5900-5903 will be set up identically to the one above. Make sure you do source and destination of these.

Setup should look like this. Notice some only block incoming attacks so only has one IN rule..

[Image: block5.jpg]

Here is the setup for blocking incoming attacks on a specific port this is only one rule but shows source and destination

[Image: block6.jpg]

[Image: block7x.jpg]

This is because that is a port a hacker or trojan wants to enter, but your pc is not going to be attacking out with the port, so you only need the IN rule for these. The IN and OUT rule is best for ones where the pc might be scanned for that port as an entrance and your pc may also try to communicate using it, such as with remote connections, and especially given the dangers of NetBIOS and LMHost lookup. Windows naturally loves for your pc to talk. I see 135-139 blocks all day long in my firewall events and it's not just other pcs but my pc as well, until I stopped it with the steps listed in this tutorial. NetBIOS is the worst thing to have running and allowed to connect.

Here is what Comodo blocks but also with using my uTorrent VPN control rules (see.. http://forum.hidemyass.com/showthread.php?tid=1298 ) after cutting off VPN around 5pm you see uTorrent blocking my real IP in yellow (blurred IP) until I reconnected and then you can see in the green what has tried to scan my ports and is exactly what is on my list to block. Also notice the 1080 port scan bypassing VPN trying to scan my real IP. Looks shady to me. Also notice the 216 which is the VPN server IP other connected VPN users NetBIOS is trying to connect to my NetBIOS port 139. This is actually natural because it's their Windows OS that is doing it. Notice mine is not? Still wondering why people are using port 500 to my port 500 which is intended for IPSEC VPN connections like I'm the VPN server, keep in mind we are using openvpn protocol with HMA VPN and not IPSEC.

[Image: firewallblocks1.jpg]


Update: Another example of port scans on commonly used attacked ports. Notice the three blurred IP's (that is my real IP) is still being attacked by the same Chinese IP and same 1080 port.

[Image: portscan1.jpg]

Update!!! It would be a good idea in Comodo to export your firewall settings after completing all of the blocked ports. To do this click the "more" tab in Comodo and then choose "manage my configurations" then click "export" and to a place you will remember. If you have multiple hard drives or a flash drive it's best to store on something besides the Windows active partition in case of OS failure.

***Warning: if running a server on your network this can affect communication with local peers.

Also set your DNS to use OpenDNS - https://store.opendns.com/get/basic ..I set this up for all adapters. This eliminates any communication with DNS lookup with your ISP.

Here is doing some port scans and the results..

[Image: stealth1.png]

[Image: stealth2f.png]

[Image: stealth3.png]

[Image: stealth4.png]

If you disabled NetBIOS properly and changed your DNS settings to OpenDNS properly, you can check using CMD: type ipconfig /all

[Image: ipconfigs.png]

How to Allow app installation from unidentified developers on Mac

When you are unable to install the HMA! Pro VPN client for Mac or other software,
you might see the message
"This app can't be opened because it is from an unidentified developer"




You can easily fix this by navigating to:
System Preferences > Security & Privacy

In the "General" tab, click the little lock icon in the bottom left of the window to unlock making changes.
Now select "Anywhere" under "Allow applications downloaded from:"

Now try to install the software again.