Results 1 to 8 of 8

Thread: Why only ports 1 - 103 unstealthed with gateway

  1. #1
    peg Guest

    Default Why only ports 1 - 103 unstealthed with gateway

    I've read numerous posts about certain ports showing up as closed but not stealthed when you use a router (I have a 2wire gateway). That I understand.

    Question is why, in my case anyway, are ONLY ports 1 through 103 shown as Closed, but not stealthed? Why not 1 -110, or 4 - 89, etc? Is it always the same ports for everyone using a router that show up as unstealthed? If not, what determines which ones are stealthed and which are just "closed" - at least which ones the router shows as closed?

    In my case, I can't disconnect the router and connect directly w/ the modem, because it's a gateway. Is there another way to verify those ports are really stealthed by ZAP (v6.5).

    Thanks.

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:6.5

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Why only ports 1 - 103 unstealthed with gateway

    There maybe a chance that the modem has some NAT ability and this may be causing the closed port issue. Perhpas this can be changed and perhpas not. A router that is properly set up and has the proper firmware will show all ports as stealthed.

    The PC should have internet connections when just attached directly to the modem. Try it and see what happens.

    You may consider the direct PC to the modem tested with both the ZA and the Windows firewall for a comparision. Just do not test both at the same time- just seperately.

    Oldsod
    Best regards.
    oldsod

  3. #3
    peg Guest

    Default Re: Why only ports 1 - 103 unstealthed with gateway

    Thanks Oldsod,

    I'm not aware of a way to "just attach directly to the modem" when it is a gateway, w/ the modem / router in one unit.

    The 2Wire 2701 HG-B gateway does have NAT & PAT. There certainly may be a way to configure how / which ports the hardware firewall stealths, or just shows as "closed".

    Based on your astute and wise-beyond-your-years observation, I searched the very detailed 2Wire manual. It notes that this gateway's "normal" FW operation is to respond to unknown device requests w/ "connection not available", which does confirm that there is an active network.

    It does list steps to configure the gateway FW for Stealth mode, that I've not yet tried, but seem fairly straight forward. I can try it and then run another scan. However, my original question remains, why would the gateway FW show ONLY ports 1 - 103 as closed, and all others as stealthed? Seems curious.

    I assume (and you know what happens when we **bleep**-u-me), that if the default setting is to show the ports as closed, not stealthed, there must some cases where it is undesirable for the hardware FW to stealth all ports. I have no idea what those cases would be - do you? By contrast, many software FWs stealth all ports by default.

  4. #4
    peg Guest

    Default Re: Why only ports 1 - 103 unstealthed with gateway

    Follow up: I reconfigured the 2Wire gateway (through their web based configuration)to the Stealth Mode. I didn't select "Block Ping".

    Went back to GRC's Shields Up for another scan. This time it showed all 1056 ports it scanned as Stealthed.

    The report suggested that Pings also be blocked, as they consider this somewhat of a security issue when your pc responds to a hacker's ping. Maybe, but couldn't blocking Pings cause other problems, as with ISPs? I use DSL - SBC Yahoo.

  5. #5
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Why only ports 1 - 103 unstealthed with gateway

    echo 7/tcp
    echo 7/udp
    discard 9/tcp sink null
    discard 9/udp sink null
    systat 11/tcp users #Active users
    systat 11/tcp users #Active users
    daytime 13/tcp
    daytime 13/udp
    qotd 17/tcp quote #Quote of the day
    qotd 17/udp quote #Quote of the day
    chargen 19/tcp ttytst source #Character generator
    chargen 19/udp ttytst source #Character generator
    ftp-data 20/tcp #FTP, data
    ftp 21/tcp #FTP. control
    telnet 23/tcp
    smtp 25/tcp mail #Simple Mail Transfer Protocol
    time 37/tcp timserver
    time 37/udp timserver
    rlp 39/udp resource #Resource Location Protocol
    nameserver 42/tcp name #Host Name Server
    nameserver 42/udp name #Host Name Server
    nicname 43/tcp whois
    domain 53/tcp #Domain Name Server
    domain 53/udp #Domain Name Server
    bootps 67/udp dhcps #Bootstrap Protocol Server
    bootpc 68/udp dhcpc #Bootstrap Protocol Client
    tftp 69/udp #Trivial File Transfer
    gopher 70/tcp
    finger 79/tcp
    http 80/tcp www www-http #World Wide Web
    kerberos 88/tcp krb5 kerberos-sec #Kerberos
    kerberos 88/udp krb5 kerberos-sec #Kerberos
    hostname 101/tcp hostnames #NIC Host Name Server
    iso-tsap 102/tcp #ISO-TSAP Class 0
    rtelnet 107/tcp #Remote Telnet Service
    pop2 109/tcp postoffice #Post Office Protocol - Version 2
    pop3 110/tcp #Post Office Protocol - Version 3
    sunrpc 111/tcp rpcbind portmap #SUN Remote Procedure Call
    sunrpc 111/udp rpcbind portmap #SUN Remote Procedure Call
    auth 113/tcp ident tap #Identification Protocol

    Is it safe to assume that the modem is supplied by your Provider? They do like to keep in touch with the hardware connected to their nets. This often helps to keep the connections maintained. If the ports are stealthed, the connection from the modem to the ISP may become difficult to keep maintained. You can try to stealthing the modem and see if your connection can be maintained properly without having any loss of connection issues. Even I am getting curious about this, being the diehard ISP cable user.

    Regarding the closed and not stealthed issue, there are somethings to consider.

    a) Closed ports are not a security risk. Stealthed is highly regarded, yes, but if ports are closed there is no outside force that can actually open the port to enter.

    b) Open ports can be a vulnerability, but not neccessarily. Still what ever does try to enter, there has to a vulnerability in the OS or some application that lets it in. Worms and trojans are the most noteable for open port vulnerabilities, but a harden and updated PC would handle these quite well. Ping is like that too- many users believe that the reply ping from the router is a risk. In reality it is not.
    The router is hards to hack and even if the
    hacker ever did beat it, there is still the software firewall in front of the PC connections.

    c) NAT is still being used. Even if something did manage to actually hack the modem, it still cannot reach the PC due to the difference of address of the PC performed by the router.

    d) The phone line does have a lot less internet background "noise" than the cable connections. Worms run rampant on the cable internet and very few on the phone internet.

    e) Your IP assigned by your Provider may not be static and could be dynamic. Do not use the PC for a few days and there is a good chance your IP has changed. Any hacker who had designs on your IP now is attacking someone else.

    f) I definitely have to stop replying to posts when I am half asleep. Answering posts when I am fully awake is better- I can actually read and absorb the posts.

    Oldsod
    Best regards.
    oldsod

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Why only ports 1 - 103 unstealthed with gateway

    Glad to hear the gateway configuration went well. Try this for a few weeks, starting the modem from a complete off and startups to see if the internet is attained and held.

    Reply to ping from the PC is a small risk and actually the reply to ping from a router has no real risk. The hacker is just attacking the router and not the PC. Reply to ping is needed for some users that call the PC, such as VPN user or they use the PC as a server and need to retrieve some mail or files.

    Your provider may need to ping your gateway to find you. Try it and see what happens. If it works OK without the reply to ping, then use it that way.

    Oldsod
    Best regards.
    oldsod

  7. #7
    peg Guest

    Default Re: Why only ports 1 - 103 unstealthed with gateway

    Thanks Oldsod,
    I assume (there we go again) that the 20 or 30 lines in your response that began w/ "echo7/tcp", was from some modem/router's configuration or a response to being queried?

    I don't have Ping blocked, but so far, haven't noticed problems w/ having the gateway FW configged to stealth all ports.

    As far as your comments about closed ports not necessarily being bad. Assuming (**bleep**!)that you don't have special reasons for NOT stealthing all ports, wouldn't it be better in general to stealth than not? It may be hard(er) for hackers to get by a hard FW, then a soft FW, etc., but why take a risk w/ stealthing vs not, if there's no need?

    Yes, my gateway was supplied by my ISP.

    My PC address appears to be static - when I use IPCONFIG. The address that sites see from the gateway seems to be dynamic.

  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Why only ports 1 - 103 unstealthed with gateway

    http://www.iss.net/security_center/a.../7/default.htm

    It is actually an old protocol (Internet Caching Protocol)-that is now obselete. It is not related to reply ping or ping.

    The ping and reply ping are actually types of ICMP. Ping is a Eight and replu is a 0.

    See the list and it has some details>

    http://en.wikipedia.org/wiki/Interne...ssage_Protocol

    THe 8 and the 0 are used and the 3 and the 11 are also needed for the minimum of internet connections.

    Actually in the router the ping is not blocked, but the reply to ping. The PC does actually ping out to connect to the internet and asks where is the sites. The site replies here and then there are several more messages sent back and forth after as a result. Reply to ping is disabled by many users because hackers do just ping a wide range of addresses and wait for an answer- they collect a list of addresses that replied and then begin to scan for ports of those addresses. Both open and closed ports will answer. Then they determine which port (s) are open and not closed. Then they determine which ports can be actually attacked and which way and how.This takes a long of time and effort. The closed ports can not be opened externally and pose no security risk- they just are visible..

    All what the closed port did actually , was show that the port is there. It is visible but not vulnerable. The open port is onle vulnerable if the PC is not secured or has not the latest updates.


    A stealthed port does not show that it is there. It never answered. It always appears as invisible. But oddly enough, firewalls can stealth ports and those ports could be open or closed. But now they cannot be seen.

    The only way that a router or a software firewall could be vulnerable is if the ports are opened by the users. Still if there is no application using that port or it is not being used by the OS or if the vulnerablity has been patched, the open port(s) become very useless to a hacker. Yes he sees your IP and he sees the open port, but he is unable to actually take full advantage of it. If the opened port is very vital, then yes he could take advantage of the situation.

    But remember that the gateway is using NAT- the attack is just to the internet IP of the gateway and stops there. It can not go further because he still does not know the correct LAN address of the PC. For this reason alone, the low priced home router is a great inbound firewall. It stops hackers dead in their tracks.

    The hackers usually ignore home users and concentrate on the business/institue/fiancial/goverment servers. That is where the money is to be found. All that information and secrets and data that can be used and sold for profit.

    See how the new security settings work and if it goes well, then that is good news. If it doesn't then just undo the changes.

    Oldsod
    Best regards.
    oldsod

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •