dslreports logo

Jay864

join:2013-07-18
Reviews:
·Comcast

Firewall is not doing its job

Hi,

I have found that a port scan (from a remote location) with Nmap shows quite a few ports as open. The firewall is on and I disabled services I don't need, but I am not hidden and my ports are found wide open (not even closed or stealth!)

Any pointers?

FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Which ports?

-Alan


Jay864

join:2013-07-18
Reviews:
·Comcast
Hello again Alan
Different results from different locations (both other countries).
From location one: ports 21 and 554 found and show "open"
From location two: ports 80, 110, 143, 993, 995 found and show "open". Port 3544 found but shows as "closed".

I have been awake all night so am grabbing a few hours sleep now. Looking forward to ideas or suggestions.

Jay

FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast

1 edit
You should not be getting different results, no matter what source location you use.

The only way I can see you might be getting different results is *maybe* if you have open sessions already established on the PC you are scanning from [http, smtp, etc], and even then I'm not sure it would show them as open on your router [VPN probably would].

The other thing is: are you sure you got your public IP correct?

-Alan

PS: For what it's worth, I just downloaded and installed nmap [I've seen it mentioned several times, but never used it], and ran a scan to my house from my work PC. 3 open services [ports], but that is on purpose. All other ports not listed [I assume stealth].


Otto58

join:2001-02-26
Germany

1 recommendation

reply to Jay864
Try this page »www.grc.com/x/ne.dll?bh0bkyd2
and check "All Service Ports".


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Jay864
If I was to run malicious software and gain entrance to your PC, I would pretend to be security software checking your security.
What program or sites are you using? GRC is an excellent recommendation; it's what I use.


Jay864

join:2013-07-18
Reviews:
·Comcast
reply to FirebirdTN
I ran the scan again but turned off the VM running a VPN. The results are the same. With the Mail application off also, same results with all those email ports open.

I have used ShieldsUp and other sites before and they all tell me "passed", "everything stealthed", etc., but those tests are rudimentary; a test with Nmap shows a lot more, as Nmap is more persistent and has many more features that would be used by someone with malicious intent.

My biggest concern is not the fact that these ports are found (though I don't like it), it's the fact they are listed as "open". Not even closed or stealth, but open.

JPedroT

join:2005-02-18
kudos:2
Remote management ports? What do your firewall logs say?

And if you do a telnet from the remote side to your WAN IP on port 80, does it connect? Is there any output when you give it the GET command?
--
"Perl is executable line noise, Python is executable pseudo-code."


Jay864

join:2013-07-18
Reviews:
·Comcast
My logs don't show anything being blocked like they did with previous tests. I guess this may have something to do with syslog, which stopped working yesterday and I have not been able to get working again even after reboots and resets. It just shows a lot of Lan1 to Wan blabla ACCEPT. No mentions of incoming traffic or scans being blocked.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
reply to Jay864
Post a screenshot of all your firewall rules.

FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast
reply to Jay864
said by Jay864:

...
I have used ShieldsUp and other sites before and they all tell me "passed", "everything stealthed", etc., but those tests are rudimentary; a test with Nmap shows a lot more, as Nmap is more persistent and has many more features that would be used by someone with malicious intent....

This just doesn't make any sense. If a port is closed, it should be closed for any site or any application, no matter how intense the scan. The only exception to this would be if you are blocking [or allowing] specific IP addresses through your network.

I downloaded nmap earlier, and as I said above, it's the first time I have ever laid my hands on it. Having said that, although you are correct that it gave very detailed info about the device and services operating on the three open ports I have, as far as all other ports go, they are not listed at all [I assume stealth]. In short, I got the exact same results with nmap on my connection at home as I do with the ShieldsUp site.

Something just isn't making sense here...

-Alan

-EDIT- You're not running nmap on a machine on your local network, are you?


SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
reply to Jay864
So, what firewall model do you actually have (probably from ZyXEL since you are posting here, but do you have a model name?)

What nmap options do you use?
What happens if you try to connect to these supposedly open ports (e.g. 21)?
Is there anything interesting in the firewall log?
Have you tried looking at the probe/response packets using wireshark?


Jay864

join:2013-07-18
Reviews:
·Comcast
reply to FirebirdTN
said by FirebirdTN:

-EDIT- You're not running nmap on a machine on your local network, are you?

I'm not. One is a friend over in Ireland running Nmap and another is a friend's computer I run the scans on through Apple Remote Desktop.

I have tried Nmap from my laptop to my external IP but I get a huge list of open ports (I assume because a device on the LAN requested the traffic, the scan is not being blocked?) so I figured that's not reliable.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
reply to Jay864
1) Run this for all service ports »www.grc.com/x/ne.dll?rh1dkyd2 and post results here.
2) Post a screenshot of your firewall rules.


Jay864

join:2013-07-18
Reviews:
·Comcast
reply to SYNACK
- I use a USG20
- nmap 00.000.00.000 -Pn -p 1-6000; without the -Pn I get "host seems down" as it should be, but using -Pn the firewall isn't fooling Nmap and it spills its guts.
- When I connect to FTP I get a login window even though I disabled FTP in configuration > system > FTP. No other computers or devices on the network are running a service that can be connected to.
- The logs are acting strange: they only show allowed traffic, no mention of port scans like I've seen before. As I've mentioned, this may have something to do with syslog no longer working when I send it to my Mac.
- I have no wireshark skills :/


Jay864

join:2013-07-18
Reviews:
·Comcast
reply to Brano
Firewall rules, #10 disabled to close https port, the rest is default

ShieldsUp results
The log DOES show a port scan being blocked when I run ShieldsUp. Guessing a basic TCP scan is recognized but an Nmap scan is not.


SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
reply to Jay864
said by Jay864:

- When I connect to FTP I get a login window even though I disabled FTP in configuration > system > FTP.

What does the welcome banner say? Does it look similar to what you see if you connect to the ftp port from the LAN side?

If you get a login prompt, it would show as open on any scan, even grc. Are you sure you still have the WAN IP you think you have?


Jay864

join:2013-07-18
Reviews:
·Comcast
"Provide a name and password for the server '00.000myIPbla'" is the default window shown by OS X. Connecting with my firewall name/password doesn't let me in and neither does a guest login. Not sure how to test this from the LAN side; I tried connecting to every device on the LAN through FTP but get no responses like I do remotely.


SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
Connect with the command-line ftp tool instead.


Jay864

join:2013-07-18
Reviews:
·Comcast
If you mean just typing "ftp 00.000.00.000" in the terminal, I just did that. From within the network to the external IP I get "connection refused". Remotely I get "operation timed out".

If that wasn't the way to do it, let me know.

EDIT: The logs also show this connection being blocked.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to Jay864
You're covered, the firewall is not allowing anything from WAN.

NMAP does the same thing as ShieldsUP test (ShieldsUP is most likely using NMAP for the actual test).
...this seems to be way over your head, but don't worry, you're secure based on the ShieldsUP.

JPedroT

join:2005-02-18
kudos:2
reply to Jay864
Try to log in from your machine to the LAN IP of the USG and compare that with the WAN prompt you got when connecting from another site. Is the info you get the same?

From the WAN side, there might be something between your USG and scanner that is actually scanned.
--
"Perl is executable line noise, Python is executable pseudo-code."


Jay864

join:2013-07-18
Reviews:
·Comcast
reply to Brano
Typing 00.00.0... instead of my actual IP
If ShieldsUp shows all clear (and logs show it being blocked), why would a more aggressive Nmap command reveal ports and not show in the log? If ShieldsUp does use Nmap they probably use the default port scan, which is indeed blocked when I perform it as well.

I just don't expect a firewall to 'give it up' that easy. Not using port forwarding or anything, I expect all ports to be closed or stealth.

You're right, this probably is over my head, but the scan results still worry me. It means closed or stealthed ports are only closed/stealth for people that don't know how to port scan; against someone that knows how to use Nmap and more, you're screwed :P


Jay864

join:2013-07-18
reply to JPedroT
"ftp 192.168.1.1" also results in 'Connection refused'

JPedroT

join:2005-02-18
kudos:2
But if you are unable to connect to a port from remote, then it's closed. It really does not matter what the scanning software says, since nobody can connect to the port.

And is your WAN IP a global IP? You're not on some CGN/LSN solution from your ISP?
--
"Perl is executable line noise, Python is executable pseudo-code."
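One way to do the manual check JPedroT recommends here and earlier in the thread (connect yourself and see whether you get a greeting, a refusal or a timeout), as an added example that is not from the thread or from ZyXEL: a small Python probe that classifies a port as open, closed or filtered from the socket result and reads any banner, so a scanner's "open" can be confirmed or dismissed. The listener on 127.0.0.1 and its "220" FTP-style banner are constructed for the demo so it runs offline; `probe_port` itself takes any host and port.

```python
import socket
import threading

# Constructed sample banner standing in for the FTP login prompt from the thread.
SAMPLE_BANNER = b"220 example FTP ready\r\n"

def start_sample_listener(banner=SAMPLE_BANNER):
    """Throwaway TCP server on 127.0.0.1 (demo only); returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def probe_port(host, port, timeout=3.0):
    """Classify a port the way a manual connect does: 'open' (handshake done,
    banner read), 'closed' (RST = 'connection refused'), 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                banner = ""  # open, but the service sent no greeting
        return {"port": port, "state": "open", "banner": banner}
    except socket.timeout:
        return {"port": port, "state": "filtered", "banner": ""}
    except ConnectionRefusedError:
        return {"port": port, "state": "closed", "banner": ""}
    except OSError as exc:  # e.g. network unreachable: neither open nor filtered
        return {"port": port, "state": "unreachable", "banner": str(exc)}

def free_closed_port():
    """A port nothing listens on (bind, then release) to show the 'closed' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

A result of "closed" or "filtered" from outside means the scanner's "open" was not your firewall; "open" with a banner that does not match your USG's LAN-side prompt points at a device between the scanner and the USG, as suggested above.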


Jay864

join:2013-07-18
Correct, global IP.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to Jay864
OK, go here »www.whatismyip.org and tell me your IP address from this site. PM me privately if you don't want to share here.
I'll do NMAP from my side and will give you the results.

Also, compare the IP from the site I gave you with the IP on your USG WAN interface. If they are not the same, you have some other NAT on your WAN side.

FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
Reviews:
·Comcast
I was out to dinner with the family. I was going to do exactly as Brano is doing now.

Just for reference, feel free to nmap my public IP:

(I can't remember the actual IP, but just use bak.flinn.com).

I DO realize I have 3 open ports, but that is all there should be. 21, 80, and 8082.

-Alan


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to Jay864
The NMAP didn't show any open ports:

Starting Nmap 6.00 ( »nmap.org ) at 2013-07-24 20:42 EDT
Nmap scan report for c-66-176-104-x.hsd1.fl.comcast.net (66.176.104.x)
Host is up.
All 1000 scanned ports on c-66-176-104-x.hsd1.fl.comcast.net (66.176.104.x) are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.32 seconds


Jay864

join:2013-07-18
So 3 different results from 3 different locations. Can the modem/router in each location affect the scan and give false positives or in your case no results?