ariez

join:2004-01-09
00000

ports not stealth

Did a test on grc.com and it shows ports 135, 139, and 445 as closed instead of stealth. Believe they tested as stealth in the past. Is this something to be concerned about? Using Zonealarm on Win7.


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

Do you have a NAT Router? If so, what is the brand and model of your NAT Router?

If not and you have (or plan to have) more than one computer, get one.
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
reply to ariez

Who is your ISP? Those ports are likely blocked at the ISP level.


PrntRhd
Premium
join:2004-11-03
Fairfield, CA
reply to ariez

With either condition those ports will not respond to a port scan, so it is not a security problem for you.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

2 recommendations

reply to ariez

said by ariez:

Did a test on grc.com and it shows ports 135, 139, and 445 as closed instead of stealth. Believe they tested as stealth in the past. Is this something to be concerned about? Using Zonealarm on Win7.

Some say a "Closed" response invites closer scrutiny from hostile scanners. In my personal experience, this is not true. Despite that I "fail" at GRC, I don't see any more potentially hostile probes than I ever saw on a fully "stealthed" system.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online
reply to PrntRhd

said by PrntRhd:

With either condition those ports will not respond to a port scan, so it is not a security problem for you.

Technically a closed port does respond to a port scan; it does it with a RST, i.e. there is no program listening. A stealthed port does not respond at all.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

reply to ariez

said by ariez:

Is this something to be concerned about? Using Zonealarm on Win7.

They show closed. So, nope. Carry on.
--
Oh, Opera, what have you done?

HELLFIRE
Premium
join:2009-11-25
kudos:18

2 recommendations

reply to ariez

Suggest looking up "stealth versus closed ports" on your search engine of choice.

I fall into the camp that neither one is "better" than the other, as GRC / Steven Gibson? would have you believe.

Secondly, if you're that concerned, start logging the hits on your PC's firewall. Review on a regular basis.
Security definitely does not have a "set it and forget it" button... it should be a constant process of
implementing, testing, reviewing, improving, and repeating repeatedly after that.

My 00000010bits

Regards



TopShelf

join:2010-06-25
reply to TheWiseGuy

said by TheWiseGuy:

Technically a closed port does respond to a port scan; it does it with a RST, i.e. there is no program listening. A stealthed port does not respond at all.

I've no opinion regarding stealth or closed. Either state is acceptable to me. However, the "All Service Ports" @ GRC.com shows stealth for all except for two ports showing as closed. How does one go about finding out why Port 111 (sunrpc) and Port 369 (rpc2portmap) are showing as closed as opposed to stealth? I have the wireless portion of my Linksys E900 turned off. I'm just curious why these two ports report as being closed. Any ideas or insights are appreciated.
--
The only thing North Korea could wipe out in four minutes is a South Korean all-you-can-eat buffet.


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

The scan may have been intercepted at a point upstream from you.
--
Oh, Opera, what have you done?


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

2 recommendations

reply to TopShelf

The Linksys appears to have a Log facility under the administration tab. You could enable the incoming log portion and check to see what packets are logged. As mentioned, it may be that those ports are being intercepted by the ISP, but that would be much more common for the original poster's NetBIOS ports. Once you set up logging you can run the test or just test those ports and see which packets the router receives from grc. If you do not see incoming from grc for those ports and you want to go further, you could forward port 111 to your computer and run Wireshark to see if the packets reach your computer.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
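
The log check described in the post above can be worked through in a few lines of Python. This is an added example, not part of any post in the thread: the log format, the sample lines, the function names and the stand-in scanner address 192.0.2.10 are all constructed for illustration, and a real router log will need its own pattern.

```python
import re

# Constructed sample in a made-up log format; 192.0.2.10 stands in for the
# scanning site's address. Probes to ports 111 and 369 are absent on purpose.
SAMPLE_LOG = """\
2014-01-05 10:02:11 IN TCP src=192.0.2.10:51000 dst_port=110 flags=SYN action=DROP
2014-01-05 10:02:11 IN TCP src=192.0.2.10:51001 dst_port=112 flags=SYN action=DROP
2014-01-05 10:02:12 IN TCP src=192.0.2.10:51002 dst_port=368 flags=SYN action=DROP
2014-01-05 10:02:12 IN TCP src=192.0.2.10:51003 dst_port=370 flags=SYN action=DROP
2014-01-05 10:02:40 IN TCP src=198.51.100.7:40022 dst_port=23 flags=SYN action=DROP
"""

# What the scan page reported for the same run (constructed to match the thread).
REPORTED = {110: "stealth", 111: "closed", 369: "closed", 370: "stealth"}

SYN_LINE = re.compile(
    r"IN TCP src=(?P<src>[\d.]+):\d+ dst_port=(?P<port>\d+) flags=SYN"
)


def ports_probed_by(log_text, scanner_ip):
    """Return the destination ports for which a SYN from scanner_ip was logged."""
    probed = set()
    for line in log_text.splitlines():
        match = SYN_LINE.search(line)
        if match and match.group("src") == scanner_ip:
            probed.add(int(match.group("port")))
    return probed


def where_answered(reported, probed):
    """Compare the scan page's verdict with what the router actually received.

    local    - the probe was logged, so the router or PC produced the result
    upstream - a reply was reported but no probe arrived: something between
               the scanner and the router answered on the host's behalf
    unknown  - no reply and no log entry: dropped upstream or never logged
    """
    verdict = {}
    for port, state in reported.items():
        if port in probed:
            verdict[port] = "local"
        elif state == "stealth":
            verdict[port] = "unknown"
        else:
            verdict[port] = "upstream"
    return verdict


if __name__ == "__main__":
    seen = ports_probed_by(SAMPLE_LOG, "192.0.2.10")
    for port, origin in sorted(where_answered(REPORTED, seen).items()):
        print(port, REPORTED[port], origin)
```
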



mackey
Premium
join:2007-08-20
kudos:12

1 recommendation

reply to NormanS

said by NormanS:

Some say a "Closed" response invites closer scrutiny from hostile scanners. In my personal experience, this is not true.

Really this depends on the value of the target being scanned or why the scan is being performed. For a home user they're most likely being scanned by a script kiddie looking for another drone for their botnet and thus if the 1 vulnerability they're looking for isn't there they'll move on to the next IP. However if it's a high-value target (say a large corporation or gov't agency) who's being specifically targeted (they're not just a random computer on the internet), getting a RST/closed response means there is an active device at that IP and a hole in the firewall for it thereby telling the attacker that IP warrants a closer inspection.

/M


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

said by mackey:

getting a RST/closed response means there is an active device at that IP and a hole in the firewall for it thereby telling the attacker that IP warrants a closer inspection.

You've been reading too much Steve Gibson.
--
Oh, Opera, what have you done?


mackey
Premium
join:2007-08-20
kudos:12

1 recommendation

Oh? Please explain how letting an attacker know there's an active host at an address helps security.

/M


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

1 recommendation

reply to sivran

said by sivran:

said by mackey:

getting a RST/closed response means there is an active device at that IP and a hole in the firewall for it thereby telling the attacker that IP warrants a closer inspection.

You've been reading too much Steve Gibson.

Interesting, since Hacking Exposed which was considered a classic 10 years ago well before Gibson, said one of the first things you need to do when trying to access a network was map the network and the IPs by scanning. That included using signatures from any responses to determine the device responding. IIRC and I have not used it in years NMAP was designed to attempt to try and determine the Operating System by the responses so you would know what attacks might work.

Even the responses from different ICMP packets have been studied to see the patterns from different types of systems.

So while many people in this forum like to spout off that closed is as good as stealth IMO it is a debatable claim. I guess I do not understand TCP/IP.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

1 recommendation

This argument has been raised before...I refer to this thread.

»Place your bets - Closed vs Stealthed

I think the difference between closed and stealth is negligible. As long as the ports are filtered and services are not listening on those ports, then I think it's fine. Of course, Stealth or Closed, still gotta keep firmware updated on the firewall itself.

I always say, "The lack of a response is a response in itself." Sometimes, it's best to hide in plain sight...respond to their probes with a closed message and they go away....After all, it is possible to discover a stealthed machine as outlined in that thread.

Again though, I don't think it's something to bicker over, both are secure enough for most purposes. It just really comes down to personal preference and what you're more comfortable with....I have run closed systems for years without issue, same with stealth....it just depends on which I'm most comfortable with for which scenario.
--
Tech Tips


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

There are even longer threads that occurred even before that thread. Yes it has been discussed here many many times and in great depth.

My viewpoint is that there is a reasonable argument for both positions, that there are advantages/disadvantages to not giving out any information (stealth) by dropping packets and there are advantages/disadvantages to following standard TCP/IP practices and sending RSTs, but that which is better really must be an individual preference since, as I stated, which is better is "Debatable".
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to mackey

said by mackey:

Oh? Please explain how letting an attacker know there's an active host at an address helps security.

How does a TCP RST response indicate the host is "active"? An "Open" result would indicate an "active" host. Using Telnet to attempt to connect will show if there is an "active" host. If there is no service "listening", the host isn't "active".
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Jasu

join:2010-01-09
Finland

2 recommendations

TCP RST should be a response from the host. Routers on a route should use ICMP if they are blocking the packets. When you are using Telnet, TCP RST causes "connection refused" error while stealth (no responses) causes a long wait and "connection timed out" error.



sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to mackey

There being an "active host" at a particular address is a foregone conclusion. So can you explain how "stealth" helps? Bearing in mind that a reset can come from any device upstream, sent on behalf of the destination, it does not necessarily mean anything. And where does profiling a reset get you? Nowhere -- since a closed port is just as exploitable as a filtered one.

I think TheWiseGuy is right in that it's a matter of personal preference. Myself I think it's preferable to be uniform, with every port the same, but I'm not going to worry--and it's not worth worrying--over a few ports that show closed when I was going for filtered, or vice versa. Those ports are still safe from network intrusion.
--
Oh, Opera, what have you done?



mackey
Premium
join:2007-08-20
kudos:12

said by sivran:

There being an "active host" at a particular address is a foregone conclusion.

What? It is most definitely NOT a foregone conclusion!

Let's say a company has a /24 but they only currently have, say, 143 computers active (workstations+servers). An attacker then scans a single port on every host in that /24. The company has a firewall that blackholes (stealth) all IPs except for the servers they make available to employees in the field or who are working from home. If the attacker does not get a reply to the scan (it's stealth) how do they know if that particular IP is an active computer that's firewalled but may be listening on a different port or one of the 111 unused addresses? If the company decided a RST is just as good as "stealth" and thus the hole in the firewall allows everything to that IP through, the attacker then gets a RST for that port he scanned and thus knows there is an active computer there and it's not one of the 111 unused addresses. For the 2nd pass the attacker can then focus a much larger port scan on the handful of IPs that responded with a RST (since he knows there's something there) instead of needing to scan the entire /24 again.

/M


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

2 recommendations

said by mackey:

said by sivran:

There being an "active host" at a particular address is a foregone conclusion.

What? It is most definitely NOT a foregone conclusion!

If the company decided a RST is just as good as "stealth" and thus the hole in the firewall allows everything to that IP through, the attacker then gets a RST for that port he scanned and thus knows there is an active computer there and it's not one of the 111 unused addresses.

/M

I just want to focus on this one part:

1. Since when is a port that responds "Closed" a port that's actively accepting connections? When in fact a port that responds Closed is the exact opposite of that...it's saying the port is not accepting connections, period.

2. Since when is a port responding "Closed" a hole in the firewall letting things through? Ports that respond closed are not accepting connections on those ports, so they are not letting anything through.

Perhaps I am not following or understanding your line of reasoning, but in the last 20 years I have learned to take what Steve Gibson says with a grain of salt...Stealth is more of a marketing term than anything else.

Stealth has pros and cons just like Closed; the fact is both Closed and Stealth are "Filtered Ports". Neither is accepting connections; the only difference is one drops silently, the other says "We're not accepting connections, go away".

Some choose to run Closed instead of Stealth because it suits a particular scenario....Stealth isn't the right setup for all situations.

For example Google responds to pings, Microsoft doesn't...does that make Google any less secure? Nope.

As I said, perhaps I misunderstand what you're trying to say, and if I do, my apologies. Look forward to your response, hope you're having a great day!
--
Tech Tips


mackey
Premium
join:2007-08-20
kudos:12

1 recommendation

said by Woody79_00:

Since when is a port that responds "Closed" a port that's actively accepting connections?

When did I ever say it was? Did you not read the last part I wrote: For the 2nd pass the attacker can then focus a much larger port scan on the handful of IPs that responded with a RST (since he knows there's something there) instead of needing to scan the entire /24 again. Seriously. My point is that having a machine respond with a RST tells an attacker there is an active machine there (whereas "stealth" cannot be distinguished from no machine at that address) allowing them to focus more effort there.

And why do people keep mentioning Steve Gibson? I haven't heard anything about him in years.

/M


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 recommendation

reply to ariez

The term STEALTH was first used by the USAF, and now many military carriers are built with this anti-radar tech.
In my own opinion, for the protection of all devices it is best to go with STEALTH mode. Here are my result settings:
YOUR INTERNET CONNECTION has NO reverse DNS
Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account — and therefore you — and may disclose other information, such as your geographic location.
When present, reverse DNS is supported by Internet service providers. But no such lookups are possible with your current Internet connection address (XX.XXX.XXX.XXX). That's generally a good thing.........BTW, still I could established 3 hand_shake connection also remember to turn OFF your “PLUG & PRAY” !!!


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 edit

5 recommendations

reply to mackey

said by mackey:

Oh? Please explain how letting an attacker know there's an active host at an address helps security.


1) "Enamour with stealth is inversely related to knowledge of TCP/IP" - me
2) "Misunderstanding security threats makes you less safe" - me

edit to add:

3) "Worry about the things not in your logs, not the things that are" - me


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

reply to mackey

And so what if they scan it again? And why do you assume they wouldn't bother scanning the remainder as well, despite there being no response? The performance impact of "stealth" to a scan is negligible to non-existent. What's he gonna do? He can scan and ping to his heart's content but he's not going to hack that host.

Please, again, remember that port scan results may not paint an accurate picture of a target's network. Upstream devices can and do either drop silently or send reset responses on behalf of the hosts behind them. Thus, until you find an open port and interact with it, you still aren't certain of anything. (Hell, even when you find a service to poke at, you can't be absolutely certain you're interacting directly with the host running that service)
--
Oh, Opera, what have you done?



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to Parad0X787

said by Parad0X787:

In my own opinion, for the protection of all devices it is best to go with STEALTH mode. Here are my result settings:

And your router logs show no port probes?

YOUR INTERNET CONNECTION has NO reverse DNS
Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account — and therefore you — and may disclose other information, such as your geographic location.

Just having an IP address, by the very nature of TCP/IP connections, is a unique identifier. And if your IP address is dynamically assigned, the odds are favorable that a previous assignee gave some geo-location service a clue.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 edit

{{{SMILE }}} ..... just geo-location my ISP !!!


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

said by Parad0X787:

{{{SMILE }}} ..... just geo-location my ISP !!!

Your provider offers CGN, yes? How do you like their "Intranet"?
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


TopShelf

join:2010-06-25
reply to ariez

I've come to the conclusion that Shield's Up is broken or Steve's trying to sell something.

I took two computers (in separate, individual tests) completely off the router. Ports 111 & 369 should have shown as stealth on those two computers because I have a software firewall (NIS) in addition to the router. Those two ports weren't stealth, they were closed. Two other computers that never see the internet were connected directly to the internet and the only firewall was the one provided by Windows. I'll be damned if those two ports showed as closed instead of stealth.

Like I said before, I've really no opinion one way or the other if a port is stealth or closed. Either state is good.

I no longer trust Shield's Up.
--
The only thing North Korea could wipe out in four minutes is a South Korean all-you-can-eat buffet.