[ale] How to test your public internet connection for open ports
Ron Frazier
atllinuxenthinfo at c3energy.com
Thu Feb 10 08:47:51 EST 2011
This is a PS to my prior reply post about configuring the router, with
the subject of Shout Outs for good Wireless-N Router for Home. I decided
to give this a new subject.
Once your system is set up to connect to the internet, you want to make
sure neither your modem, nor your router is exposing open ports to the
world that you don't intend. Following is an easy to use and very
popular port scanner that you can run from Steve Gibson's website. It's
harmless, but will scan the most commonly used ports on your public
address to see if any are open. If they are, you get a red light on
your screen for each open port number. If they're closed, but still
responding and saying "I'm not here" so to speak, you get a blue light.
If they are stealthed, meaning giving no response at all to the port
scanner, you get a green light. From a point of view of optimum
security, you want all stealth, or green lights. There are any number
of Linux utilities that you can use for this purpose as well, like
ZenMap. However, if you do too many port scans from your home IP, your
ISP may think you're a cracker. Also, port scanning your own public IP
from inside your home LAN may not work. This utility is easy to use,
comes from a third party, and is outside your LAN. Note, this will test
the outermost device (closest to the internet) on your public IP. If
your modem is responding to any queries, which it shouldn't unless
someone needs remote administration capabilities, which are a security
risk, that will show up in the results. Otherwise, you will be testing
your router.
Before getting into usage, here is some data on CLOSED vs STEALTH ports
from Steve's website at https://www.grc.com/su/portstatusinfo.htm .
quote on -->
A "Stealth" port is one that completely ignores and simply "drops" any
incoming packets without telling the sender whether the port is "Open"
or "Closed" for business. When all of your system's ports are stealth
(and assuming that your personal firewall security system doesn't make
the mistake of "counter-probing" the prober), your system will be
completely opaque and invisible to the random scans which continually
sweep through the Internet.
...
"Closed" is the best you can hope for without a stealth firewall or NAT
router in place. At least the port is not "Open" for business and
accepting connections from the probes which are continually sweeping the
Internet searching for exploitable systems.
Anyone scanning past your IP address will detect your PC, but "closed"
ports will quickly refuse connection attempts. Since it's much faster
for a scanner to re-scan a machine that's known to exist, the presence
of your machine might be logged for further scrutiny at a later time ---
for example, when a new operating system vulnerability is discovered and
before the potential for exploitation has been repaired.
For this reason it is important for you to stay current with updates
from your operating system vendor since new potential vulnerabilities
are discovered frequently.
<-- end quote
Here's how to use the ShieldsUp! service.
Go to http://www.grc.com/
Go to the services menu and click ShieldsUp!
Review the information presented. Beware of using this on your company
internet connection. The IT staff may see what looks like an attack in
their log files.
When you are ready, click the proceed button.
Click the "File Sharing" button. The remote system will probe your
public IP. You should get a notice saying that your Port 139 does not
exist. This is good. It means your computer is not exposing file
sharing to the world.
Click the "Common Ports" button. The remote system will probe a subset
of port numbers which commonly give problems. You should get a screen
that says TruStealth Analysis Passed. All ports should report as
stealth, with green color. The only exceptions should be ports that you
are intentionally exposing to the world. If you're not running any
servers from your public IP, there should be no exceptions. The test
will fail if your router responds to a ping. This is a slight security
risk, since it will tell a passing, possibly malicious, port scanner
that your router does exist, and may attract its attention to do
further scanning on your IP. You can usually turn off ping response in
your router's control panel. Regardless of that, the ports should still
show up as stealth. Linux systems may show up as closed, rather than
stealth, and fail this test. See my note about Ubuntu below.
Next, click the "All Service Ports" button. The remote system will
probe the first 1056 port numbers at your public IP. You will see a
grid of colored dots, one for each port number, which shows its
status. Again, they should be all green. You should see TruStealth
Analysis Passed. You can hover your mouse over any dot to see its port
number which was tested, and you can click on the dot to see what that
port is for. After the test completes, a good deal of additional
information will be presented at the bottom of the page. It's a good
idea to read through this.
Here's an important piece about WAN security.
quote on -->
However, the Internet or "WAN" (Wide Area Network) side connection of
many NAT routers and DSL gateways is not as secure as it should be. Many
routers ship with web, ftp, or Telnet management ports wide open! And
many are still configured with their well-known default administrative
passwords. Although the router may be protecting the machines behind it,
it might not be protecting itself without your deliberate closing of
remote "WAN" administration ports.
ShieldsUP! automatically tests your NAT router's WAN-side security
because the router's WAN IP is the single public IP that connects your
internal private network to the public Internet. When a test is
initiated by any system behind a NAT router, we are testing the
public-side security of the router itself and not the security of the
individual machines which are located behind and protected by the router.
<-- end quote
So, if you find any open ports that YOU are not specifically desiring to
have open, you need to investigate how to close them. As the above text
indicates, it may be your cable / dsl modem that is the culprit,
exposing its own management interface to the world. This is an
invitation for it to be hacked, even though it may be intended for use
by your ISP. If the modem is not misbehaving, then your router may be
exposing open ports you didn't intend. You should take steps to close
or stealth those through the router's control panel. If that cannot be
done, there are a couple of options.
A) Forward the offending port to a nonexistent IP address on your
network. For example, some routers refuse to stealth port 113. I have
the DHCP server on my LAN set to distribute IP addresses to LAN clients
of 192.168.83.2 - 192.168.83.200. Therefore, IP addresses ending in 201
- 254 should never exist on my LAN. I had a router that would not
stealth port 113. I used the port forwarding function to forward TCP
and UDP packets coming in on port 113 to address 192.168.83.250. Since
there is no computer at this address, this has the effect of stealthing
the port.
B) I currently own a wireless router that absolutely refuses to allow me
stealth one particular port that is reporting as closed. If I try to
forward it to a nonexistent address, it refuses and says the port is in
use. However, I cannot find any place in the control panel where this
is set. In this case, I placed another wired router between the
wireless router and the cable modem. That last router is acting as the
firewall to my whole network, and now I have all the ports facing the
internet stealthed like I want them.
If you need to probe a port other than the common ones, or the first
1056, you can use the "User Specified Custom Port Probe" button on the
ShieldsUp! page. Then, you can enter the port number, or range of
numbers you wish to probe, up to 64 ports total.
Finally, a note about how the UBUNTU Firewall deals with incoming port
scans. I am running the firewall in Ubuntu, configured by the
Firestarter application. I have it configured to drop unsolicited
packets silently, block ICMP, and block broadcasts. If I connect the PC
directly to my cable modem, and run the ShieldsUp! port scan, I find
that almost all the ports are closed, rather than stealth. Also, I find
that the system is responding to pings. This is very annoying, since I
wish for the machine to be totally stealthed. If anyone knows how to
fix this, I'd love to know.
However, when I'm behind my firewall, my machine is totally invisible to
anyone I'm not specifically contacting, or anyone in the communications
path from me to the remote machine. That's the way I like it.
Sincerely,
Ron
On 02/09/2011 10:01 PM, Ron Frazier wrote:
> Hi Chris,
>
> I gave a router recommendation in a prior post. I wanted to add
> this. Make sure you set the router's security features properly to
> protect yourself from outside attack. The settings are as follows.
<snip>
>
> On 02/09/2011 03:12 PM, C Hendry wrote:
>> Need to replace downed 2wire Wireless router.
>>
>> Looking at amazon and Fry's, lots to choose from any good
>> recommendations?
>>
>> Thanks in advance.
>>
>> Chris
>
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
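The open / closed / stealth distinction the post relies on comes down to three possible answers to a TCP connection attempt: the handshake completes (open, red), the host sends back a reset (closed, blue), or nothing comes back at all (stealth, green). The following added example (not from the post, from GRC, or from the ALE list) makes that mapping explicit in Python; it assumes you run it from a machine outside the LAN under test, against your own public IP, with a small port list so your ISP does not mistake it for an attack. The address 203.0.113.10 is a documentation placeholder and the port list is a constructed sample.

```python
import socket

# States as ShieldsUP! colours them: open = red, closed = blue, stealth = green.
OPEN, CLOSED, STEALTH, UNKNOWN = "open", "closed", "stealth", "unknown"


def classify(outcome):
    """Map the outcome of one TCP connect attempt onto a ShieldsUP!-style state.

    outcome is None when the connect succeeded, otherwise the OSError it raised.
    """
    if outcome is None:
        return OPEN        # a listener completed the handshake (red)
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        return STEALTH     # neither SYN-ACK nor RST came back: the packet was dropped (green)
    if isinstance(outcome, ConnectionRefusedError):
        return CLOSED      # the host answered with RST, "I'm not here" (blue)
    return UNKNOWN         # e.g. host or network unreachable; says nothing about the port


def probe(host, port, timeout=3.0):
    """One connect attempt to host:port; returns a state string."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return classify(None)
    except OSError as exc:
        return classify(exc)
    finally:
        sock.close()


def trustealth(results):
    """True only if every probed port is stealth (ping response is not checked here)."""
    return bool(results) and all(state == STEALTH for state in results.values())


def scan(host, ports, timeout=3.0):
    """Probe each port in turn, deliberately slow: a handful of ports, one at a time."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Constructed sample: the post's file-sharing and ident ports plus web ports.
    TARGET = "203.0.113.10"   # placeholder documentation address, not a real host
    report = scan(TARGET, [80, 113, 139, 443])
    for port, state in sorted(report.items()):
        print(f"{port:5d}  {state}")
    print("TruStealth:", "passed" if trustealth(report) else "failed")
```

A closed verdict means the outermost device is answering with resets, as the post describes for the Firestarter-configured Ubuntu box; a stealth verdict means the packets were dropped silently.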