louise

Archived from groups: comp.security.firewalls (More info?)

Using a Linksys NAT router and Sygate Pro.

I just did a test with Shields Up and all the tested ports came
back "stealth" except for port 113, which came back closed.

My impression is that having 113 closed is probably quite ok, but I
wanted to get some opinions on this.

TIA

Louise
 
Guest

The only way you can close port 113 on a router so that it appears as
stealth, is to configure the router. If you look at the bottom of the page
after running Shields Up, you will see some good advice from Mr. Gibson on
that topic. Also check your router manufacturer's site for a help file on
how to deal with this issue. I use a D-Link Router and their help file on
this subject can be found at
http://support.dlink.com/faq/view.asp?prod_id=1068

I hope this helps.

"louise" <nospam@nospam.com> wrote in message
news:MPG.1d82ecb0688400bc9896d5@news-server.nyc.rr.com...
> Using a Linksys NAT router and Sygate Pro.
>
> I just did a test with Shields Up and all the tested ports came
> back "stealth" except for port 113, which came back closed.
>
> My impression is that having 113 closed is probably quite ok, but I
> wanted to get some opinions on this.
>
> TIA
>
> Louise
 
Guest

On Sat, 03 Sep 2005 04:12:18 GMT, louise wrote:

> Using a Linksys NAT router and Sygate Pro.
>
> I just did a test with Shields Up and all the tested ports came
> back "stealth" except for port 113, which came back closed.
>
> My impression is that having 113 closed is probably quite ok, but I
> wanted to get some opinions on this.
>
> TIA
>
> Louise

With a Linksys router, it probably depends upon the firmware version, how
you achieve stealth on port 113. I have a Linksys BEFSR11 with a
configurable setting on the "Filters" tab, on the "Advanced" tab. I don't
recall that I had that option on the earliest firmware revision. This is
probably a ver.1 model; it is too old to have a ver.# on the label.

The latest firmware revision is 1.46.02, dated Aug 03 2004. It has
selectable options to block ICMP ('ping') and IDENT (port 113). Alas, I
don't see it logging packets when I approach it from the WAN port. Without
the option, all that you can do is forward port 113 to an unused IP
address.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.
 
Guest

begin quotation
from louise <nospam@nospam.com>
in message <MPG.1d82ecb0688400bc9896d5@news-server.nyc.rr.com>
posted at 2005-09-03T04:12
> Using a Linksys NAT router and Sygate Pro.

> I just did a test with Shields Up and all the tested ports came
> back "stealth" except for port 113, which came back closed.

> My impression is that having 113 closed is probably quite ok, but I
> wanted to get some opinions on this.

This is done because many SMTP and IRC servers check port 113
(identd/auth, a Unix-centric service which returns the username opening
a given port) and to stealth that port would cause connections to those
servers to be delayed.

Maybe someone has already explained it better than I can.

--
___ _ _____ |*|
/ __| |/ / _ \ |*| Shawn K. Quinn
\__ \ ' < (_) | |*| skquinn@speakeasy.net
|___/_|\_\__\_\ |*| Houston, TX, USA
 
Guest

louise <nospam@nospam.com> wrote in news:MPG.1d82ecb0688400bc9896d5@news-server.nyc.rr.com:

> Using a Linksys NAT router and Sygate Pro.
>
> I just did a test with Shields Up and all the tested ports came
> back "stealth" except for port 113, which came back closed.
>
> My impression is that having 113 closed is probably quite ok, but I
> wanted to get some opinions on this.
>
> TIA
>
> Louise

The stealth test means nothing. The fact the port is *closed* is all that
really counts. However, if you want to pass Gibson's worthless stealth test
for a machine sitting behind a router that is already stealthed because
it's behind the router and cannot receive unsolicited inbound traffic due
to the port being *closed* on the router, you can port forward port 113 to
a dummy IP in the DMZ of the router.

Then you'll pass Gibson's worthless stealth test.

Duane :)
 
Guest

louise <nospam@nospam.com> wrote:
> Using a Linksys NAT router and Sygate Pro.
> I just did a test with Shields Up and all the tested ports came
> back "stealth" except for port 113, which came back closed.
> My impression is that having 113 closed is probably quite ok, but I
> wanted to get some opinions on this.

You're fooled by your "Personal Firewall". Nothing can make a PC invisible
if it's up and running and connected to the Internet.

The "stealth" features of all "Personal Firewalls" are not working at all.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
 
Guest

Cyber Surfer <cyber_surfer@shaw.ca> wrote:
> The only way you can close port 113 on a router so that it appears as
> stealth, is to configure the router. If you look at the bottom of the page
> after running Shields Up, you will see some good advice from Mr. Gibson on
> that topic. Also check your router manufacturer's site for a help file on
> how to deal with this issue. I use a D-Link Router and their help file on
> this subject can be found at
> http://support.dlink.com/faq/view.asp?prod_id=1068

Unbelievable. D-Link is now starting with that nonsense, too.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
 
Guest

louise <nospam@nospam.com> wrote:

> My impression is that having 113 closed is probably quite ok, but I
> wanted to get some opinions on this.

There's no point to the "stealth"-hype anyway, so no need to worry.

Historically, it has always been a good idea to keep port 113 closed
instead of "stealthed", because many servers (especially POP3, FTP and
IRC) will ask your machine on port 113 who you are if you want to
connect, and will wait for a timeout period until they allow you
through.

Juergen Nieveler
--
Remember Fluffy?
 
Guest

In the Usenet newsgroup comp.security.firewalls, in article
<MPG.1d82ecb0688400bc9896d5@news-server.nyc.rr.com>, louise wrote:

>I just did a test with Shields Up and all the tested ports came
>back "stealth"

Gibson's marketing babble. You can prove it yourself by using traceroute
(or the Microsoft lame imitation TRACERT). This is a trace to a stealthed
host (I've deleted the hostname normally seen in the first column for
space and privacy reasons, and masked the first octet of the address to
avoid having fools attack this particular set of hosts):

14 (XXX.117.52.49) 329.807 ms 309.331 ms 309.864 ms
15 (XXX.181.218.10) 329.744 ms 329.413 ms 299.859 ms
16 * * *
17 * * *

I have another (similar) tool that tells me that hop 16 is some kind of
firewall that is NAT/Port-Forwarding to a host - hop 17 comes back with
an indication from a server, but with the address of hop 16.

Similar trace - host exists, and is reachable:

14 (XXX.117.52.49) 348.127 ms 327.441 ms 339.921 ms
15 (XXX.181.218.10) 350.116 ms 331.256 ms 333.981 ms
16 (XXX.87.184.55) 339.793 ms 529.427 ms 469.787 ms

Similar trace - host does not exist, or is turned off or disconnected

14 (XXX.117.52.49) 409.373 ms 329.452 ms 331.011 ms
15 (XXX.181.218.10) 419.833 ms !H

Here - the router at hop 15 tells me that it knows how to get "there" (or
I'd see a !N = Network Unreachable), but the host (!H) isn't there. Now
some toy routers/firewalls can be configured to mimic this response - the
only thing is that the ICMP Type 3 Code 1 (Host Unreachable) error comes
from the IP of the destination I'm tracing to - the host that "doesn't
exist". Some programmers are as st00pid as marketeers.

>except for port 113, which came back closed.

Which as the others have said is good. Ident/Auth (RFC1413) is used by
some services on the net (mail and IRC mainly), and stealthing the port
delays a connection you want - "Bullet, meet foot. Bang!"

>My impression is that having 113 closed is probably quite ok, but I
>wanted to get some opinions on this.

Having a port "closed" ends that connection attempt. A "stealth" port
causes the remote end to try again, and again - thinking that the packets
got dropped accidentally en route. THIS DOES NOT SLOW DOWN PORT SCANS,
because port scans are run in parallel, rather than waiting for a response
before continuing.

Old guy
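
What the mail or IRC server sees when it queries port 113, as an added example that is not part of the original posts: a minimal RFC 1413 client that reports whether the ident port answered, refused the connection (closed) or stayed silent (stealth), and how long the querier had to wait. The loopback responder, the user name `demo` and the port pair 40000/25 are constructed for the demonstration.

```python
import socket
import threading
import time

def ident_query(host, ident_port, port_on_host, port_on_querier, timeout=3.0):
    """Send one RFC 1413 query; return (outcome, detail, seconds_waited)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{port_on_host} , {port_on_querier}\r\n".encode("ascii"))
            buf = b""
            while not buf.endswith(b"\n") and len(buf) < 1024:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
        outcome, detail = "answered", buf.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        # Closed port: the host sent a TCP RST, so the querier knows at once.
        outcome, detail = "closed", "connection refused (RST)"
    except (socket.timeout, TimeoutError):
        # "Stealth" port: packets silently dropped, querier waits the full timeout.
        outcome, detail = "stealth", "no reply before timeout"
    return outcome, detail, time.monotonic() - start

def start_demo_identd():
    """Constructed one-shot ident responder on a loopback port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            query = conn.recv(64).decode("ascii").strip()
            conn.sendall(f"{query} : USERID : UNIX : demo\r\n".encode("ascii"))
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_local_port():
    """Pick a loopback port with no listener, i.e. a 'closed' port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    answered = ident_query("127.0.0.1", start_demo_identd(), 40000, 25)
    closed = ident_query("127.0.0.1", unused_local_port(), 40000, 25)
    return answered, closed

if __name__ == "__main__":
    for outcome, detail, waited in demo():
        print(f"{outcome:9s} {waited * 1000:7.1f} ms  {detail}")
```

The "stealth" branch cannot be produced on loopback without a packet filter; against a port whose packets are dropped, the call returns only after `timeout` seconds, which is the delay the posters describe.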
 

Speeder


On Sat, 03 Sep 2005 04:12:18 GMT, louise <nospam@nospam.com> wrote:

>Using a Linksys NAT router and Sygate Pro.
>
>I just did a test with Shields Up and all the tested ports came
>back "stealth" except for port 113, which came back closed.
>
>My impression is that having 113 closed is probably quite ok, but I
>wanted to get some opinions on this.
>
>TIA
>
>Louise

I agree with the other opinions already posted but would anyone see an
advantage of "stealthing" this port just to avoid device
fingerprinting? By leaving it in a state different than the other
ports an attacker can narrow what he's dealing with to a handful of
devices, no? I would prefer to not give him that information even
though it might not be to any use. Or then it could be...

Your thoughts?
 
Guest

In the Usenet newsgroup comp.security.firewalls, in article
<6t0kh1p0b63ldktm6gqt2aiv99ev9ch5r9@4ax.com>, speeder wrote:

>I agree with the other opinions already posted but would anyone see an
>advantage of "stealthing" this port just to avoid device
>fingerprinting?

Not so much 'device fingerprinting' as 'operating system fingerprinting'.
That's fixable on some O/S by tweaking some things. It's _VERY_ O/S
specific, and not that many have the capability.

>By leaving it in a state different than the other ports an attacker can
>narrow what he's dealing with to a handful of devices, no? I would prefer
>to not give him that information even though it might not be to any use.

You have a choice. If you do not use services that may want Ident/Auth,
OR you don't care that you get delayed up to a minute when using such
services, then by all means go ahead and stealth if that's what you want
to do.

If you have services (such as mail or IRC) that REQUIRE this port to
respond (some really do), then it gets sticky - perhaps you can change
your firewall rules on the fly, or set a rule that only allows connections
to that port from specific addresses.

>Or then it could be...

If your computer is reasonably configured, and you are not offering
services, then what does it matter? If the port is 'closed' then the
door is closed and that is that. Of course, if you are still using
earlier versions of windoze that were vulnerable to the 'ping of death'
then running an EXTERNAL hardware firewall is required - but what does
it matter?

Old guy
 
Guest

On Sat, 03 Sep 2005 04:39:02 GMT, "Cyber Surfer"
<cyber_surfer@shaw.ca> wrote:

>The only way you can close port 113 on a router so that it appears as
>stealth, is to configure the router. If you look at the bottom of the page
>after running Shields Up, you will see some good advice from Mr. Gibson on
>that topic. Also check your router manufacturer's site for a help file on
>how to deal with this issue. I use a D-Link Router and their help file on
>this subject can be found at
>http://support.dlink.com/faq/view.asp?prod_id=1068
>
>I hope this helps.

I have a Dlink DI-604 and I want to close a few ports. I don't see an
option to do that in the router settings. What am I missing?
 
Guest

D-Link has instructions at
http://support.dlink.com/faq/view.asp?prod_id=1068 on how to stealth Port
113. Just follow the instructions. I have the same D-Link Router as you do,
and it works flawlessly.

"Praxiteles Democritus" <no@email.here> wrote in message
news:uf5kh114ai4sugootka7j5m137k2tonclt@4ax.com...
> On Sat, 03 Sep 2005 04:39:02 GMT, "Cyber Surfer"
> <cyber_surfer@shaw.ca> wrote:
>
>>The only way you can close port 113 on a router so that it appears as
>>stealth, is to configure the router. If you look at the bottom of the page
>>after running Shields Up, you will see some good advice from Mr. Gibson on
>>that topic. Also check your router manufacturer's site for a help file on
>>how to deal with this issue. I use a D-Link Router and their help file on
>>this subject can be found at
>>http://support.dlink.com/faq/view.asp?prod_id=1068
>>
>>I hope this helps.
>
> I have a Dlink DI-604 and I want to close a few ports. I don't see an
> option to do that in the router settings. What am I missing?
 
Guest

Praxiteles Democritus <no@email.here> wrote:
> I have a Dlink DI-604 and I want to close a few ports.

Are you using NAT?

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
 
Guest

On 4 Sep 2005 03:22:41 +0200, Volker Birk <bumens@dingens.org> wrote:


>Are you using NAT?
>
>Yours,
>VB.

Yes.
 
Guest

Cyber Surfer <cyber_surfer@shaw.ca> wrote:
> D-Link has instructions at
> http://support.dlink.com/faq/view.asp?prod_id=1068 on how to stealth Port
> 113. Just follow the instructions. I have the same D-Link Router as you do,
> and it works flawlessly.

Please tell me why you think your port is "stealth", say: invisible.
What should that be, an "invisible" port?

Is your router modifying the natural numbers, and removing one of them?
A port is a number between 1 and 65535 together with a layer 4 protocol
like UDP or TCP. With this number, your TCP/IP stack software can assign
datagrams to sockets and therefore to processes.

There is nothing you could "stealth" at all. This is just nonsense,
based on the misinterpretation of the term "port", which does _not_ mean
door here, nor harbor, but just a maintenance number.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
 
Guest

speeder <no.spam@invalid.com> wrote:
> I agree with the other opinions already posted but would anyone see an
> advantage of "stealthing" this port just to avoid device
> fingerprinting?

I cannot see that.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
 
Guest

Praxiteles Democritus <no@email.here> wrote:
> On 4 Sep 2005 03:22:41 +0200, Volker Birk <bumens@dingens.org> wrote:
[wanting to "close ports"]
> >Are you using NAT?
> Yes.

Hm... if you mean masquerading with NAT, please explain what you
mean by "close ports".

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
 
Guest

On 4 Sep 2005 09:30:08 +0200, Volker Birk <bumens@dingens.org> wrote:


>Hm... if you mean masquerading with NAT, please explain what you
>mean by "close ports".
>
>Yours,
>VB.

I mean blocking, sorry. Here's what someone posted in this group
recently and I thought I would take their advice. Is it not good
advice?

"As always, I suggest blocking both TCP and UDP ports 135 ~ 139 and
445 on *any* SOHO Router."
 
Guest

Praxiteles Democritus wrote:
> On Sat, 03 Sep 2005 04:39:02 GMT, "Cyber Surfer"
> <cyber_surfer@shaw.ca> wrote:
>
>
>>The only way you can close port 113 on a router so that it appears as
>>stealth, is to configure the router. If you look at the bottom of the page
>>after running Shields Up, you will see some good advice from Mr. Gibson on
>>that topic. Also check your router manufacturer's site for a help file on
>>how to deal with this issue. I use a D-Link Router and their help file on
>>this subject can be found at
>>http://support.dlink.com/faq/view.asp?prod_id=1068
>>
>>I hope this helps.
>
>
> I have a Dlink DI-604 and I want to close a few ports. I don't see an
> option to do that in the router settings. What am I missing?

Look up port forwarding.
 
Guest

"Volker Birk" <bumens@dingens.org> wrote in message
news:431a4e13@news.uni-ulm.de...
> Cyber Surfer <cyber_surfer@shaw.ca> wrote:
> > D-Link has instructions at
> > http://support.dlink.com/faq/view.asp?prod_id=1068 on how to stealth Port
> > 113. Just follow the instructions. I have the same D-Link Router as you do,
> > and it works flawlessly.
>
> Please tell me why you think your port is "stealth", say: invisible.
> What should that be, an "invisible" port?
>
> Is your router modifying the natural numbers, and removing one of them?
> A port is a number between 1 and 65535 together with a layer 4 protocol
> like UDP or TCP. With this number, your TCP/IP stack software can assign
> datagrams to sockets and therefore to processes.
>
> There is nothing you could "stealth" at all. This is just nonsense,
> based on the misinterpretation of the term "port", which does _not_ mean
> door here, nor harbor, but just a maintenance number.


Stealth as per Shields Up
https://www.grc.com/x/ne.dll?bh0bkyd2

Press Proceed then do
Common Ports
All Service ports
File Sharing
 
Guest

On Mon, 05 Sep 2005 23:56:19 -0500, optikl <optikl@invalid.net> wrote:


>Look up port forwarding.

I went here http://www.portforward.com/default.htm and read up on port
forwarding. From what I can tell from reading there I've already done
what I need to do to block certain ports, thx.
 
Guest

"Praxiteles Democritus" <no@email.here> wrote in message
news:97nqh119q0e6gl1i690hvu038o0g29bpou@4ax.com...
> On Mon, 05 Sep 2005 23:56:19 -0500, optikl <optikl@invalid.net> wrote:
>
>
>>Look up port forwarding.
>
> I went here http://www.portforward.com/default.htm and read up on port
> forwarding. From what I can tell from reading there I've already done
> what I need to do to block certain ports, thx.

How is it that you blocked ports that were already closed by default and
will only open to inbound traffic due to a solicitation for inbound traffic
from remote site, because some application running on a machine behind the
router sent outbound traffic to the site or you port forwarded the ports
opening them, even if you sent them to a dummy IP?



May I ask what ports are you talking about?



Duane :)
 
Guest

Praxiteles Democritus wrote:

>
> Yes, I forwarded them to a dummy IP. Is that not how to do it? If it's
> not then someone please enlighten me.
>
>

That is how you do it.
 
Guest

Alt Beer <null@null.com> wrote:
> Stealth as per Shields Up
> https://www.grc.com/x/ne.dll?bh0bkyd2

Ah, OK. This just _is_ nonsense ;-)

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"