
Close or stealth ports 22 & 23

March 12, 2010 4:51:54 AM

Hello,
I have a D Link DIR 615 rev.B with the latest firmware update. I am running Win 7 on an Acer Aspire 5536G and using Comodo Internet Security. I just used Steve Gibson's Shields Up and found that ports 22 & 23 are open. I have used full stealth mode with my software firewall, but the ports are still shown as open. What I need to know is this: How do I stealth these ports through my router? Any idea, anyone? TIA.


March 12, 2010 11:02:33 AM

If GRC is reporting those ports as open and you're behind a router, then GRC is only testing the router's firewall, not your personal software firewall. So for some reason those ports are open at the router. You need to find out why and close/stealth them there.
March 12, 2010 5:43:52 PM

eibgrad said:
If GRC is reporting those ports as open and you're behind a router, then GRC is only testing the router's firewall, not your personal software firewall. So for some reason those ports are open at the router. You need to find out why and close/stealth them there.

Yes, that was my question - "How?" - I can't find anything in the router's web-based interface; I've looked on the D-Link forum and Googled the query, but can't find an answer. Maybe my search parameters aren't right?

Should I use port-forwarding to confuse probes? If so, where should I forward them? I don't anticipate using SSH or Telnet anytime soon, but wonder if the router needs them open to function. Every other port was reported either 'closed' or 'stealthed'.
March 12, 2010 6:04:27 PM

It's unusual for those ports to be open by default or without you having explicitly opened them. You probably have a section called Virtual Servers on the router where various well-known protocols like SSH (port 22) and Telnet (23) are defined for port forwarding at some later date should you need them, but otherwise disabled. If they are defined and enabled, then disable them.

Why might they be open if you hadn’t opened them? It’s possible you have UPnP (Universal Plug N Play) enabled and malware has gotten into your system and opened them behind your back. UPnP allows applications you trust to manage their own ports on the router's firewall. But it represents a security risk too. If malware gets into your system, it can manipulate those same ports for its own evil purposes. I'm particularly concerned in this case since SSH and Telnet are highly prized by hackers.

So to avoid any chance you might miss something, I suggest you reset the router to factory defaults, make sure UPnP is disabled (it usually is by default, but check anyway), and run your GRC tests again. And immediately check your wired and wireless clients for malware.

To reset the router to factory defaults, hold the reset button on the back of the router for 30 secs (while powered on, of course) and release. The router will be returned to factory defaults. Realize that administrative and wireless security will be disabled. These should be re-established ASAP.
March 22, 2010 12:14:05 AM

I did all of the above and those darned ports are still open. UPnP is disabled, also Remote Management. I've scanned the c**p out of my machine and nothing untoward was found. I've changed my antivirus and scanned again, just in case anything was missed - nada! Spybot and malwarebytes found nothing and I'm stumped. Thanks for trying.
March 22, 2010 12:56:19 AM

Are you sure the public IP address reported by Shields Up or http://ipchicken.com is the same public IP assigned to your router's WAN IP?
March 22, 2010 5:21:10 AM

From my router's interface:

DHCP Client
QoS Engine : Active
Cable Status : Connected
Network Status : Established
Connection Up Time : 5 Days, 6:00:52
MAC Address : 00:1C:F0:F0:39:FF
Authentication & Security :
IP Address : 192.168.88.5
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.88.1
Primary DNS Server : 124.157.64.4
Secondary DNS Server : 124.157.64.5

From Shields Up:

Your computer at IP: 124.157.108.126

Same on ipchicken.
March 22, 2010 9:48:12 AM

Well wait a second. The public IP reported @ ipchicken.com is 124.157.108.126. But you haven't proven to me the WAN IP is also 124.157.108.126 by the information that precedes it. That shows an IP address of 192.168.88.5, which is a *local* IP address. Are you sure 192.168.88.5 is the WAN IP of your router, or is that perhaps the IP configuration of your PC/client? Because if it's the former, there's your problem.

NOTE: Your router’s WAN IP information should be visible under Status->Device Info (pg. 43 of the manual).
March 22, 2010 7:14:52 PM

This is an actual screenshot from my router's web interface: http://tinyurl.com/yfc37do As you can see, that was what I cut and pasted before. I have a wireless Internet link, through a PoE adapter and a receiver on the roof, which has a built-in firewall. Maybe this is the explanation and I'm sorry, I should have mentioned that before. :??:  Duh!

Thanks for all your input.

Best solution

March 22, 2010 7:28:33 PM

Noozild said:
This is an actual screenshot from my router's web interface: http://tinyurl.com/yfc37do As you can see, that was what I cut and pasted before. I have a wireless Internet link, through a PoE adapter and a receiver on the roof, which has a built-in firewall. Maybe this is the explanation and I'm sorry, I should have mentioned that before. :??:  Duh!

Thanks for all your input.


Well, there’s the problem. You're not connected directly to the public IP space! Instead, you're connected to another local network upstream (192.168.88.x) and being assigned the IP address 192.168.88.5 by the wireless ISP, who in turn is connected to some ISP. Somewhere up that chain of ISPs lies a router w/ the public IP (124.157.108.126). And that's the router Shields Up is testing, NOT your personal router. Shields Up only knows about and tests the router directly connected to the public IP space. That’s just one of the limitations of an ISP who places you behind his own private network (e.g., 192.168.x.x).

So in all likelihood, your router is probably completely closed and stealthy. What’s not is the router directly exposed to the public IP space. Ironically, this is NOT a good thing if you need remote access, are into gaming, etc., since you typically need various ports OPEN, so now that ISP is an impediment to those activities since you don’t control his router’s firewall.
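
The comparison that settled this thread (router WAN IP versus the public IP the scanner reports), written out as an added example that is not part of any poster's reply. The function names are hypothetical, and the range table goes slightly beyond the thread's 192.168.x.x case by also covering the other RFC 1918 blocks, carrier-grade NAT space and link-local addresses.

```python
import ipaddress

# Ranges that are never the internet-facing side of a connection.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
}


def classify(addr):
    """Return the name of the non-public range addr falls in, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return label
    return "public"


def scan_target(router_wan_ip, reported_public_ip):
    """Say which device an external scan of reported_public_ip actually probes.

    router_wan_ip      -- WAN address from the router's own status page
    reported_public_ip -- address shown by the external scanner / IP-echo site
    """
    if classify(reported_public_ip) != "public":
        raise ValueError("scanner-reported address must be a public IP")
    if classify(router_wan_ip) != "public":
        # The router sits behind someone else's NAT; the scan hits that device.
        return "upstream-nat"
    if ipaddress.ip_address(router_wan_ip) == ipaddress.ip_address(reported_public_ip):
        # The scan results describe this router's own firewall.
        return "own-router"
    # Public WAN IP that differs from what the scanner sees (proxy, VPN, ...).
    return "mismatch"


if __name__ == "__main__":
    # Values taken from the thread: WAN IP from the router page, public IP
    # from Shields Up / ipchicken.
    wan, public = "192.168.88.5", "124.157.108.126"
    print(wan, "is", classify(wan))
    print("external scan probes:", scan_target(wan, public))
```
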

March 22, 2010 8:00:38 PM

Aah - that sounds like the answer! I'll stop worrying now; I'm not an online gamer, so that's not an issue. My heartfelt thanks :-)
March 29, 2010 4:10:19 AM

Best answer selected by Noozild.