[ale] How to test your public internet connection for open ports

Ron Frazier atllinuxenthinfo at c3energy.com
Thu Feb 10 08:47:51 EST 2011


This is a PS to my prior reply post about configuring the router, with 
the subject of Shout Outs for good Wireless-N Router for Home.  I decided 
to give this a new subject.

Once your system is set up to connect to the internet, you want to make 
sure neither your modem, nor your router is exposing open ports to the 
world that you don't intend.  Following is an easy to use and very 
popular port scanner that you can run from Steve Gibson's website.  It's 
harmless, but will scan the most commonly used ports on your public 
address to see if any are open.  If they are, you get a red light on 
your screen for each open port number.  If they're closed, but still 
responding and saying "I'm not here" so to speak, you get a blue light.  
If they are stealthed, meaning giving no response at all to the port 
scanner, you get a green light.  From a point of view of optimum 
security, you want all stealth, or green lights.  There are any number 
of Linux utilities that you can use for this purpose as well, like 
ZenMap.  However, if you do too many port scans from your home IP, your 
ISP may think you're a cracker.  Also, port scanning your own public IP 
from inside your home LAN may not work.  This utility is easy to use, 
comes from a third party, and is outside your LAN.  Note, this will test 
the outermost device (closest to the internet) on your public IP.  If 
your modem is responding to any queries, which it shouldn't unless 
someone needs remote administration capabilities, which are a security 
risk, that will show up in the results.  Otherwise, you will be testing 
your router.

Before getting into usage, here is some data on CLOSED vs STEALTH ports 
from Steve's website at https://www.grc.com/su/portstatusinfo.htm .

quote on -->

A "Stealth" port is one that completely ignores and simply "drops" any 
incoming packets without telling the sender whether the port is "Open" 
or "Closed" for business. When all of your system's ports are stealth 
(and assuming that your personal firewall security system doesn't make 
the mistake of "counter-probing" the prober), your system will be 
completely opaque and invisible to the random scans which continually 
sweep through the Internet.

...

"Closed" is the best you can hope for without a stealth firewall or NAT 
router in place. At least the port is not "Open" for business and 
accepting connections from the probes which are continually sweeping the 
Internet searching for exploitable systems.

Anyone scanning past your IP address will detect your PC, but "closed" 
ports will quickly refuse connection attempts. Since it's much faster 
for a scanner to re-scan a machine that's known to exist, the presence 
of your machine might be logged for further scrutiny at a later time --- 
for example, when a new operating system vulnerability is discovered and 
before the potential for exploitation has been repaired.

For this reason it is important for you to stay current with updates 
from your operating system vendor since new potential vulnerabilities 
are discovered frequently.

<-- end quote

Here's how to use the ShieldsUp! service.

Go to http://www.grc.com/
Go to the services menu and click ShieldsUp!
Review the information presented.  Beware of using this on your company 
internet connection.  The IT staff may see what looks like an attack in 
their log files.
When you are ready, click the proceed button.

Click the "File Sharing" button.  The remote system will probe your 
public IP.  You should get a notice saying that your Port 139 does not 
exist.  This is good.  It means your computer is not exposing file 
sharing to the world.

Click the "Common Ports" button.  The remote system will probe a subset 
of port numbers which commonly give problems.  You should get a screen 
that says TruStealth Analysis Passed.  All ports should report as 
stealth, with green color.  The only exceptions should be ports that you 
are intentionally exposing to the world.  If you're not running any 
servers from your public IP, there should be no exceptions.  The test 
will fail if your router responds to a ping.  This is a slight security 
risk, since it will tell a passing, possibly malicious, port scanner 
that your router does exist, and may attract its attention to do 
further scanning on your IP.  You can usually turn off ping response in 
your router's control panel.  Regardless of that, the ports should still 
show up as stealth.  Linux systems may show up as closed, rather than 
stealth, and fail this test.  See my note about Ubuntu below.

Next, click the "All Service Ports" button.  The remote system will 
probe the first 1056 port numbers at your public IP.  You will see a 
grid of colored dots, one for each port number, which shows its 
status.  Again, they should be all green.  You should see TruStealth 
Analysis Passed.  You can hover your mouse over any dot to see its port 
number which was tested, and you can click on the dot to see what that 
port is for.  After the test completes, a good deal of additional 
information will be presented at the bottom of the page.  It's a good 
idea to read through this.

Here's an important piece about WAN security.

quote on -->

However, the Internet or "WAN" (Wide Area Network) side connection of 
many NAT routers and DSL gateways is not as secure as it should be. Many 
routers ship with web, ftp, or Telnet management ports wide open! And 
many are still configured with their well-known default administrative 
passwords. Although the router may be protecting the machines behind it, 
it might not be protecting itself without your deliberate closing of 
remote "WAN" administration ports.

ShieldsUP! automatically tests your NAT router's WAN-side security 
because the router's WAN IP is the single public IP that connects your 
internal private network to the public Internet. When a test is 
initiated by any system behind a NAT router, we are testing the 
public-side security of the router itself and not the security of the 
individual machines which are located behind and protected by the router.

<-- end quote

So, if you find any open ports that YOU are not specifically desiring to 
have open, you need to investigate how to close them.  As the above text 
indicates, it may be your cable / DSL modem that is the culprit, 
exposing its own management interface to the world.  This is an 
invitation for it to be hacked, even though it may be intended for use 
by your ISP.  If the modem is not misbehaving, then your router may be 
exposing open ports you didn't intend.  You should take steps to close 
or stealth those through the router's control panel.  If that cannot be 
done, there are a couple of options.

A) Forward the offending port to a nonexistent IP address on your 
network.  For example, some routers refuse to stealth port 113.  I have 
the DHCP server on my LAN set to distribute IP addresses to LAN clients 
of 192.168.83.2 - 192.168.83.200.  Therefore, IP addresses ending in 201 
- 254 should never exist on my LAN.  I had a router that would not 
stealth port 113.  I used the port forwarding function to forward TCP 
and UDP packets coming in on port 113 to address 192.168.83.250.  Since 
there is no computer at this address, this has the effect of stealthing 
the port.

B) I currently own a wireless router that absolutely refuses to allow me 
stealth one particular port that is reporting as closed.  If I try to 
forward it to a nonexistent address, it refuses and says the port is in 
use.  However, I cannot find any place in the control panel where this 
is set.  In this case, I placed another wired router between the 
wireless router and the cable modem.  That last router is acting as the 
firewall to my whole network, and now I have all the ports facing the 
internet stealthed like I want them.

If you need to probe a port other than the common ones, or the first 
1056, you can use the "User Specified Custom Port Probe" button on the 
ShieldsUp! page.  Then, you can enter the port number, or range of 
numbers you wish to probe, up to 64 ports total.

Finally, a note about how the UBUNTU Firewall deals with incoming port 
scans.  I am running the firewall in Ubuntu, configured by the 
Firestarter application.  I have it configured to drop unsolicited 
packets silently, block ICMP, and block broadcasts.  If I connect the PC 
directly to my cable modem, and run the ShieldsUp! port scan, I find 
that almost all the ports are closed, rather than stealth.  Also, I find 
that the system is responding to pings.  This is very annoying, since I 
wish for the machine to be totally stealthed.  If anyone knows how to 
fix this, I'd love to know.

However, when I'm behind my firewall, my machine is totally invisible to 
anyone I'm not specifically contacting, or anyone in the communications 
path from me to the remote machine.  That's the way I like it.

Sincerely,

Ron

On 02/09/2011 10:01 PM, Ron Frazier wrote:
> Hi Chris,
>
> I gave a router recommendation in a prior post.  I wanted to add 
> this.  Make sure you set the router's security features properly to 
> protect yourself from outside attack.  The settings are as follows.

<snip>

>
> On 02/09/2011 03:12 PM, C Hendry wrote:
>> Need to replace downed 2wire Wireless router.
>>
>> Looking at amazon and Fry's, lots to choose from any good 
>> recommendations?
>>
>> Thanks in advance.
>>
>> Chris
>

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
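The post explains the three port states ShieldsUP! colours red, blue and green (open, closed, stealth) and that a Linux box configured to "close" rather than "drop" fails the TruStealth check. The script below is an added example, not code from the post or from GRC, that reproduces that classification locally with an ordinary TCP connect() probe: a completed handshake means open, a TCP reset means closed, and silence until the timeout means stealth. All function names are this example's own. Because it probes from your own machine, it only tells you what that machine sees (the post's caveat about scanning your public IP from inside the LAN still applies), so use it against hosts you administer, for instance to check that a firewall change really turned a blue "closed" into a green "stealth".

```python
"""Classify TCP ports the way ShieldsUP! colours them: open / closed / stealth.

Added example for the post above; not GRC's code and not the author's.
It works from a full TCP connect(), so it reports what *this host* sees.
"""
import socket
from typing import Dict, Iterable, Optional, Set

# Colour each state gets on the ShieldsUP! grid, as described in the post.
COLOUR = {"open": "red", "closed": "blue", "stealth": "green"}


def classify_result(error: Optional[BaseException]) -> str:
    """Map the outcome of a connect() attempt to a ShieldsUP!-style state.

    None                   -> handshake completed (SYN-ACK came back): "open"
    ConnectionRefusedError -> the host answered with a TCP RST:        "closed"
    socket.timeout         -> nothing came back at all:                "stealth"
    """
    if error is None:
        return "open"
    if isinstance(error, ConnectionRefusedError):
        return "closed"
    if isinstance(error, socket.timeout):
        return "stealth"
    # No route, DNS failure, etc. say nothing about the port: surface them.
    raise error


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Probe one TCP port with a full connect() and return its state."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return classify_result(None)
    except (ConnectionRefusedError, socket.timeout) as exc:
        return classify_result(exc)
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe several ports and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def trustealth_passed(results: Dict[int, str], allowed: Set[int] = frozenset()) -> bool:
    """True when every port not deliberately exposed is stealth.

    `allowed` mirrors the post's "ports you are intentionally exposing":
    those may be open. Anything else must be stealth, so a "closed" port
    fails, which is exactly what the post reports for the Ubuntu box.
    """
    return all(state == "stealth" or (port in allowed and state == "open")
               for port, state in results.items())


def demo_localhost() -> Dict[str, str]:
    """Show open vs closed against a throwaway listener on 127.0.0.1.

    Stealth cannot be produced on loopback without a packet-dropping
    firewall, so that case is fed to classify_result() directly.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port, 1.0)
    srv.close()                         # nothing listens now: kernel sends RST
    after_close = probe("127.0.0.1", port, 1.0)
    return {"listening": while_listening,
            "closed": after_close,
            "dropped": classify_result(socket.timeout())}


if __name__ == "__main__":
    for label, state in demo_localhost().items():
        print(f"{label:10s} -> {state:8s} ({COLOUR[state]})")
    # Example against your own LAN router's address (constructed value):
    # results = scan("192.168.83.1", [21, 22, 23, 80, 113, 443])
    # print("TruStealth passed:", trustealth_passed(results))
```

The `allowed` set is how you record the services you run on purpose; everything else is held to the post's standard of green-only. If a port comes back "closed", the device is answering with a reset, so the next step is the firewall or router setting that decides between rejecting and silently dropping, not the service itself.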
