Ports closed non-Stealth

[Guest]

[SeekingSecurity]

Hello:

I have a router (D-Link) and I enabled your firewall and select a DMZ direction (I needed for emule and others...). I installed comodo firewall and I have only configured the ports for certain programs (emule, Pando, Utorrent; as you explain in the forum)) but there is a port that is always closed (22) but no stealth; lately I see closed new ports (1037,1040,1041) ( I used Shields Up). I suppose this ports are closed in the router and is stealth in Comodo Firewall. I don't know ...

How can I do to stealth these ports definitively?, Without having to each time by telnet:

iptables -I INPUT-s 0.0.0.0 /0 -p tcp - dport 22 -j DROP

Why do I get more and more ports closed and not hidden?

I spent a couple of online anti-virus and I have a clean PC.

(Sorry, my english is not too good).

[SeekingSecurity]

I restarted the pc and now I get with no stealth and closed ports 22 and 1054 (Shields Up). 

[Ronny]

Hi SeekingSecurity,

The difference between a Stealth port and a Closed port is this.
If Shields up sends a probe request to TCP port 22 and some firewall drop's the packet silent, Shields up's request will time-out without receiving any response, hence Stealth.

If the same happens but the PC responds (Or Router in between) with a TCP RST (Reset packet) then Shields up know's the system is active and the port is Closed because of the response it received from your system.

Same goes for ICMP but then the expected response is an ICMP Packet with Type 3 Code 3 Unreachable, Port Unreachable, thus also "Closed".

I'm personally not a fan of DMZ hosts, i prefer to setup those applications with a fixed port and use port-forwarding in the router to only pass these packets to your internal system.

In regards to Iptables, is that the way to go in the D-Link router?
Do you save the Iptables with the command "iptables save"?

[SeekingSecurity]

I've seen in a forum to close ports that can be done through iptables and I do it with this statement:

Window to DOS
Telnet router address
login and password
iptables ...

I do not like is saved with iptables ...

The DMZ I've seen in another forum, since I worked at the time emule, and so I managed to use it at the time.

Thanks for responding.

[Ronny]

Does the router also support this command?

netstat -an

This should display the current connections from and to the router including the ports it's listening on.
Is port 22 listed there as LISTENING?

[SeekingSecurity]

Port 22 is not listed.

[Ronny]

Can you do a scan with a freshly rebooted router and pc and see what it comes up with...

[SeekingSecurity]

Shields Up! --> Failed. All ports Stealth less port 22, 1052 and 1055.

With netstat -an:

This ports isn't LISTENING. The port 1052 and 1055 is ESTABLISHED.

[SeekingSecurity]

I currently use a program that runs on Windows startup in Comodo enabled Define a New Trusted Application, which is called: Expect version 5.21.

I create a FILE.bat to run at the start of Windows, this contain:

Tclsh80.exe Closing22.txt


And Closing22.txt contains:

#!expect -f

set timeout 2
set remote_server 192.168.1.1
set my_user_id *****
set my_password ***********

set my_command9 "iptables -I INPUT -s 0.0.0.0/0 -p TCP --dport 22 -j DROP"

spawn telnet $remote_server
expect "login:"


send "$my_user_idr"
expect "Password:"

send "$my_passwordr"
expect "%"


send "$my_command9r"
expect "%"

send "exitr"
expect eof

It runs on Windows startup, but not always close the port. I don't know why? ...

[Ronny]

This is very strange because.

1) your router doesn't appear to be listening on port 22.
2) your normal Windows system should also not be listening on this port.

Can you check to see if your PC is listening on port 22? by using netstat -an|find /i "22"
If it doesn't find anything, can you then create the following global rule on CIS and put it all the way up to the top.

Block and Log
TCP
Src Any
SrcPort Any
Dst Any
DstPort 22

And rerun the Shield's Up test? After that check CIS firewall log if you see matches for attacks on port 22

[SeekingSecurity]

   
With netstat-an | find / i "22":

The port 22 is not listening. Only the Firefox connections.

I think it's a defect of some DLink routers, I've seen in others forums, and I'm not the only one who's wrong, (although it could be the ISP that provides the router with a closed port to access...) .

I just put in Comodo Firewall + Attack Detection Settings this rule. I run the Shields Up test, and I get port 22 closed. In Common Tasks + View Firewall Events do not see any attack on port 22.

[Ronny]

Maybe there is new firmware for your D-Link router?
Could be that something is fixed....

Does it contain some sort of Network Intrusion Detection/Prevention?

[SeekingSecurity]

Does it contain some sort of Network Intrusion Detection/Prevention? No. Only Antivirus and Antispyware (Spybot S&D, Spywareblaster).

Maybe there is new firmware for your D-Link router? I have the last firmware offered for my ISP.

I'm testing now with a laptop that I have given, still shows port 22 closed. Unfortunately it seems that my PC crashed (works power supply, motherboard LED lights up, but will not start, maybe dead micro, I think I will be busy few days).

Thank you.

[Ronny]

Does it contain some sort of Network Intrusion Detection/Prevention? No. Only Antivirus and Antispyware (Spybot S&D, Spywareblaster).

Looks like a misunderstanding, I was wondering if the D-Link router contains these features...

Maybe there is new firmware for your D-Link router? I have the last firmware offered for my ISP.

I'm testing now with a laptop that I have given, still shows port 22 closed. Unfortunately it seems that my PC crashed (works power supply, motherboard LED lights up, but will not start, maybe dead micro, I think I will be busy few days).

Thank you.

Good luck with recovering your system, do you know what you changed lately?
Maybe that caused anything...

[SeekingSecurity]

I cleaned all the components inside, and after several days by clicking on the button, has started the computer normally. There are things that computers do not understand! 

The router firewall is disabled and I use Comodo, so I can manually control and faster what interests me.

[Tags:]