Open Port: 21, 80 - Blocked - Correctly, or not? [Resolved]

Sorry, edit to add:

CFP 2.4.18.184 Database 3.0
Connection: Dial Up [ at ] Home; Satellite [ at ] Work
Windows XP SP2 with current updates
Logged in as Admin
Avast! Antivirus, SpyBot Search and Destroy, LavaSoft AdAware, M$ AntiSpyware
CFP Replaced EZ Firewall

Question from a NOOB . . . I just ran a port probe on my computer . . .

http://probe.hackerwatch.org/probe/probe.asp

It initially came back with a warning that Port 80 HTTP was open and acting as an Internet Server. I recalled CFP asking me if I wanted to allow firefox.exe to act as a server. I went into:

 Security
 Application Monitor

There were four entries for “firefox.exe”
1) firefox.exe - Destination: Any; Port: Any; Protocol: TCP/UDP In/Out; Allow
2) firefox.exe - Destination: Any; Port: Any; Protocol: TCP In; Allow
3) firefox.exe - Destination: Any; Port: Any; Protocol: TCP Out; Allow
4) firefox.exe - Destination: Any; Port: Any; Protocol: UDP Out; Allow

Not fully knowing what I was doing, I jumped in and made changes . . .
3) firefox.exe - Destination: Any; Port: Any; Protocol: TCP Out; Ask
4) firefox.exe - Destination: Any; Port: Any; Protocol: UDP Out; Ask

Ran the port probe again

http://probe.hackerwatch.org/probe/probe.asp

Shoot! Now Port 21 FTP AND Port 80 HTTP are open! O.K., there’s more than one way to skin a cat! Created new rule . . .

 Security
 Network Monitor
 +Add

Block & Log; Protocol - TCP/UDP In/Out; Source - Any; Destination - Any; Criteria - Where Source Port Is In [21,80] and Destination Port is ANY

Ran the port probe again and Ports 21, 23, 25, 79, 80, 110, 139, 143, 443 are all coming back, “This port is completely invisible to the outside world.”

O.K. the ports are secure . . . but did I shoot myself in the foot? Web browsing seems to be working O.K., however, I haven’t tried my FTP, or several other programs yet. Did I ■■■■■ up or is this O.K.? Should I delete ALL four of the firefox.exe entries and start again, with a different answer to the ‘Act as a server’ question for firefox.exe? Should I delete or modify my new rule?

Thanks for a great product and any help.

John

Just to further obfuscate things, I ran the security check at Symantec . . .

http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

It still shows Port 80 as open and additionally also shows ICMP Ping as open. What the heck?!

John

==================================================

Your Results:

| Port | Description | Status |
|---|---|---|
| ICMP Ping | Ping. Ping is a network troubleshooting utility. It asks your computer to acknowledge its existence. If your computer responds positively to a ping, hackers are more likely to target your computer. | Open port |
| 21 | FTP (File Transfer Protocol). FTP is used to transfer files between your computer and other computers. Port 21 should be open only if you’re running an FTP server. | Stealth port |
| 22 | SSH. TCP connections to this port might indicate a search for SSH, which has a few exploitable features. SSH is a secure replacement for Telnet. The most common uses of SSH are to securely login and copy files from a server. | Stealth port |
| 23 | Telnet. Telnet can be used to log into your computer from a terminal anywhere in the world. This port should be open only if you’re running a Telnet server. | Stealth port |
| 25 | SMTP (Simple Mail Transfer Protocol). A protocol for host-to-host mail transport. This port should be open only if you’re running a mail server. | Stealth port |
| 79 | Finger. Finger is an Internet utility that allows someone to obtain information about you, including your full name, logon status, and other profile information. | Stealth port |
| 80 | HTTP (Hypertext Transfer Protocol). HTTP is used to transfer Web pages over the Internet. Port 80 should be open only if you’re running a Web server. | Open port |
| 110 | POP3 (Post Office Protocol). Internet mail servers and mail filter applications use this port. This port should be open only if you’re running a mail server. | Stealth port |
| 113 | Ident / Authentication. This service is required by some mail, news, or relay chat servers to allow access. A stealth result on this port could cause performance problems. | Stealth port |
| 119 | NNTP (Network News Transfer Protocol). A service used by News servers to distribute Usenet articles to newsreader applications and between other servers. | Stealth port |
| 135 | Location service (loc-srv). This port is used to direct RPC (Remote Procedure Calls) services to the appropriate dynamically mapped ports. Hackers can use this to determine which port is used by several Windows services. This port should not be visible from the Internet. | Stealth port |
| 139 | NetBIOS. NetBIOS is used for Windows File & Print sharing. If port 139 is open, your computer is open to sharing files over the Internet. Other components of NetBIOS can expose your computer name, workgroup, user name, and other information. To learn more about preventing connections to your NetBIOS ports, see: NetBIOS Information and Configuration Instructions | Stealth port |
| 143 | IMAP (Internet Message Access Protocol). IMAP is a sophisticated protocol for electronic mail delivery. This port should be open only if you’re running an IMAP server. | Stealth port |
| 443 | HTTP over TLS/SSL. A protocol for providing secure HTTP communication. It should be open only if you’re running a Web server. | Stealth port |
| 445 | Windows NT / 2000 SMB. A standard used to exchange Server Message Blocks, and can be exploited in multiple ways, including gaining your passwords. | Stealth port |
| 1080 | SOCKS. This protocol allows computers access to the Internet through a firewall. It is used when one IP address is shared among several computers. Generally this protocol only allows access out to the Internet. However, it is frequently configured incorrectly to allow hackers to pass traffic inwards through the firewall. | Stealth port |
| 1723 | PPTP (Point-to-Point Tunneling Protocol). This service is used for virtual private networking connections. | Stealth port |
| 5000 | UPnP (Universal Plug and Play). This service is used to communicate with any UPnP devices attached to your network. | Stealth port |
| 5631 | pcAnywhere. This port is used by Symantec pcAnywhere when in host mode. | Stealth port |


www.GRC.com has a test called “Shields Up!” Might want to try it too? :slight_smile:

Here’s the question of the day for you ~

Are you behind a router, or a modem with router-like functions (such as NAT)?

LM

GRC was another site I had seen and lost the URL for. Thanks for posting that. Ended up with interesting results, of which I’ll write more in my reply to Little Mac . …

John

That IS a good question Little Mac! I was really getting frustrated when different ports were coming up open, sometimes with repeat firewall tests on the same site or between different test sites. After doing some more searching for the problems I was running into, both here in the forums and elsewhere, it occurred to me . . .

I’m connecting to a WAP
The WAP connects to a hub
The hub connects to the Wild Blue Satellite
From the satellite, the connection goes through a corporate server
Then to the Internet
And back the reverse way! :smiley:

So, I connected my modem to a phone line and dialed up the same firewall test sites . . .

I passed hackerwatch.org, but with “Closed but Unsecure” for ports 21, 23, 25, 79, 80, 110, 143 and 443. Port 139 was “Secure”

On ShieldsUp Ports 21, 22, 23, 79, 80, 110, 113, 119, 143, 389, 443, 1002, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1720 and 5000 were closed. Ports 25, 135, 139 and 445 were “Stealth”.

Go figure that one reports 23 as “Closed but Unsecure” and the other as “Stealth”!

So, how do I get ALL the ports stealthed?

John


Tell me this, John:

Go to Start/Run and type cmd then at the prompt within the dos window, type ipconfig /all. This will show you information regarding the IP address of your Default Gateway, DHCP & DNS Servers, and your computer. That’s the important one at this point.

Compare your IP address as given there to the IP address showing in the lower-right corner of your posts here. If it’s different (I’m confident it will be), here’s your scenario…

When you do any online test, you’re not scanning your computer for open ports. You are, in fact, scanning the closest hardware in relation to the system that is doing the scanning. As you’ve noted the series of connections you go through to reach the net; thus these online tests cannot really be considered a reliable source for determining your security. ISPs also frequently provide an intercept point within their systems, to protect their customers from malicious activity.

If you want to see how many (if any) ports you have open on your system, it is best to do a resident scan using something like SuperScan by Foundstone. This will scan your localhost and report any actually open ports on your computer.

LM

PS: As to why they all report differently, I can’t really answer that. These tests are not standardized, and may depend on a number of variables. That’s why resident scanning is best. Keep in mind, too, that even if your computer does have a port open (say, by some Windows process), that doesn’t mean you’re open to the world. CFP’s layered security requires there be a matching Inbound rule in Network Monitor or no unsolicited connection will be established.
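An added example (not part of the original posts): a small resident check in Python along the lines of the advice above. It compares the adapter address with the address a test site sees, and classifies local TCP ports with the test sites' vocabulary (open = handshake completed, closed = connection refused, stealth = no reply). The function names, timeouts and sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket

# Ports named in the thread's probe results.
THREAD_PORTS = [21, 23, 25, 79, 80, 110, 139, 143, 443]


def online_test_target(adapter_ip, seen_ip):
    """Say what an online port test actually probes.

    adapter_ip: address shown by `ipconfig /all`
    seen_ip:    address the remote site reports for you
    """
    if ipaddress.ip_address(adapter_ip) == ipaddress.ip_address(seen_ip):
        return "this-computer"
    # Different address: NAT, a proxy or ISP equipment answers the probe.
    return "upstream-device"


def classify_port(host, port, timeout=1.0):
    """TCP connect probe, labelled the way the test sites label results."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"         # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"       # reset came back: reachable, nothing listening
    except socket.timeout:
        return "stealth"      # no reply at all: packet silently dropped
    except OSError:
        return "unreachable"  # e.g. no route to the host
    finally:
        sock.close()


def resident_scan(ports=THREAD_PORTS, host="127.0.0.1"):
    """Scan this machine from the inside; returns {port: state}."""
    return {port: classify_port(host, port, timeout=0.5) for port in ports}


if __name__ == "__main__":
    # Constructed sample addresses (RFC 1918 / RFC 5737), not from the thread.
    print(online_test_target("192.168.1.23", "203.0.113.10"))
    for port, state in resident_scan().items():
        print(f"{port:>5}  {state}")
```

A loopback scan shows which services are listening on the machine, not which of them the firewall lets outsiders reach, so an "open" result here still has to be read against the inbound rules.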

Thanks to all for the answers. Yesterday, after screwing around with new rules, moving rules up and down and deleting a couple, I ended up deciding to start from scratch. I disconnected from the Internet, uninstalled Comodo and reinstalled it. So far so good.

Today, from home, I connected through the dial up and passed ‘Audit My PC’, ‘Shields Up’, ‘HackerWatch’ and ‘Symantec Scan’ with flying colors! Not so much as an Open Port, Closed Port or echoing Ping. So, I’m not going to worry about the results I get when I’m connected at work.

Comodo is working perfectly!

John

Glad that helped you, John. I’ll go ahead and mark the topic as Resolved and close it. If you need it reopened, just PM a Moderator (please include a link back here) and we’ll be happy to do so.

LM