Status of Ports

Hello Everyone

I did a scan of ports and I got the following result:

My Ports 21, 23 and 80 are open.

My Questions are:

- Is my PC vulnerable?
- Do I need to stealth it to be secure?
- How can I stealth the ports?
- Will stealthing ports 21, 23 and 80 affect Internet usage in any way?

Unless your computer is a ftp (http) server, port 21 (80) should be denied for tcp in.

Unless you use telnet (almost nobody does) the windows telnet service itself should be disabled.

It is impossible to make any other comment, as we don’t know anything of your OS, of your connecting devices (router?), of what security software you are using and of its settings, of what port test you used and whether you got any alerts when doing so.

I am on Windows XP SP2.
How do I know if my computer is on ftp (http) server?

I re-installed XP and then installed my drivers and software. I am using Avira Antivir + COMODO Firewall.
COMODO Firewall is set to proactive mode with Defense + and Firewall Security Level in Safe Mode.

I am using Broadband through splitter.
I used this site for Online Port Scan - http://www.t1shopper.com/tools/port-scan/
I clicked on Check all and it returned me the results which I posted in Post #1

What to do?

> How do I know if my computer is on ftp (http) server?

If you don't know, it most certainly is not... You should however:
-update to sp3
-disable all useless and vulnerable windows services, and particularly the "remote" ones. Refer to: http://www.blackviper.com/WinXP/servicecfg.htm

> I am using Broadband through splitter.

Excuse me, I am a French speaker, I am not sure about "splitter": meaning you have a direct cable connection, no router involved? (such a dispositive could have its own firewall rules, leading the test to evaluate not your computer, but the said dispositive itself).

> I used this site for Online Port Scan - http://www.t1shopper.com/tools/port-scan/

Lousy, as it only tests a dozen ports; nevertheless, you fail it but should rather use a more comprehensive port scan like: https://www.grc.com/x/ne.dll?bh0bkyd2, http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym, http://www.pcflank.com/

Still not sure of what your firewall is, CIS3 or CIS4? The last one has been released but is still at the time speaking behaving like a beta version and is very buggy.

Assuming CIS3 is used, my settings are:
-proactive
-firewall in CUSTOM mode, alerts at the highest degree, everything checked but ICS: in these conditions, the firewall should ask you what to do with whatever request, and allow you to make a rule concerning that request.
My global rules are default (5 ICMP interdictions), but I added some rules resulting from the said requests, once being said that all my rules are “custom” (and not “web browser”, “mail”…)
e.g., a “netbios” rule in “system” forbids whatever as long as destination ports are 137-139, and svchost only allows bootp (255.255.255.255 udp out destination port 67) and dns (udp out port 53 only to the ip of my isp).
Similarly, your browser should only be allowed for localhost tcp out (if firefox), dns (udp out port 53 to your isp ip), and browsing (tcp out, http out ports 80 and 443).
Reminding that all rules are read from top to bottom, the last line of every set of rules should be block and log all unmatching requests.
-my defense+ settings are paranoid, everything checked (but alerting more and somewhat slowing the computer): secure is enough, but safe most certainly not.

> I am not sure about "splitter": meaning you have a direct cable connection, no router involved? (such a dispositive could have its own firewall rules, leading the test to evaluate not your computer, but the said dispositive itself).

I have the same line for my landline phone and internet. The splitter is a small box with which we split the lines. One is connected to the phone and one is connected to the Router.

> Lousy, as it only tests a dozen ports; nevertheless, you fail it but should rather use a more comprehensive port scan like:

I checked using www.pcflank.com and it showed

Danger!
The test found open port(s) on your system: 21, 23, 80

> Still not sure of what your firewall is, CIS3 or CIS4? The last one has been released but is still at the time speaking behaving like a beta version and is very buggy

I re-installed my Windows XP yesterday and installed CIS v4.

-Like you said, I am using Proactive Mode and I changed my Firewall Security Level to Custom Policy Mode.
But, I don’t want to get so many alerts. So, can I leave the alerts in low mode?

-I am using default Global Rules and there are only 4 in CIS v4. (Pic attached)
-I always set things in custom mode too, when it asks me.

I restarted my PC and then did the port scan again from PCFlank.com. But, it is saying the same thing that the test found open port(s) on your system: 21, 23, 80. What to do to make these ports stealth?

[attachment deleted by admin]

I can’t answer you formally speaking of v4, I use v3 (and I am stealthed with every leaktest I tried, including all of the pc flank tests and CLT), but your v4 leaktests questions are documented in several threads in this forum, particularly involving appropriate use of the sandbox.
I won’t personally engage in such a discussion, as I am not competent concerning v4, and believe, the demonstration is made at least concerning leaktests, that v4 is not yet “production-ready” while v3 is stable and enough.

Note however that high-secured modes (and even custom modes) shall by nature show you many alerts when beginning, it’s the goal, and that these same alerts shall progressively disappear when from each of them you shall have made an appropriate rule: the firewall that protects you from everything (I did not say block everything, including internet) without ever telling you about would be very inconvenient and dangerous if it existed, but is factually not created at the day speaking.

I have, when I set v3 like I said, several icmp deny global rules: you can’t, e.g., have a global icmp ip out rule and complain that some data could get out; I don’t have any allowed global rule, and I have, e.g., a specific one denying echo request: no echo request, no ping…

Speaking of echo, you didn’t provide me any concerning closing windows vulnerable services: if you disable Telnet, port 23 does not exist anymore…

I am still not sure of your splitter thing, even if I now understood what you are speaking about: a mere box whose only function is to separate the copper wires for phone and broadband is not the device providing you the said broadband, and this very device could be the one improperly tested by the various leaktests.

@ KewlDewde

> One is connected to the phone and one is connected to the Router.

Hi, if there is no record of the port scan in your firewall logs, you may need to adjust some settings in the router to achieve stealth status. :slight_smile:

Thanks for your help brucine. I don’t use Sandbox in CIS. I have it disabled.
Yes, when I was on v3, and in custom mode, at the beginning, there used to be so many alerts on how to treat an application. But, later on once the rules were set, it was fine.

Is it possible to stealth ports 21, 23 and 80 using Stealth Ports Wizard in CIS? If yes, shall I choose the 3rd option, which says “Block all incoming connections - stealth my ports to everyone”

If I choose that one, will it create any problems on my normal browsing activities? (Like I download movies, ebooks and songs from torrent sites.)

I have added rules mentioned by pandlouk for using utorrent with CIS - https://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/tutorial_for_utorrent_with_comodo_firewall_3-t15677.0.html

Thanks, but where does COMODO save its log file? How can I check the log file?

> Is it possible to stealth ports 21, 23 and 80 using Stealth Ports Wizard in CIS? If yes, shall I choose the 3rd option, which says "Block all incoming connections - stealth my ports to everyone"

Yes, if the router is not the culprit, and not keeping you to enforce high security rules in CIS.

> If I choose that one, will it create any problems on my normal browsing activities? (Like I download movies, ebooks and songs from torrent sites.)

No and Yes. No, the stealth port wizard does not deny any request to your ports, it merely makes them look invisible to some scanning of ports looking for a hole, or for an unsolicited request to some port, but it does not keep you to actively use these ports. Yes, cisv4 default behavior is to deny incoming packets, you would have to modify that rule.

> Thanks, but where does COMODO save its log file? How can I check the log file?

I don't remember, and it has no importance whatsoever as it is a proprietary format you won't be able to read. When whatever firewall rule has a block and log status, it writes the request in firewall-events, and the same goes with defense+. As an example, it tells me that someone at 195.13.14.164 port 37922 was interested by my port 21 today 14:11:28 (I didn't use any ftp client today), windows operating system: there's no specific rule in system (it is custom) for any ports outside 137-139, nevertheless, port 21 is blocked because every ip in request is blocked and logged. I don't have the grc log because logs are washed when they have a certain size, but every request from grc at 4.179.142.xxx is definitely logged, ports source and destination, and icmp protocol if any.

Ok, so my Current Firewall Security Level is Custom Policy Mode and alert settings are set to high.

I tried the Stealth Ports Wizard’s Option #3 - “Block all incoming connections - stealth my ports to everyone”

and tested again using pcflank.com, but it is still showing that my ports are open.

I guess the Stealth Ports Wizard is not working properly, because, when I open the Stealth Ports Wizard again I see that first option is selected and not the Option #3. 88)

So, it is not possible to stealth ports using CIS v4 I guess?

> So, it is not possible to stealth ports using CIS v4 I guess?

Of course it is.

But either, as said before, you did not enforce the proper firewall and windows services settings (the firewall and av should definitely warn you of the testing attempts), or your router is tested.

Go to your router settings and look if some deny rule (e.g. for ping) can be set; if not, set it for DMZ to the ip of the computer for which you are making the test, and do it again.
Ports 21 and 80 might be set open by default on the router, but I am surprised with port 23: most routers are administrated by http (http://192.168.1.1 or similar) although some models (e.g. Netgear, if memory serves) remain administrated by some telnet command (hence on port 23): if not, you must definitely, as I said, disable the windows telnet service.

> But either, as said before, you did not enforce the proper firewall and windows services settings (the firewall and av should definitely warn you of the testing attempts), or your router is tested.

I checked windows services, and under that Telnet Port is Disabled. I have attached a screenshot. It is disabled there. But still the port scanning result says it is open. What to do about port 23 now, since windows services says disabled. ???

> Go to your router settings and look if some deny rule (e.g. for ping) can be set; if not, set it for DMZ to the ip of the computer for which you are making the test, and do it again. Ports 21 and 80 might be set open by default on the router, but I am surprised with port 23: most routers are administrated by http (http://192.168.1.1 or similar) although some models (e.g. Netgear, if memory serves) remain administrated by some telnet command (hence on port 23): if not, you must definitely, as I said, disable the windows telnet service.

I am using Sterlite router. I went to my router settings and I set 192.168.1.1 in DMZ settings. How can I stealth ports 21 and 80?

[attachment deleted by admin]

Oh! I made a mistake while configuring DMZ setting. My computer's IP was something else and not 192.168.1.1.
192.168.1.1 is my Default gateway. :stuck_out_tongue:
So, I put that IP in DMZ Settings in my router settings.

Now, when I scanned at grc.com it showed that all my ports are stealth ;D.

But, it failed the Ping Test

Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to “counter-probe the prober”, thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since “Ping” is among the oldest and most common methods used to locate systems prior to further exploitation.

What should I do to pass the ping test to be fully secure online? Any settings to be changed in CIS v4?

Make a global rule in the firewall:
ICMP, IN, source any, dest any, echo request, deny, block, log.

The DMZ story shows that under normal conditions your router is being tested, and not your computer, as it is confirmed by disabling telnet: if some malware in your computer does not force port 23 open, disabling telnet makes that you have no port 23, period, and that as a consequence, this port is tested on your router.

Some router manufacturers and isp keep deliberately these essential ports 21,23, 80 opened on the router with two goals: keeping the imprudent user to throw himself out of connexion by some wrong manipulation, and ensuring firmware updates.

Some routers have administrative options to change these settings in their menu, but most often, the said settings are hard-coded in the router, meaning that you won’t be able to access them if you don’t find on internet what file is used for that in the router, in what programming language it is coded, and with what syntax and password you could access it.

In such a situation, a “definitive” way (but, beware, throwing you out of router’s update) would be, concerning port 23, to use the virtual server function of the router to redirect it to a fictitious local ip, say 192.168.1.150: as this ip does not exist, every packet on port 23 shall be dropped.

You have no such solution for ports 80 and 21, because you would have no more http and ftp but, if you have only one computer behind the router, you can also use virtual server to redirect them to the real lan ip of your computer, say 192.168.1.2.
Of course, if you only have one computer, you can keep DMZ, but if not, you shall have to write virtual server rules.
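
An added example, not part of the original posts: one way to check from the PC itself whether ports that an online scanner reports as open are served by the PC or by another device such as the router, following the reasoning in the reply above. It probes only the loopback address; the function names are hypothetical, and it assumes services listen on all interfaces (a service bound only to the LAN address needs that address passed as `host`).

```python
import socket

# Ports the online scanners in this thread reported as open.
SCANNED_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def has_local_listener(port, host="127.0.0.1", timeout=0.5):
    """Return True if something on this machine accepts TCP connections on port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success and an error code otherwise.
        return s.connect_ex((host, port)) == 0


def attribute_open_ports(externally_open, probe=has_local_listener):
    """Split ports an external scan calls 'open' into those this PC serves
    and those that another device (typically the router) must be answering."""
    result = {"this_pc": [], "other_device": []}
    for port in sorted(externally_open):
        key = "this_pc" if probe(port) else "other_device"
        result[key].append(port)
    return result


if __name__ == "__main__":
    report = attribute_open_ports(SCANNED_PORTS)
    for port in report["this_pc"]:
        print(f"{port}/{SCANNED_PORTS[port]}: listener on this PC, "
              "review the service and the firewall rule for it")
    for port in report["other_device"]:
        print(f"{port}/{SCANNED_PORTS[port]}: no local listener, "
              "the external scan is reaching another device")
```
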

I can’t see “deny” option. Rest of the things I have set. Have I made the rule as you said? (Pic attached) What description should I give? and where shall I place the rule? I have 4 rules in Global rules as shown in the attached pic in Reply #4

Telnet was already disabled when I checked the windows services. I did not change anything there. But, the port scan was showing that telnet port was open. After configuring the DMZ setting the scan showed that telnet port is stealthed.

I have redirected to the real LAN IP of my computer 192.168.1.2. I did nothing else. Once I redirected the DMZ to the real LAN IP, all the ports were stealthed.

Thanks, you have been very helpful :-TU

[attachment deleted by admin]

> I can't see "deny" option

I meant "block", it has the same signification.

> What description should I give?

Whatever you like as long as you remember what it is made for. "Block ping" would be fine.

> and where shall I place the rule?

Rules are read from top to bottom: a blocking rule is ineffective if another rule at the top says the opposite. As far as you are concerned, you have no allowing or blocking "in" rule, so the answer is where you want.

I see from your screen capture that your router has a firewall item. What are its options?
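
An added example, not part of the original posts and not Comodo's own code: a small first-match evaluator illustrating the two points made in this thread about rule order, namely that every rule set should end with a "block and log" line and that a blocking rule placed under a rule saying the opposite never fires. The `Rule` class, the function names and the simplified rule sets (addresses omitted) are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    proto: str                # "tcp", "udp" or "any"
    direction: str            # "in", "out" or "any"
    dports: tuple = ANY_PORT  # inclusive destination port range
    log: bool = False

    def matches(self, proto, direction, dport):
        return (self.proto in ("any", proto)
                and self.direction in ("any", direction)
                and self.dports[0] <= dport <= self.dports[1])


def evaluate(rules, proto, direction, dport):
    """Read rules top to bottom; the first match decides. Returns (action, log, index)."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, direction, dport):
            return rule.action, rule.log, index
    # Nothing matched: in custom mode the firewall asks the user, as the thread describes.
    return "ask", False, None


def shadowed(rules):
    """Indexes of rules that can never fire because one earlier rule fully covers them."""
    def covers(a, b):
        return (a.proto in ("any", b.proto) and a.direction in ("any", b.direction)
                and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])
    return [j for j, b in enumerate(rules) if any(covers(a, b) for a in rules[:j])]


# Browser rule set as described earlier in the thread (simplified).
BROWSER = [
    Rule("allow", "udp", "out", (53, 53)),    # dns
    Rule("allow", "tcp", "out", (80, 80)),    # http
    Rule("allow", "tcp", "out", (443, 443)),  # https
    Rule("block", "any", "any", log=True),    # last line: block and log the rest
]

# Constructed misordering: the netbios block sits under a broad allow.
NETBIOS_BLOCK = Rule("block", "any", "any", (137, 139), log=True)
ALLOW_ALL = Rule("allow", "any", "any")
MISORDERED = [ALLOW_ALL, NETBIOS_BLOCK]
FIXED = [NETBIOS_BLOCK, ALLOW_ALL]
```
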

Ok, so I made the Global Rule and did the grc.com test again. But, I failed the Ping Test again.
What could be the reason of failure in Ping Test?

Firewall Tab in Router settings just has the option to enable or disable. Pic attached

[attachment deleted by admin]

Your router replies to ping, and its firewall has no option to disable it.

No solution (You could add an ICMP OUT global rule blocking echo reply, but it won’t change anything as your router replies to ping).

Ping is not a good idea, but it merely shows you exist, and is not an issue by itself if the firewall is efficient.

So, I guess Ping is not much of a security threat and firewall will take care of the things.

Thanks for your replies :slight_smile: