Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.sys.raspberry-pi > #9216 > unrolled thread
| Started by | David <wibble@btintenet.com> |
|---|---|
| First post | 2015-07-30 19:27 +0000 |
| Last post | 2015-07-31 10:51 +0000 |
| Articles | 20 on this page of 27 — 11 participants |
Back to article view | Back to comp.sys.raspberry-pi
Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-30 19:27 +0000
Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-07-30 20:53 +0000
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:52 +0000
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-08-02 16:20 +0000
Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-08-02 18:42 +0000
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-08-02 19:23 +0000
Re: Changing network ports from closed to stealthed mm0fmf <none@mailinator.com> - 2015-08-02 20:26 +0100
Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-08-02 20:08 +0000
Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-08-03 08:34 +0100
Re: Changing network ports from closed to stealthed Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2015-08-02 19:45 -0400
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-30 21:13 +0000
Re: Changing network ports from closed to stealthed Michael J. Mahon <mjmahon@aol.com> - 2015-07-30 17:12 -0500
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-30 22:22 +0000
Re: Changing network ports from closed to stealthed Michael J. Mahon <mjmahon@aol.com> - 2015-07-30 19:15 -0500
Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 10:19 +0100
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-31 09:33 +0000
Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 11:23 +0100
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:57 +0000
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 11:07 +0000
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-31 11:15 +0000
Re: Changing network ports from closed to stealthed Roger Bell_West <roger+csrp201507@nospam.firedrake.org> - 2015-07-31 11:22 +0000
Re: Changing network ports from closed to stealthed Graham. <me@privicy.net> - 2015-08-01 17:03 +0100
Re: Changing network ports from closed to stealthed druck <news@druck.org.uk> - 2015-08-01 23:30 +0100
Re: Changing network ports from closed to stealthed druck <news@druck.org.uk> - 2015-07-31 09:46 +0100
Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 10:13 +0100
Re: Changing network ports from closed to stealthed I R A Darth Aggie <n0b0dy@invalid.invalid> - 2015-08-02 16:24 +0000
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:51 +0000
Page 1 of 2 [1] 2 Next page →
| From | David <wibble@btintenet.com> |
|---|---|
| Date | 2015-07-30 19:27 +0000 |
| Subject | Changing network ports from closed to stealthed |
| Message-ID | <d1vc4jFj3hiU7@mid.individual.net> |
I've been using Shields Up to check which ports are visible from the Internet. With my NAT router set up as normal, all ports show as "stealthed" in Shields Up i.e. a probe to the port gives no response. This is viewed as a good thing. When I DMZ to my Pi (running a VPN server as a test) I can see all the ports as "closed" apart from the VPN port. As I understand it the Pi is sending a negative response to a request to open the port. This tells the far end that there is a device there managing the ports, which is an invitation to try again and expand the range of ports probed. I would like to tell the Pi to ignore all connection requests and stealth the ports. Google is not currently my friend. Does anyone know how to do this? Cheers Dave R -- Windows 8.1 on PCSpecialist box
[toc] | [next] | [standalone]
| From | Martin Gregorie <martin@address-in-sig.invalid> |
|---|---|
| Date | 2015-07-30 20:53 +0000 |
| Message-ID | <mpe2t5$rt4$1@dont-email.me> |
| In reply to | #9216 |
On Thu, 30 Jul 2015 19:27:15 +0000, David wrote: > I've been using Shields Up to check which ports are visible from the > Internet. > > With my NAT router set up as normal, all ports show as "stealthed" in > Shields Up i.e. a probe to the port gives no response. This is viewed as > a good thing. > > When I DMZ to my Pi (running a VPN server as a test) I can see all the > ports as "closed" apart from the VPN port. As I understand it the Pi is > sending a negative response to a request to open the port. This tells > the far end that there is a device there managing the ports, which is an > invitation to try again and expand the range of ports probed. > Where did you run this second scan from? Was it another Shields Up! scan, i.e. the probe came from Gibson's site, or was it run from from somewhere else? If I want to scan something on my LAN, I run nmap locally. -- martin@ | Martin Gregorie gregorie. | Essex, UK org |
[toc] | [prev] | [next] | [standalone]
| From | David <wibble@btintenet.com> |
|---|---|
| Date | 2015-07-31 10:52 +0000 |
| Message-ID | <d212bmFj3hiU9@mid.individual.net> |
| In reply to | #9217 |
On Thu, 30 Jul 2015 20:53:57 +0000, Martin Gregorie wrote: > On Thu, 30 Jul 2015 19:27:15 +0000, David wrote: > >> I've been using Shields Up to check which ports are visible from the >> Internet. >> >> With my NAT router set up as normal, all ports show as "stealthed" in >> Shields Up i.e. a probe to the port gives no response. This is viewed >> as a good thing. >> >> When I DMZ to my Pi (running a VPN server as a test) I can see all the >> ports as "closed" apart from the VPN port. As I understand it the Pi is >> sending a negative response to a request to open the port. This tells >> the far end that there is a device there managing the ports, which is >> an invitation to try again and expand the range of ports probed. >> > Where did you run this second scan from? Was it another Shields Up! > scan, > i.e. the probe came from Gibson's site, or was it run from from > somewhere else? > > If I want to scan something on my LAN, I run nmap locally. Both cases running Shields Up from a Windows PC on my local LAN - once when there was no DMZ configuration and once when there was. So same test under two different configurations of the router. Cheers Dave R -- Windows 8.1 on PCSpecialist box
[toc] | [prev] | [next] | [standalone]
| From | David <wibble@btintenet.com> |
|---|---|
| Date | 2015-08-02 16:20 +0000 |
| Message-ID | <d26uacFj3hiU17@mid.individual.net> |
| In reply to | #9232 |
On Fri, 31 Jul 2015 20:21:06 +0000, Martin Gregorie wrote: > On Fri, 31 Jul 2015 19:06:09 +0000, David wrote: > >> I think you have the wrong end of quite a bundle of sticks. >> > I can't imagine why think that scanning the LAN-side of your router or > your RPi tells you anything useful about your LAN security. <snip> I have absolutely no idea where you got the impression that I was, or am, scanning the LAN side of my router. I have repeatedly said that I am using Shields Up - and you do apparently know what that is and that it looks from the WAN side. I also know the difference between the DMZ setting on a SoHo router and a real DMZ with two firewalls - I am obviously talking about the DMZ setting on a SoHo router which directs all incoming calls to a nominated internal IP address. -- Windows 8.1 on PCSpecialist box
[toc] | [prev] | [next] | [standalone]
| From | Martin Gregorie <martin@address-in-sig.invalid> |
|---|---|
| Date | 2015-08-02 18:42 +0000 |
| Message-ID | <mplob9$sbl$1@dont-email.me> |
| In reply to | #9272 |
On Sun, 02 Aug 2015 16:20:28 +0000, David wrote: > I also know the difference between the DMZ setting on a SoHo router and > a real DMZ with two firewalls - I am obviously talking about the DMZ > setting on a SoHo router which directs all incoming calls to a nominated > internal IP address. > Never seen that meaning of DMZ before. The NAT routers I've used have called that Port Forwarding and none have provided the option of mass forwarding ALL the ports to an internal IP. -- martin@ | Martin Gregorie gregorie. | Essex, UK org |
[toc] | [prev] | [next] | [standalone]
| From | Rob <nomail@example.com> |
|---|---|
| Date | 2015-08-02 19:23 +0000 |
| Message-ID | <slrnmrsrhm.9ou.nomail@xs9.xs4all.nl> |
| In reply to | #9274 |
Martin Gregorie <martin@address-in-sig.invalid> wrote: > On Sun, 02 Aug 2015 16:20:28 +0000, David wrote: > >> I also know the difference between the DMZ setting on a SoHo router and >> a real DMZ with two firewalls - I am obviously talking about the DMZ >> setting on a SoHo router which directs all incoming calls to a nominated >> internal IP address. >> > Never seen that meaning of DMZ before. The NAT routers I've used have > called that Port Forwarding and none have provided the option of mass > forwarding ALL the ports to an internal IP. Then you have not seen many routers!
[toc] | [prev] | [next] | [standalone]
| From | mm0fmf <none@mailinator.com> |
|---|---|
| Date | 2015-08-02 20:26 +0100 |
| Message-ID | <I9uvx.93782$Ch1.21302@fx40.am4> |
| In reply to | #9274 |
On 02/08/2015 19:42, Martin Gregorie wrote: > On Sun, 02 Aug 2015 16:20:28 +0000, David wrote: > > Never seen that meaning of DMZ before. You need to see more home routers then as it's been standard on every D-Link, Netgear, TP-Link & Linksys home router I've ever seen. > The NAT routers I've used have > called that Port Forwarding and none have provided the option of mass > forwarding ALL the ports to an internal IP. > DMZ is the extreme case of port forwarding. The difference being that whilst the item in the DMZ is on the LAN side, it is isolated from all the other LAN traffic.
[toc] | [prev] | [next] | [standalone]
| From | Martin Gregorie <martin@address-in-sig.invalid> |
|---|---|
| Date | 2015-08-02 20:08 +0000 |
| Message-ID | <mpltbr$m8b$1@dont-email.me> |
| In reply to | #9277 |
On Sun, 02 Aug 2015 20:26:29 +0100, mm0fmf wrote: > DMZ is the extreme case of port forwarding. The difference being that > whilst the item in the DMZ is on the LAN side, it is isolated from all > the other LAN traffic. > Understood Thks for the explanation. -- martin@ | Martin Gregorie gregorie. | Essex, UK org |
[toc] | [prev] | [next] | [standalone]
| From | The Natural Philosopher <tnp@invalid.invalid> |
|---|---|
| Date | 2015-08-03 08:34 +0100 |
| Message-ID | <mpn5i6$udc$1@news.albasani.net> |
| In reply to | #9277 |
On 02/08/15 20:26, mm0fmf wrote: > On 02/08/2015 19:42, Martin Gregorie wrote: >> On Sun, 02 Aug 2015 16:20:28 +0000, David wrote: >> >> Never seen that meaning of DMZ before. > > You need to see more home routers then as it's been standard on every > D-Link, Netgear, TP-Link & Linksys home router I've ever seen. > >> The NAT routers I've used have >> called that Port Forwarding and none have provided the option of mass >> forwarding ALL the ports to an internal IP. >> > > DMZ is the extreme case of port forwarding. The difference being that > whilst the item in the DMZ is on the LAN side, it is isolated from all > the other LAN traffic. yes. the theory being if it gets hacked it doesn't expose the rest of the LAN. -- New Socialism consists essentially in being seen to have your heart in the right place whilst your head is in the clouds and your hand is in someone else's pocket.
[toc] | [prev] | [next] | [standalone]
| From | Dennis Lee Bieber <wlfraed@ix.netcom.com> |
|---|---|
| Date | 2015-08-02 19:45 -0400 |
| Message-ID | <fiatradulehr2blgs5a9u3ufalo28dh9fq@4ax.com> |
| In reply to | #9274 |
On Sun, 2 Aug 2015 18:42:49 +0000 (UTC), Martin Gregorie
<martin@address-in-sig.invalid> declaimed the following:
>On Sun, 02 Aug 2015 16:20:28 +0000, David wrote:
>
>> I also know the difference between the DMZ setting on a SoHo router and
>> a real DMZ with two firewalls - I am obviously talking about the DMZ
>> setting on a SoHo router which directs all incoming calls to a nominated
>> internal IP address.
>>
>Never seen that meaning of DMZ before. The NAT routers I've used have
>called that Port Forwarding and none have provided the option of mass
>forwarding ALL the ports to an internal IP.
>
Whereas all the routers I've owned (Linksys) have ALL had DMZ mode
"""
Applications and Gaming – DMZ
The DMZ feature allows one network device to be exposed to the Internet for
use of a special-purpose service, such as online gaming. The Router
forwards all the ports at the same time to the DMZ device.
Note: After you have made your changes, click Save Settings to apply your
changes.
DMZ
Enabled/Disabled
To expose one computer as the DMZ device, select Enabled.
"""
Whereas selective port forwarding only showed up on the newer routers.
"""
Applications and Gaming - Single Port Forwarding
Single Port Forwarding allows you to customize port services for various
applications. When users send these types of requests to your network via
the Internet, the Router will forward those requests to the appropriate
computers (also called servers).
Note: After you have made your changes, click Save Settings to apply your
changes.
Single Port Forwarding
Application Name
Select the preset application, or enter the name of the custom application.
External Port
For a custom application, enter the external port number that accepts
incoming traffic.
Internal Port
For a custom application, enter the internal port number that accepts
traffic forwarded by the Router.
Protocol
For a custom application, select the protocol(s) used.
"""
--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com HTTP://wlfraed.home.netcom.com/
[toc] | [prev] | [next] | [standalone]
| From | Rob <nomail@example.com> |
|---|---|
| Date | 2015-07-30 21:13 +0000 |
| Message-ID | <slrnmrl4s2.j2t.nomail@xs9.xs4all.nl> |
| In reply to | #9216 |
David <wibble@btintenet.com> wrote: > I've been using Shields Up to check which ports are visible from the > Internet. > > With my NAT router set up as normal, all ports show as "stealthed" in > Shields Up i.e. a probe to the port gives no response. This is viewed as a > good thing. Only by the creator of that site. Most other experts view that as baloney.
[toc] | [prev] | [next] | [standalone]
| From | Michael J. Mahon <mjmahon@aol.com> |
|---|---|
| Date | 2015-07-30 17:12 -0500 |
| Message-ID | <797262953459987062.522882mjmahon-aol.com@news.giganews.com> |
| In reply to | #9218 |
Rob <nomail@example.com> wrote: > David <wibble@btintenet.com> wrote: >> I've been using Shields Up to check which ports are visible from the >> Internet. >> >> With my NAT router set up as normal, all ports show as "stealthed" in >> Shields Up i.e. a probe to the port gives no response. This is viewed as a >> good thing. > > Only by the creator of that site. Most other experts view that > as baloney. Interesting. And how is it a good idea to reveal unnecessarily the existence of a port? -- -michael - NadaNet 3.1 and AppleCrate II: http://home.comcast.net/~mjmahon
[toc] | [prev] | [next] | [standalone]
| From | Rob <nomail@example.com> |
|---|---|
| Date | 2015-07-30 22:22 +0000 |
| Message-ID | <slrnmrl8s8.pdn.nomail@xs9.xs4all.nl> |
| In reply to | #9219 |
Michael J Mahon <mjmahon@aol.com> wrote: > Rob <nomail@example.com> wrote: >> David <wibble@btintenet.com> wrote: >>> I've been using Shields Up to check which ports are visible from the >>> Internet. >>> >>> With my NAT router set up as normal, all ports show as "stealthed" in >>> Shields Up i.e. a probe to the port gives no response. This is viewed as a >>> good thing. >> >> Only by the creator of that site. Most other experts view that >> as baloney. > > Interesting. And how is it a good idea to reveal unnecessarily the > existence of a port? There is no "revealing the existence of a port".
[toc] | [prev] | [next] | [standalone]
| From | Michael J. Mahon <mjmahon@aol.com> |
|---|---|
| Date | 2015-07-30 19:15 -0500 |
| Message-ID | <1427606894459994389.731455mjmahon-aol.com@news.giganews.com> |
| In reply to | #9220 |
Rob <nomail@example.com> wrote: > Michael J Mahon <mjmahon@aol.com> wrote: >> Rob <nomail@example.com> wrote: >>> David <wibble@btintenet.com> wrote: >>>> I've been using Shields Up to check which ports are visible from the >>>> Internet. >>>> >>>> With my NAT router set up as normal, all ports show as "stealthed" in >>>> Shields Up i.e. a probe to the port gives no response. This is viewed as a >>>> good thing. >>> >>> Only by the creator of that site. Most other experts view that >>> as baloney. >> >> Interesting. And how is it a good idea to reveal unnecessarily the >> existence of a port? > > There is no "revealing the existence of a port". Enlighten me. If I probe a port and get a NAK, doesn't that reveal that something is there? And doesn't that invite further probes? I'm seriously curious. -- -michael - NadaNet 3.1 and AppleCrate II: http://home.comcast.net/~mjmahon
[toc] | [prev] | [next] | [standalone]
| From | The Natural Philosopher <tnp@invalid.invalid> |
|---|---|
| Date | 2015-07-31 10:19 +0100 |
| Message-ID | <mpfejg$8gc$1@news.albasani.net> |
| In reply to | #9221 |
On 31/07/15 08:47, Rob wrote: > Michael J Mahon <mjmahon@aol.com> wrote: >> Rob <nomail@example.com> wrote: >>> Michael J Mahon <mjmahon@aol.com> wrote: >>>> Rob <nomail@example.com> wrote: >>>>> David <wibble@btintenet.com> wrote: >>>>>> I've been using Shields Up to check which ports are visible from the >>>>>> Internet. >>>>>> >>>>>> With my NAT router set up as normal, all ports show as "stealthed" in >>>>>> Shields Up i.e. a probe to the port gives no response. This is viewed as a >>>>>> good thing. >>>>> >>>>> Only by the creator of that site. Most other experts view that >>>>> as baloney. >>>> >>>> Interesting. And how is it a good idea to reveal unnecessarily the >>>> existence of a port? >>> >>> There is no "revealing the existence of a port". >> >> Enlighten me. If I probe a port and get a NAK, doesn't that reveal that >> something is there? And doesn't that invite further probes? > > It is not important. > > ALL ports with a valid port number "exist". > But you can only connect to them when sending a TCP SYN results in > receiving a TCP SYN ACK. You then send a TCP ACK and from there you > have an open connection over which you can exchange data. > > All other replies, no matter if it is TCP RST, ICMP Destination Unreachable > (with a subtype of "protocol not reachable", "port not reachable", > "host not reachable", "network not reachable", "communication > administratively prohibited" or whatever other subtype) mean that you > do not get the connection. > But *no reply at all* does not even reveal that a service exists on that port, nor does it waste any CPU or network bandwidth. Better still it wastes attacker's time listening for a response that never comes. Like trolls, denial of service attackers are best ignored, not given negative responses, because, like internet trolls, what they want is a response - any response. > That does not bring the other side any nearer to a connection. It just > does not matter if there is a reply or not from the port. There is > no "further probe" that will yield anything useful (a connection) when > there is one of those replies that would not be possible when there is > no reply. > No one is talking about a connection, we are talking about denial of service attacks. Repeated hits on a port that sends a NACK have in some cases resulted in vulnerabilities being exposed. All this was discussed in length back in the 90's. The consensus was that dropping packets ra5her than nacking them was ultimately the safest approach in a hostile world. It was rude to people who had made a genuine mistake, true, but thats life :-( -- New Socialism consists essentially in being seen to have your heart in the right place whilst your head is in the clouds and your hand is in someone else's pocket.
[toc] | [prev] | [next] | [standalone]
| From | Rob <nomail@example.com> |
|---|---|
| Date | 2015-07-31 09:33 +0000 |
| Message-ID | <slrnmrmg7p.u8.nomail@xs9.xs4all.nl> |
| In reply to | #9228 |
The Natural Philosopher <tnp@invalid.invalid> wrote: > But *no reply at all* does not even reveal that a service exists on that > port, nor does it waste any CPU or network bandwidth. Again, there is no "revealing" here. Either you provide a service or you don't, and it does not matter if you tell that you don't or if you don't reply at all. Those responses do not require noticable resources, especially when compared to normal operation of the system. > No one is talking about a connection, we are talking about denial of > service attacks. > > Repeated hits on a port that sends a NACK have in some cases resulted in > vulnerabilities being exposed. > > All this was discussed in length back in the 90's. The consensus was > that dropping packets ra5her than nacking them was ultimately the safest > approach in a hostile world. I know that it has been discussed, but my opinion is that the result is baloney. There is no reason to panic when that website finds something and marks it "not stealth". Really. When you are going to provide a service, it can be detected. That is the purpose of providing a service. The OP wanted to open a VPN service, so of course it is detected as not stealth. Nothing to see here, move along.
[toc] | [prev] | [next] | [standalone]
| From | The Natural Philosopher <tnp@invalid.invalid> |
|---|---|
| Date | 2015-07-31 11:23 +0100 |
| Message-ID | <mpfiaq$f5k$1@news.albasani.net> |
| In reply to | #9229 |
On 31/07/15 10:33, Rob wrote: > The Natural Philosopher <tnp@invalid.invalid> wrote: >> But *no reply at all* does not even reveal that a service exists on that >> port, nor does it waste any CPU or network bandwidth. > > Again, there is no "revealing" here. Either you provide a service > or you don't, and it does not matter if you tell that you don't or if > you don't reply at all. > well in theory yes, in practice no one hangs a service on a port that simply says 'no' for no good reason > Those responses do not require noticable resources, especially when > compared to normal operation of the system. > We are not talking about normal operation: we are talking about DOS attacks. >> No one is talking about a connection, we are talking about denial of >> service attacks. >> >> Repeated hits on a port that sends a NACK have in some cases resulted in >> vulnerabilities being exposed. >> >> All this was discussed in length back in the 90's. The consensus was >> that dropping packets ra5her than nacking them was ultimately the safest >> approach in a hostile world. > > I know that it has been discussed, but my opinion is that the result > is baloney. There is no reason to panic when that website finds something > and marks it "not stealth". Really. > No, there is no reason to panic, but there is a reason to pause and consider. > When you are going to provide a service, it can be detected. That is > the purpose of providing a service. The OP wanted to open a VPN service, > so of course it is detected as not stealth. Nothing to see here, > move along. > *shrug* its possible to restrict a ports response to a range of sender addresses and firewall the rest out by silently dropping a packet. I personally prefer to silently shut everything out except for ports you actually need, from ip addresses you actually need. -- New Socialism consists essentially in being seen to have your heart in the right place whilst your head is in the clouds and your hand is in someone else's pocket.
[toc] | [prev] | [next] | [standalone]
| From | David <wibble@btintenet.com> |
|---|---|
| Date | 2015-07-31 10:57 +0000 |
| Message-ID | <d212kcFj3hiU10@mid.individual.net> |
| In reply to | #9229 |
On Fri, 31 Jul 2015 09:33:45 +0000, Rob wrote: > The Natural Philosopher <tnp@invalid.invalid> wrote: >> But *no reply at all* does not even reveal that a service exists on >> that port, nor does it waste any CPU or network bandwidth. > > Again, there is no "revealing" here. Either you provide a service or > you don't, and it does not matter if you tell that you don't or if you > don't reply at all. > > Those responses do not require noticable resources, especially when > compared to normal operation of the system. > >> No one is talking about a connection, we are talking about denial of >> service attacks. >> >> Repeated hits on a port that sends a NACK have in some cases resulted >> in vulnerabilities being exposed. >> >> All this was discussed in length back in the 90's. The consensus was >> that dropping packets ra5her than nacking them was ultimately the >> safest approach in a hostile world. > > I know that it has been discussed, but my opinion is that the result is > baloney. There is no reason to panic when that website finds something > and marks it "not stealth". Really. > > When you are going to provide a service, it can be detected. That is > the purpose of providing a service. The OP wanted to open a VPN > service, so of course it is detected as not stealth. Nothing to see > here, > move along. So the way to go may be to configure a firewall to silently drop any incoming requests which are not from a chosen IP address (or address range)? So that all generic probes will just get no response, as if there is no device connected to that IP address, and only the chosen few can go through the protocol to start a session. That is, the whole port range is stealthed to virtually all the Internet and there is a single port visible to the select few. Cheers Dave R -- Windows 8.1 on PCSpecialist box
[toc] | [prev] | [next] | [standalone]
| From | David <wibble@btintenet.com> |
|---|---|
| Date | 2015-07-31 11:07 +0000 |
| Message-ID | <d2138fFj3hiU11@mid.individual.net> |
| In reply to | #9221 |
On Fri, 31 Jul 2015 07:47:54 +0000, Rob wrote: > Michael J Mahon <mjmahon@aol.com> wrote: >> Rob <nomail@example.com> wrote: >>> Michael J Mahon <mjmahon@aol.com> wrote: >>>> Rob <nomail@example.com> wrote: >>>>> David <wibble@btintenet.com> wrote: >>>>>> I've been using Shields Up to check which ports are visible from >>>>>> the Internet. >>>>>> >>>>>> With my NAT router set up as normal, all ports show as "stealthed" >>>>>> in Shields Up i.e. a probe to the port gives no response. This is >>>>>> viewed as a good thing. >>>>> >>>>> Only by the creator of that site. Most other experts view that as >>>>> baloney. >>>> >>>> Interesting. And how is it a good idea to reveal unnecessarily the >>>> existence of a port? >>> >>> There is no "revealing the existence of a port". >> >> Enlighten me. If I probe a port and get a NAK, doesn't that reveal that >> something is there? And doesn't that invite further probes? > > It is not important. > > ALL ports with a valid port number "exist". > But you can only connect to them when sending a TCP SYN results in > receiving a TCP SYN ACK. You then send a TCP ACK and from there you > have an open connection over which you can exchange data. > > All other replies, no matter if it is TCP RST, ICMP Destination > Unreachable (with a subtype of "protocol not reachable", "port not > reachable", > "host not reachable", "network not reachable", "communication > administratively prohibited" or whatever other subtype) mean that you do > not get the connection. > > That does not bring the other side any nearer to a connection. It just > does not matter if there is a reply or not from the port. There is no > "further probe" that will yield anything useful (a connection) when > there is one of those replies that would not be possible when there is > no reply. Just to be sure, are you saying that the random probes running all the time to try and locate vulnerable hosts probe all possible ports on every IP address right up to the highest possible port number? That is, up to 65535? I was expecting that the probes would check the first 1056 ports at first pass and then proceed to look higher only if they got some kind of response to the initial range. They might even check a few "common ports" initially to decide if they should expend further resource. In which case being stealthed in the lower ranges might save you from being probed by aliens! Cheers Dave R -- Windows 8.1 on PCSpecialist box
[toc] | [prev] | [next] | [standalone]
| From | Rob <nomail@example.com> |
|---|---|
| Date | 2015-07-31 11:15 +0000 |
| Message-ID | <slrnmrmm6i.5pl.nomail@xs9.xs4all.nl> |
| In reply to | #9234 |
David <wibble@btintenet.com> wrote: > Just to be sure, are you saying that the random probes running all the > time to try and locate vulnerable hosts probe all possible ports on every > IP address right up to the highest possible port number? That is, up to > 65535? > > I was expecting that the probes would check the first 1056 ports at first > pass and then proceed to look higher only if they got some kind of > response to the initial range. > > They might even check a few "common ports" initially to decide if they > should expend further resource. > > In which case being stealthed in the lower ranges might save you from > being probed by aliens! I do not base my system configuration on some observation someone made in the nineties, and I see no reason why a scanner would stop when they get no reply on some port, and continue when they get "not reachable". This is just as stupid as "do not reply to ping!".
[toc] | [prev] | [next] | [standalone]
Page 1 of 2 [1] 2 Next page →
Back to top | Article view | comp.sys.raspberry-pi
csiph-web