Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.sys.raspberry-pi > #9216 > unrolled thread

Changing network ports from closed to stealthed

Started byDavid <wibble@btintenet.com>
First post2015-07-30 19:27 +0000
Last post2015-07-31 10:51 +0000
Articles 20 on this page of 27 — 11 participants

Back to article view | Back to comp.sys.raspberry-pi


Contents

  Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-30 19:27 +0000
    Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-07-30 20:53 +0000
      Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:52 +0000
        Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-08-02 16:20 +0000
          Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-08-02 18:42 +0000
            Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-08-02 19:23 +0000
            Re: Changing network ports from closed to stealthed mm0fmf <none@mailinator.com> - 2015-08-02 20:26 +0100
              Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-08-02 20:08 +0000
              Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-08-03 08:34 +0100
            Re: Changing network ports from closed to stealthed Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2015-08-02 19:45 -0400
    Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-30 21:13 +0000
      Re: Changing network ports from closed to stealthed Michael J. Mahon <mjmahon@aol.com> - 2015-07-30 17:12 -0500
        Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-30 22:22 +0000
          Re: Changing network ports from closed to stealthed Michael J. Mahon <mjmahon@aol.com> - 2015-07-30 19:15 -0500
            Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 10:19 +0100
              Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-31 09:33 +0000
                Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 11:23 +0100
                Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:57 +0000
            Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 11:07 +0000
              Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-31 11:15 +0000
              Re: Changing network ports from closed to stealthed Roger Bell_West <roger+csrp201507@nospam.firedrake.org> - 2015-07-31 11:22 +0000
              Re: Changing network ports from closed to stealthed Graham. <me@privicy.net> - 2015-08-01 17:03 +0100
              Re: Changing network ports from closed to stealthed druck <news@druck.org.uk> - 2015-08-01 23:30 +0100
    Re: Changing network ports from closed to stealthed druck <news@druck.org.uk> - 2015-07-31 09:46 +0100
      Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 10:13 +0100
        Re: Changing network ports from closed to stealthed I R A Darth Aggie <n0b0dy@invalid.invalid> - 2015-08-02 16:24 +0000
      Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:51 +0000

Page 1 of 2  [1] 2  Next page →


#9216 — Changing network ports from closed to stealthed

FromDavid <wibble@btintenet.com>
Date2015-07-30 19:27 +0000
SubjectChanging network ports from closed to stealthed
Message-ID<d1vc4jFj3hiU7@mid.individual.net>
I've been using Shields Up to check which ports are visible from the 
Internet.

With my NAT router set up as normal, all ports show as "stealthed" in 
Shields Up i.e. a probe to the port gives no response. This is viewed as a 
good thing.

When I DMZ to my Pi (running a VPN server as a test) I can see all the 
ports as "closed" apart from the VPN port. As I understand it the Pi is 
sending a negative response to a request to open the port. This tells the 
far end that there is a device there managing the ports, which is an 
invitation to try again and expand the range of ports probed.

I would like to tell the Pi to ignore all connection requests and stealth 
the ports.

Google is not currently my friend. Does anyone know how to do this?

Cheers

Dave R

-- 
Windows 8.1 on PCSpecialist box

[toc] | [next] | [standalone]


#9217

FromMartin Gregorie <martin@address-in-sig.invalid>
Date2015-07-30 20:53 +0000
Message-ID<mpe2t5$rt4$1@dont-email.me>
In reply to#9216
On Thu, 30 Jul 2015 19:27:15 +0000, David wrote:

> I've been using Shields Up to check which ports are visible from the
> Internet.
> 
> With my NAT router set up as normal, all ports show as "stealthed" in
> Shields Up i.e. a probe to the port gives no response. This is viewed as
> a good thing.
> 
> When I DMZ to my Pi (running a VPN server as a test) I can see all the
> ports as "closed" apart from the VPN port. As I understand it the Pi is
> sending a negative response to a request to open the port. This tells
> the far end that there is a device there managing the ports, which is an
> invitation to try again and expand the range of ports probed.
>
Where did you run this second scan from? Was it another Shields Up! scan, 
i.e. the probe came from Gibson's site, or was it run from from somewhere 
else?

If I want to scan something on my LAN, I run nmap locally.


-- 
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |

[toc] | [prev] | [next] | [standalone]


#9232

FromDavid <wibble@btintenet.com>
Date2015-07-31 10:52 +0000
Message-ID<d212bmFj3hiU9@mid.individual.net>
In reply to#9217
On Thu, 30 Jul 2015 20:53:57 +0000, Martin Gregorie wrote:

> On Thu, 30 Jul 2015 19:27:15 +0000, David wrote:
> 
>> I've been using Shields Up to check which ports are visible from the
>> Internet.
>> 
>> With my NAT router set up as normal, all ports show as "stealthed" in
>> Shields Up i.e. a probe to the port gives no response. This is viewed
>> as a good thing.
>> 
>> When I DMZ to my Pi (running a VPN server as a test) I can see all the
>> ports as "closed" apart from the VPN port. As I understand it the Pi is
>> sending a negative response to a request to open the port. This tells
>> the far end that there is a device there managing the ports, which is
>> an invitation to try again and expand the range of ports probed.
>>
> Where did you run this second scan from? Was it another Shields Up!
> scan,
> i.e. the probe came from Gibson's site, or was it run from from
> somewhere else?
> 
> If I want to scan something on my LAN, I run nmap locally.

Both cases running Shields Up from a Windows PC on my local LAN - once 
when there was no DMZ configuration and once when there was.

So same test under two different configurations of the router.

Cheers

Dave R

-- 
Windows 8.1 on PCSpecialist box

[toc] | [prev] | [next] | [standalone]


#9272

FromDavid <wibble@btintenet.com>
Date2015-08-02 16:20 +0000
Message-ID<d26uacFj3hiU17@mid.individual.net>
In reply to#9232
On Fri, 31 Jul 2015 20:21:06 +0000, Martin Gregorie wrote:

> On Fri, 31 Jul 2015 19:06:09 +0000, David wrote:
> 
>> I think you have the wrong end of quite a bundle of sticks.
>>
> I can't imagine why think that scanning the LAN-side of your router or
> your RPi tells you anything useful about your LAN security.
<snip>

I have absolutely no idea where you got the impression that I was, or am, 
scanning the LAN side of my router.

I have repeatedly said that I am using Shields Up - and you do apparently 
know what that is and that it looks from the WAN side.

I also know the difference between the DMZ setting on a SoHo router and a 
real DMZ with two firewalls - I am obviously talking about the DMZ setting 
on a SoHo router which directs all incoming calls to a nominated internal 
IP address.


-- 
Windows 8.1 on PCSpecialist box

[toc] | [prev] | [next] | [standalone]


#9274

FromMartin Gregorie <martin@address-in-sig.invalid>
Date2015-08-02 18:42 +0000
Message-ID<mplob9$sbl$1@dont-email.me>
In reply to#9272
On Sun, 02 Aug 2015 16:20:28 +0000, David wrote:

> I also know the difference between the DMZ setting on a SoHo router and
> a real DMZ with two firewalls - I am obviously talking about the DMZ
> setting on a SoHo router which directs all incoming calls to a nominated
> internal IP address.
>
Never seen that meaning of DMZ before. The NAT routers I've used have 
called that Port Forwarding and none have provided the option of mass 
forwarding ALL the ports to an internal IP.
 

-- 
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |

[toc] | [prev] | [next] | [standalone]


#9276

FromRob <nomail@example.com>
Date2015-08-02 19:23 +0000
Message-ID<slrnmrsrhm.9ou.nomail@xs9.xs4all.nl>
In reply to#9274
Martin Gregorie <martin@address-in-sig.invalid> wrote:
> On Sun, 02 Aug 2015 16:20:28 +0000, David wrote:
>
>> I also know the difference between the DMZ setting on a SoHo router and
>> a real DMZ with two firewalls - I am obviously talking about the DMZ
>> setting on a SoHo router which directs all incoming calls to a nominated
>> internal IP address.
>>
> Never seen that meaning of DMZ before. The NAT routers I've used have 
> called that Port Forwarding and none have provided the option of mass 
> forwarding ALL the ports to an internal IP.

Then you have not seen many routers!

[toc] | [prev] | [next] | [standalone]


#9277

Frommm0fmf <none@mailinator.com>
Date2015-08-02 20:26 +0100
Message-ID<I9uvx.93782$Ch1.21302@fx40.am4>
In reply to#9274
On 02/08/2015 19:42, Martin Gregorie wrote:
> On Sun, 02 Aug 2015 16:20:28 +0000, David wrote:
>
> Never seen that meaning of DMZ before.

You need to see more home routers then as it's been standard on every 
D-Link, Netgear, TP-Link & Linksys home router I've ever seen.

> The NAT routers I've used have
> called that Port Forwarding and none have provided the option of mass
> forwarding ALL the ports to an internal IP.
>

DMZ is the extreme case of port forwarding. The difference being that 
whilst the item in the DMZ is on the LAN side, it is isolated from all 
the other LAN traffic.

[toc] | [prev] | [next] | [standalone]


#9278

FromMartin Gregorie <martin@address-in-sig.invalid>
Date2015-08-02 20:08 +0000
Message-ID<mpltbr$m8b$1@dont-email.me>
In reply to#9277
On Sun, 02 Aug 2015 20:26:29 +0100, mm0fmf wrote:

> DMZ is the extreme case of port forwarding. The difference being that
> whilst the item in the DMZ is on the LAN side, it is isolated from all
> the other LAN traffic.
>
Understood Thks for the explanation.


-- 
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |

[toc] | [prev] | [next] | [standalone]


#9286

FromThe Natural Philosopher <tnp@invalid.invalid>
Date2015-08-03 08:34 +0100
Message-ID<mpn5i6$udc$1@news.albasani.net>
In reply to#9277
On 02/08/15 20:26, mm0fmf wrote:
> On 02/08/2015 19:42, Martin Gregorie wrote:
>> On Sun, 02 Aug 2015 16:20:28 +0000, David wrote:
>>
>> Never seen that meaning of DMZ before.
>
> You need to see more home routers then as it's been standard on every
> D-Link, Netgear, TP-Link & Linksys home router I've ever seen.
>
>> The NAT routers I've used have
>> called that Port Forwarding and none have provided the option of mass
>> forwarding ALL the ports to an internal IP.
>>
>
> DMZ is the extreme case of port forwarding. The difference being that
> whilst the item in the DMZ is on the LAN side, it is isolated from all
> the other LAN traffic.
yes. the theory being if it gets hacked it doesn't expose the rest of 
the LAN.



-- 
New Socialism consists essentially in being seen to have your heart in 
the right place whilst your head is in the clouds and your hand is in 
someone else's pocket.

[toc] | [prev] | [next] | [standalone]


#9280

FromDennis Lee Bieber <wlfraed@ix.netcom.com>
Date2015-08-02 19:45 -0400
Message-ID<fiatradulehr2blgs5a9u3ufalo28dh9fq@4ax.com>
In reply to#9274
On Sun, 2 Aug 2015 18:42:49 +0000 (UTC), Martin Gregorie
<martin@address-in-sig.invalid> declaimed the following:

>On Sun, 02 Aug 2015 16:20:28 +0000, David wrote:
>
>> I also know the difference between the DMZ setting on a SoHo router and
>> a real DMZ with two firewalls - I am obviously talking about the DMZ
>> setting on a SoHo router which directs all incoming calls to a nominated
>> internal IP address.
>>
>Never seen that meaning of DMZ before. The NAT routers I've used have 
>called that Port Forwarding and none have provided the option of mass 
>forwarding ALL the ports to an internal IP.
> 
	Whereas all the routers I've owned (Linksys) have ALL had DMZ mode

"""
 Applications and Gaming – DMZ

The DMZ feature allows one network device to be exposed to the Internet for
use of a special-purpose service, such as online gaming. The Router
forwards all the ports at the same time to the DMZ device.

Note: After you have made your changes, click Save Settings to apply your
changes.

DMZ

Enabled/Disabled

To expose one computer as the DMZ device, select Enabled. 
"""

Whereas selective port forwarding only showed up on the newer routers.

"""
Applications and Gaming - Single Port Forwarding

Single Port Forwarding allows you to customize port services for various
applications. When users send these types of requests to your network via
the Internet, the Router will forward those requests to the appropriate
computers (also called servers).

Note: After you have made your changes, click Save Settings to apply your
changes.

Single Port Forwarding

Application Name

Select the preset application, or enter the name of the custom application.
External Port

For a custom application, enter the external port number that accepts
incoming traffic.

Internal Port

For a custom application, enter the internal port number that accepts
traffic forwarded by the Router.

Protocol

For a custom application, select the protocol(s) used.
"""
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/

[toc] | [prev] | [next] | [standalone]


#9218

FromRob <nomail@example.com>
Date2015-07-30 21:13 +0000
Message-ID<slrnmrl4s2.j2t.nomail@xs9.xs4all.nl>
In reply to#9216
David <wibble@btintenet.com> wrote:
> I've been using Shields Up to check which ports are visible from the 
> Internet.
>
> With my NAT router set up as normal, all ports show as "stealthed" in 
> Shields Up i.e. a probe to the port gives no response. This is viewed as a 
> good thing.

Only by the creator of that site.  Most other experts view that
as baloney.

[toc] | [prev] | [next] | [standalone]


#9219

FromMichael J. Mahon <mjmahon@aol.com>
Date2015-07-30 17:12 -0500
Message-ID<797262953459987062.522882mjmahon-aol.com@news.giganews.com>
In reply to#9218
Rob <nomail@example.com> wrote:
> David <wibble@btintenet.com> wrote:
>> I've been using Shields Up to check which ports are visible from the 
>> Internet.
>> 
>> With my NAT router set up as normal, all ports show as "stealthed" in 
>> Shields Up i.e. a probe to the port gives no response. This is viewed as a 
>> good thing.
> 
> Only by the creator of that site.  Most other experts view that
> as baloney.

Interesting. And how is it a good idea to reveal unnecessarily the
existence of a port?
-- 
-michael - NadaNet 3.1 and AppleCrate II: http://home.comcast.net/~mjmahon

[toc] | [prev] | [next] | [standalone]


#9220

FromRob <nomail@example.com>
Date2015-07-30 22:22 +0000
Message-ID<slrnmrl8s8.pdn.nomail@xs9.xs4all.nl>
In reply to#9219
Michael J  Mahon <mjmahon@aol.com> wrote:
> Rob <nomail@example.com> wrote:
>> David <wibble@btintenet.com> wrote:
>>> I've been using Shields Up to check which ports are visible from the 
>>> Internet.
>>> 
>>> With my NAT router set up as normal, all ports show as "stealthed" in 
>>> Shields Up i.e. a probe to the port gives no response. This is viewed as a 
>>> good thing.
>> 
>> Only by the creator of that site.  Most other experts view that
>> as baloney.
>
> Interesting. And how is it a good idea to reveal unnecessarily the
> existence of a port?

There is no "revealing the existence of a port".

[toc] | [prev] | [next] | [standalone]


#9221

FromMichael J. Mahon <mjmahon@aol.com>
Date2015-07-30 19:15 -0500
Message-ID<1427606894459994389.731455mjmahon-aol.com@news.giganews.com>
In reply to#9220
Rob <nomail@example.com> wrote:
> Michael J  Mahon <mjmahon@aol.com> wrote:
>> Rob <nomail@example.com> wrote:
>>> David <wibble@btintenet.com> wrote:
>>>> I've been using Shields Up to check which ports are visible from the 
>>>> Internet.
>>>> 
>>>> With my NAT router set up as normal, all ports show as "stealthed" in 
>>>> Shields Up i.e. a probe to the port gives no response. This is viewed as a 
>>>> good thing.
>>> 
>>> Only by the creator of that site.  Most other experts view that
>>> as baloney.
>> 
>> Interesting. And how is it a good idea to reveal unnecessarily the
>> existence of a port?
> 
> There is no "revealing the existence of a port".

Enlighten me. If I probe a port and get a NAK, doesn't that reveal that
something is there?  And doesn't that invite further probes?

I'm seriously curious. 
-- 
-michael - NadaNet 3.1 and AppleCrate II: http://home.comcast.net/~mjmahon

[toc] | [prev] | [next] | [standalone]


#9228

FromThe Natural Philosopher <tnp@invalid.invalid>
Date2015-07-31 10:19 +0100
Message-ID<mpfejg$8gc$1@news.albasani.net>
In reply to#9221
On 31/07/15 08:47, Rob wrote:
> Michael J  Mahon <mjmahon@aol.com> wrote:
>> Rob <nomail@example.com> wrote:
>>> Michael J  Mahon <mjmahon@aol.com> wrote:
>>>> Rob <nomail@example.com> wrote:
>>>>> David <wibble@btintenet.com> wrote:
>>>>>> I've been using Shields Up to check which ports are visible from the
>>>>>> Internet.
>>>>>>
>>>>>> With my NAT router set up as normal, all ports show as "stealthed" in
>>>>>> Shields Up i.e. a probe to the port gives no response. This is viewed as a
>>>>>> good thing.
>>>>>
>>>>> Only by the creator of that site.  Most other experts view that
>>>>> as baloney.
>>>>
>>>> Interesting. And how is it a good idea to reveal unnecessarily the
>>>> existence of a port?
>>>
>>> There is no "revealing the existence of a port".
>>
>> Enlighten me. If I probe a port and get a NAK, doesn't that reveal that
>> something is there?  And doesn't that invite further probes?
>
> It is not important.
>
> ALL ports with a valid port number "exist".
> But you can only connect to them when sending a TCP SYN results in
> receiving a TCP SYN ACK.  You then send a TCP ACK and from there you
> have an open connection over which you can exchange data.
>
> All other replies, no matter if it is TCP RST, ICMP Destination Unreachable
> (with a subtype of "protocol not reachable", "port not reachable",
> "host not reachable", "network not reachable", "communication
> administratively prohibited" or whatever other subtype) mean that you
> do not get the connection.
>

But *no reply at all* does not even reveal that a service exists on that 
port, nor does it waste any CPU or network bandwidth.

Better still it wastes attacker's time listening for a response that 
never comes.

Like trolls, denial of service attackers are best ignored, not given 
negative responses, because, like internet trolls, what they want is a 
response - any response.


> That does not bring the other side any nearer to a connection.  It just
> does not matter if there is a reply or not from the port.  There is
> no "further probe" that will yield anything useful (a connection) when
> there is one of those replies that would not be possible when there is
> no reply.
>
No one is talking about a connection, we are talking about denial of 
service attacks.

Repeated hits on a port that sends a NACK have in some cases resulted in 
vulnerabilities being exposed.

All this was discussed in length back in the 90's. The consensus was 
that dropping packets ra5her than nacking them was ultimately the safest 
approach in a hostile world.

It was rude to people who had made a genuine mistake, true, but thats 
life :-(

-- 
New Socialism consists essentially in being seen to have your heart in 
the right place whilst your head is in the clouds and your hand is in 
someone else's pocket.

[toc] | [prev] | [next] | [standalone]


#9229

FromRob <nomail@example.com>
Date2015-07-31 09:33 +0000
Message-ID<slrnmrmg7p.u8.nomail@xs9.xs4all.nl>
In reply to#9228
The Natural Philosopher <tnp@invalid.invalid> wrote:
> But *no reply at all* does not even reveal that a service exists on that 
> port, nor does it waste any CPU or network bandwidth.

Again, there is no "revealing" here.  Either you provide a service
or you don't, and it does not matter if you tell that you don't or if
you don't reply at all.

Those responses do not require noticable resources, especially when
compared to normal operation of the system.

> No one is talking about a connection, we are talking about denial of 
> service attacks.
>
> Repeated hits on a port that sends a NACK have in some cases resulted in 
> vulnerabilities being exposed.
>
> All this was discussed in length back in the 90's. The consensus was 
> that dropping packets ra5her than nacking them was ultimately the safest 
> approach in a hostile world.

I know that it has been discussed, but my opinion is that the result
is baloney.  There is no reason to panic when that website finds something
and marks it "not stealth".  Really.

When you are going to provide a service, it can be detected.  That is
the purpose of providing a service.  The OP wanted to open a VPN service,
so of course it is detected as not stealth.  Nothing to see here,
move along.

[toc] | [prev] | [next] | [standalone]


#9230

FromThe Natural Philosopher <tnp@invalid.invalid>
Date2015-07-31 11:23 +0100
Message-ID<mpfiaq$f5k$1@news.albasani.net>
In reply to#9229
On 31/07/15 10:33, Rob wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> But *no reply at all* does not even reveal that a service exists on that
>> port, nor does it waste any CPU or network bandwidth.
>
> Again, there is no "revealing" here.  Either you provide a service
> or you don't, and it does not matter if you tell that you don't or if
> you don't reply at all.
>

well in theory yes, in practice no one hangs a service on a port that 
simply says 'no' for no good reason

> Those responses do not require noticable resources, especially when
> compared to normal operation of the system.
>

We are not talking about normal operation: we are talking about DOS attacks.

>> No one is talking about a connection, we are talking about denial of
>> service attacks.
>>
>> Repeated hits on a port that sends a NACK have in some cases resulted in
>> vulnerabilities being exposed.
>>
>> All this was discussed in length back in the 90's. The consensus was
>> that dropping packets ra5her than nacking them was ultimately the safest
>> approach in a hostile world.
>
> I know that it has been discussed, but my opinion is that the result
> is baloney.  There is no reason to panic when that website finds something
> and marks it "not stealth".  Really.
>

No, there is no reason to panic, but there is a reason to pause and 
consider.

> When you are going to provide a service, it can be detected.  That is
> the purpose of providing a service.  The OP wanted to open a VPN service,
> so of course it is detected as not stealth.  Nothing to see here,
> move along.
>
*shrug* its possible to restrict a ports response to a range of sender 
addresses and firewall the rest out by silently dropping a packet.

I personally prefer to silently shut everything out except for ports you 
actually need, from ip addresses you actually need.




-- 
New Socialism consists essentially in being seen to have your heart in 
the right place whilst your head is in the clouds and your hand is in 
someone else's pocket.

[toc] | [prev] | [next] | [standalone]


#9233

FromDavid <wibble@btintenet.com>
Date2015-07-31 10:57 +0000
Message-ID<d212kcFj3hiU10@mid.individual.net>
In reply to#9229
On Fri, 31 Jul 2015 09:33:45 +0000, Rob wrote:

> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> But *no reply at all* does not even reveal that a service exists on
>> that port, nor does it waste any CPU or network bandwidth.
> 
> Again, there is no "revealing" here.  Either you provide a service or
> you don't, and it does not matter if you tell that you don't or if you
> don't reply at all.
> 
> Those responses do not require noticable resources, especially when
> compared to normal operation of the system.
> 
>> No one is talking about a connection, we are talking about denial of
>> service attacks.
>>
>> Repeated hits on a port that sends a NACK have in some cases resulted
>> in vulnerabilities being exposed.
>>
>> All this was discussed in length back in the 90's. The consensus was
>> that dropping packets ra5her than nacking them was ultimately the
>> safest approach in a hostile world.
> 
> I know that it has been discussed, but my opinion is that the result is
> baloney.  There is no reason to panic when that website finds something
> and marks it "not stealth".  Really.
> 
> When you are going to provide a service, it can be detected.  That is
> the purpose of providing a service.  The OP wanted to open a VPN
> service, so of course it is detected as not stealth.  Nothing to see
> here,
> move along.

So the way to go may be to configure a firewall to silently drop any 
incoming requests which are not from a chosen IP address (or address 
range)?

So that all generic probes will just get no response, as if there is no 
device connected to that IP address, and only the chosen few can go 
through the protocol to start a session.

That is, the whole port range is stealthed to virtually all the Internet 
and there is a single port visible to the select few.

Cheers

Dave R



-- 
Windows 8.1 on PCSpecialist box

[toc] | [prev] | [next] | [standalone]


#9234

FromDavid <wibble@btintenet.com>
Date2015-07-31 11:07 +0000
Message-ID<d2138fFj3hiU11@mid.individual.net>
In reply to#9221
On Fri, 31 Jul 2015 07:47:54 +0000, Rob wrote:

> Michael J  Mahon <mjmahon@aol.com> wrote:
>> Rob <nomail@example.com> wrote:
>>> Michael J  Mahon <mjmahon@aol.com> wrote:
>>>> Rob <nomail@example.com> wrote:
>>>>> David <wibble@btintenet.com> wrote:
>>>>>> I've been using Shields Up to check which ports are visible from
>>>>>> the Internet.
>>>>>> 
>>>>>> With my NAT router set up as normal, all ports show as "stealthed"
>>>>>> in Shields Up i.e. a probe to the port gives no response. This is
>>>>>> viewed as a good thing.
>>>>> 
>>>>> Only by the creator of that site.  Most other experts view that as
>>>>> baloney.
>>>> 
>>>> Interesting. And how is it a good idea to reveal unnecessarily the
>>>> existence of a port?
>>> 
>>> There is no "revealing the existence of a port".
>>
>> Enlighten me. If I probe a port and get a NAK, doesn't that reveal that
>> something is there?  And doesn't that invite further probes?
> 
> It is not important.
> 
> ALL ports with a valid port number "exist".
> But you can only connect to them when sending a TCP SYN results in
> receiving a TCP SYN ACK.  You then send a TCP ACK and from there you
> have an open connection over which you can exchange data.
> 
> All other replies, no matter if it is TCP RST, ICMP Destination
> Unreachable (with a subtype of "protocol not reachable", "port not
> reachable",
> "host not reachable", "network not reachable", "communication
> administratively prohibited" or whatever other subtype) mean that you do
> not get the connection.
> 
> That does not bring the other side any nearer to a connection.  It just
> does not matter if there is a reply or not from the port.  There is no
> "further probe" that will yield anything useful (a connection) when
> there is one of those replies that would not be possible when there is
> no reply.

Just to be sure, are you saying that the random probes running all the 
time to try and locate vulnerable hosts probe all possible ports on every 
IP address right up to the highest possible port number? That is, up to 
65535?

I was expecting that the probes would check the first 1056 ports at first 
pass and then proceed to look higher only if they got some kind of 
response to the initial range.

They might even check a few "common ports" initially to decide if they 
should expend further resource.

In which case being stealthed in the lower ranges might save you from 
being probed by aliens!

Cheers

Dave R



-- 
Windows 8.1 on PCSpecialist box

[toc] | [prev] | [next] | [standalone]


#9235

FromRob <nomail@example.com>
Date2015-07-31 11:15 +0000
Message-ID<slrnmrmm6i.5pl.nomail@xs9.xs4all.nl>
In reply to#9234
David <wibble@btintenet.com> wrote:
> Just to be sure, are you saying that the random probes running all the 
> time to try and locate vulnerable hosts probe all possible ports on every 
> IP address right up to the highest possible port number? That is, up to 
> 65535?
>
> I was expecting that the probes would check the first 1056 ports at first 
> pass and then proceed to look higher only if they got some kind of 
> response to the initial range.
>
> They might even check a few "common ports" initially to decide if they 
> should expend further resource.
>
> In which case being stealthed in the lower ranges might save you from 
> being probed by aliens!

I do not base my system configuration on some observation someone
made in the nineties, and I see no reason why a scanner would stop
when they get no reply on some port, and continue when they get
"not reachable".

This is just as stupid as "do not reply to ping!".

[toc] | [prev] | [next] | [standalone]


Page 1 of 2  [1] 2  Next page →

Back to top | Article view | comp.sys.raspberry-pi


csiph-web