Kerio Rules, I need some help/advice
darksky
January 20th, 2003, 01:36 AM
Ok, I've attached my screen captures from Kerio...I'm doing something wrong here and need some help.
I continue to fail port scan tests, especially with Port 80 as being non-stealthed.
What's more, I fear I'm probably open to other vulnerabilities.
Can someone please review my screen captures and give me some suggestions on how I can shore up my defenses and make myself stealthed across all ports?
Also, any other suggestions on rules I can add or modify to increase my security?
Thank You! I'm stuck. :-\
darksky
January 20th, 2003, 01:37 AM
screen capture 2
darksky
January 20th, 2003, 01:37 AM
Screen capture 3
UNICRON
January 20th, 2003, 01:52 AM
By double clicking on the Kerio icon in the task bar (or right clicking on it and selecting "firewall status") you can see a list of listening/connected processes. Under the column "local address", the number after the colon is the port being listened on. Find the process listening on port 80 and report back. Posting a screenie of that "firewall status" window will be of value also (as I have); don't mind the splotches.
darksky
January 20th, 2003, 02:07 AM
Hi, thanks for the quick response...I can post a screen shot but are there some numbers I should black out first so I'm not posting something that could be exploited by a hacker?
If so, what things should I black out?
Thanks!!
CrazyM
January 20th, 2003, 02:10 AM
Anything you do not wish to be public (such as your WAN IP or any remote addresses you know you are connected to that you might not want to share).
Regards,
CrazyM
darksky
January 20th, 2003, 02:25 AM
Thanks! See attached.
CrazyM
January 20th, 2003, 02:55 AM
Hi darksky
What is this ADSGONE.EXE listening on port 80?
I do not recall seeing a rule for it in the posts above. Try killing that app and testing again and see what your results are for port 80.
Regards,
CrazyM
Tassie_Devils
January 20th, 2003, 02:57 AM
Hi darksky:
I see adsgone.exe is holding Port 80 Open.
I presume it's a program for blocking ads, which in turn is operating on a proxy, is that right?
If so, try shutting that down, then check Kerio again, then do a scan with it off and see if Port 80 is stealthed/closed.
edit: LOL Crazy, beat me by thaaaat much!
darksky
January 20th, 2003, 03:12 AM
Hi - first off, I want to thank both of you for helping me this evening...
Ok, I closed AdsGone and rebooted...open connections through Kerio no longer show anything on Port 80 - I cross-checked this with Diamond's Port Explorer. *** HOWEVER***, when I re-ran the test on PCFlank, it still fails, showing:
Warning!
The test found visible port(s) on your system: 80
Recommendation:
Install personal firewall software. If you have already installed and are using a firewall, check if it is set to make all the ports of your computer invisible (hidden). If it is, then get new firewall software and redo this test.
Help :-\
darksky
January 20th, 2003, 03:24 AM
I ran an advanced port scan and it shows Port 80 as being CLOSED, but not stealthed. Is there a rule I can change in Kerio to stealth this port? Since nothing seems to be "listening" on this PORT, it seems it must be more of a configuration issue, right? Port Explorer and Kerio's own output show nothing listening and no indication of a Trojan.
See attached screen capture of Adv Port Scan..
Tassie_Devils
January 20th, 2003, 03:24 AM
hmm... that's a bit weird.
I will leave you in Crazy's capable hands mate.
He's the Firewall expert here and maybe come up with something that's not obvious at first glance.
BTW, was that ADSGONE.EXE an ad blocking proggy like I said and did you check if it acts as a proxy, because I had a bit of trouble with AdSubstract Pro which is one and it works on Port 4444 and a Proxy.
I killed the proxy from working, and defaulted my IE back to the ISP's proxy and it still works fine.
Cheers, TAS.
Tassie_Devils
January 20th, 2003, 03:27 AM
Try another scan, as *sometimes* you may get a different result like Crazy said.
Go to GRC's site and do the Port scan there, it's quick and it will for sure tell you if 80 is stealthed or just closed.
TAS.
darksky
January 20th, 2003, 03:56 AM
Hi, thanks again both of you! As far as I can tell, AdsGone does not use a Proxy.
As for GRC, ran the scan and it shows Port 80 as being stealthed. Re-ran the scan on PC-Flank and it shows "CLOSED", not stealthed.
???
JacK
January 20th, 2003, 04:00 AM
Quoting darksky:
> Ok, I've attached my screen captures from Kerio...I'm doing something wrong here and need some help.
Hi,
A rule you label outgoing ping is a rule IN.
Your ICMP rules should be, for instance, as follows
(May vary according to your needs)
Description: Out Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo
Remote Endpoint: Any
Action: PERMIT
= = = = = = = = = = = = = = = =
Description: In Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action: PERMIT
= = = = = = = = = = = = = = = =
Description: In Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo
Remote Endpoint: Any
Action: DENY
= = = = = = = = = = = = = = = =
Description: Out Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action: DENY
= = = = = = = = = = = = = = = =
Description: Block ICMP (Logged)
Protocol: ICMP
Direction: Both
ICMP Type: Echo Reply, Destination Unreachable, Source Quench, Redirect, Echo, Time Exceeded, Parameter Prob, Time Stamp, Time Stamp Reply, Info Request, Info Reply, Address, Address Reply, Router Advertisement, Router Solicitation (ALL)
Remote Endpoint: Any
Action: DENY
Why don't you have rules about NetBIOS?
You should have these 2 rules in first position:
Description: Block Inbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY
= = = = = = = = = = = = = = = =
Rule 2:
Description: Block Outbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Port/Range
First Port: 137
Last Port: 139
Action DENY
Rgds,
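The rule list above applied as a first-match policy, as an added example (not Kerio's own code and not from JacK's post): a small Python model of Kerio's top-down rule evaluation loaded with JacK's ICMP and NetBIOS rules, showing which rule each packet hits and why the logged block-all-ICMP rule has to sit last. The packet fields and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """Constructed sample packet as the firewall sees it."""
    proto: str                       # "ICMP", "TCP" or "UDP"
    direction: str                   # "in" or "out"
    icmp_type: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    name: str
    protos: Tuple[str, ...]
    direction: str                   # "in", "out" or "both"
    action: str                      # "PERMIT" or "DENY"
    icmp_types: Optional[frozenset] = None   # None = any ICMP type
    local_ports: Optional[range] = None      # None = any port
    remote_ports: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        if p.proto not in self.protos:
            return False
        if self.direction != "both" and self.direction != p.direction:
            return False
        if self.icmp_types is not None and p.icmp_type not in self.icmp_types:
            return False
        if self.local_ports is not None and p.local_port not in self.local_ports:
            return False
        if self.remote_ports is not None and p.remote_port not in self.remote_ports:
            return False
        return True

def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Top-down, first match wins; a packet no rule covers falls through."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return "NO MATCH", None

PING_REPLIES = frozenset({"Echo Reply", "Destination Unreachable", "Time Exceeded"})
NETBIOS = range(137, 140)            # ports 137-139 inclusive

# JacK's rule set in the order he gives it: NetBIOS blocks first, then the
# ICMP rules, with the logged deny-all-ICMP rule last as the catch-all.
RULES = [
    Rule("Block Inbound NetBIOS TCP UDP (Notify)", ("TCP", "UDP"), "in", "DENY", local_ports=NETBIOS),
    Rule("Block Outbound NetBIOS TCP UDP (Notify)", ("TCP", "UDP"), "out", "DENY", remote_ports=NETBIOS),
    Rule("Out Needed To Ping And TraceRoute Others", ("ICMP",), "out", "PERMIT", icmp_types=frozenset({"Echo"})),
    Rule("In Needed To Ping And TraceRoute Others", ("ICMP",), "in", "PERMIT", icmp_types=PING_REPLIES),
    Rule("In Block Ping and TraceRoute ICMP (Notify)", ("ICMP",), "in", "DENY", icmp_types=frozenset({"Echo"})),
    Rule("Out Block Ping and TraceRoute ICMP (Notify)", ("ICMP",), "out", "DENY", icmp_types=PING_REPLIES),
    Rule("Block ICMP (Logged)", ("ICMP",), "both", "DENY"),
]

def decide(rules, proto, direction, icmp_type=None, local_port=None, remote_port=None):
    """Convenience wrapper: build the packet and return (action, matching rule name)."""
    return evaluate(rules, Packet(proto, direction, icmp_type, local_port, remote_port))

if __name__ == "__main__":
    samples = [
        ("ICMP", "out", "Echo", None, None),       # our own ping: permitted
        ("ICMP", "in", "Echo Reply", None, None),   # the answer coming back: permitted
        ("ICMP", "in", "Echo", None, None),         # someone pinging us: denied with notify
        ("ICMP", "in", "Redirect", None, None),     # falls through to the logged catch-all
        ("TCP", "in", None, 139, 3456),             # inbound NetBIOS session: denied
        ("UDP", "out", None, 1025, 137),            # outbound NetBIOS name query: denied
    ]
    for s in samples:
        print(s, "->", decide(RULES, *s))
    # Ordering matters: with the catch-all moved to the top, our own pings die with it.
    print("catch-all first:", decide([RULES[-1]] + RULES[:-1], "ICMP", "out", "Echo"))
```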
CrazyM
January 20th, 2003, 04:07 AM
Hi darksky
Likely just the pcflank site. My results when last there were inconsistent with elsewhere and what I know they are/should be. More to follow on your rule set.
Regards,
CrazyM
CrazyM
January 20th, 2003, 04:19 AM
Hi darksky
In regards to your rule set…
Screen capture 1
LSA Shell (Kerberos), Windows Logon, LSA Shell (LDAP), LSA Shell, Userinit Logon Applications (LDAP), Microsoft DS and Generic Host Processes for Windows.
Do you really require all these rules? If you are in doubt deny first. Determine what you really need and then make the appropriate rules. You might also want to check what services you have running that may not be required.
Block Inbound Simple Service Discovery Protocol. Unless you wanted to log this specifically, it is not required as it is covered by your final Block Inbound (Log).
Screen Capture 2
Finjan First Strike Security, DS Clock, RealNetworks Event Launcher, not familiar with these apps, but do they need outbound to any address any service/port?
TDS-3 Live Update can be restricted to remote service/port 80 (and specific remote addresses if desired).
NOD32CC.EXE likewise can be restricted to remote service/port 80 (and specific remote addresses if desired).
Internet Explorer TCP, you might want to add remote service/port 8080.
Internet Explorer UDP, you were likely prompted for this as it requires a UDP loopback rule. You can modify this rule to remote address 127.0.0.1, remote service/ports 1024-5000.
Block Inbound for System, Generic Host Process TCP, Unless you wanted to log this specifically, it is not required as it is covered by your final Block Inbound (Log).
Block Incoming ICMP not required as it is already covered by your earlier Block Other ICMP rule.
Block Outbound LiveUpdate Engine COM Mod…for which app is this? If you are not using it can you disable it? (the app that is, then you will not require the rule)
Screen capture 3
RealOne Player TCP, is this the same .exe as earlier? If so, this rule is not required. If not, does it require any remote service/port? Or can you limit it?
Block Inbound LSA Shell and Generic Host Process UDP, Unless you wanted to log this specifically, it is not required as it is covered by your final Block Inbound (Log).
Outlook Express UDP and the TCP out to any port??? It has been a while since I have used NOD32, but it could be Outlook Express is accessing email via NOD's POP3SCAN.EXE and you got these prompts for loopback. The simplest way to determine this would be to delete the rules (temporarily disable your original for remote service/ports 25, 110, 119) and let the rule assistant prompt you again. Select customize; if you see remote end point 127.0.0.1, select it and limit the rule to that remote address. If this is the case, you can modify your rule for POP3SCAN.EXE to remote service/ports 25 and 110. Your original Outlook Express rule would then only require remote service/port 119.
That should keep you busy for a while ;) If you should remove some of your rules to start fresh, select customize when the rule assistant pops up and pay close attention to the information provided, i.e. remote service/ports, remote end point, etc. This will allow you to make fairly specific rules.
Regards,
CrazyM
darksky
January 20th, 2003, 04:34 AM
Jack,
Hey, thanks for the great info. I modified according to your suggestions and added the inbound & outbound rules for NetBios as well.
Appreciate it!
Mark
CrazyM
January 20th, 2003, 05:12 AM
Hi Mark
A couple of sites worth checking for services running on your system:
http://www.blackviper.com/WinXP/servicecfg.htm
http://www.techspot.com/guides-os.shtml
Once you have disabled those services you may not require, it should cut down on the prompts/rules for those services and then streamline your rule set to meet your specific needs.
Regards,
CrazyM
SpaceCowboy
January 20th, 2003, 12:52 PM
The first pic is all of the default rules that Kerio adds when you install Kerio. They should all be deleted. You should then make your own DHCP and DNS rules for your servers only. Then make the rules that Jack provided for you. As far as Internet Explorer goes, you only need a TCP (out) rule for that.
This is a good thread at DSL for helping you make rules for Kerio.
http://www.dslreports.com/forum/remark,2896630~root=kerio~mode=flat
- added url tags, CrazyM
JayK
January 21st, 2003, 01:34 PM
Quoting CrazyM:
> Hi darksky
> Likely just the pcflank site. My results when last there were inconsistent with elsewhere and what I know they are/should be. More to follow on your rule set.
> Regards,
> CrazyM
You already know this. Different sites have different terminology. Closed =stealthed on some sites.
I began reading about the various scan methods used on websites. Amazingly, they are less accurate than I thought they were, especially with UDP scans. A lot of scans are based on assumptions on how your computer responds. Some techniques may even consider no response because your firewall dropped the packets to be a sign the port is open.
JacK
January 21st, 2003, 03:46 PM
Quoting JayK:
> You already know this. Different sites have different terminology. Closed =stealthed on some sites.
Hello,
Which ones?
I never happen to meet a single one.
On any site I know CLOSED = CLOSED
And on some BLOCKED = STEALTH
TIA
Tassie_Devils
January 21st, 2003, 09:55 PM
Hi jack:
How are you!
You asked which sites have closed = stealth?
This one for starters: http://www.blackcode.com/scan/index.php
It's a very comprehensive testing. It scans your ports 1-1000 plus scans all known trojan ports.
I do have a couple others that also state CLOSED only and on their page they say for all intents and purposes CLOSED to them = Stealthed. :)
I had over 30 testing sites, but have deleted a lot, as could not get my IP correct most of the time as my ISP is proxy, so cannot give you links to most I had now.
edit: don't worry you can see "my" IP, that's an old shot, IP long changed.
I suppose strictly speaking it says closed and nothing on the site indicates it = stealthed. But for all intents and purposes, with all the other sites I have tested from, it's good enough for me.
Also, I have posted a fairly big list of testing sites.
http://www.wilderssecurity.com/showthread.php?t=6341
JayK
January 21st, 2003, 10:59 PM
Quoting Tassie_Devils:
> Hi jack:
> How are you!
> You asked which sites have closed = stealth?
> This one for starters: http://www.blackcode.com/scan/index.php
> It's a very comprehensive testing. It scans your ports 1-1000 plus scans all known trojan ports.
> I do have a couple others that also state CLOSED only and on their page they say for all intents and purposes CLOSED to them = Stealthed. :)
> I suppose strictly speaking it says closed and nothing on site indicates it = stealthed. but for all intents and purposes with all the other sites I have tested from it's good enough for me.
My "expert" opinion after reading FOUR (yes count them) books on TCP/IP and hacking is that the whole stealth/closed difference is a total waste of time.
I mean it's all very well to say a blocked port is one that responds with a "No" while a stealth port doesn't respond at all, but the more I read about scans, it seems it's not clear cut.
Take an "ACK" scan (very clever by the way) by Nmap. A "reset" response would indicate that the port is "unfiltered". On the other hand, no response or an ICMP PORT UNREACHABLE message would be considered filtered.
A stateful firewall would not be fooled by an ACK scan, and would not allow the packets in, so obviously no response would be obtained. Is this stealthed or blocked? Either way, we know there's probably something there. (Otherwise a router upstream would respond with ICMP destination unreachable.)
So hackers would know you were there and You have a firewall..
I also read about TCP SYN scans,TCP FIN scan,TCP XMAS, NULL etc and in all of them, it's really hard to tell the difference between a blocked port and a stealthed port.
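The scan states JayK describes, as an added example that is not part of the thread: a Python classifier mapping what a scanner gets back (SYN/ACK, RST, an ICMP unreachable, or silence) to nmap's state names for SYN, ACK and FIN/NULL/XMAS probes, plus a constructed model of a target that either answers normally (the "closed" result) or has a firewall silently drop the probe ("stealth"). It shows why silence reads as "filtered" for SYN and ACK probes but only "open|filtered" for FIN-style probes.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Response:
    """What the scanner gets back: a TCP segment, an ICMP error, or nothing."""
    kind: str                          # "tcp", "icmp" or "none"
    tcp_flags: frozenset = frozenset()
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

SILENCE = Response("none")
RST = Response("tcp", frozenset({"RST"}))
SYN_ACK = Response("tcp", frozenset({"SYN", "ACK"}))
PORT_UNREACHABLE = Response("icmp", icmp_type=3, icmp_code=3)

# ICMP destination-unreachable codes that nmap reads as "filtered":
# net/host/protocol/port unreachable plus the administratively-prohibited codes.
FILTERED_ICMP_CODES = {0, 1, 2, 3, 9, 10, 13}

def _icmp_filtered(r: Response) -> bool:
    return r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in FILTERED_ICMP_CODES

def classify(probe: str, resp: Response) -> str:
    """Port state a scanner infers from one probe/reply pair (nmap's state names)."""
    tcp = resp.kind == "tcp"
    if probe == "syn":
        if tcp and {"SYN", "ACK"} <= resp.tcp_flags:
            return "open"
        if tcp and "RST" in resp.tcp_flags:
            return "closed"                    # the "closed, not stealthed" verdict
        if resp.kind == "none" or _icmp_filtered(resp):
            return "filtered"                  # what the test sites call "stealth"
    elif probe == "ack":
        # An ACK probe never tells open from closed; a RST only proves nothing filtered it.
        if tcp and "RST" in resp.tcp_flags:
            return "unfiltered"
        if resp.kind == "none" or _icmp_filtered(resp):
            return "filtered"
    elif probe in ("fin", "null", "xmas"):
        if tcp and "RST" in resp.tcp_flags:
            return "closed"
        if _icmp_filtered(resp):
            return "filtered"
        if resp.kind == "none":
            return "open|filtered"             # an open port is silent too, so no way to tell
    raise ValueError(f"unexpected reply to {probe} probe: {resp}")

def host_reply(policy: str, probe: str, listening: bool = False) -> Response:
    """Constructed model of the target. 'reject': the TCP stack answers as RFC 793
    says (RST for a port nobody listens on). 'drop': a firewall discards the probe."""
    if policy == "drop":
        return SILENCE
    if probe == "syn":
        return SYN_ACK if listening else RST
    if probe == "ack":
        return RST                             # unsolicited ACK draws a RST, open or closed
    return SILENCE if listening else RST       # FIN/NULL/XMAS: open ports stay quiet

def scan_matrix(policy: str, listening: bool = False) -> Dict[str, str]:
    """Send one probe of each kind at the modelled host and collect the verdicts."""
    return {p: classify(p, host_reply(policy, p, listening)) for p in ("syn", "ack", "fin")}

if __name__ == "__main__":
    print("port 80 closed, no firewall :", scan_matrix("reject"))
    print("port 80 dropped by firewall:", scan_matrix("drop"))
```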
Tassie_Devils
January 22nd, 2003, 12:07 AM
>I also read about TCP SYN scans,TCP FIN scan,TCP XMAS, NULL etc and in all of them, it's really hard to tell the difference between a blocked port and a stealthed port.
Hi JayK. Thanks for reply.
a lot of reading BTW. :)
Above statement would then make it difficult anyway for anyone to get in wouldn't it? Regardless of closed/stealthed.
but by the same token, nothing is foolproof. One can only set up their system as best as possible and use the best defence in the world, the brain, when surfing.
Cheers.
darksky
January 22nd, 2003, 01:06 AM
CrazyM, Tassie, Jack & the gang...
Thank you for all the helpful input. I've tested now a couple of firewalls against PCFlank. Kerio, no matter what I do, continues to show warnings on their tests...When I do their Advanced Port Scan it shows port 80 as CLOSED but not stealthed. When I run the same test on grc however, it shows PORT 80 as stealthed.
I also tested SygatePro - EVERYTHING is stealthed on every test I've run against - on PCFLANK as well as 5 other sites, including PORT 80. Since SYGATE comes up full stealth on PCFLANK's tests every time, it makes me question whether Kerio is simply not providing the same level of protection.
I realize if that's the case, it's probably my error in my rulesets but I can not seem to stealth that port on PCFLANK consistently no matter what I try.
This is my first try with a rules-based firewall and I'm beginning to think I'm not smart enough to use one yet. I don't want to open myself up out of ignorance because of improper settings.
Do any of you run Kerio, and if so, is it showing up as SAFE on PCFLANK's QuickTEST or are you also getting warnings?
JacK
January 22nd, 2003, 04:14 AM
Quoting darksky:
> CrazyM, Tassie, Jack & the gang...
> Thank you for all the helpful input. I've tested now a couple of firewals against PCFlank. Kerio, no matter what I do, continues to show warnings on their tests...When I do their Advanced Port Scan it shows port 80 as CLOSED but not stealthed. When I run the same test on grc however, it shows PORT 80 as stealthed.
> I also tested SygatePro - EVERYTHING is stealthed on every test I've run against - on PCFLANK as well as 5 other sites, including PORT 80. Since SYGATE comes up full stealth on PCFLANK's tests everytime, it makes me question as to whether Kerio is simply not providing the same level of protection.
> I realize if that's the case, it's probably my error in my rulesets but I can not seem to stealth that port on PCFLANK consistently no matter what I try.
> This is my first try with a rules-based firewall and I'm beginning to think I'm not smart enough to use one yet. I don't want to open myself out of ingnorance because of improper settings.
> Do any of you run Kerio, and if so, is it showing up as SAFE on PCFLANK's QuickTEST or are you also getting warnings?
Hello,
As largely discussed before, you are not more or less secure with Closed or Blocked.
But if a developer advertises his product can make you Stealth, it has to do what it says.
I have no problem with KPF to be in stealth mode for any port.
Rgds,
Tassie_Devils
January 22nd, 2003, 09:27 AM
Hi darksky.
It's not often I can get PCFlank to work for me simply because I am behind my ISP's Proxy, and it states as such.
But on the occasions I have somehow managed to get the right IP I have always come up Stealthed on everything.
I am currently using KPF, no probs. I only did a full scan at Sygate's site of each of the options and all BLOCKED.
Good luck with Sygate, as I believe it is a nice FW.
I have tried Sygate, and it was great, BUT, it conflicted with my PC-cillin AV [even said in their conflicts page, that it conflicts with PC-cillin and to UNINSTALL PC-Cillin.] So I went to KPF and am not sorry in the least.
Cheers, TAS.
JayK
January 22nd, 2003, 10:42 AM
Quoting Tassie_Devils:
> Hi jack:
> How are you!
> You asked which sites have closed = stealth?
> This one for starters: http://www.blackcode.com/scan/index.php
> It's a very comprehensive testing. It scans your ports 1-1000 plus scans all known trojan ports.
Does this one ever work? I've never ever accessed it before despite many tries now and in the past. All I get is some geek error message, "403" :P
Just for fun, I've disabled everything from webwasher, proxo, host files, IEspyad, firewall, DNSkong, Autopac file, still to no avail...
JayK
January 22nd, 2003, 10:56 AM
Quoting darksky:
> CrazyM, Tassie, Jack & the gang...
> Thank you for all the helpful input. I've tested now a couple of firewals against PCFlank. Kerio, no matter what I do, continues to show warnings on their tests...When I do their Advanced Port Scan it shows port 80 as CLOSED but not stealthed. When I run the same test on grc however, it shows PORT 80 as stealthed.
Hey Darksky, you don't seem to get what we are saying, probably my fault.
Basically Stealth is as secure as Blocked. The idea of stealth is that by dropping packets and not responding, hackers won't know you are there.... Supposedly this is safer than "blocked" where you respond "No" but give away the fact that you are there..
However, to be truly stealthed you have to control how routers in front of you respond. You might not respond to a probe, but the lack of response itself is a dead giveaway to hackers, because if you were truly not there, someone (probably your ISP's router) would respond that no one at that IP address is there. But your router knows you are there, so it won't send the message. This is a dead giveaway.
The second reason is that "Some of the firewall test sites are not always consistent or correct for any number of reasons." as stated by CrazyM. You can read more about this if you are interested, but I always take the whole stealth business with a pinch of salt. I've seen people post that you can be considered stealthed on GRC, even with no firewall, which is strange when you think about it. This just tells me that scanners are inconsistent depending on what assumptions they make..
Basically if your ports are shown to be blocked, don't go crazy if you can't get stealthed on some sites. I'd rather spend more time learning about other aspects of security, like hardening your OS, tightening up your firewall rules, learning about encryption, threats to privacy and more.
JayK
January 22nd, 2003, 11:00 AM
Quoting Tassie_Devils:
> >I also read about TCP SYN scans,TCP FIN scan,TCP XMAS, NULL etc and in all of them, it's really hard to tell the difference between a blocked port and a stealthed port.
> Hi JayK. Thanks for reply.
> a lot of reading BTW. :)
> Above statement would then make it difficult anyway for anyone to get in wouldn't it? Regardless of closed/stealthed.
Yes. But when you think about it though, this means that the typical user who does not run email servers or webservers doesn't need to keep many (any?) ports open.
Assuming that such a user manages to close down EVERY listening port by Windows (a great feat I'm sure), would he need a firewall? After all everything is blocked already.
Of course, the argument for using a firewall now rests solely on outbound protection to check trojans and spyware correct?
darksky
January 22nd, 2003, 11:26 AM
Hi,
No, not your fault at all. Your explanation is clear. The additional points you made regarding routers were also most helpful.
I was drawing the conclusion that because I was getting consistent stealth results with SyGate and inconsistent "closed" results with Kerio, that I may have misconfigured my ruleset.
From your comments it sounds as if stealth vs closed is not as big of an issue as I had assumed and that my Kerio results may mean I'm not any less protected with Kerio than with Sygate.
Thanks.
JayK
January 22nd, 2003, 11:33 AM
Hi
Come to think of it, it's not the clarity of my responses you should be worried about. It's the accuracy that you should be worried about.
JacK
January 22nd, 2003, 12:16 PM
Quoting JayK:
> I've seen people post that you can be considered stealthed on GRC, even with no firewall, which is strange when you think about it. This just tells me that scanners are inconsistent depending on what assumptions it makes..
Hi JayK,
Yes, and not only on GRC but on all sites running stealth tests.
It depends on the provider: some (very seldom) use a transparent proxy or something of the kind; it was discussed and proved on the Kerio Yahoo groups when KPF did not yet succeed at stealth tests.
BTW, on scanner test sites, Stealth = Blocked (like Sygate and GRC for instance) (rejected request)
and Closed when the request is denied.
Rgds,
Tassie_Devils
January 22nd, 2003, 01:29 PM
>Does this one ever work? I've never ever accessed it before despite many tries now and in the past. All I get is some geek error message.,"403"
>Just for fun, I've disenabled everything from webwasher ,proxo,host files, IEspyad,firewall,DNSkong,Autopac file, still no avail...
Hi JayK
LOL, You sound like I do when I try PCFlanks. I very rarely get that to work, but with Blackcode I haven't failed yet. [See page 2 of this thread and my posted pic]. I also had only scanned last night again from there and no probs.
Cheers.
JayK
January 22nd, 2003, 03:25 PM
Quoting Tassie_Devils:
> >Does this one ever work? I've never ever accessed it before despite many tries now and in the past. All I get is some geek error message.,"403"
> >Just for fun, I've disenabled everything from webwasher ,proxo,host files, IEspyad,firewall,DNSkong,Autopac file, still no avail...
> Hi JayK
> LOL, You sound like I do when I try PCFlanks. I very rarely get that to work, but with Blackcode I haven't failed yet. [See page 2 of this thread and my posted pic]. I also had only scanned last night again from there and no probs.
> Cheers.
The problem with "Defence in depth" is that if something is blocked, you have no idea what is causing it, especially if they don't have any signals.
Still generally I have learnt how to recognise url blocked due to proxomitron,hostfile or firewall...