#1
Hi guys, I'm back

Have been ill for a while so have not been able to sit at the PC much, but have dropped in now and again just to check up on gossip, jokes and issues.

B/Band's active now. Yippee
PC's fast on the net. Yippee
Dumped AOL (ha) Yippee. Serves 'em right P*s*in me about
Bought a NAT, F/W modem. Great

I used to go to Gibbo's Shields Up and get a full stealth pass rating, but since switching to my new Zoom 5551 Modem/Gateway/Router/Firewall I get closed ports with port 80 open. I have read his bit about defaults on the WAN side but cannot seem to find the necessary setting to close or re-stealth said ports.

I am currently using the LAN connector at the moment as I can't seem to be able to get a connection with the USB/BT Yahoo B/Band side of things yet (no dial-up tone).

Any help, ideas appreciated
__________________
Don't feed the Trolls

#2
Well, after many hours of not being able to connect and banging my head under the desk and trying this and that, I am now back in stealth mode at GRC (just got to try the others).

The only thing I did that I hadn't already tried numerous times for the last 24hrs was strip the PC of every last trace of AOL's software. Makes you think, doesn't it? PC is a lot happier too; for the last week or so I have had nothing but crashes and chkdsk's on bootup.

Still can't sign in to my BTyahoo services as they don't like the fact that I didn't want to spend my money on their poxy modem, but have found a way to backdoor the browser and get to my email account (all their browser files force you through a dial-up login screen which is of absolutely no use to my modem; even USB with no phone/filters can't get the dial tone required, and the modem is already by default to their specs). Must have set up at least 20 different B/band configurations. No joy.

However, I still have one concern. When I was using ahem AOL's ahem trial they scrambled my IP each time I connected so it always showed up at GRC differently, but an IP the same as my BTyahoo account profile is displayed. Have even powered down and disconnected everything and then resubmitted again but it remains the same. Is this my actual IP, or one devised by the hardware f/w?

I see cochise finally got his gif. I looked all over but due to 56k it took ages just loading pages, and could only find a couple of chiefs. Lost me paint shop animator as well.

SpyD
__________________
Don't feed the Trolls

#3
Hi spydespiser

Quote:

Not being familiar with this modem/router/firewall, could you explain a little more about your current set up and connection type?

Quote:

Is your concern that your WAN IP appears to remain the same? Even though the ISP may say your IP is dynamic, it is not unusual for some to stay the same. Depending on your set up, the router will usually obtain your public (WAN) IP from your service provider and systems behind it on the LAN will have private IP addresses assigned by the DHCP server in the router.

Regards,
CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#4
Hi CrazyM

I've just got back from ADSLGuides site and their review of my product has answered more questions than the manual does. I have now got the USB/network side working. Port 80 is back on display (don't know why I got it stealthed yesterday).

Quote:

Errrr dunno

Active Ports shows me this, so maybe everything's all right (please note since having dealings with AOL I have had to go find and reinstall a lot of apps recently so didn't have tools to investigate the matter).
__________________
Don't feed the Trolls

#5
Hi spydespiser

Quote:

By display do you mean it's showing as open or closed to scans? You might want to double check all your advanced settings to make sure no options are selected that may cause your router to listen/hold that port open on the WAN side.

Your Active Ports screenshot shows your system having a private LAN IP address (10.0.0.3). This is normal and the way it should be. Your router should have a status page somewhere which will show what your current WAN (public) IP is.

Regards,
CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#6
Thanx CrazyM

Port 80 is open and the others are closed. They did stealth at one point with the new modem/router but I don't know what I did, and all my settings are default (same as when they stealthed).

The only settings page with any reference to ports is the one at first post (everything is left at default as advised by the manual, as it says only to change any other settings if advised to do so by the ISP). All adv settings pages contain either router IPs 000etc or subnet masks 255255255etc, except WAN status which shows my public IP (varies 'cause I have to keep resetting firmware when I change something it don't like) and a static IP add in my permanent VC settings.

I just can't understand why yesterday it stealthed and today it fails, as all I have done since is change from LAN to USB connector. No settings have been changed as there were none to change, it was all preconfigured by default, and I'm not even sure it decloaked at that point; it could have been earlier for all I know.

Could I have a background programme such as YahooMess (I read somewhere) or something? I don't know, as I can't fully access the account as BTyahoo won't support or techhelp on modems you don't buy from them, i.e. I can't switch to other subaccounts I have (sign in), use/access all features of account.

Thanx for looking at this for me

SpyD

EDIT- maybe it's just replying with blocking; my software f/w used to do that at first then learnt to ignore/stealth probes
__________________
Don't feed the Trolls

#7
Hi SpyD

Have you tried more than one online scan site? For a convenient list: http://www.wilderssecurity.com/showthread.php?t=6341

Does the router have logging capabilities? If so, what do they show, in particular, does it show the port 80 scan? Does the software firewall on your system log any scans getting past the router?

Regards,
CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#8
CrazyM

Tried the blackcode one as well, same result (will try the rest but thought maybe post query as I might be a while). Just before coming back to Wilders I found this, but can no longer see s/w f/w in current activity page; they disappeared when scr/grab taken
__________________
Don't feed the Trolls

#9
Gotta do this separate as I had trouble posting img before with Yahoo browser

Did a trace on akamai but no registrant (don't know what it is): 212dot23dot32dot13. Have a lot of new files since changing to Yahoo. They both highlighted as being outbound to port 80. They are back now I have done security check with f/w ("optimal"). I also had GRC & Wilders show up in Ybrowser section of current activity screen but no sign of f/w. Does that mean that when I took scr/shot f/w disabled and GRC & Wilders were behind it? (These were the only 2 browsed in that time; these also highlighted as outbound 80.) Unit does not seem to have logging capab's.

Quote:

Have recently cleared log but will maintain same connection and monitor while trying other scan sites

Thanx
SpyD

P.S. sorry it's in two bits, will have to visit test forum and mess with new browser (or change it)
__________________
Don't feed the Trolls

#10
Hi SpyD

The screenshots from your firewall would appear to be of current connections. The destination port 80 (http) and source port (ephemeral) are consistent with that and nothing to worry about.

After doing the tests at the scan site, check the software firewall logs on your system to see if anything is showing up there. It is unfortunate if your router does not have any logging.

...also check your IM here on the board.

Regards,
CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#11
Hi CrazyM

Only just got back. Have done a few of the other tests and checked warning logs just before reading your post: only one warning, and that was when browser requested permission to access hacker whackr. Most came up clear. auditpc found my public IP but nowt else. One found port 80 but then explained it could be NAT/server and other similar finds (which sounds right), so I think it's OK, but still don't understand how ext modem stealthed itself yesterday if I can't configure or instruct it to allow/block traffic (everything stays at default except ISP username and p/word). It is also NAPT (network address port translation) by default.

Quote:

Vodka LOL

Thanx again for helping out

SpyD
__________________
Don't feed the Trolls

#12
Hi Spyd

Your router could be holding open port 80, but restricting access. If this is the case, make sure you have changed any default user names and passwords to access the configuration pages. Also check if there are any remote administration options. If so, make sure they are disabled.

You could try contacting Zoom support and ask if it is normal for your unit to show port 80 (http) open on the WAN side and what access, if any, there is.

Regards,
CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#13
Hi CrazyM

Quote:

I will contact them as this isn't in their FAQ/scenarios, and I think I already have remote admins and such in order but will check all settings again. Thought I would let you guys have a crack at it as you may have come across similar threads/hardware on travels.

Thanx again for time/feedback on issue

KC now I can (do you want chocolate chips in it?)

SpyD

What's a Remote OS guess? Is it stuff that's trying me or possible stuff I'm using to restrict?
__________________
Don't feed the Trolls

#14
Hi SpyD

Quote:

I had a quick look around the site as well and could not see anything covering it. Let us know what you hear back.

Quote:

Thanks, glad to help out

Quote:

Scanner's best guess at OS or what you may be using to restrict access.

Regards,
CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#15
Update

Emailed Zoom on Sunday, got reply that I should have questions answered in 1-3 business days; hopefully should have answers today/tonight (the 3rd day)

SpyD
__________________
Don't feed the Trolls

#16
Hi spydespiser,

There is a way of creating a black hole on most NAT routers, if you have a DMZ (Demilitarised Zone) capability in the router set up pages. Here is how to do it:

Open to the DMZ IP address and add a local IP address that will not be an actual PC; for instance, if your PC's address is 10.0.0.3, create a DMZ IP of 10.0.0.200. You should then go to the forwarding page, if there is one, and forward port 80 TCP & UDP to that IP. You will then show Stealth on ALL the scan sites. All network traffic aimed at your real IP will be diverted to the .200 black hole PC but all wanted traffic will be as normal.

I am not familiar with your router so you may have to dig a bit for similar terms in your router's documentation. My experience is only with Linksys & 3COM, and recently whilst testing another product, part of which involved attacking my IP - they did not succeed, though this did not include denial of service attacks.

HTH
Pilli
__________________
"Education is not the filling of a pail, but the lighting of a fire" Pilli's website http://www.pilliwinks.net
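
The black-hole setup from the post above, and the "closed ports with port 80 open" result from the start of the thread, as an added example that is not part of the original thread or any router's firmware. The `Router` class, its rule precedence, the reply-with-RST default and the port lists are all assumptions made for illustration; real firmware differs.

```python
from dataclasses import dataclass, field
from typing import Optional

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"

@dataclass
class Router:
    """Toy model (hypothetical, not any vendor's firmware) of how a home NAT
    router answers an unsolicited inbound TCP probe on its WAN address."""
    lan_hosts: dict                                   # LAN IP -> set of listening ports
    wan_services: set = field(default_factory=set)    # ports the router itself answers
    forwards: dict = field(default_factory=dict)      # WAN port -> LAN IP
    dmz_ip: Optional[str] = None                      # catch-all target, if set
    rst_by_default: bool = True                       # True: RST ("closed"), False: drop

    def _deliver(self, ip, port):
        if ip not in self.lan_hosts:
            return STEALTH        # nothing lives at that address, so no reply at all
        # Assumes the LAN host runs no software firewall that drops packets.
        return OPEN if port in self.lan_hosts[ip] else CLOSED

    def probe(self, port):
        # Assumed precedence: forwarding rule, router's own service, DMZ, default.
        if port in self.forwards:
            return self._deliver(self.forwards[port], port)
        if port in self.wan_services:
            return OPEN
        if self.dmz_ip is not None:
            return self._deliver(self.dmz_ip, port)
        return CLOSED if self.rst_by_default else STEALTH

def scan(router, ports=(21, 80, 139)):
    """Return {port: state} as an online scan site would report it."""
    return {p: router.probe(p) for p in ports}

# Constructed scenarios using the thread's 10.0.0.x addressing.
as_reported = Router(lan_hosts={"10.0.0.3": set()}, wan_services={80})
black_hole = Router(lan_hosts={"10.0.0.3": set()}, wan_services={80},
                    forwards={80: "10.0.0.200"}, dmz_ip="10.0.0.200")
real_pc_in_dmz = Router(lan_hosts={"10.0.0.3": {139}}, dmz_ip="10.0.0.3")

if __name__ == "__main__":
    for name, r in [("as reported", as_reported), ("black hole", black_hole),
                    ("real PC in DMZ", real_pc_in_dmz)]:
        print(f"{name:15} {scan(r)}")
```
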
#17
Thanx Pilli

I have DMZ (pressed return by mistake and sent 1/2 a post). Am looking for forwarding port process screen/configuration
__________________
Don't feed the Trolls

#18
Hello Pilli
What about a router that has only one address in the DMZ page and another cannot be added? The existing one can only be changed.
__________________
HMSS Q Section Visualise World Righteousness Semper Ad Fundum Careers in the SECRET INTELLIGENCE SERVICE <--Click link for more information

#19
Hi Q-Section,

True, most home routers have just 1 DMZ address, usually for a PC used as a server or for other uses, but most NAT routers allow other methods for VPN etc.

For most home users the black hole method is very effective.
__________________
"Education is not the filling of a pail, but the lighting of a fire" Pilli's website http://www.pilliwinks.net

#20
Pilli

So you are saying to make the only address on the DMZ page the DMZ non-existent one?
__________________
HMSS Q Section Visualise World Righteousness Semper Ad Fundum Careers in the SECRET INTELLIGENCE SERVICE <--Click link for more information

#21
Hi Pilli, Q-Section

Would this be the port forwarding setup screen?

I'm treading completely new territory here as I've only been online a few weeks and have only just learnt s/w f/w's by hanging out here.

Text on DMZ:

>A DMZ configuration bypasses the modem's NAT firewall and allows the computer to accept all incoming packets. CAUTION! Use the DMZ feature with utmost care. It exposes the DMZ computer's entire contents to the internet; there is no firewall protection whatsoever

I take it the "Blackhole" alleviates this

Quote:

Quote:

What would happen if I had spyware or such? Could it phone home or invite in unwanteds?

Am posting this even though not fully complete as I have that many browsers/documentation open I've forgot what I'm doing. Must try harder!

EDIT- according to documentation I can open multiple ports (for a maximum of 20) but have to configure each one individually. Would I do 1 for UDP then 1 for TCP?
__________________
Don't feed the Trolls

#22
Me
__________________
Don't feed the Trolls

#23
Q-Section, yes, you place the non-existent one in the DMZ: the black hole.

Spydespiser, I do not think that the screenie you show is port forwarding, maybe port triggering, VPN, whatever? In the Linksys it is called port forwarding & is in a table format as stated above:

port no: From | To | TCP | UDP |port| IP address BH

In the 3com it just has a place for the DMZ IP address & automatically routes normal traffic. Note the warning on the screenie below, which obviously applies if you have a "real" PC in the DMZ
__________________
"Education is not the filling of a pail, but the lighting of a fire" Pilli's website http://www.pilliwinks.net

#24
Still no e-mail (don't often get angry but when I do somebody got some explaining to do!)

Hi Pilli

Sorry reply took so long: tried something, got booted off net, server locked up and had to hard reset firmware, had to dig out passwords, had to reverse property settings manual told me to change, coffee grew a layer of ice, ashtray set on fire LOL

Quote:

Failed! All I seem to have is a NAT screen

EDIT- some To**ers just cold called me on my new number that only 2 people should have! Time to remind BT who's paying their wages methinks
__________________
Don't feed the Trolls

#25
Might as well add main screen while I'm bloating this thread with screenies

I don't think that guy will ring back anymore
__________________
Don't feed the Trolls