Help with LooknStop

Discussion in 'LnS English Forum' started by darksky, Jan 26, 2003.

Thread Status:
Not open for further replies.
  1. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Just installed LooknStop and tested on PcFlank.

    For results & my configuration, see attached screen captures.

    What changes can I make to stealth these ports and pass PcFlank's tests?

    Thanks...
     

    Attached Files:

  2. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Configuration here:
     

    Attached Files:

  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi darksky,

    My suggestion is that the network interface is not correctly selected in the options.

    Could you check that PCFlank gives you the same IP as Look 'n' Stop (in the Welcome page).
    If not, try to change the network interface (don't forget the Apply button).

    Otherwise you can the enhanced ruleset.

    Regards,

    Frederic
     
  4. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Frederic,

    Thanks for your reply -- I double checked and verified that yes, the same IP address does show up in LooknStop as in PCFlank.

    I found a link on the website for an enhanced ruleset, however when I try to save and import it, LooknStop does not recoginize it.

    The ruleset is at:
    http://looknstop.soft4ever.com/Rules/BloqueConnexionsTCPEntrantes.rie

    The page comes up, but when I save it - it does not save in an importable format.

    What ruleset should I be using to stealth these ports?

    PCFlank reports:
    If you have a firewall, check if it is set to make all your computer ports invisible (hidden). If it is, then it failed miserably...
     
  5. claire

    claire Guest

    Hi,

    I use LnS with the enhanced ruleset(available besides the standart ruleset in LnS so you don't need to import one from the site) and I passed the PCflank test with flying colors.

    Hope this can help
     
  6. claire

    claire Guest

    http://www.looknstop.com

    Go to the dowload section.

    Have a good night
     
  7. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Unfortunately, even the enhanced ruleset is failing the QuickTest on PCFlank.

    See new thread at:

    http://www.wilderssecurity.com/showthread.php?t=6720
     
  8. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Are you sure you are not running any process that could leave these ports open even with LookNstop installed ? Have you also check that you have the right Network Interface selection in Option ?

    I've went to pcflank and everything is all green. ( Might you have alterd the rule set ? )
     
  9. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Re: Network interface selection, yes I've checked and it's correct. As for altering the rule set, no - it's the Enhanced Rule Set, unaltered.

    As for another process - it's possible. But as those processes started, I simply chose the default authorizations through LooknStop... Example, my antivirus - I chose to authorize it's attempt to autoupdate itself. Those are the kinds of authorizations I've made using answering yes to LooknStop when it asks if I want to allow it. So why would that cause LooknStop to not stealth port 80o_O I ran the same processes and made the same authorizations using SyGate and it remained stealthed and bulletproof on every test I ran including PCFlank. Yet LooknStop repeatedly fails.

    Is there not some simple rule I can import that'll stealth Port 80 and yet continue to allow me surf the net? Must be something I can do?

    Thanks.
     
  10. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    I don't know why your port 80 is not stealth when if should be. But I beleive that when your browser is open at PCflank and you test it, it shows activities cause it's open ( It normally should still show stealthed..... why I don't know. ) On the other end, you might be running a proccess wich opens port 80 and that LookNstop doesn't see ?!.

    In wich case, I would recommend a complete uninstall of LookNstop and reinstall a clean copy. ( Unless that's already be attempted )

    ( Even with the default rules set it should show that everything is stealthed )
     
  11. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    No, I really am not running any process that should be preventing port 80 from being stealthed. Running an advanced port scan shows port 80 is closed but not stealthed -- all other ports so far show stealth.

    LooknStop should stealth this port or there should be some simple way to do it, but so far the solution is proving difficult.

    I'm pretty disappointed, I'd read good things about LooknStop. I still think there must be some rule that could be added to correct this.
     
  12. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    When you are doing the PCFlank test, could you confirm you have anyway a lot of alerts in the logs ?

    I don't think this a rule issue. Normally even the standard ruleset is able to block this port.

    Did you try the GRC test, the port 80 is also scanned there:

    https://grc.com/x/ne.dll?bh0bkyd2

    Thanks,

    Frederic.
     
  13. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    I would consider having yourself scanned elsewhere then PCflank ( it has been known to have a few bugs )

    Try the GRC website http://www.grc.com/

    and the Sygate scan too......... you might see something different.
     
  14. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Darsky, which OS do you operate and which LNS version ?
    Also do you run a server on your sys or an application such as FrontPage that has built in server ?
     
  15. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Hi,

    I'm my OS is Windows XP Pro, service pack one.

    My LNS version is: 2.04

    I am not running any servers (no FrontPage), or any app with a built in server that I'm aware of.

    I have scanned on GRC and it shows Port 80 as stealthed...HOWEVER, the reason I'm concerned is this:

    I've run repeated tests on PCFlank with SYGATE and it ALWAYS shows as full stealthed. Running PCFLank with LookNStop repeatedly shows Port 80 as closed but not stealthed. (SYGATE's been completely uninstalled).

    With LooknStop, my port 80 is blocked, but I can't seem to stealth it on PCFLank and my concern is that it's seeing a vulnerablity that GRC is missing.
     
  16. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Honey ! If GRC doesnt SEE it then there's nothing to worrie about. PC Flank has been know to cause bogus false alarms in cases.
     
  17. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, it is not the first time port 80 is seen closed instead stealth by PCFlank:
    http://www.pcflank.com/forums/showthread.php?s=bd45672961b1be7dbb7d935412a6cf51&threadid=82&highlight=look+pcflank

    (see the 3rd an 4th posts).

    However I don't explain why Sygate could report the port as stealth in the same time.

    Frederic
     
  18. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Well, if you go to my website and to the firewalls page, i've listed many sites were you can have your sys scanned. If no others show port 80, then you will know it's an anomaly at pcflank
     
Thread Status:
Not open for further replies.