Port 113 Auth/Ident Port

Hi all,

I recently decided to run a test of my fire wall (Kerio)
at the Shields Up web site and found that with a common ports test that port 113 came up just closed not stealhed like the rest and this botherd me.

I have recently read as well, in some very heated debates I might add, as to the accuracy of these fire wall test.. Is there a test out there that is 100% accurate?

Is there any thing to worry about? Should I make a rule for port 113 is it really needed? I read that there are
problems stealthing port 113 as it is needed for Auth/Ident for incoming connections and querys.

Can I stealth port 113 ? or does it need to stay the way it is?

Best Regards,
FireDancer

 

There should be no need to make a rule to block this port under most configurations. Kerio will not allow a non-listening port to be seen as closed unless your rules permit it, and if a program is listening that is something you need to prevent if your program does not call for the communication to work correctly.

Check your firewall status for any program listening on the port first, there is a chance you might have a program listening which is allowed in your rules, but only accepts the packets when it waiting for it. In which case you would have to make a rule to block it above the rule that would allow the communication. If you use any kind of IRC program it might be what it was.

There is also a chance that your isp, or a router in your network configuration could be blocking this before it reaches your computer.

If you want to test this, just make a rule to block it at the top of your ruleset which is logging, and alerting, then, see what happens on that next scan.

Note that closed is a good as stealth, as it wouldn't allow a server communication, but it shows that something is responding. Not a big worry either way, but might as well make it stealth.

 

Hi FireDancer

Your sig shows you have a Linksys router. When running any of the online scans, it is the router that will deal with these unsolicited inbound connections, not Kerio. Unless of course your system is set in the DMZ or you have forwarded any traffic through the router.

It will be the Linksys that is resulting in the closed response for port 113. This is not a risk, but if you want to stealth the router/gateway, forward port 113 to a non-existent LAN IP (one that will not be used by the DHCP server). This will stealth port 113.

Regards,

CrazyM

 

Hello,
BlitzenZeus, LWM and CrazyM

Thanks all for your replys I am sorry I did not get back to you sooner. Here is what I have come up with so far as you suggestions went.

With LWM suggesting I try www.pcflank.com I went there first and found that this site has it seems a more stringant
set of test it seems then Sheilds up. (just my opinion)
The first test I ran at pcflank was a what they call a quick test.

The test consist of a scan that looks for useable ports,
a trojan horse check and a privacy test.
My results were in my own mind a little less then desirable.

Results:

Port Scan found that port 135 and 139 had responded to communication which I find a little bothering, due to the fact that when tested at sheild up those particular ports come up steathed.

I have 2 particular rules for set in Kerio that block at least one of these ports which is

Block Net Bios 137-139 (Log) UDP/TCP both any/any 137-139

Next test was Trojan Horse Check:
Results were outstanding it came up safe

Browser Privacy test came back at 50% which is less then desireable (this test is not offerd at sheilds up)
This means to me that I need to manage cookies and what not a bit better and that is a area I am still learning as far as privacy issues.

I use Mozzila 1.4 and have cookies set for session only and to flag or deny all 3rd party cookies. Do I need to rethink this?

The Stealth Test:
Passed with flying colors as my computer did not respond to any Ping Packets, TCP Null Packets,
TCP FIN Pacakets, TCP XMAS Pacets or UDP packets.

The GIF Trojan Test I could not use due tot he fact that it is set up for IE 5.0 or higher.

The Browzer Test:
Scanned for cookies on the HDD.. NONE found

Referre Test was a big fat FAIL.. browser reveals privat info (suggestion: Adjust FireWall) hmmm ?? block browser sending info. What is Referre? and how can I better adjust the sending info on my browser?

Trojan Test:
All ports scanned for trojan accsess
Results: PASS no ports found

Advance Port Scan Test:
TCP SYN Scan
Scanned 20 random ports/ and Typical vunerable trojan ports.
Results: All come back steathed .. even 137-139 this is questionable in as much as 139 came back in quick test that 139 had responded!
Ports checked where as follows..
21, 23, 80, 135 rpc, 137-139, 1080, 1243, 3128, 12345, 12348, 27374, 31337.

Exploits Test:
I selected all for all known exploits and came back a PASS on all.

I took BlitzenZues' advise and made a rule to test the port 113 to see what happened on next scan..
Results: made a rule block port 113 TCP/UDP any/any any/any. put at top of my rule list and sure enough it cam back stealthed. Also port 113 does not show up in firewall status listening to anything and I do not use any kind of IRC program.

So I belive at this point port 113 is not a threat but I will keep watching.

As much as CrazyM suggested that I could stealth the router/swtich by forwarding port 113 to a non exsistant LAN-IP I am not sure I understand that method nor, how to apply it if needed (what the rule would read like).

I feel like pcflank did a much wider array of test, but gives me maybe a bit of a sence that my security needs work. I feel the test is also contradicting as far as ports 139 goes. Maybe someone can offer some advise?

Shields Up gave a feeling that my security was more then adaquite as it could not connect to me at all.
Now I sit here wondering if I am up to par or not with the firewall . I want to thank you all for your responces as I respect your knowledge and capabilitys in theis area. Huge Thanks for www.wilderssecurity.com
for being there to help!!!

Any more recommendations or comments would be greatly appreciated.

I am off to do some reading BBL to check in with anything new that I might find

Very Best Regards to you all,
FireDancer

 

Hi FireDancer

Well I am puzzled by this. If you are behind a router it should be dealing with these unsolicited connection attempts. Ideally the software firewall on your system should not see any inbounds. Have you forwarded any traffic through the router or put your system in the DMZ? (Are all the scans you performed showing up in the Kerio logs?)

Go to the port forwarding options in the web interface and select port 113 and forward to a LAN IP that will not be used.

Regards,

CrazyM

 

CrazyM, it was offered as a suggestion since I didn't read his sig.

Its a test to see if the firewall is actually blocking the packet, or if an outside source was.

"If you want to test this, just make a rule to block it at the top of your ruleset which is logging, and alerting, then, see what happens on that next scan"

Anyway, you posted with the router information which turned out to be correct

 

Hi CrazyM,

I went ahead as you showed in your GIF and set my port forwarding for 113 and port comes up stealth not closed with a new scan and no i did not put anything into the DMZ, should I have?


Regards,
FireDancer

 

Nope, not unless you need your system exposed directly to the Internet.
Just to clarify, are you seeing any of these scans show up in your Kerio logs? If your router is configured properly, they should not be getting through to your system and Kerio.

Regards,

CrazyM

 

CrazyM,

No I am not seeing them

Regards,
FireDancer