Novice user requires help/advice

Discussion in 'LnS English Forum' started by noel1947, Jun 6, 2003.

Thread Status:
Not open for further replies.
  1. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    41
    Location:
    Australia
    Hi

    This is my first post and I apologize for the length of my query. I should state that I am a novice with regard to the complexities of rule creation.

    Since installing "Look 'n' Stop" I have used the Sygate online security scan and all the results have shown all my ports have been completely stealthed. Great, that is what I assume a firewall's primary function is.

    I have just set up a server on my home computer (Pentium 4 2.53 gig WinXp cable modem - no router) using Serv-U program as my FTP server. Everything is tested, runs OK (password protected as only 1 person in Japan will have access). Fine so far.

    I followed the Look 'n' Stop Rule example : Authorizing an FTP Server from the FAQ section of the homepage and the rule was created. Looks Ok.

    I then retested Sygate online security scan and the following results are now:


    FTP DATA 20 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
    FTP 21 OPEN File Transfer Protocol is used to transfer files between computers. A misconfigured FTP server can allow an attacker to transfer files, Trojan horses, and virus programs at will.
    SSH 22 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
    TELNET 23 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
    SMTP 25 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
    DNS 53 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
    DCC 59 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
    FINGER 79 CLOSED This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
    WEB 80 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
    POP3 110 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
    IDENT 113 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
    NetBIOS 139 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
    HTTPS 443 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
    Server Message Block 445 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
    SOCKS PROXY 1080 BLOCKED This port has not responded to any of our probes. It appears to be completely stealthed.
    SOURCE PORT 3022 BLOCKED This is the port you are using to communicate to our Web Server. A firewall that uses Stateful Packet Inspection will show a 'BLOCKED' result for this port.
    WEB PROXY 8080 BLOCKED This port has not responded

    My server will only be online on a request from the other party basis.

    My questions are:
    1. With the results above, am I still protected fully from attack while server is running?
    2. Have I missed something in the setup of the rule creation?
    3. In the application filtering section of Look 'n' Stop I have authorized the following applications associated with Serv-U (FTP Serv-U Administrator, ServUT~1.exe and ServUDaemon.exe). I assume that these permitted applications are essential to have my server access the internet. Does anyone use Serv-U and have I correctly permitted these applications?

    I think that about covers my queries. I had used the search function for my queries but came away confused, thus this post.

    Any assistance/advice would be greatly appreciated and my apologies again for such a long post.

    Regards

    noel1947
     
  2. Phant0m

    Phant0m Guest

    Hey noel1947

    If you send me your rule-set via E-mail Phant0m@phant0m-looknstop.com I’ll be happy to take a look at it… :)
     
  3. gkweb

    gkweb Guest

    Hi

    There is no problem here.

    To be totally stealth is possible (even if an experienced hacker can see you anyway); your first test shows it.
    But keep in mind that you can't offer services and at the same time have total security; service = door opened = less security. You can't have both at the same time.
    Imagine that you were totally stealth with your FTP service activated: how would we connect to you if we can't see you?

    CLOSED ports and BLOCKED ports aren't a security issue; they are just viewable and compromise your invisibility a little, and the OPEN port is needed to allow people to connect to you.

    So, there is no security issue; you didn't do anything wrong, you have done things right ;)

    Want to be totally stealth? Disable all services, but who wants to jail himself nowadays?

    Definitely not me! And you? ;)
     
  4. Phant0m

    Phant0m Guest

    Hey noel1947

    Sygate Online Scan is known to give out false alerts. For the rule “TCP : Authorize a FTP Server” you can tighten that up a bit by using “Equal my @” for source. The rules “UDP : Authorize name resolution (DNS)” & “UDP : BOOTP / DHCP” could also be tightened up by specifying destination IP addresses… Also the FTP rules could be fixed up to use IP masks, which would also tighten things up a bit too…

    Take a look at http://www.Phant0m-looknstop.com in FAQs / Master Rule-set

    Fix it up and re-scan, and get a second opinion (try another web-scan like Shields UP!!).
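    The two replies above make two points that are easy to see in a small model: gkweb's point that a scanner's CLOSED / OPEN / BLOCKED verdicts come from whether a probe is dropped, answered by the TCP stack, or answered by a listening service, and Phant0m's point that pinning the destination to "my @" and restricting the source with an IP mask narrows who can even reach the open port. The Python below is an added example written for this thread; it is not Look 'n' Stop's engine nor anything from its FAQ. The addresses (TEST-NET ranges), the partner's network, the "first matching rule wins, default deny" evaluation order and the rule names are all assumptions made for the illustration.

```python
# Added example (not from the thread, not Look 'n' Stop code): a small model of
# how a personal firewall rule-set decides what an online port scan reports.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed placeholder addresses (TEST-NET ranges); MY_ADDR plays "my @".
MY_ADDR = "203.0.113.10"
PARTNER_NET = "198.51.100.0/24"   # the single remote user's network (hypothetical)
SCANNER_ADDR = "192.0.2.50"       # the web scanner's probe source (hypothetical)


@dataclass
class Rule:
    name: str
    action: str                      # "allow" lets the SYN reach the TCP stack; "block" drops it
    dst_port: Optional[int] = None   # None = any port
    src_net: Optional[str] = None    # None = any source; otherwise a CIDR mask
    dst_addr: Optional[str] = None   # None = any destination; MY_ADDR models "Equal my @"


def matches(rule: Rule, src: str, dst: str, dst_port: int) -> bool:
    """True when an inbound TCP SYN from src to dst:dst_port hits this rule."""
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    if rule.src_net is not None and ip_address(src) not in ip_network(rule.src_net):
        return False
    if rule.dst_addr is not None and rule.dst_addr != dst:
        return False
    return True


def probe(rules: List[Rule], src: str, dst: str, dst_port: int, listening: Set[int]) -> str:
    """State a scanner reports for one inbound SYN, in the Sygate vocabulary.
    Assumption: rules are evaluated top-down, first match wins, unmatched = deny."""
    for rule in rules:
        if matches(rule, src, dst, dst_port):
            if rule.action == "block":
                return "BLOCKED"          # dropped silently: no reply, "stealthed"
            break
    else:
        return "BLOCKED"                  # default deny: also silent
    if dst_port in listening:
        return "OPEN"                     # a service answered with SYN/ACK
    return "CLOSED"                       # the stack answered with RST: visible, nothing listening


def scan(rules: List[Rule], src: str, ports: List[int], listening: Set[int]) -> Dict[int, str]:
    """Run one probe per port from src against MY_ADDR."""
    return {p: probe(rules, src, MY_ADDR, p, listening) for p in ports}


# Loose rule (constructed): any source may reach port 21 on any local address.
LOOSE = [Rule("TCP : Authorize a FTP Server", "allow", dst_port=21)]
# Tightened as Phant0m suggests: destination pinned to my address, source limited by a mask.
TIGHT = [Rule("TCP : Authorize a FTP Server", "allow", dst_port=21,
              src_net=PARTNER_NET, dst_addr=MY_ADDR)]

if __name__ == "__main__":
    ports = [20, 21, 22, 80]
    print("loose, Serv-U running  :", scan(LOOSE, SCANNER_ADDR, ports, {21}))
    print("loose, Serv-U stopped  :", scan(LOOSE, SCANNER_ADDR, ports, set()))
    print("tight, scanner probes  :", scan(TIGHT, SCANNER_ADDR, ports, {21}))
    print("tight, partner connects:", scan(TIGHT, "198.51.100.7", ports, {21}))
```

    Running it shows the three verdicts side by side: with the loose rule and Serv-U listening, port 21 is OPEN and everything else stays BLOCKED; with Serv-U stopped (the "online on request only" case), the same allowed port turns CLOSED because the stack, not a service, answers; with the tightened rule the scanner's probe of port 21 is BLOCKED while a connection from the partner's network is OPEN. The model deliberately ignores the FTP data connection (port 20 / passive ports) and stateful tracking, so it says nothing about why the other CLOSED entries appeared in the scan above.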
     
  5. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    41
    Location:
    Australia
    Thanks gkweb and Phant0m for your assistance and advice. Much appreciated.

    noel1947
     