Port 113 Auth/Ident Port

Discussion in 'other firewalls' started by FireDancer, Aug 11, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined: Jul 24, 2003; Posts: 316
    Hi all,

    I recently decided to run a test of my firewall (Kerio) at the Shields Up web site and found that with a common ports test port 113 came up just closed, not stealthed like the rest, and this bothered me.

    I have recently read as well, in some very heated debates I might add, :) about the accuracy of these firewall tests. Is there a test out there that is 100% accurate?

    Is there anything to worry about? Should I make a rule for port 113? Is it really needed? I read that there are problems stealthing port 113, as it is needed for Auth/Ident for incoming connections and queries.

    Can I stealth port 113? Or does it need to stay the way it is?

    Best Regards,
    FireDancer ;)
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002; Posts: 17,875; Location: New England
    One of the people who knows Kerio will probably come along and discuss the different rule options for that port - it is an interesting port given the type of desired functionality versus the access to it you grant...

    As for the accuracy of online tests, I think people's experiences vary a lot. I've seen many people say that www.pcflank.com is inaccurate for them, but I've tested it extensively and it's always been accurate for me. The new GRC scanner was very accurate against my system, but some people say no.

    The best advice is to use a few different port scanning sites and compare the results. At PCFlank there is an Advanced Port Scanner option where you can give it a specific list of ports you want to check.

    If one site gives you a questionable result, go to another and see if it confirms it or not.
     
  3. BlitzenZeus

    BlitzenZeus Security Expert

    Joined: Feb 11, 2002; Posts: 451; Location: Oregon, USA
    There should be no need to make a rule to block this port under most configurations. Kerio will not allow a non-listening port to be seen as closed unless your rules permit it, and if a program is listening that is something you need to prevent if your program does not call for the communication to work correctly.

    Check your firewall status for any program listening on the port first. There is a chance you might have a program listening which is allowed in your rules, but only accepts the packets when it is waiting for them. In which case you would have to make a rule to block it above the rule that would allow the communication. If you use any kind of IRC program it might be what it was.

    There is also a chance that your ISP, or a router in your network configuration, could be blocking this before it reaches your computer.

    If you want to test this, just make a rule to block it at the top of your ruleset which is logging, and alerting, then, see what happens on that next scan.

    Note that closed is as good as stealth, as it wouldn't allow a server communication, but it shows that something is responding. Not a big worry either way, but might as well make it stealth.
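
The closed-versus-stealth distinction from the post above, as an added example that is not part of the original thread: a TCP connect check for your own machine that reports "open" when the handshake completes, "closed" when a reset comes back, and "stealth" when nothing answers before the timeout. The names `classify`, `probe` and `loopback_demo` are hypothetical, and the demo uses constructed loopback ports rather than port 113.

```python
import errno
import socket

OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def classify(exc):
    """Map the outcome of one TCP connect attempt to a scan-site verdict."""
    if exc is None:
        return OPEN                      # handshake completed: something is listening
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED                    # a RST came back: port closed, host visible
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return STEALTH                   # no reply at all: packet silently dropped
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE               # routing/ICMP error, not a firewall verdict
    raise exc


def probe(host, port, timeout=3.0):
    """Try a full TCP connect to host:port and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def loopback_demo():
    """Constructed sample: one listening and one unused port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens here any more
    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    print(loopback_demo())               # own machine only; 113 is the ident port
```

Run from inside the LAN, `probe` exercises only the host firewall; an online scanner sees whichever device faces the Internet.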
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002; Posts: 2,428; Location: BC, Canada
    Hi FireDancer

    Your sig shows you have a Linksys router. When running any of the online scans, it is the router that will deal with these unsolicited inbound connections, not Kerio. Unless of course your system is set in the DMZ or you have forwarded any traffic through the router.

    It will be the Linksys that is resulting in the closed response for port 113. This is not a risk, but if you want to stealth the router/gateway, forward port 113 to a non-existent LAN IP (one that will not be used by the DHCP server). This will stealth port 113.

    Regards,

    CrazyM
     
  5. FireDancer

    FireDancer Registered Member

    Joined: Jul 24, 2003; Posts: 316
    Hello,
    BlitzenZeus, LWM and CrazyM

    Thanks all for your replies. I am sorry I did not get back to you sooner. Here is what I have come up with so far as your suggestions went.

    With LWM suggesting I try www.pcflank.com, I went there first and found that this site has, it seems, a more stringent set of tests than Shields Up. (just my opinion)
    The first test I ran at pcflank was what they call a quick test.

    The test consists of a scan that looks for usable ports, a trojan horse check and a privacy test.
    My results were in my own mind a little less than desirable.

    Results:

    Port Scan found that port 135 and 139 had responded to communication :( which I find a little bothering, due to the fact that when tested at Shields Up those particular ports come up stealthed.

    I have 2 particular rules set in Kerio that block at least one of these ports which is

    Block Net Bios 137-139 (Log) UDP/TCP both any/any 137-139

    Next test was Trojan Horse Check:
    Results were outstanding :) it came up safe

    Browser Privacy test came back at 50% which is less than desirable (this test is not offered at Shields Up)
    This means to me that I need to manage cookies and whatnot a bit better, and that is an area I am still learning as far as privacy issues.

    I use Mozilla 1.4 and have cookies set for session only and to flag or deny all 3rd party cookies. Do I need to rethink this? :)

    The Stealth Test:
    Passed with flying colors as my computer did not respond to any Ping Packets, TCP Null Packets, TCP FIN Packets, TCP XMAS Packets or UDP packets.

    The GIF Trojan Test I could not use due to the fact that it is set up for IE 5.0 or higher.

    The Browser Test:
    Scanned for cookies on the HDD.. NONE found :)

    Referrer Test was a big fat FAIL.. browser reveals private info :( (suggestion: Adjust Firewall) hmmm ?? block browser sending info. What is Referrer? and how can I better adjust the sending info on my browser?

    Trojan Test:
    All ports scanned for trojan access
    Results: PASS no ports found

    Advanced Port Scan Test:
    TCP SYN Scan
    Scanned 20 random ports and typical vulnerable trojan ports.
    Results: All come back stealthed .. even 137-139. This is questionable in as much as 139 came back in the quick test as having responded!
    Ports checked were as follows..
    21, 23, 80, 135 rpc, 137-139, 1080, 1243, 3128, 12345, 12348, 27374, 31337.

    Exploits Test:
    I selected all for all known exploits and came back a PASS on all.

    I took BlitzenZeus' advice and made a rule to test port 113 to see what happened on the next scan..
    Results: made a rule block port 113 TCP/UDP any/any any/any. Put it at the top of my rule list and sure enough it came back stealthed. Also port 113 does not show up in firewall status listening to anything and I do not use any kind of IRC program.

    So I believe at this point port 113 is not a threat but I will keep watching.

    As much as CrazyM suggested that I could stealth the router/switch by forwarding port 113 to a non-existent LAN IP, I am not sure I understand that method nor how to apply it if needed (what the rule would read like).

    I feel like pcflank did a much wider array of tests, but gives me maybe a bit of a sense that my security needs work. I feel the test is also contradicting as far as port 139 goes. Maybe someone can offer some advice?

    Shields Up gave a feeling that my security was more than adequate as it could not connect to me at all.
    Now I sit here wondering if I am up to par or not with the firewall :). I want to thank you all for your responses as I respect your knowledge and capabilities in this area. Huge Thanks for www.wilderssecurity.com for being there to help!!!

    Any more recommendations or comments would be greatly appreciated.

    I am off to do some reading :) BBL to check in with anything new that I might find

    Very Best Regards to you all,
    FireDancer ;)
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002; Posts: 2,428; Location: BC, Canada
    Hi FireDancer

    Well I am puzzled by this. If you are behind a router it should be dealing with these unsolicited connection attempts. Ideally the software firewall on your system should not see any inbounds. Have you forwarded any traffic through the router or put your system in the DMZ? (Are all the scans you performed showing up in the Kerio logs?)

    Go to the port forwarding options in the web interface and select port 113 and forward to a LAN IP that will not be used.

    Regards,

    CrazyM
     

    Attached Files:

  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined: Feb 11, 2002; Posts: 451; Location: Oregon, USA
    CrazyM, it was offered as a suggestion since I didn't read his sig.

    It's a test to see if the firewall is actually blocking the packet, or if an outside source was.

    "If you want to test this, just make a rule to block it at the top of your ruleset which is logging, and alerting, then, see what happens on that next scan"

    Anyway, you posted with the router information which turned out to be correct :cool:
     
  8. FireDancer

    FireDancer Registered Member

    Joined: Jul 24, 2003; Posts: 316
    Hi CrazyM,

    I went ahead as you showed in your GIF and set my port forwarding for 113, and the port comes up stealth, not closed, with a new scan :) and no, I did not put anything into the DMZ, should I have?


    Regards,
    FireDancer :D
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002; Posts: 2,428; Location: BC, Canada
    Nope, not unless you need your system exposed directly to the Internet.
    Just to clarify, are you seeing any of these scans show up in your Kerio logs? If your router is configured properly, they should not be getting through to your system and Kerio.

    Regards,

    CrazyM
     
  10. FireDancer

    FireDancer Registered Member

    Joined: Jul 24, 2003; Posts: 316
    CrazyM,

    No I am not seeing them :)

    Regards,
    FireDancer
     