port scan greater than 1024 not stealth

Discussion in 'other firewalls' started by anybody, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. anybody

    anybody Guest

    Just did a few port scans at grc.com and www.auditmypc.com. Everything below port number 1024 is perfectly stealth. But, port scan anything above that revealed occasional "CLOSE" port instead of "STEALTH" port. Is this normal?

    I have standard broadband hardware firewall, ZAP, NOD32 and BOClean
     
  2. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Question: By "anything above" 1024 do you mean going up to 1056? GRC's "all service ports" only scans as high as 1056. It sounds like only a handful of ports are "closed". Please specify which ports were not stealthed, if you can.

    In any event, I believe you should be able to achieve full stealth with lttle effort. It's likely you can do this with your hardware firewall by port forwarding the troublesome packets to a non-existant IP.

    Please let us know some specifics (products you're using, etc.) and/or keep us up-to-date on your progress.
     
  3. anybody

    anybody Guest

    Thanks for the reply.

    I did get all STEALTH upto 1056 at grc.com. After that, I decided to choose a custom range which is random selected to be 25000 - 25063. Out of the 64 ports,

    25001,25024,25028,25029,25056,25059,25062

    are marked as CLOSE , while others are STEALTH. Other ranges exhibits the same result, for example

    GRC Port Authority Report created on UTC: 2004-06-27 at 12:50:42

    Results from scan of ports: 5000-5063

    0 Ports Open
    11 Ports Closed
    53 Ports Stealth
    ---------------------
    64 Ports Tested

    NO PORTS were found to be OPEN.

    Ports found to be CLOSED were: 5004, 5005, 5024, 5034, 5035,
    5036, 5056, 5057, 5058, 5059,
    5060

    Other than what is listed above, all ports are STEALTH.

    TruStealth: FAILED - NOT all tested ports were STEALTH,
    - NO unsolicited packets were received,
    - NO Ping reply (ICMP Echo) was received.


    I don't know whether my setup qualify as a hardware firewall. It is not a standalone box but is integrated into the ADSL modem. So, I guess it is not as robust to a real hardware firewall.
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Did these ports show as having been scanned by ZAP? If so, how did ZAP classify the communications?

    Does this modem/router/firewall (whatever it is) have a traffic log? If so, what did you find in that log at the time you conducted the test?
     
  5. f123

    f123 Guest

    Also running ZA Pro 4.5.594.000. Those "closed' ports are STEATH with my setup. Make sure your internet and trusted zone settings are in HIGH mode.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,791
    Location:
    Texas
    Closed vs stealth

    Courtesy of Paranoid2000


    From a security perspective, closed and stealthed ports are almost identical - neither will permit unauthorised access. However a stealthed port will not report your presence which makes it harder for an attacker to probe your computer (the first stage of such a probe is typically a "port scan" - sending packets to a wide range of port numbers in an attempt to find out which are open). Also, since many attackers scan for a specific port number over a wide address range (looking for a trojan application that uses that port number), having stealthed ports helps the Internet community by making such scans far slower (if a response is sent by everyone, an attacker could scan thousands of addresses per second - if none are sent, the attacker would have to wait longer to check for a delayed reply, reducing their scanning speed to tens of addresses per second or less).

    LINK
     
  7. anybody

    anybody Guest

    strange enough. I conduct another scan on the same range and the result is different.

    GRC Port Authority Report created on UTC: 2004-06-28 at 00:40:06

    Results from scan of ports: 5000-5063

    0 Ports Open
    4 Ports Closed
    60 Ports Stealth
    ---------------------
    64 Ports Tested

    NO PORTS were found to be OPEN.

    Ports found to be CLOSED were: 5024, 5056, 5058, 5060

    Other than what is listed above, all ports are STEALTH.

    TruStealth: FAILED - NOT all tested ports were STEALTH,
    - NO unsolicited packets were received,
    - NO Ping reply (ICMP Echo) was received.

    ZAP did not report any traffic during the scan. I did turn on event logging. My pc is behind an ADSL rounter/modem with built-in firewall. Therefore, the probe traffic could not reach my pc I guess.
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If nothing is showing up in the ZA logs, then the router/modem is dealing with all the unsolicited inbounds and it would not appear anything is being forwarded through to LAN systems. This is good and the way it should be.

    Does your router/modem have any configuration and logging options?

    Regards,

    CrazyM
     
  9. anybody

    anybody Guest

    Ya...I checked the network/security log in my modem. No mention of blocking anything during the test.
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Does it log automatically or is this something that may need to be enabled?
    What configuration options do you have that may affect how it responds to unsolicited inbound traffic? Make/model of your router/modem?

    As ronjor noted, you are still secure with a closed result. It would just be nice to know what, if any, configuration is available in your device.

    Regards,

    CrazyM
     
Loading...
Thread Status:
Not open for further replies.