Some open ports, how to close them?

Discussion in 'other firewalls' started by Percival, Sep 19, 2009.

Thread Status:
Not open for further replies.
  1. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    I'm running NIS 2007. I thought everything was well, until I ran Symantec's online security check. In the "Hacker Exposure Check" it told me I had four open ports.

    This online security check used to say that everything was "stealth", this is the first time I get a less than perfect result.


    Here's the result:

    Test overview:
    http://img185.imageshack.us/img185/6097/securitycheck0.jpg

    http://img185.imageshack.us/img185/307/securitycheck1.jpg


    Here are the four open ports.
    http://img185.imageshack.us/img185/5240/securitycheck2.jpg


    The following images are of the other (stealthed) ports.
    http://img185.imageshack.us/img185/1006/securitycheck3.jpg
    http://img185.imageshack.us/img185/835/securitycheck4.jpg


    I have poked around in the Norton firewall settings, but I am unsuccessful at closing the ports. I don't know what to do.

    I have uninstalled and reinstalled NIS and it changed nothing.


    XP Professional, SP1
     
  2. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    How serious is this? Should I stay offline until I get it fixed? :doubt:

    It is possible that these ports have been open for a long time (many months), but I don't know. It seems as if no one has taken control of my PC yet.. :doubt:
     
  3. wrongway67

    wrongway67 Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    45
    But do you use a router or a modem?
    Because if you use a router, they scan your router, not your PC. If so, you have to check the router's configuration.
     
  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I have Windows XP firewall and got a "safe" result.

    I'm surprised at yours; maybe turn on the Windows firewall just to see what results you get?

    (& don't have a router)
     
    Last edited: Sep 19, 2009
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Exactly.
    Percival, all of your open ports are due to a router configuration. I can say that my router had FTP and Telnet server enabled by default, so check that. Port 80 is opened due to web-based interface of the test (the timeout for returned HTTP packets was still valid).

    EDIT:

    No.

    Taking control of a PC is not a trivial matter. Even if the ports are opened, a process which listens on these ports must be active/started. And even then, that process must have a vulnerability that can be exploited.
    But it is better to be safe than sorry, so close the ports.
     
    Last edited: Sep 19, 2009
  6. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    I'm using a Thomson Speedtouch 546T router modem.

    When in bridged mode, it works as a modem. I had it in bridged mode until July. After that I've been using it in a non-bridged mode, which probably means it works as a router.

    It is not wireless.

    My ISP recommended using it in the default mode which is non-bridged (router). Maybe this was bad advice and I should start using it as a modem again.




    What do you mean? I should not have a router? Or you don't have a router?
     
  7. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    I was unaware of the router firewall. I managed to enable it, and now the test result shows no open ports. Thanks! :) :thumb:

    What differentiates a router from a modem? I understand that a modem is just a device that lets the PC use the phone line. Isn't this exactly what the router does too?

    A broadband modem does not have a firewall?

    If the router has a firewall, am I less dependent on a firewall installed in Windows?
    The firewall installed in Windows (Norton in my case) is updated regularly. I can't update the firewall in the router.
     
  8. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    In an attempt to fix the problem earlier, I made a change in the Norton firewall settings. I might have done something wrong.

    Here is a screenshot of the settings, the firewall doesn't talk English but I have done some translations on the screenshot.

    The two settings that I'm in doubt about, are those in the green box. I suspect that both of them used to be "Allow", at least one of them was "Allow" until I poked around.
    http://img33.imageshack.us/img33/6443/firewallgeneralrules1.png
    Should both of them be "Allow"? Right now both are "Block".

    Please don't give advice unless you really understand this.

    I don't know what ICMP is, nor do I know what it should be allowed to do.
     
  9. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I block ICMP because it is not needed.
     
  10. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    Ok..



    I don't understand much of it, but it sounds as if I don't need this, at least not incoming. Not sure if I'll ever need to allow outgoing ICMP.
     
  11. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Not all ICMP packets are dangerous. Some of them are just used to finish some crime. For example, ICMP code 0 type 8 is used to probe if the target computer is alive.
     
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Not needed for transfers, but ICMP is good for diagnosing connection problems. An ICMP packet will tell you, for example, exactly why your connection isn't working or why you cannot establish a connection to a given host.

    The most popular application of ICMP protocol is when you perform a traceroute. If you block all ICMP packets, then this will not work, so whether ICMP will be needed or not depends on your personal needs. Simply stating that ICMP is "not needed" is pretty much incorrect.

    Yes.
    ICMP protocol is not a state-oriented protocol, so your firewall has no way of knowing if inbound ICMP packets belong to an outbound request or are simply unsolicited. There are ways to circumvent this by creating a state-table that will allow ICMP inbound for a certain amount of time, based on what has been requested by outbound.
    Unfortunately, Norton firewall simply generalizes all ICMP and gives you an option to "allow" or "block".
    As I said above, if you have a need at least for a traceroute to work properly, you would need to leave this tick on "allow" (inbound). If not, then untick it, this will not affect normal browsing, downloading, DNS resolving and other network functions.

    Cheers,
     
  13. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    A router will enable you to connect more than 1 PC to the net. It does so by creating a local network and assigning each of your PCs an internal network address. It then uses a NAT technique to "route" inbound packets to each address they belong to, based on what has been requested by the outbound.

    Some do, some don't, but you have a combo.

    Basically speaking (from a common user perspective) by using your device in NAT-mode, you are safe without a software firewall, as NAT will drop all unsolicited inbound requests.
    However, tests have shown that Windows firewall proved to be a worthwhile effort.

    Router inbuilt firewalls will stop ALL unsolicited connections even if the ports are technically still opened (your case), so you're good to go even if you didn't disable the router features (FTP and Telnet servers) that open these ports. But take care, if you need to use any server application in the future (example: torrent), you would need to disable the firewall and correctly set up your router for the server app to work properly.

    It was good advice. You just need to set up your router correctly.

    On behalf of everyone involved, you are welcome.

    Cheers,
     
  14. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    Although you don't say so, I get the understanding that both outbound and inbound should have the same setting and be blocked (or allowed).
     
  15. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    I really appreciate the good answers I get from you guys. :D



    So the router is actually a modem with multi user capability.


    Okay! :) Is it because the router firewall won't work if I use it as a modem and not as router? o_O
    I do not run a server, no torrents, and I have only one pc. So I do not see nor understand the benefit of using the router mode. I guess I must have missed something?

    However I do see a tiny tiny disadvantage with the router mode:
    Now when I use it as router, I have to physically unplug the pc from internet, or switch off the router.
    When I use the router in bridged mode (use it as a modem), I get this nifty icon on the desktop letting me connect and disconnect internet.
     
  16. Michael York

    Michael York Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    56
    Hi Percival,

    This is Mike from the Norton Authorized Support team.

    It looks like you have received assistance from the other forum members regarding your initial posting. I provide technical support for Norton products, and I just wanted to let you know that, as long as you have a valid subscription to Norton Internet Security, that you are entitled to a free update to the 2010 version which was recently released.

    The 2010 version of Norton Internet Security contains many enhancements and new features that did not exist in the 2007 version, and I would strongly encourage you to update.

    Please NOTE, while this process will update your software to the latest version, it will not extend your subscription.

    To update to the latest version, please visit the Norton Update Center at the link below.

    Norton Update Center

    The new installer will automatically recognize that you have a previous version installed and, to keep your computer protected, the older version will not be removed until you reboot your system after the update is complete.

    Thank you,
    Mike
     
  17. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    I'm sorry if I wasn't clear enough. For ping, traceroute, to work as they should, both outbound and inbound ICMP should be allowed (in Norton's case). There may be cases where, for example, you wish to remain unresponsive to pings, then inbound ICMP should be disabled.

    That's the basic idea of NAT - to reduce the consumption of WAN addresses by placing hosts on a LAN.
    But even with a single PC, NAT will provide a good line of defense - all inbound will be blocked (not processed by NAT) if it's not requested by the outbound. Outbound-inbound solicitation is defined by a timeout.

    No, in bridge mode, firewall won't work. Bridge mode is a direct connection, and all unsolicited comms pass through.

    In a similar vein, you can set the network icon to show in the taskbar (from NIC properties), then enable/disable the connection from the taskbar with r-click :D

    Cheers,
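
The state table Seer describes for ICMP in post #12, and the timeout-bound solicitation from post #17, sketched as an added example (not part of the thread, and not how Norton or the Speedtouch implement it). The class name, timeouts and documentation-range addresses are assumptions.

```python
# Added example: a minimal state table, not Norton's or the router's actual logic.
ECHO_REPLY, ECHO_REQUEST = 0, 8            # ICMP types (RFC 792)
TIMEOUT = {"icmp": 10.0, "udp": 30.0}      # assumed solicitation windows, seconds


class StateTable:
    """Lets inbound traffic in only while a matching outbound request is fresh."""

    def __init__(self):
        self.flows = {}                    # (proto, remote, ident) -> expiry time

    def outbound(self, proto, remote, ident, now, icmp_type=None):
        # Only an echo request solicits an ICMP answer; other ICMP is not tracked.
        if proto == "icmp" and icmp_type != ECHO_REQUEST:
            return
        self.flows[(proto, remote, ident)] = now + TIMEOUT[proto]

    def inbound(self, proto, remote, ident, now, icmp_type=None):
        if proto == "icmp" and icmp_type != ECHO_REPLY:
            return "drop"                  # e.g. an unsolicited ping (type 8)
        key = (proto, remote, ident)
        expiry = self.flows.get(key)
        if expiry is None:
            return "drop"                  # nothing outbound asked for this
        if now > expiry:
            del self.flows[key]            # window closed before the answer came
            return "drop"
        if proto == "icmp":
            del self.flows[key]            # one reply per echo request
        else:
            self.flows[key] = now + TIMEOUT[proto]   # active flow stays open
        return "allow"


def demo():
    """Run constructed packets (documentation addresses) through the table."""
    fw = StateTable()
    ping = ("icmp", "203.0.113.7", (0x1234, 1))      # echo id, sequence number
    dns = ("udp", "192.0.2.53", (40000, 53))         # local port, remote port
    fw.outbound(*ping, now=0.0, icmp_type=ECHO_REQUEST)
    fw.outbound(*dns, now=2.0)
    return [
        fw.inbound(*ping, now=0.05, icmp_type=ECHO_REPLY),     # solicited reply
        fw.inbound(*ping, now=0.06, icmp_type=ECHO_REPLY),     # replayed reply
        fw.inbound("icmp", "198.51.100.9", (7, 1), now=1.0,
                   icmp_type=ECHO_REQUEST),                    # stranger's ping
        fw.inbound(*dns, now=5.0),                             # answer in time
        fw.inbound("udp", "198.51.100.9", (40000, 53), now=6.0),  # wrong sender
        fw.inbound(*dns, now=40.0),                            # too late
    ]


if __name__ == "__main__":
    print(demo())
```

ICMP error messages such as time-exceeded, which traceroute relies on, would have to be matched against the original header quoted inside the error; this sketch simply drops them.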
     
  18. JohnnyDollar

    JohnnyDollar Guest

    Hey Percival,

    I just wanted to add a little something about your Norton product. From what I can remember NIS 07 was a heavy son of a gun in terms of resource usage and system slowdown. Unless you have killer hardware specs then I would suggest installing SP2 and then doing a free upgrade to NIS 2010. I think it is a lot lighter. Not sure but think it requires SP2 and .NET Framework 2.0, at least I think NIS 08 did. You will probably notice a big difference in performance, especially if you have older hardware.
     
  19. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    Hi!
    Are you volunteers, similar to MSVP's?
    I'm getting a new NIS license for free each and every year, so I've been using NIS since 2002 or 2003. The reason that I didn't install the 2008, 2009 and 2010 versions is that NIS 2007 is the latest version that works with XP SP1.

    I just couldn't be bothered with upgrading to SP2 yet. For a long time I shunned SP2 because of its reputation, and later I didn't bother upgrading because of a number of other reasons. I have decided to upgrade to SP2 (perhaps even SP3), but my PC is not ready.
    The pc could have been ready a long time ago, had I not been lazy. "Why do today what I can do tomorrow?" :p

    I have buried myself behind a few security tools, and with the help of others edited the registry to fix a few security issues that Microsoft fixed in SP2.



    Hi!
    Lol, what do you say about 800 MHz and 384 MB RAM, is that "killer hardware"? :p
    It's slow going and I think NIS is much to blame for it.
    This notebook had originally 64 RAM and was shipped with Windows 2000, the upgrade path has not much more to offer.

    I'm trying to use light weight software, for example I replaced Adobe Reader with Foxit Reader. If the new NIS is less of an elephant then I look forward to try it. I had been considering going back to an even older version of NIS, or replacing NIS with light alternatives like Zone Alarm and AVG. But maybe NIS 2010 will be my saviour. :)

    Funny that the newer versions need .NET Framework, but I already got .NET installed.
     
  20. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    I think you know more than my ISP tech support. The guy I spoke with knew that router mode is better than bridged, but he was unable to explain why. Some of the people at tech support are experts, some others seem to possess somewhat limited knowledge.
    Perhaps it's not a coincidence that NIS has not reported port scans in a very long time now (I've been using router mode for a few months). ;)



    I'll try that! :D

    ----------------
    I have read that the average online pc is "attacked" every two seconds. So I've wondered if a pc can be vulnerable for a brief moment during booting and shutdown. :doubt:

    In this thread I learned that the router firewall offers good protection, but let's say that someone used a modem with no hardware firewall.

    NIS Autoprotect can be set to load at system startup, which probably means before Windows login. I'm not sure if the firewall loads before Windows login, but probably it does.

    Logging out of Windows / shutdown I am more unsure about. I don't know at what point NIS is unloading and at what point the ports are powered down. Logging out or shutting off the pc takes long time sometimes. I'm not sure if this is a theoretical risk or not.
     
  21. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    There is a utility from Sysinternals called LoadOrder that you can use to check how soon in the startup process your NIS drivers are being loaded. In this example, you can see my firewall (L'n'S), in its group of TDI drivers, is loading at system startup just after TCP/IP and IPSEC drivers (the exact load order in a group is determined by a driver Tag, the lower the number, the sooner the driver will load) -

    LO250909.png

    The login prompt (winlogon.exe) loads only after all these services/drivers are successfully started, with all your startup applications following.
    To fully understand the boot order of drivers/services, take a look at GroupOrderList and ServiceGroupOrder registry values.

    On system shutdown, service control manager sends every service a shutdown command (SERVICE_CONTROL_PRESHUTDOWN control code). A service has to respond in a timely fashion to this message or service control manager will just kill it after the timeout expires. The end result of this is that there is no defined order of services shutting down.
    It is important to know that your NIS drivers are loaded as services, so they will be unloaded on shutdown as services as well, that is, after the user logout.

    Cheers,
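
How the ServiceGroupOrder and GroupOrderList values mentioned in post #21 combine with each driver's Start, Group and Tag values, as an added example (not part of the thread and not output from LoadOrder). The registry data is constructed, `examplefw`, `latefw` and `busdrv` are hypothetical names, and service dependencies are ignored.

```python
import struct


def parse_tag_order(blob):
    """GroupOrderList value (REG_BINARY): DWORD count, then the tags in load order."""
    (count,) = struct.unpack_from("<I", blob, 0)
    return list(struct.unpack_from(f"<{count}I", blob, 4))


def load_order(services, group_order, tag_orders):
    """Sort drivers/services by start phase, then group, then tag.

    services:    name -> {"Start": int, "Group": str or None, "Tag": int or None}
    group_order: the group names from the ServiceGroupOrder 'List' value
    tag_orders:  group name -> tag sequence parsed from GroupOrderList
    """
    def key(item):
        name, svc = item
        group, tag = svc["Group"], svc["Tag"]
        # Entries whose group is not listed load after all listed groups.
        g = group_order.index(group) if group in group_order else len(group_order)
        # Within a group, position in the tag list decides; untagged entries go last.
        tags = tag_orders.get(group, [])
        t = tags.index(tag) if tag in tags else len(tags)
        # Start: 0 = boot, 1 = system, 2 = automatic. The name is only a
        # deterministic tie-break for this example.
        return (svc["Start"], g, t, name)

    return [name for name, _ in sorted(services.items(), key=key)]


# Constructed sample shaped like the registry data (not read from a real system).
GROUP_ORDER = ["System Bus Extender", "NDIS", "PNP_TDI", "TDI"]
TAG_ORDERS = {"PNP_TDI": parse_tag_order(struct.pack("<4I", 3, 2, 1, 3))}
SERVICES = {
    "Tcpip":     {"Start": 1, "Group": "PNP_TDI", "Tag": 1},
    "IPSec":     {"Start": 1, "Group": "PNP_TDI", "Tag": 2},
    "examplefw": {"Start": 1, "Group": "PNP_TDI", "Tag": 3},   # hypothetical firewall driver
    "latefw":    {"Start": 2, "Group": None, "Tag": None},     # hypothetical auto-start service
    "busdrv":    {"Start": 0, "Group": "System Bus Extender", "Tag": None},
}


def demo():
    return load_order(SERVICES, GROUP_ORDER, TAG_ORDERS)


if __name__ == "__main__":
    print(demo())
```

A firewall component that appears late in this list (here `latefw`) is the one to look at when asking whether the network stack is up before filtering is.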
     
  22. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    If you want to be certain that NOTHING connects before everything's loaded, then don't have your Router/Modem physically plugged in to the wall etc socket until afterwards.

    Also you can arrange to only connect after you've personally enabled it. See my screenie.

    netw.png

    And before you shutdown the PC r-click on the taskbar icon and close the connection.


    Seer

    Thanx for the Load Order tip, very useful.
     
  23. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China

    I think it is just a physical device's (network card) dial-up. When you turn on your modem or router, they will connect to the Internet to register an IP address automatically.
    And then you can dial up with your account. At that time, you can surf on the Internet via web browser etc.
     
  24. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    What does NIC mean? I was confused by the name since I don't have that. But I have a folder in the XP Control Panel, it has a name that means "network connections". It seems as if this is what you called "NIC" and I'm curious what NIC means.

    From the network connections folder, making a shortcut from the "LAN Connection" to the desktop worked.

    I discovered something new beside the Lan Connection that was not there when I used the router in bridged mode. The new thing is categorized as "Internet-gateway" (actually in English heh). What is this? Its properties have almost no options. The Internet-gateway disappears when I disconnect the router and comes back when I turn on the router.
     
  25. Percival

    Percival Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    47
    That connection is not in use when I use a router. :) Some months ago when I used the router in bridged mode, I used to have a shortcut to that connection on the desktop. It worked then, but not now.
     