ZAPro ports settings

Discussion in 'other firewalls' started by Jooske, May 24, 2003.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi all,
    Using ZAPro, with the last update it was problematic and instead of an upgrade it became a clean install instead.
    Have to go for a new d/l as the 3.7.159 was corrupt and refused to install properly, resulting in a mix with 3.7.098 at the moment, so as soon as I get a better d/l I'll have to go through uninstalling completely and retry to get one complete version there. I do hope to be safe till then: I see so many other ports than I ever saw portscans on before, so either there is better blockage now or logging is better, since I put the Internet zone now on highest, which was never possible in older versions together with getting connected.
    Remember the older Rnaap.dll problems, all the internet was complaining about, which weren't there if keeping the Internet zone at medium security?
    Now on high I should be stealthed and thus I'm surprised about the hundreds of --for me-- strange port scans.


    I used to be rather happy with my blocked ports in the older version, but now I don't remember!
    Any special recommendations for the trusted and Internet zone, which extra ports to block?

    Some time ago there was a discussion too for Outlook Express about which few ports to allow in ZAPro; I can't find the thread back, so maybe others know?

    Saw today so many portscans on 17300 (default for the RAT Kuang2 the Virus, says my PE) so I added that too, but I think there are better ideas!
    Thanks a lot!
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Jooske

    Settings information for Outlook Express is in LWM's post Zone Alarm Plus/Pro Program Options.

    With ZAP set to High for the Internet Zone it should block everything for you. As for all the blocked inbounds you are seeing, not much you can do about those other than let ZAP do its job. Just disable the pop-up alerts so you are not constantly bombarded by them. Review your logs regularly if you want to keep an eye on what's going on.

    If you have any other specific questions, ask away... :)

    Regards,

    CrazyM
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Jooske,

    Install cleanup:
    When you do get a clean download of the ZAP 3.7.159, you'll want to do a full cleanup of your previous install using these(link) instructions from Zone Labs, including all the manual steps. (Note that these instructions are still current despite the website saying they are for the previous version of ZAP.)

    Blocked probes at High:
    With the Internet Zone security set on High you will see more blocked probe alerts than at Medium. The High setting defaults to blocking and alerting on all ports probed, so there is no need to add any extra blocks manually anywhere. (At High setting in the firewall tab of ZAP, the only optional settings are to allow things in, there are no additional block settings to make.)

    To stop blocking some ports:
    If you want to allow some ports that you are not listening on, you can do that and this will reduce the alerts that you see. If you allow a TCP or UDP port in ZAP > Firewall(pane) > Internet Zone Security > Custom > Allow incoming... (lists) this will cause your system to not stealth that port. So long as you aren't allowing any program to listen (act as server) on that port, the port will respond as closed. (I have a few such ports (file sharing & SQL worm) set myself: 1214, 1433, 6346-6348 just because I don't run any of those and really don't need to see alerts on them in my log.)

    Outlook Express post:
    Hmm, seems I've heard of that thread: here :D And some extra background: here

    Anything else? ;)
     
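    The "review your logs regularly" advice above is easier to follow with a small summarizer. The following is an added example, not code from ZoneAlarm or from anyone in this thread; it assumes a ZoneAlarm-style FWIN log line layout (type, date, time, source ip:port, destination ip:port, protocol) and uses constructed sample lines, flagging destination ports probed repeatedly from distinct sources, the pattern Jooske saw on 17300.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed ZoneAlarm "FWIN" log layout:
# type,date,time,source ip:port,destination ip:port,protocol (flags)
SAMPLE_LOG = """\
FWIN,2003/05/24,10:31:14 +2:00 GMT,10.0.0.7:2048,192.0.2.5:17300,TCP (flags:S)
FWIN,2003/05/24,10:31:15 +2:00 GMT,10.0.0.8:2049,192.0.2.5:17300,TCP (flags:S)
FWIN,2003/05/24,10:32:01 +2:00 GMT,10.0.0.9:1033,192.0.2.5:1433,TCP (flags:S)
FWIN,2003/05/24,10:33:40 +2:00 GMT,10.0.0.10:4321,192.0.2.5:17300,TCP (flags:S)
FWIN,2003/05/24,10:34:02 +2:00 GMT,10.0.0.11:53,192.0.2.5:137,UDP
FWOUT,2003/05/24,10:35:00 +2:00 GMT,192.0.2.5:1050,10.0.0.1:80,TCP (flags:S)
this line is malformed on purpose and must be ignored
"""

# Ports mentioned in this thread, with the labels the posters gave them.
KNOWN_PORTS = {
    17300: "Kuang2 RAT default (Jooske's PE alert)",
    1433: "SQL worm traffic (LWM)",
    1214: "file sharing (LWM)",
    6346: "file sharing (LWM)", 6347: "file sharing (LWM)", 6348: "file sharing (LWM)",
}

LINE_RE = re.compile(
    r"^(?P<kind>FWIN|FWOUT),(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP|ICMP)"
)

def parse_blocked_inbound(text):
    """Return (proto, dport, src) for every blocked inbound (FWIN) line."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] != "FWIN":
            continue  # outbound blocks and malformed lines are skipped
        probes.append((m["proto"], int(m["dport"]), m["src"]))
    return probes

def summarize(probes, min_hits=2):
    """Count probes per (proto, port) and report ports hit at least min_hits
    times, with the number of distinct sources (a sweep shows many sources)."""
    hits = Counter((p, d) for p, d, _ in probes)
    sources = {}
    for p, d, s in probes:
        sources.setdefault((p, d), set()).add(s)
    return [
        {"proto": proto, "port": port, "hits": n,
         "distinct_sources": len(sources[(proto, port)]),
         "note": KNOWN_PORTS.get(port, "not discussed in the thread")}
        for (proto, port), n in hits.most_common() if n >= min_hits
    ]
```

    Point it at a real ZALog.txt (verify the field order against your own file first) to see which ports dominate your blocked-inbound alerts before deciding whether any deserve a closed-instead-of-stealth setting.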
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi LowWaterMark,

    I have a question - I would like to understand your statement above a little bit better. If I understand you right, not all of your ports are stealthed; some of them respond as closed. Don't you regard this as a weakness in your system (security)? Perhaps I'm paranoid, but I always try to stealth every port on my computer. The reason is that when an attacker is performing a portscan, he won't get any response from my system. Like that he thinks that there's no computer at this particular IP address or the computer is down. So he continues to attack other computers. What do you think about all that?

    Thanks for enlightening me! ;)

    Best regards,

    Patrice
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Patrice,

    As you know, there are differing opinions regarding the value of stealth. I'm one of those that does not believe that stealth makes you more secure. Since I have no control over what the last router inline to my system does and does not respond to (i.e. it will not send the normal "ICMP Destination Unreachable (Host Unreachable)" message that would be returned if no computer was actually at my IP), I can never truly be stealthed.

    By making a single connection attempt, on a single port that is stealthed by ZA on my system, a knowledgeable person would know there is a system running a firewall there simply by not receiving that ICMP message.

    Now, the reason I run stealth at all is merely because stealth comes with the High setting in ZA. I set High because of the other benefits it provides. (In ZA, a High setting is a complete set of default settings, and while stealth is part of it, there are actually other defaults there I prefer, so that's why I use it.)

    In any case, there are also times I prefer to respond to some connection attempts. For example, I have a dynamic IP address that changes daily or more often (at any reconnection, in fact), and I find that file sharing systems keep retrying almost indefinitely if I stealth those ports. But, they stop reconnection attempts very quickly if they get a normal closed response from my system. So, I prefer showing closed on those. Personally, I wish file sharing software was coded better in this regard. :rolleyes:
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi LowWaterMark,

    O.k., now I understand your statement! I think we already discussed this issue briefly once. When you are talking about ICMP Destination Unreachable (Host Unreachable), which portscanners are you talking about? The ones I know don't show me this message at all. Am I missing something? I would like to test that myself as well (I'm wondering what my system sends out). ;)

    Best regards,

    Patrice
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    I don't know of any of the standard scanning sites (PC Flank, GRC, etc.) that would ever need to provide this information... After all, the systems they are scanning are supposed to be systems that are actually online (i.e. the system that initiated the scan). Also, I don't think any of them let you pick the IP address to scan - (they figure out the address of the system making the request and test only it) - therefore, you can't target these scanners at some other real IP address.

    I think to test this you'd need to use something like nmap, and scan a known IP address that is being routed to, but where the system at that address is currently down and the network it is on has not black-holed the address. (Or, maybe I'm just making this more complicated than it needs to be. Perhaps someone else can suggest an easier testing scenario.)
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    LWM
    I think you would likely need a static IP or fixed DNS name for that test to work. Most home users have dynamic IPs and no fixed DNS. But as you note, a lot can happen along the Internet highway with the way things are routed and what traffic ISPs might be blocking that affects the whole stealth debate.

    Regards,

    CrazyM
     
  9. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi LowWaterMark & CrazyM,

    sorry I didn't specify the portscanners well enough. I wasn't talking about online scanning sites (tools for kids :D) but about real port scanning tools like you mentioned in the second half of your post (nmap, Superscan,...). I'm using those to check computers for vulnerabilities. They don't provide me with the information ICMP Destination Unreachable (Host Unreachable) if a computer doesn't respond. Either I'm doing something wrong (this is probable :doubt:) or they don't receive such a signal and therefore don't show it.

    CrazyM, you don't need to have a static IP or fixed DNS name to test that as far as I know. For example, if I have the IP address you have at the moment I can try to scan your IP. If you are secured well enough I won't get any response from your system. But if there's a closed port, which is going to respond to me, then I know that a computer is up & running. Do you understand now what I meant?

    Hope this makes things more clear! ;)

    Best regards,

    Patrice
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Patrice

    Have you tried scanning a known system/IP that is off-line to see what response you get?

    This is what I believe LWM was referring to. You scan a system/IP, the host is off-line, you could get a Host Unreachable from the network = someone is there, just not up and running = so much for stealth (trying to be invisible).....or the network may drop the packets for the system/IP that is off-line and you get no response = stealth. Or you could get the Host Unreachable and think a system is there and there is no system at/using that IP. There are a lot of variables that can come into play that affect your ability to be truly stealth. ISPs blocking certain traffic is another. Do they drop the packets, or do they respond in one form or another?

    I realize that, but to test/demonstrate what LWM was referring to, I was suggesting it would probably be better to test known and willing participants/systems with fixed IPs, so you know when they are and are not off-line, and on different networks (ISPs) to see how they respond or don't respond. Rather than scanning random IPs on different networks with the usual unknowns and where unwilling participants and your ISP might object ;).

    Regards,

    CrazyM
     
  11. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi CrazyM,

    thanks for your answer! I once did such tests where the computer wasn't/was running. But I don't remember exactly, so I should redo the tests to be 100% sure about it before I say it's not giving me the information ICMP Destination Unreachable (Host Unreachable). I will see how I can do these tests again.

    By the way, if you have a router in front of you, it doesn't matter if your computers are up or down, because the router is always up. But I'm sure you are aware of that. In my case I will test it with the router first and then try it without the router. O.K., now I need a victim... ;)

    Best regards,

    Patrice
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Absolutely. The point I was getting at is in regards to the destination IP being completely offline, whether or not that IP belongs to a router or system doesn't matter. If a router is the target of a scan and that router is up & running, but all systems behind that router are down, that IP is still online of course, and the last ISP router before that IP address knows there is something at the target IP and delivers the packets to it. It will not respond with any type of ICMP unreachable message because something is really there.

    As CrazyM has said, a lot depends upon the configurations involved and the most important configuration is that of the ISP that owns the address / range in question. How are their routers configured? Proper (traditional) TCP/IP networking configuration would support the full range of ICMP messages, whose purpose is to inform the sender of such things as host unreachable and many other messages I'd call "network health" messages.

    If some ISPs are also dropping or blocking some of the ICMP messages (perhaps as part of a greater DoS protection scheme), then such response messages would not come back.

    Wow, did we get a long way away from Jooske's original question. ;) Sorry Jooske! Have you tried the cleanup steps from Zone Labs yet? Let me know if you have any further issues. :)
     