[pchelpers] Re: Stealth Scan

(There is "no" limit -- at least nothing short of huge -- to the length 
of an email you can send to Pchelpers, only to the length of 
consecutively quoted text. I'm sure you can send an email
that's at least 10 pages long without any problems. And if you're
quoting when answering, you can quote all of those ten pages as long as
you insert a comment after every 30th line.)


Back to firewalls and blocking all ports:

I think the trick to finding the applications listening on open ports is 
to open all programs that might need to connect to the
Internet. They can't show up in Sygate's main window if they're not running.

You also get some help from the online scan's results. You didn't quote 
what it said next to the port number. Next to 80 it probably said "web". 
So, all you have to do to completely block (i.e. hide, stealth) that 
port is to turn off "act as server" for Firefox, IE, and any other 
browser you might use.

Port 113 is a bit trickier. What does the scan say about that? You might 
need to keep "act as server" here since this sounds like what might be 
an authentication for/by your ISP:
http://www.iss.net/security_center/advice/Exploits/Ports/default.htm

Once again, however, the basic simple rule for all firewalls is this: 
turn off and shut anything you don't need. If you then have trouble 
connecting to the Internet, just turn that application or its rights 
back on again.

If you can't find any program listed in Sygate's main window that is 
listening on port 113 (despite having turned on all programs that might 
want to connect to the Internet), you should go through Sygate's list of 
programs in the application window and turn off "act as server" for all 
programs listed there. If you do it for a few each day, it won't be too 
much of a pain even if the list is long. You can save a lot of time by 
deleting any entries with a question mark. And while you're looking at 
the list, make sure nothing is listed as allowed (checkmarked) that 
you're not sure about. Everything should be blocked (marked with an X) 
unless you know what it is. There are plenty of stories of people who 
have spyware and even trojans listed in their firewalls as "allowed" 
because they clicked OK when their firewall asked the first time.

Here 
http://forums.sygate.com/vb/showthread.php?s=c7c266ead00a2fb9486fd1dc1ffec35c&threadid=9631
are the instructions again for turning off "act as server" and info 
about what few programs are an exception:

open up the SPF Applications list (Applications button, or click Tools /
Applications). Select the relevant application name, click the Advanced
button, and untick ‘Act as Server’. That will stop that application
accepting any Incoming connections, so that will close the open port –
if not, just post back to the forum, and we can advise.

It’s better to untick ‘Act as Server’ for most things unless you need
it. Browsing the Internet with eg. Internet Explorer, or collecting your
mail using eg. Outlook Express, do not need to have ‘Act as Server’
enabled, as they only need Outgoing connections, not Incoming. With all
the Windows low-level processes, it’s also better to remove ‘server’
access – if you run your own network and that stops any LAN connections,
you can restore it in a better way by creating an Advanced rule in SPF
to trust your LAN client machines. So the applications that will need
‘Act as Server’ enabled will be things like on-line chat (MSN Messenger
etc.), file-sharing apps such as Kazaa, Morpheus etc., on-line games
apps., if you use Media Players to ‘stream’ on-line, or if you prefer to
use FTP in normal mode (as opposed to Passive mode).

Basically, if you’re not sure, remove ‘server’ access, and if you get a
problem, look in your traffic logs – if you see blocked Incoming access
trying to reach the relevant application, then it might be time to
restore ‘server’ access.

Ek


DonBieber@xxxxxxxxxx wrote:
> Thanks for giving this consideration, This is what appears in the
> Sygate box:
> ntoskrnl.exe, UDP, listen, port 445
> ntoskrnl.exe, TCP, Listen, port 445
> ntoskrnl.exe, UDP, listen, port 138
> ntoskrnl.exe, UDP, listen, port 137
> ntoskrnl.exe, TCP, listen, port 139
> lsass.exe, UDP, listen, port 500
> lsass.exe, UDP, listen, port 4500
> svchost.exe, UDP, listen port 1032
> svchost.exe, UDP, listen port 1069
> Thunderbird.exe, TCP, Connect, port 1342, remote port 1341
> wwDisp.exe, UDP, Connect, local port 1071, remote port 1071
> (WindowWasher)
> 
> "hide Windows services" unchecked "hide broadcast traffic" unchecked
> 
> I rechecked the Sygate port check at 
> http://scan.sygate.com/stealthscan.html Port 80 now says closed, This
> port has responded to our probes. This means that you are not running
> any application on this port, but it is still possible for someone to
> crash your computer through known TCP/IP stack vulnerabilities. Port
> 113 now says closed, This port has responded to our probes. This 
> means that you are not running any application on this port, but it
> is still possible for someone to crash your computer through known
> TCP/IP stack vulnerabilities. The rest say blocked, This port has not
> responded to any of our probes. It appears to be completely
> stealthed.


-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.