OT: Should these ports be open, on dsl router? |
swood | May 19 2004, 02:55 PM | Post #1
Senior Member Group: Members Posts: 1,839 Joined: 6-February 03 From: Strong Beach Member No.: 251 Region Association: None
21 FTP - we access, but don't support our own ftp server
23 Telnet - we do not use telnet
I swear we're getting infiltrated. Gotta button the ship up.
r_towle | May 19 2004, 03:12 PM | Post #2
Custom Member Group: Members Posts: 24,585 Joined: 9-January 03 From: Taxachusetts Member No.: 124 Region Association: North East States
Shut down everything but port 80 (http) and port 25 (smtp). I cannot remember what port POP is, but that also needs to be open. You use both smtp and pop to send and receive email. You might need another few ports open for establishing the connection with your ISP, but you will find out soon enough. Windows XP has a built-in firewall you need to turn on.
Rich
Pnambic | May 19 2004, 03:22 PM | Post #3
Honk if you like obscene gestures! Group: Members Posts: 914 Joined: 9-April 03 From: Atlanta, GA Member No.: 546 Region Association: South East States
POP is generally port 110.
Are you using a router? What makes you think you are being infiltrated?
swood | May 19 2004, 03:35 PM | Post #4
Senior Member Group: Members Posts: 1,839 Joined: 6-February 03 From: Strong Beach Member No.: 251 Region Association: None
I used the Symantec security check (may be cheesy, I know) and that's the results it came up with. We're getting all sorts of virus activity and we're just arguing about why that is.
Yes, we have a router. I'm not sure what type, but we have about 12 PCs connected to it.
airsix | May 19 2004, 03:44 PM | Post #5
I have bees in my epiglotis Group: Members Posts: 2,196 Joined: 7-February 03 From: Kennewick Man (E. WA State) Member No.: 266
Did you scan from inside or outside your network? You can't get an accurate scan unless you do it from the outside.
Open ports are only for initiating connections. If you are not hosting a service you don't need to open a port for it. In other words, you only need port 80 open if you are HOSTING a web-server. The router will still forward web traffic because the request came from the inside. Open ports are only for requests coming from outside. PM your router's external IP if you would like me to scan it from the outside.
Your virus problem is probably coming through web browsing (Internet Exploder) or email (Lookout). Nothing your router can do to stop IE/OL exploits.
-Ben M.
vortrex | May 19 2004, 03:48 PM | Post #6
Senior Member Group: Members Posts: 1,687 Joined: 24-December 02 From: SF, CA Member No.: 4 Region Association: None
airsix is right. Any services you are accessing in the outside world (ftp, http, etc.) will reply back to you on a random port above 1024. The only service I can think of that you will need open is udp port 68 (bootpc) if your machines are doing dhcp.
swood | May 19 2004, 04:12 PM | Post #7
Senior Member Group: Members Posts: 1,839 Joined: 6-February 03 From: Strong Beach Member No.: 251 Region Association: None
QUOTE(airsix @ May 19 2004, 01:44 PM): PM your router's external IP if you would like me to scan it from the outside. Your virus problem is probably coming through web browsing (Internet Exploder) or email (Lookout). Nothing your router can do to stop IE/OL exploits. -Ben M.
How do I find out my router IP? I'll send it to you. We use IE and Outlook virus sponges. Probably how we get infections. Also use eTrust antivirus that updates daily.
vortrex | May 19 2004, 04:15 PM | Post #8
Senior Member Group: Members Posts: 1,687 Joined: 24-December 02 From: SF, CA Member No.: 4 Region Association: None
skline | May 19 2004, 05:01 PM | Post #9
Born to Drive Group: Members Posts: 7,910 Joined: 26-December 02 From: Costa Mesa, CA Member No.: 17 Region Association: Southern California
You can always go to www.grc.com and do a test on your network. It's Gibson Research and they can check your connection and tell you what ports are open and if your network is vulnerable. I used to test clients' networks all the time.
SirAndy | May 19 2004, 05:04 PM | Post #10
Resident German Group: Admin Posts: 41,669 Joined: 21-January 03 From: Oakland, Kalifornia Member No.: 179 Region Association: Northern California
QUOTE(swood @ May 19 2004, 01:55 PM): 21 FTP - we access, but don't support our own ftp server 23 Telnet - we do not use telnet
NOTHING on your DSL router should be open INBOUND unless you host your own Web-Server or FTP-Server or Quake-Server ... you don't need ANY inbound port open to access outside resources!
Andy
SirAndy | May 19 2004, 05:08 PM | Post #11
Resident German Group: Admin Posts: 41,669 Joined: 21-January 03 From: Oakland, Kalifornia Member No.: 179 Region Association: Northern California
Of course, some DSL providers leave those ports open so they can remote access and troubleshoot the router ...
I had a guy from my provider boost my download throughput once while I was on the phone with him. He just telnetted (sp?) into the router and changed the settings ... but, if you have access to the router (usually through a web-interface) from the inside of your network, just close all open ports on the outside ...
Andy
bperry | May 19 2004, 06:20 PM | Post #12
Lurker Group: Members Posts: 477 Joined: 16-February 04 From: Dallas, Tx Member No.: 1,661
Ah, finally a topic I'm very familiar with...
Would help to know a bit more about your topology and if this is for a home or business environment along with the type of routing you are doing. Are you doing any sort of NAT or NAPT? Many small home routers such as Linksys do not allow you to separately filter inbound/outbound ports, so you have to be careful and sometimes creative with what you filter because their filtering capabilities are so limited.
Also, there is a lot more than just HTTP, POP, & SMTP that you are going to want to allow to have a working/functioning system and a good WEB browsing experience (HTTPS & DHCP immediately come to mind). There are other things like instant messaging stuff, RealVideo/Audio etc....
The main thing is to block the nasty areas that are easily exploited on Microsoft machines. The big one is multicast/broadcast protocols such as NetBT, which is microsloth's NetBEUI stuff slammed out in broadcast UDP packets.
If you can explain your environment and what you are wanting to do in more detail, I'm sure we can fix you up. But keep in mind that most viruses are spread due to Microsoft's lack of any security in things like IE and Outlook and Outlook Express.
--- bill
airsix | May 19 2004, 10:38 PM | Post #13
I have bees in my epiglotis Group: Members Posts: 2,196 Joined: 7-February 03 From: Kennewick Man (E. WA State) Member No.: 266
QUOTE(bperry @ May 19 2004, 04:20 PM): Many small home routers such as Linksys do not allow you to separately filter inbound/outbound ports, so you have to be careful and sometimes creative with what you filter because their filtering capabilities are so limited. Also, there is a lot more than just HTTP, POP, & SMTP that you are going to want to allow to have a working/functioning system and a good WEB browsing experience (HTTPS & DHCP immediately come to mind). There are other things like instant messaging stuff, RealVideo/Audio etc.... The main thing is to block the nasty areas that are easily exploited on Microsoft machines. The big one is multicast/broadcast protocols such as NetBT, which is microsloth's NetBEUI stuff slammed out in broadcast UDP packets.
Umm... all that stuff is already blocked. You don't need to create filters for it. In fact you can't manually block it. It's already blocked. All you can do is OPEN it. All the little residential/SOHO routers like the models from Linksys and D-Link have all this stuff set up correctly right out of the box. You don't have to set up packet filters for any of this stuff because all inbound requests are ignored by default, with the exception of ICMP requests, which can be turned off if you wish with a single check-box click. Then 100% of all inbound traffic is dropped and all outbound traffic is masqueraded. In other words everybody can get out and nothing can get in.
Do a port scan on the public side of a Linksys router right out of the box and all you'll get is ICMP response. Turn ICMP off and it's invisible - won't respond to or forward ANYTHING (from outside to inside). You're done. Exhale.
-Ben M.
campbellcj | May 19 2004, 10:49 PM | Post #14
I can't Re Member Group: Members Posts: 4,547 Joined: 26-December 02 From: Agoura, CA Member No.: 21 Region Association: Southern California
QUOTE(SirAndy @ May 19 2004, 04:04 PM): QUOTE(swood @ May 19 2004, 01:55 PM): 21 FTP - we access, but don't support our own ftp server 23 Telnet - we do not use telnet NOTHING on your DSL router should be open INBOUND unless you host your own Web-Server or FTP-Server or Quake-Server ... you don't need ANY inbound port open to access outside resources! Andy
Need to add email to your list...again smtp and pop3 (possibly imap) ports. Since you are running Windows, you really do not even need to open pop3 or imap (or anything but smtp) if you "can" require your external users to connect via a vpn (pptp) account.
Generally you want your "internal" network to run on a non-routable IP block such as 192.168.xxx.xxx and you only want to hang external IPs on the machines hosting your Internet services such as smtp, http, ftp or whatnot.
The port scanner at www.grc.com is a great quick test to see if everything is basically "ok". The test at www.dnsreport.com is also very handy.
SirAndy | May 19 2004, 11:28 PM | Post #15
Resident German Group: Admin Posts: 41,669 Joined: 21-January 03 From: Oakland, Kalifornia Member No.: 179 Region Association: Northern California
QUOTE(campbellcj @ May 19 2004, 09:49 PM): Need to add email to your list...again smtp and pop3 (possibly imap) ports.
I know, I know ... I was just trying to make a point, not compile a comprehensive list ... ;) Bottom line is, if he doesn't run any servers himself, he doesn't need ANY port to be open inbound ...
Andy
bperry | May 20 2004, 08:59 PM | Post #16
Lurker Group: Members Posts: 477 Joined: 16-February 04 From: Dallas, Tx Member No.: 1,661
I respectfully disagree that all the small SOHO routers come properly configured to block everything that you may want right out of the box - at least they didn't when I bought mine (mine is over a year old). The problem is with multicast/broadcast packets. Mine came with multicast passthrough ENABLED. This allowed all the layer 2 protocols that use multicast or broadcast packets to pass back and forth through the router directly to and from the LAN. The easy solution is to block the multicast packets from being bridged, but if you don't or can't do that, then you will need to block some ports. I can guarantee you, if you don't have NETBT blocked and you have/leave multicast passthrough enabled, there are all kinds of things that an evil person on your broadcast segment could do to your machine.
This isn't just an issue for the folks running Cable Modems. This can be true even on some of the DSL networks. Some DSL providers used ethernet backends in the CO so that even though you have isolation within the ATM layer PVC circuits inside the DSL DSLAM, you still have broadcasts on the back side of the DSLAM that end up crossconnecting between the circuits (subscribers) during broadcasts, and multicasts can be going right back out to other subscribers. Some of those DSL providers are running bridging with spanning tree learning which helps, but even then, you do get some cross talk between ports, especially when the central office bridges all the multicast packets.
--------
As an example, here is a real life example of what a knowledgeable evil person can do with a layer 2 multicast packet: Some DSL networks that have ethernet back ends also run PPPoE (PPP over Ethernet). The PPPoE protocol has a message to terminate the session. Due to a limitation in the PPPoE protocol a subscriber can send a slightly malformed version of the message as a broadcast packet, and if the central office bridges this packet around to other subscribers, every single subscriber that receives this message will be disconnected from the network. In this example, the DSL provider (who shall remain nameless) should have done a better job in his topology, configuration, and filtering.
-------------
You have to remember, you are not just trying to block people that are using protocols in normal & standard ways but those that are exploiting mechanisms within the protocols or even bugs within the implementation to gain access or cause harm. Personally, I chose to explicitly block certain ports because I do not want to advertise to my entire neighborhood that I have a Microsloth machine with printer and file sharing enabled. In particular, layer 2 protocols that depend on multicast packets tend to be trusted protocols, and since I don't trust a public network, I chose to filter them all out. I also don't completely trust people's implementations of NAPT. In some implementations it is possible to send a multicast packet from the WAN through the router which generates a unicast response from the LAN which "opens" up the port for further use.
Most of this filtering and port stuff depends on your router, your topology and what you are trying to do. If you have the simple SOHO router running NAT or more likely NAPT, then just make sure that you don't bridge over the layer 2 protocols and the multicast packets, and you should be OK. Perhaps the newer boxes do come with this stuff already disabled. If so, then....., nevermind....
--- bill
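The two positions in this thread (airsix's "unsolicited inbound is dropped, outbound is masqueraded, only hosting needs an open port", posts #5 and #13, and bperry's warning in post #16 that bridged multicast/broadcast traffic bypasses that logic and a LAN reply can open a pinhole) can be seen in a small stateful NAPT model. The following Python is an added illustration written for this page, not code from the thread or from any router vendor; the router class, its `multicast_passthrough` flag and the hosts and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Toy model of a stateful SOHO NAPT router (constructed example).

Outbound connections from the LAN create translation state, replies matching
that state are let back in, unsolicited inbound packets are dropped unless an
explicit port forward exists (i.e. you HOST a service), and a hypothetical
'multicast passthrough' bridge shows how broadcast traffic can bypass the
NAT logic entirely. Addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field

BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NaptRouter:
    wan_ip: str
    # (proto, wan_port) -> (lan_ip, lan_port); only needed when hosting a service
    port_forwards: dict = field(default_factory=dict)
    # Hypothetical knob standing in for the "multicast passthrough" setting in the thread
    multicast_passthrough: bool = False
    # translation table: (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    next_port: int = 49152   # first ephemeral port handed out for masquerading

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Masquerade an outbound packet and remember the mapping so the reply can be matched."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, wan_port), known in self.table.items():
            if proto == pkt.proto and known == flow:
                return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, wan_port)] = flow
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt: Packet):
        """Classify a packet arriving on the WAN side; returns (verdict, packet delivered to the LAN or None)."""
        # Broadcast/multicast is a layer-2 matter: with passthrough on it is bridged around the NAT logic.
        if pkt.dst_ip == BROADCAST or pkt.dst_ip.startswith("224."):
            return ("BRIDGED", pkt) if self.multicast_passthrough else ("DROP", None)
        key = (pkt.proto, pkt.dst_port)
        # Reply to a flow a LAN host started: the source must be the remote that flow talked to.
        state = self.table.get(key)
        if state is not None and (state[2], state[3]) == (pkt.src_ip, pkt.src_port):
            return ("REPLY", Packet(pkt.proto, pkt.src_ip, pkt.src_port, state[0], state[1]))
        # Explicit inbound opening: the only thing "opening a port" means on such a router.
        if key in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[key]
            return ("FORWARD", Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port))
        # Everything else is unsolicited and silently dropped: there is nothing to "close".
        return ("DROP", None)


def demo() -> dict:
    """Walk through the cases argued in the thread and return each verdict by name."""
    r = NaptRouter(wan_ip="203.0.113.7")
    web = "198.51.100.20"       # a web server a LAN PC browses to
    scanner = "198.51.100.99"   # an outside host probing our WAN address
    out = {}

    # A LAN PC browses to port 80: the router needs state for the reply, not an open port.
    probe = r.lan_to_wan(Packet("tcp", "192.168.1.10", 3001, web, 80))
    out["masqueraded_src"] = (probe.src_ip, probe.src_port)
    verdict, delivered = r.wan_to_lan(Packet("tcp", web, 80, r.wan_ip, probe.src_port))
    out["web_reply"] = verdict
    out["web_reply_dst"] = (delivered.dst_ip, delivered.dst_port)

    # Outside probes of ftp/telnet (the ports from the first post) find nothing.
    out["ftp_probe"] = r.wan_to_lan(Packet("tcp", scanner, 40000, r.wan_ip, 21))[0]
    out["telnet_probe"] = r.wan_to_lan(Packet("tcp", scanner, 40000, r.wan_ip, 23))[0]
    # A forged "reply" from the wrong source does not match the state entry either.
    out["forged_reply"] = r.wan_to_lan(Packet("tcp", scanner, 80, r.wan_ip, probe.src_port))[0]

    # Only hosting a service needs an inbound port, configured as a forward.
    r.port_forwards[("tcp", 80)] = ("192.168.1.5", 80)
    out["hosted_http"] = r.wan_to_lan(Packet("tcp", scanner, 40001, r.wan_ip, 80))[0]

    # NetBIOS name service (udp/137) broadcast from the WAN side: dropped by default...
    netbt = Packet("udp", scanner, 137, BROADCAST, 137)
    out["netbt_default"] = r.wan_to_lan(netbt)[0]
    # ...but bridged once multicast passthrough is enabled.
    r.multicast_passthrough = True
    out["netbt_passthrough"] = r.wan_to_lan(netbt)[0]
    # If a LAN host answers that broadcast, its unicast reply creates state,
    # and the outside host can now reach it through the mapped port (bperry's pinhole).
    answer = r.lan_to_wan(Packet("udp", "192.168.1.10", 137, scanner, 137))
    out["pinhole_after_answer"] = r.wan_to_lan(Packet("udp", scanner, 137, r.wan_ip, answer.src_port))[0]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Run it and the verdicts line up with the thread: the browsing reply is delivered, the ftp/telnet probes and the forged reply are dropped without any rule having been written, port 80 is reachable only after a forward is added, and the NetBT broadcast is dropped until passthrough bridges it, after which one LAN answer is enough to create a mapping the outside host can reuse. The model ignores timeouts, ICMP and TCP flags, which a real router tracks as well.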
campbellcj | May 20 2004, 10:05 PM | Post #17
I can't Re Member Group: Members Posts: 4,547 Joined: 26-December 02 From: Agoura, CA Member No.: 21 Region Association: Southern California
This is OT to this thread but further illustrates how f*ed up some of the BIG companies are, technically.
I have a Sony-Ericsson GSM digital phone from AT&T Wireless. It generally works OK and they have actually increased cell coverage/strength in my area in the last year or two. BUT...I get incessant nonsense spam on the SMS (text messaging). So first I called and unsubscribed from text messaging, which is an optional service. Spam still comes. Second call...Third call...OH... so unsubscribing from SMS only means you can't "send" text messages but can still receive (WTF?). Fourth call..fifth...sixth... Finally get to some kind of supervisor who states that "we are aware of the text message spam problem but WE DO NOT HAVE THE TECHNOLOGY TO DO ANYTHING ABOUT IT AT THIS TIME." Now...what I asked for is complete blocking of SMS signals from reaching my phone, period, spam or non-spam.
This is scary. In effect it means that AT&T's text messaging network is WIDE OPEN to anyone to hijack. I wish I knew more about the technology as I could probably make a lot of money by jumping on the cell phone spam bandwagon.
SirAndy | May 20 2004, 11:43 PM | Post #18
Resident German Group: Admin Posts: 41,669 Joined: 21-January 03 From: Oakland, Kalifornia Member No.: 179 Region Association: Northern California
QUOTE(campbellcj @ May 20 2004, 09:05 PM): I wish I knew more about the technology as I could probably make a lot of money by jumping on the cell phone spam bandwagon.
I can give you some hints .. ;) just don't mention my name :lol:
Andy