Subject: Changing network ports from closed to stealthed
Posted on July 30, 2015, 7:27 pm

I've been using Shields Up to check which ports are visible from the
Internet.
With my NAT router set up as normal, all ports show as "stealthed" in
Shields Up, i.e. a probe to the port gives no response. This is viewed as a
good thing.
When I DMZ to my Pi (running a VPN server as a test) I can see all the
ports as "closed" apart from the VPN port. As I understand it the Pi is
sending a negative response to a request to open the port. This tells the
far end that there is a device there managing the ports, which is an
invitation to try again and expand the range of ports probed.
I would like to tell the Pi to ignore all connection requests and stealth
the ports.
Google is not currently my friend. Does anyone know how to do this?
Cheers
Dave R
--
Windows 8.1 on PCSpecialist box
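The silent-drop behaviour Dave is asking for, as an added example that is not from the thread: an iptables-restore ruleset for a Pi that is the router's DMZ host, with a default DROP policy so unsolicited probes get neither a TCP RST nor an ICMP unreachable, while the one VPN service stays reachable. The VPN port/protocol (1194/udp) and the LAN subnet (192.168.1.0/24) are assumed values.

```shell
#!/bin/sh
# Constructed example: drop-by-default host firewall for a Pi exposed via a
# SoHo router's DMZ setting. Anything not explicitly accepted is dropped
# silently, which ShieldsUp reports as "stealth" rather than "closed".
VPN_PORT="${VPN_PORT:-1194}"           # assumed: OpenVPN default
VPN_PROTO="${VPN_PROTO:-udp}"          # assumed: UDP transport
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: local subnet

# Emit the ruleset in iptables-restore format so it can be reviewed before use.
pi_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the Pi itself started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new TCP connections must start with a bare SYN; drop anything else quietly
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# the single service this DMZ host offers to the Internet
-A INPUT -p $VPN_PROTO --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT
# management (SSH) only from the local subnet, never from the WAN side
-A INPUT -p tcp --dport 22 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# everything else falls through to the INPUT DROP policy: no RST, no ICMP
COMMIT
EOF
}

# Count rules carrying a given verdict (ACCEPT or DROP); no REJECT is present,
# so no rule ever sends a negative reply to a probe.
count_verdict() {
    pi_firewall_rules | grep -c -- "-j $1"
}

if [ "${1:-}" = "--apply" ]; then
    pi_firewall_rules | iptables-restore   # needs root on the Pi
else
    pi_firewall_rules                      # dry run: show what would be loaded
fi
```

Run with `--apply` as root to load the rules; without it the script only prints them for review.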

Re: Changing network ports from closed to stealthed

Where did you run this second scan from? Was it another Shields Up! scan,
i.e. the probe came from Gibson's site, or was it run from somewhere
else?
If I want to scan something on my LAN, I run nmap locally.
--
martin@ | Martin Gregorie
gregorie. | Essex, UK

Re: Changing network ports from closed to stealthed
On Thu, 30 Jul 2015 20:53:57 +0000, Martin Gregorie wrote:

Both cases running Shields Up from a Windows PC on my local LAN - once
when there was no DMZ configuration and once when there was.
So same test under two different configurations of the router.
Cheers
Dave R

--
Windows 8.1 on PCSpecialist box

Re: Changing network ports from closed to stealthed

So, you scanned your NAT router from the inside as well? I don't see what
that tells you since it has, or should have if it provides any security
at all, one set of ports that are only accessible from the outside via
the ADSL/DSL interface and a second set accessible only from the inside
via an Ethernet chip.
NOTE: some really cheap noname routers (and some branded ones from firms
that should know better) don't make this distinction, which is why bad
people can use telnet or http to reconfigure them from the outside so
they can control your LAN and all your computers.
Scanning the router's outside ports should only reveal ports that accept
an incoming connection. Normally there would be none unless you've
explicitly configured them. My router has no ports visible from the
outside and so nothing can connect inward through it.
Scanning its inside ports should normally show just the ports that are
used to configure the router. Mine shows ftp, telnet and httpd - it can
be configured with a web browser or telnet, but it will transparently
pass any connection request to an external server, e.g. I can run client
programs using http, ftp, ssh, pop3 or smtp, etc. on any of my hosts that
connect outward to any of these types of servers.

As you don't seem to be offering any services from your RPi I'd expect
scanning it to show no advertised ports normally, but to show the VPN
port when you've started the VPN server. This shows that the VPN server
is running and expecting connections.
Similarly, my RPi always advertises port 22 because it's run headless, so
the SSH server is always running and waiting for connections from other
hosts on my LAN. If I wanted any outsider to access it, I'd advertise
that fact by telling my router to forward port 22 to the RPi.
Apologies if I'm telling you stuff you already know, but IME there are a
lot of computer users that do not understand that a router is by
definition a two-faced device, that its internal and external faces may
not have the same configurations, and what the effects of these differences
are.
--
martin@ | Martin Gregorie
gregorie. | Essex, UK

Re: Changing network ports from closed to stealthed
On Fri, 31 Jul 2015 18:32:45 +0000, Martin Gregorie wrote:

I think you have the wrong end of quite a bundle of sticks.
Shields Up is a web site.
You connect out from inside your LAN to the web site and it notes your
Internet facing IP address (the one for your NAT router, assuming you have
one), and tells you that and also what name DNS resolves the IP address to.
You can then ask Shields Up to probe your Internet facing IP address - so
you are asking a web based computer to try and call into your local
network from the outside.
The web site then reports what your personal network looks like to the
Internet as a whole.
This should alert you to any ports left open when they shouldn't be.
The standard response from a NAT router is to ignore all the incoming
probes, and this shows up on the Shields Up website as "stealthed".
In my case I was checking for differences between a NAT router which
doesn't accept any incoming connections and a NAT router with a DMZ
configured where all incoming calls are directed to my Raspberry Pi.
Hope this is now clear :-)
Cheers
Dave R

--
Windows 8.1 on PCSpecialist box

Re: Changing network ports from closed to stealthed
On Fri, 31 Jul 2015 19:06:09 +0000, David wrote:

I can't imagine why you think that scanning the LAN-side of your router or
your RPi tells you anything useful about your LAN security.

Exactly. Using it is the easiest way I know of seeing what the *outside*
of your router looks like: you use an http link to ask ShieldsUp to scan
your IP from the outside. It does so and sends the answer back to you.
Using GRC or its equivalent is the only way that you can see what your IP
looks like from the outside.

Nope. All you saw was that there was a connection between the two. If DMZ
has its usual meaning, what you were looking at is asking for trouble
unless:
1) the router has a firewall on its inside with all ports shut,
   except those that only accept connections from a second firewall;
   there is a second firewall behind the router with everything on your
   LAN apart from the RPi behind it;
   the RPi is also running a firewall with only the VPN port exposed.
   IOW the RPi is an armoured fort in no-man's land between
   two impregnable walls.
2) every host on your LAN is running a firewall.
   The RPi's firewall only accepts connections from the VPN port and
   your local subnet.
   All other hosts on the LAN only accept connections from your
   local subnet.
Is that what you're running now?
As others have said, it's much better and safer to configure the router to
forward the VPN port to the RPi, but be very careful what VPN users can
do. If they can log in to other LAN hosts from the RPi and get access to
*their* command lines, then your site security is non-existent.

--
martin@ | Martin Gregorie
gregorie. | Essex, UK

Re: Changing network ports from closed to stealthed

<snip>
I have absolutely no idea where you got the impression that I was, or am,
scanning the LAN side of my router.
I have repeatedly said that I am using Shields Up - and you do apparently
know what that is and that it looks from the WAN side.
I also know the difference between the DMZ setting on a SoHo router and a
real DMZ with two firewalls - I am obviously talking about the DMZ setting
on a SoHo router which directs all incoming calls to a nominated internal
IP address.
--
Windows 8.1 on PCSpecialist box

Re: Changing network ports from closed to stealthed
On Sun, 02 Aug 2015 16:20:28 +0000, David wrote:

Never seen that meaning of DMZ before. The NAT routers I've used have
called that Port Forwarding and none have provided the option of mass
forwarding ALL the ports to an internal IP.
--
martin@ | Martin Gregorie
gregorie. | Essex, UK

Re: Changing network ports from closed to stealthed
On 02/08/2015 19:42, Martin Gregorie wrote:

You need to see more home routers then as it's been standard on every
D-Link, Netgear, TP-Link & Linksys home router I've ever seen.

DMZ is the extreme case of port forwarding. The difference being that
whilst the item in the DMZ is on the LAN side, it is isolated from all
the other LAN traffic.

Re: Changing network ports from closed to stealthed

Yes. The theory being that if it gets hacked it doesn't expose the rest of
the LAN.
--
New Socialism consists essentially in being seen to have your heart in
the right place whilst your head is in the clouds and your hand is in

Re: Changing network ports from closed to stealthed
On Sun, 2 Aug 2015 18:42:49 +0000 (UTC), Martin Gregorie

Whereas all the routers I've owned (Linksys) have ALL had DMZ mode
"""
Applications and Gaming - DMZ
The DMZ feature allows one network device to be exposed to the Internet for
use of a special-purpose service, such as online gaming. The Router
forwards all the ports at the same time to the DMZ device.
Note: After you have made your changes, click Save Settings to apply your
changes.
DMZ
Enabled/Disabled
To expose one computer as the DMZ device, select Enabled.
"""
Whereas selective port forwarding only showed up on the newer routers.
"""
Applications and Gaming - Single Port Forwarding
Single Port Forwarding allows you to customize port services for various
applications. When users send these types of requests to your network via
the Internet, the Router will forward those requests to the appropriate
computers (also called servers).
Note: After you have made your changes, click Save Settings to apply your
changes.
Single Port Forwarding
Application Name
Select the preset application, or enter the name of the custom application.
External Port
For a custom application, enter the external port number that accepts
incoming traffic.
Internal Port
For a custom application, enter the internal port number that accepts
traffic forwarded by the Router.
Protocol
For a custom application, select the protocol(s) used.
"""
--
Wulfraed Dennis Lee Bieber AF6VN
snipped-for-privacy@ix.netcom.com HTTP://wlfraed.home.netcom.com/

Re: Changing network ports from closed to stealthed

Enlighten me. If I probe a port and get a NAK, doesn't that reveal that
something is there? And doesn't that invite further probes?
I'm seriously curious.
--
-michael - NadaNet 3.1 and AppleCrate II: http://home.comcast.net/~mjmahon

Re: Changing network ports from closed to stealthed

It is not important.
ALL ports with a valid port number "exist".
But you can only connect to them when sending a TCP SYN results in
receiving a TCP SYN ACK. You then send a TCP ACK and from there you
have an open connection over which you can exchange data.
All other replies, no matter if it is TCP RST, ICMP Destination Unreachable
(with a subtype of "protocol not reachable", "port not reachable",
"host not reachable", "network not reachable", "communication
administratively prohibited" or whatever other subtype) mean that you
do not get the connection.
That does not bring the other side any nearer to a connection. It just
does not matter if there is a reply or not from the port. There is
no "further probe" that will yield anything useful (a connection) when
there is one of those replies that would not be possible when there is
no reply.

Re: Changing network ports from closed to stealthed
On 31/07/15 08:47, Rob wrote:

But *no reply at all* does not even reveal that a service exists on that
port, nor does it waste any CPU or network bandwidth.
Better still it wastes attacker's time listening for a response that
never comes.
Like trolls, denial of service attackers are best ignored, not given
negative responses, because, like internet trolls, what they want is a
response - any response.

No one is talking about a connection, we are talking about denial of
service attacks.
Repeated hits on a port that sends a NACK have in some cases resulted in
vulnerabilities being exposed.
All this was discussed at length back in the 90's. The consensus was
that dropping packets rather than nacking them was ultimately the safest
approach in a hostile world.
It was rude to people who had made a genuine mistake, true, but that's
life :-(

--
New Socialism consists essentially in being seen to have your heart in
the right place whilst your head is in the clouds and your hand is in

Re: Changing network ports from closed to stealthed

Again, there is no "revealing" here. Either you provide a service
or you don't, and it does not matter if you tell that you don't or if
you don't reply at all.
Those responses do not require noticeable resources, especially when
compared to normal operation of the system.

I know that it has been discussed, but my opinion is that the result
is baloney. There is no reason to panic when that website finds something
and marks it "not stealth". Really.
When you are going to provide a service, it can be detected. That is
the purpose of providing a service. The OP wanted to open a VPN service,
so of course it is detected as not stealth. Nothing to see here,
move along.