Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
1 edit | reply to chascent
Re: Port 0 and 1 Shows Closed not stealth Please helo
quote:
As stated by SYNACK, closed is as secure as "stealth".
I think a CLOSED port can be detected by a port probe AS A CLOSED PORT... A "Stealthed" port is not detected AT ALL.. (Which is safer) |
|
SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
 ·Comcast Formerly ..
Host:
Networking
Virtual Private Ne..
Netgear
ZyXEL
| said by Dude111  :...(Which is safer) That's an old myth.  |
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| said by SYNACK :said by Dude111 :...(Which is safer) That's an old myth. It is? How so?  |
|
SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
·Comcast Formerly ..
Host:
Networking
Virtual Private Ne..
Netgear
ZyXEL
1 edit | Stealth has exactly one advantage:
It allows relatively clueless users to easily verify with online tools that the firewall software is actually enabled and running.
Here's an old discussion that might shed some light on your questions.
A very misguided effort for stealth (as suggested elsewhere) is the idea of forwarding a port to a nonexistent or stealthed machine or on the LAN. Since each probe will create a temporary entry in the NAT table of the router while the router tries to ARP or contact the nonexistent machine, it can lead to resource starvation on the router. This creates a vulnerability, because flooding that port can overload the router, knocking the entire LAN offline. What do you think is a more graceful handling of a stray packet arriving on the WAN side: (1) Having the router return a RST for a "closed" response, then going back to regular work? (2) triggering a flurry of local LAN and router activity, but resulting in a stealth response to the outside viewer? Though so!  |
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| said by SYNACK :Stealth has exactly one advantage: It allows relatively clueless users to easily verify with online tools that the firewall software is actually enabled and running. Here's an old discussion that might shed some light on your questions.A very misguided effort for stealth (as suggested elsewhere) is the idea of forwarding a port to a nonexistent or stealthed machine or on the LAN. Since each probe will create a temporary entry in the NAT table of the router while the router tries to ARP or contact the nonexistent machine, it can lead to resource starvation on the router. This creates a vulnerability, because flooding that port can overload the router, knocking the entire LAN offline. What do you think is a more graceful handling of a stray packet arriving on the WAN side: (1) Having the router return a RST for a "closed" response, then going back to regular work? (2) triggering a flurry of local LAN and router activity, but resulting in a stealth response to the outside viewer? Though so! Interesting. So would having one or a few ports be any differences? I only have one port opened for SSH.
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer |
|
SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
·Comcast Formerly ..
Host:
Networking
Virtual Private Ne..
Netgear
ZyXEL
| said by antdude : Interesting. So would having one or a few ports be any differences? I only have one port opened for SSH. As long as you forward to a real server you're fine. |
|
jbibe
Premium,MVM
join:2001-02-22
4 edits | reply to SYNACK
said by SYNACK :A very misguided effort for stealth (as suggested elsewhere) is the idea of forwarding a port to a nonexistent or stealthed machine or on the LAN. Since each probe will create a temporary entry in the NAT table of the router while the router tries to ARP or contact the nonexistent machine, it can lead to resource starvation on the router. This creates a vulnerability, because flooding that port can overload the router, knocking the entire LAN offline. Whether or not a person should use the technique depends on how important "stealth" is to the individual, and the probability of a particular port being scanned or flooded during normal operation. In the case of port 0 and port 1, I cannot remember if I have every seen a log entry showing a scan of these ports. It seems to me that the probability of the ports being scanned is essentially zero. Therefore, the probability of exceeding the limit of the NAT is very, very small.
Personally, I don't believe that having port 0 and port 1 show closed during a scan test is important -- the device is secure. |
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| reply to SYNACK
said by SYNACK :said by antdude : Interesting. So would having one or a few ports be any differences? I only have one port opened for SSH. As long as you forward to a real server you're fine. Yeah, I do. I also use DenyHosts to block brute force attacks.
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer |
|
chascent
join:2005-01-17
182501 | Can you run this thru the router?? |
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| said by chascent :Can you run this thru the router?? Run what? DenyHosts? No. Linux/UNIX thing. |
|
