January 16th, 2004, 11:50 PM
What am I scanning?
Hi everyone, I have been playing with my own network at home trying to teach myself something about computer security. Anyway, working inside my own network is fine and I've learned a few things. Today I asked my boss if I could scan my home network from work, and he said OK (I work in an auto dealer and they let me install a WAP so I could use my laptop in the shop). So I scan my network and all ports come back as filtered. I am running behind a router/firewall and my IPs are 192.168.1.*; I'm scanning the IP that my ISP assigns me, not 192.168.1.*.
Basically I wanted to see what a hacker/cracker would see if they scanned my IP.
First, am I actually scanning my firewall or one of my ISP's servers? Second, could I safely assume that since all ports show filtered that I would be safe from a cracking attempt?
If not, how would someone go about getting inside my network if they don't know that it exists? Is using the out of the box default settings on a router/firewall(Linksys) a good idea?
January 17th, 2004, 12:03 AM
I find it's always a good habit to change the default admin password whenever possible.
Is using the out of the box default settings on a router/firewall(Linksys) a good idea?
Otherwise, unless you need certain things opened up because you want to run your laptop as a webserver or something silly like that - then the default firewall setup is normally quite good....
January 17th, 2004, 12:08 AM
Sorry old chap there are two things wrong here?
1. You should NOT know the address of your home computer, as it should be dynamic, and switched off when you are not there.
2. If you have a properly configured firewall, it should tell you that there is no computer there.
Try doing a google for GRC.com and run "shields up"........that will tell you something about your firewall settings
January 17th, 2004, 12:23 AM
Even though my IP is dynamic, it hasn't changed since I got broadband about 6 months ago.
I have gone to the grc site and they say everything is peachy, but are they scanning me or a server somewhere up the line? From what I can tell I'm not very vulnerable even though I've left a ton of services open on my XP box because I can't find it and I know where it's supposed to be, so am I still vulnerable to some cracker surfing the net?
January 17th, 2004, 12:47 AM
I think what nihil means is not your address from your ISP, but the subnetted addresses in your LAN
You should NOT know the address of your home computer, as it should be dynamic, and switched off when you are not there.
A mind full of questions has no room for answers
January 17th, 2004, 12:50 AM
Most likely your router is a NAT device with a firmware firewall (so that's what you are really scanning). So the only thing your router MIGHT respond to is a ping.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
January 17th, 2004, 12:50 AM
Well, here is what I know about the linksys router (note that I'm not a pro in security) :
First, if someone scans you from the Internet, they will "scan" your router. It will never reach your computer. So if you leave the settings as they are, you are pretty safe from what I know. If you want to see what happens when someone scans your computer, you can activate the DMZ and install ZoneAlarm; you'll see really quickly that your computer will now receive packets that pop up ZoneAlarm. But don't leave the DMZ activated, it's better for security to leave it off. If you want to monitor just some ports on your computer (like port 80 or whatever), you can activate port forwarding for just specific ports.
And yes, grc.com is really scanning you (but it just gets to your router, and not your computer). Like I said, activate the DMZ and go back there, you'll see a lot of differences. So a hacker that scans you doesn't know a lot about your computer or your network I think.
Please correct me if this information is not accurate. Those are based on my own experience and what I concluded by trying and using my router. :P
January 17th, 2004, 05:56 AM
Stupid question. Doesn't the router keep logs? If it does, then all you have to do is go through the logs and you'll know if you're getting scanned. If it can, but logging is turned off, turn it on. If it can't, you shouldn't be using such a crap piece of hardware anyway, dump it and get a 386 running Slackware.
Edit: I meant that my question was stupid ("Doesn't the router keep logs"), not yours. On rereading the post it seemed to me that it might have been misinterpreted.
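One way to do the log review suggested in the post above, as an added example that is not part of the original thread: flag any source that hits many distinct destination ports within a short window. The log line format, addresses and thresholds are constructed assumptions; real router logs differ and the regex would need adapting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (documentation IP ranges).
SAMPLE_LOG = """\
2004-01-17 05:00:00 DROP TCP 198.51.100.99:3301 -> 192.0.2.10:135
2004-01-17 05:02:00 DROP TCP 198.51.100.99:3302 -> 192.0.2.10:139
2004-01-17 05:04:00 DROP TCP 198.51.100.99:3303 -> 192.0.2.10:445
2004-01-17 05:06:00 DROP TCP 198.51.100.99:3304 -> 192.0.2.10:1433
2004-01-17 05:08:00 DROP TCP 198.51.100.99:3305 -> 192.0.2.10:3389
2004-01-17 05:12:01 DROP TCP 203.0.113.7:40112 -> 192.0.2.10:21
2004-01-17 05:12:02 DROP TCP 203.0.113.7:40113 -> 192.0.2.10:22
2004-01-17 05:12:03 DROP TCP 203.0.113.7:40114 -> 192.0.2.10:23
2004-01-17 05:12:04 DROP TCP 203.0.113.7:40115 -> 192.0.2.10:25
2004-01-17 05:12:05 DROP TCP 203.0.113.7:40116 -> 192.0.2.10:80
2004-01-17 05:12:06 DROP TCP 203.0.113.7:40117 -> 192.0.2.10:110
2004-01-17 05:13:10 DROP UDP 203.0.113.200:137 -> 192.0.2.10:137
2004-01-17 05:13:40 DROP UDP 203.0.113.200:137 -> 192.0.2.10:137
"""

# Groups: 1 = timestamp, 2 = source IP, 3 = destination port.
LINE_RE = re.compile(
    r"^(\S+ \S+) DROP (?:TCP|UDP) (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \S+:(\d+)$"
)

def find_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak distinct dst ports inside `window`} for
    sources that reach `min_ports`. Lines must be in time order."""
    recent = defaultdict(deque)   # source -> (time, dst_port) still in window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines that are not drop records
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, port = m.group(2), int(m.group(3))
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len({p for _, p in q}))
    return {src: n for src, n in peak.items() if n >= min_ports}

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

With the default 60-second window only the fast sweep is reported; widening the window to ten minutes also surfaces the source that probes one port every two minutes.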
January 17th, 2004, 07:08 AM
Gotta agree with you on that cgkanchi, why go through all that trouble when you can throw together a cheap as solution and sit back and know you're safe so to speak?
Originally posted here by cgkanchi
If it can't you shouldn't be using such a crap piece of hardware anyway, dump it and get a 386 running Slackware.
Umm they said I should put my signature here.
And now all I got is a heap of White Out on the Monitor..
January 17th, 2004, 02:48 PM
Port scanning from behind a DNAT (masquerading-style) NAT router is a VERY BAD idea.
Even assuming you wanted to do so for legit and sensible purposes, you stand a really good chance of causing a DoS attack against the local router:
A DNAT router has a finite number of ports (64k or thereabouts). Each outgoing connection (or connection attempt) will use up one of these for the lifetime of the attempt (until timeout). It is EASY with most scanning tools (nmap for instance) to have much more than 64k connections outgoing that haven't yet timed out.
Result? The DNAT router runs out of ports, and can no longer NAT outgoing connections (until some of the old ones time out), so it starts dropping legitimate outgoing traffic by other users.
Bear this in mind when port scanning behind such a router/firewall.
Note that routers / firewalls that DON'T do NAT (or ones which do static 1-to-1 mappings) don't have this problem as they don't need to do connection tracking and port mapping.
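The port-exhaustion arithmetic from the post above, as an added example that is not part of the original thread: a second-by-second model of a NAT mapping table, plus the rate cap that keeps an authorized scan from starving other users. The pool size (ports 1024-65535), the 120-second mapping timeout and the other users' connection rate are assumptions; check the actual router's values.

```python
from collections import deque

def simulate_nat(scan_rate, seconds, pool_size=64512, timeout=120,
                 other_rate=50):
    """Step a NAT mapping table one second at a time.

    scan_rate  - scan connection attempts per second; probes to filtered
                 ports get no reply, so each mapping lives for `timeout`
    other_rate - new connections per second from other users, also held
                 for `timeout` (a pessimistic simplification)
    Returns (peak_table_size, other_user_connections_dropped).
    """
    expiries = deque()            # (expiry_second, mappings), in time order
    in_use = peak = dropped = 0
    for now in range(seconds):
        while expiries and expiries[0][0] <= now:
            in_use -= expiries.popleft()[1]
        # Scanner is served first each tick: worst case for everyone else.
        scan_ok = min(scan_rate, pool_size - in_use)
        in_use += scan_ok
        other_ok = min(other_rate, pool_size - in_use)
        in_use += other_ok
        dropped += other_rate - other_ok
        expiries.append((now + timeout, scan_ok + other_ok))
        peak = max(peak, in_use)
    return peak, dropped

def max_safe_scan_rate(pool_size=64512, timeout=120, other_rate=50,
                       headroom=0.5):
    """Highest scan rate (attempts/s) that keeps steady-state usage under
    headroom * pool_size. In steady state the table holds
    rate * timeout mappings, so the budget is divided by the timeout."""
    budget = int(pool_size * headroom) - other_rate * timeout
    return max(budget // timeout, 0)

if __name__ == "__main__":
    print("1000/s for 300 s:", simulate_nat(1000, 300))
    safe = max_safe_scan_rate()
    print(f"{safe}/s for 600 s:", simulate_nat(safe, 600))
```

The computed cap is the kind of figure to pass to a scanner's rate limit, such as nmap's `--max-rate`.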