okay, so, just wondering what you guys thought about the age old debate in port scans. Do you prefer stealthed or closed or shrouded ports and why? Strictly from an administrators pov.
If you use NMAP
nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
Thats me all the time :)
Your question's answer depends on the situation to be frank. I've never done a port scan outside legal boundaries.
Stealthed.
Oh I do love these threads...
A port is either opened or closed. You can nat 'em, pat 'em, knock 'em, sock 'em but no matter what you do to them, they are either opened or closed.
That being said, from a port scan point of view. As a SysAdmin - I prefer closed ports.
When I'm wearing other hats, I would prefer open ports.
I love ports 80, 110, 443-5, 3306, 3334-3337. And all things UDP!
The only reason why I'd ever scan anything is because a single threaded syn scan will always go by faster than a multithreaded attempt at actually connecting.
But what about ports 23 and 21 dinowuff!? Also, are there really any advantages to having closed ports? The biggest advantage I can think of when using stealthed and shrouded ports is the headache the attacker receives on your system =P Stealthing/Shrouding your ports also forces the attacker to be a little noisier wouldn't you say and thus easier for IDS to detect. On my home system, I like to set up my ports to be shrouded, but have it respond on random ports for each scan. Mostly just to mess with people's heads >.<
The advantage of a closed port is nothing can connect to that port.
Telnet - no use for it
FTP - I haven't tried a bounce scan in years. I don't know if the vulnerability of the FTP protocol that allowed that still exists.
If by messing with people's heads you mean common false positives or at best 0.00001st of a nanosecond's worth of processing then uh... no.
Quote:
Mostly just to mess with people's heads >.<
not talking about the PORT command on FTP dino >.< That is largely blocked anyhow. I was more getting along the lines of liking that port to be open as well as port 23. I am more curious on why you prefer closed ports to stealthed ports though, not open ports >.<
T-Spec, judging by your response, I would say vehemently use closed ports =P
A stealth port is an open port. The age old argument you refer to goes like this:
Side 0
- I want x ports open in case I need to use them, but want to hide them from the Internet - Reason for stealth: "if hackers can't see any ports they won't try to attack"
Side 1
- Bullshit, only open ports that you need open, when you need them. Reason for closing ports: If a port is open you can connect to it.
I am on side 1
IMHO The Sales and Marketing departments of some "Firewall/AV/Security" Vendor came up with this stealth B.S. for no other reason than a marketing strategy. I mean, really, how hard is it to allow everything but ftp on a firewall?
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 permit ip any any
30 seconds
So if you are discussing ports, you understand firewalls and how to use them.
If you are discussing ports, because you just left grc... That's another discussion (but I wanted to see if I could get spec fired up)
That Steve Gibson is the 1337357 h4x0r on the planet. I never cease to be amazed by what comes out of that guy's mouth. [for one reason or another :rolleyes:]
Unused ports can be stealthed, but ports can't be open and stealthed. :/ A stealth port simply has the firewall not respond to any probes and so the source of a scan doesn't receive any TCP or ICMP messages. Effectively this causes the attack to get a time out exception. So the attacker has to wonder whether or not the host really exists. If they know it exists, and a lot of the time if you are scanning a host you know it exists, then the attacker receives information from open ports, since it is clearly impossible to stealth open ports. At this point, stealth ports seem somewhat meaningless if you are running a server of some sort, because all you have effectively done is cover up your closed ports, which is useless to an attacker. However, if you incorporate port knocking strategies, you have a very good bet that you and whoever else you tell the secret knock to will be the only ones using your server (unless the attacker hijacks your TCP session etc. etc.). Now I know you can use port knocking with closed ports as well, but the great thing about stealth ports with port knocking is that the attacker doesn't know if his packets went in the order he sent them since he is not getting any response, so even a brute force isn't guaranteed to open up your ports due to the congestion/packet loss/latency issues that exist in all packet switched networks. This makes stealth ports much more tactful than closed ports in my opinion.
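To make the port-knocking point above concrete, here is an added example (not from the thread or any poster): a defender-side replay of firewall drop logs that admits a source only if it hit a secret sequence of stealthed ports in order and within a time window. The knock sequence, window and log format are assumptions; the log lines are constructed. Out-of-order, late or wrong knocks reset the source silently, which is exactly why a sender who gets no responses cannot tell which step failed.

```python
import re

# Assumptions for this example: a hypothetical secret knock sequence and the
# window (seconds) within which one source must complete it.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0

# Constructed log text in the shape a firewall emits for SYNs it silently
# drops on stealthed ports: epoch timestamp, source, destination port.
SAMPLE_LOG = """\
1.0 SRC=203.0.113.5 DPT=7000
2.0 SRC=203.0.113.5 DPT=8000
3.0 SRC=203.0.113.5 DPT=9000
1.5 SRC=198.51.100.9 DPT=7000
2.5 SRC=198.51.100.9 DPT=9000
3.5 SRC=198.51.100.9 DPT=8000
"""
LINE_RE = re.compile(r"^(?P<ts>[\d.]+) SRC=(?P<src>\S+) DPT=(?P<dpt>\d+)$")

def parse_log(text):
    """Parse the constructed format into (ts, src, dpt) tuples sorted by time."""
    knocks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            knocks.append((float(m["ts"]), m["src"], int(m["dpt"])))
    return sorted(knocks)

def sources_admitted(text, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Replay a knock log; return sources that hit every port in order and in time."""
    progress = {}   # src -> (index of next expected port, time of first knock)
    opened = set()
    for ts, src, dpt in parse_log(text):
        idx, start = progress.get(src, (0, ts))
        if idx and ts - start > window:
            idx, start = 0, ts              # too slow (lost/delayed knock): start over
        if dpt == sequence[idx]:
            idx += 1
        elif dpt == sequence[0]:
            idx, start = 1, ts              # wrong step, but counts as a fresh start
        else:
            idx = 0                         # wrong port: reset, no response given
        if idx == len(sequence):
            opened.add(src)                 # sequence complete: admit this source
            idx = 0
        if idx:
            progress[src] = (idx, start)
        else:
            progress.pop(src, None)
    return sorted(opened)
```

Only the first source in the sample log is admitted; the second sent the same three ports but out of order and never learns that from the firewall.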
Hence the age old debate.
kinda like horsepower vs torque
But I am not saying stealth ports stop an attacker from trying, I am saying they make it more difficult and thus are more secure when used properly. Bah. >.< I thought horsepower is a by-product of achieving peak torque levels in your engine >.< But I am not a mechanic. blech blech blech, ima grab me a beer
If you can read this...
Quote:
If you are discussing ports, because you just left grc... That's another discussion
then you're overqualified as a network and systems engineer.
I was having one of those pita nights last night.
I installed WSS on an Amazon platform. Yesterday I started configuring ssl - and it went into the night. Mother.. God... Damn... Certs.. Fuc... Arggggg - Stupid Windows...
Anyway, once all was installed and working I went over my firewall config.
Connections to the SharePoint site are only allowed from my home and work IP
Ports 80, 443, and 12345 (not really) are the only open ports.
port 12345 on the firewall points to port 3398 on the server. I didn't do this for security reasons as such, but I don't like using default ports for remote access.
Here again, the only ports that are open are the ones I or the server need to get the job done.
I mean I agree with that fully dino. Only open ports that you use, yes yes yes. I will also agree that white listing is one of the most secure practices out there, though I tend to white list MAC addresses rather than IPs for ultra paranoid security ;)
Still if you want a semi-public server a white list is impractical. But then again, that is the major trade off with security, functionality >.< Why are you setting up a WSS if you don't mind me asking dino?
The reason for WSS... Just checking out 2010. Mostly because there is an android app for monitoring my hardware http://www.androidguys.com/2010/02/1...2-cloud-decaf/
Now that I think about it, how ****ed up is that? Install WSS on EC2 because I want to play with the Droid app?
hahaha not f-ed at all dino >.< I have done many a ridiculous thing just to play with some little bit of software