Re: Do I need these services listening?

rodlinkowitz_at_whale-mail.com
Date: 03/15/05
Date: 15 Mar 2005 04:27:01 -0800

Gerald Vogt wrote:
> rodlinkowitz@whale-mail.com wrote:
> > Well, that's exactly how my system is set up. Each computer has one
> > NIC card, the modem is plugged into the Netgear's WAN port, and each
> > computer is plugged into the router's LAN port via Cat 6 cable, as
> > well as their own NIC card. I may not have used the 'right'
> > terminology perhaps to describe it, in previous posts. Of course, it's
> > only the first computer that has the modem & router, so I call the
> > second one the "client". I do not use ICS and have no need to, and as
> > is standard,
>
> This is what I don't get. The first computer does not "have" the modem
> & router. Both computers are connected to the router. Both computers
> are the same then. There is no difference between them in this regard.
> What do you mean when you say "the first computer [...] has the modem &
> router"?

Simply, the modem and router are -physically connected- to the first
computer. The other computer (which I call the "client" or "secondary"
computer) has only a cable attached to the first computer, hence it
receives its internet connection via the first computer. Again, this is
a standard configuration, nothing special being done here. I consider
the "server" computer as having both a public IP and a private IP,
because it contains the router, which on one side (WAN) has a public
address, and on the other side (LAN), a private one. But I believe the
way you are looking at it, it's the router that has the public address,
and both computers have a private IP. (Note that servers completely outside
my network can know about my LAN's private IP addresses, as exemplified
in the test given at AuditMyPC, although this is done via javascript).

> Your Netgear: a public IP address like 65.93.190.160 and an internal
> one like 192.168.1.1
>
> Your computers: exactly one internal IP address like 192.168.1.2
> (gateway configured as 192.168.1.1)

Yes, that looks about right.

> > Well that's what I was thinking... but I figured (with my limited
> > understanding of network security), that if the ports look closed
> > even to an internal port scanner, they are for sure going to be
> > inaccessible
>
> This is correct. Accessible from the internet are only the ports that
> are explicitly opened on your router and then forwarded to an address
> inside your LAN where there must be a server running.

I'm convinced there is no one running a mail server on my system. But
the thing I'm not sure about is why, when I turned off ALL of my
firewalls on both computers, including the SPI on the router (and even
opened up the feature in the router's setup to allow "pings"), I still
got a solid wall of green (stealth) blocks at GRC's ShieldsUp. Those
include the 25,110,445,135-139 ports btw, that were supposed to be
"listening". My only guess is the router's NAT feature, which can't be
turned off, is acting like a full on firewall. None of the other online
security tests I tried were able to penetrate the system either.

> The problem with 25 & 110 is that they should never ever be open in
> your scenario unless you are running an SMTP and POP3 server which you
> don't. This is a problem in any case. It does not help closing ports
> anywhere. You must find out why these ports are open.
>
> Am I correct to assume that the information about the open ports 25
> and 110 are from a port scanner software that you have run inside your
> network. No external online scanner did report 25, 110 nor any of the
> other ones open? Just want to be sure.

Yes, correct. I think that may answer the question. At least two
software port scanners reported these two ports open, regardless of
whether I asked them to scan my public IP or my private IP. But NONE of
the online scanners showed ANY ports open on my system. Maybe you should
download a copy of Advanced Port Scanner, try it on your system, and see
what it's telling you! It might shed some light for you about how it
works.

> The router does affect only the connections between the WAN and the
> LAN. The LAN itself is connected through a switch which generally just
> sends everything through. "Closing" NetBIOS ports on the router does
> not make any difference in respect to the LAN file sharing traffic.

No, but your suggestion of disabling file & printer sharing on the
second computer, did. I found later that I was no longer able to "see"
the second computer from the first computer using netbios name
resolution. This prevented me from sharing files from the first computer
to the second (but the other way around was ok). So I had to re-enable
file & printer sharing on both computers. Netbios is also enabled,
because removing it also caused LAN problems, such as my Winpopup LAN
messenger program being unable to send messages to the other computer.

However, I think I am okay as far as net vulnerability to Netbios is
concerned. I say this because I configured my personal firewall to
close the Netbios ports (which is one or more of these: 135-139, 445),
and I did net Netbios vulnerability tests at the Lockdown site, and
somewhere else, and passed them.

> Second, there should be no need to "close" ports. By default your
> router does NAT which is technically no firewall/filter but still does
> something similar. It allows you to connect to the outside and tries
> to figure out which of the incoming traffic from the internet is
> related to a connection from you to the outside (i.e. is a response to
> your request) and which is just unrelated garbage or someone trying to
> probe your IP address. That latter is usually just dropped and that's
> good so. So by default any online scan from the internet should report
> no open ports which means they cannot find any open ports on your
> Netgear from the internet. Only if you explicitly forward a port from
> the internet to the inside, only then it can be open and only then if
> the inside recipient does actually run a server on this port, else it
> would just report the port as closed. So there should be no need to
> block anything by default.

Okay, but can it hurt to block those ports I mentioned (135-139,445) on
the Netgear, or should I return it to default and just let NAT do its
thing? Maybe it's purely psychological, but it makes me 'feel' more
secure to block those ports completely on the router's WAN
configuration as I did, as well as having the router block it via NAT,
not to mention its SPI, as well as having my 4 or 5 personal firewalls
block the ports as well. How else can I sleep at night?

> If you explicitly block port 25 and port 110 you block _all_ traffic
> to port 25 and port 110 in the internet (or in both directions, the
> details depend on your Netgear router). If you block them in your
> router, your computers inside cannot access your E-Mail-Servers (SMTP
> for sending and POP3 for receiving) anymore. Again, there should be
> no need to block here anything as long as online scans don't report
> open ports and if they do I would rather figure out why they are open
> instead of blocking something that should not be open in the first
> place.

Makes sense to me. Which is why I unblocked them earlier. I'll just
have to ignore the results of the software port scanners, and assume
that they are scanning my private IP addresses only, inside the LAN.

> I suppose you mean the WAN IP/public IP address compared to the
> private IP address scan of your first computer. The WAN IP address is
> the public IP address.

Yes. The public address.

> I know it may seem strange but there is a huge difference if you scan
> the public IP address from the inside or the outside. The router has
> two IP addresses: the public IP address assigned by your ISP and the
> internal IP address which is probably 192.168.1.1 on your Netgear.

It was, until I changed it (for security purposes...).

> Both IP addresses go to your Netgear. Only the public address can be
> reached from the internet, not the internal one. The internal one can
> only be reached from the inside. The router does know from which side
> - inside or outside - traffic comes. If you connect to your router
> using its public IP address from the inside, it notices that and
> considers this traffic as any other inside traffic. There should be no
> big difference except for one tiny piece: the web management interface
> on port 80 or 443 depending on your router and if it uses HTTP or
> HTTPS.

And also the mail ports perhaps?

> You usually connect to your router with your browser with something
> like http://192.168.1.1/ I suppose. Try the public IP address instead,
> e.g. http://65.93.190.160/ This also gives you the normal web
> management interface. If you try to connect to this URL with the
> public IP from the outside, the router will block that traffic and
> won't accept it.
>
> So what you should compare is an online scan from the internet,
> scanning your public IP address which should belong to your Netgear
> and compare that to your inside scan of either the private router
> address or the public IP address. The latter one should report at
> least port 80 as open.

Actually from what I recall, none of the software scanners reported 80
as open. They reported ports like the mail ports, 135-139,445, a couple
in the early one thousand range (the Kaspersky antivirus ports), and one
scanner found a few more ports in higher ranges (but I don't trust that
scanner!).

> Anyway, if you really run the NAT router as gateway with NAT any
> online scan scans the router from the internet. Any scan from the
> inside on the public IP address or the internal router IP address
> 192.168.1.1 should both report the same and may have some open ports
> which should not bother you as long as they look closed from the
> online scan.

Okay thanks, that's pretty much what I had come to assume from all
this. After all, it doesn't make much sense to be worried about hackers
breaking into open ports, if they can't be seen by an online scanner.

> You cannot scan your inside computer with an online scan through a NAT
> router unless the inside computer is configured as DMZ in the NAT
> router. A DMZ computer inside basically receives any traffic to any
> port of your public IP address. Do not configure any computer inside
> your network as DMZ unless you really do know what you are doing. I
> assume here that you don't have a DMZ configured.

No, I've read about DMZ and have no use for it. But it looks like you
also confirmed my suspicion as to why I was getting no open ports in
online scanners, even though all my firewalls were off.

> > Note that neither netstat or WIL list ports 25 and 110 (they don't
> > show up at all, neither as listening or open). It is only from the
> > scan of all 65535 ports with Advanced Port Scanner, that it told me
> > the only two ports open were 25 and 110. But as I said, when I tried
> > to close
>
> O.K. Which IP address were you scanning? The external public IP
> address (which is the router) or the internal IP address of your
> computer?

I did scans of both to be sure; and they gave me the same results.
Maybe it was reporting phantom ports, because I either had my mail
client open at the time, or closed, but opened at some point during the
session. (Although I am running the SP2 version of XP Pro, with the
latest updates). But if APS has a problem about "reporting phantom
ports", then it isn't the only program that does, because it wasn't the
only program I tried that popped up those two mail ports as being open,
during the scan. But of the software port monitors I tried (similar to
netstat), none said the two mail ports were listening. So there's
definitely somethin' screwy here....

> But you did get an error message? And: you must try this with the
> internal IP address of your computer. With the public one you just
> checked your router. So something like telnet 192.168.1.2 smtp for
> your inside computers give you the information whether something is
> listening on your computer.

Well I tried it on my two private IP addresses and same result: screen
goes blank for a few seconds, and then the command prompt returns. But
no error message, no message of any kind.
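Added worked example (not part of the original thread, and not code from any of the tools named in it): a small Python script that does the same kind of TCP connect test the telnet and port-scanner experiments in this thread were doing, and reports the three outcomes such a probe can have. A completed handshake means something is listening ("open"); a RST reply means the host is up but nothing is listening ("closed"); no reply at all within the timeout is what ShieldsUp shows as "stealth" ("filtered"), which is what a NAT router with no forwarding rule produces for a probe arriving from the outside. The script also includes a rough local stand-in for looking at netstat output: trying to bind the port, which fails if a process on the same machine already holds it. The listener it probes is a throwaway one it starts itself on 127.0.0.1, so every address and port in the demo is constructed; the port list is just the ports discussed above.

```python
import errno
import socket

# Ports this thread worries about: SMTP, POP3, NetBIOS/SMB (list constructed for the demo).
PORTS_OF_INTEREST = [25, 110, 135, 136, 137, 138, 139, 445]


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port the way a connect scanner (or `telnet host port`) does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # handshake completed: a service is listening
    except socket.timeout:
        return "filtered"        # no SYN-ACK and no RST: dropped on the way ("stealth")
    except ConnectionRefusedError:
        return "closed"          # host answered with RST: up, but nothing listening
    except OSError as exc:
        return "unreachable: %s" % exc   # e.g. no route to host
    finally:
        s.close()


def scan_ports(host, ports=PORTS_OF_INTEREST, timeout=2.0):
    """Return {port: state} for a list of ports on one host."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def is_bound_locally(port, host="127.0.0.1"):
    """Rough local stand-in for finding the port in `netstat -an`: try to bind it.
    True  -> some process on this machine already holds the port
    False -> nobody holds it
    None  -> privileged port (below 1024) and we are not root, so we cannot tell"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return False
    except PermissionError:
        return None
    except OSError as exc:
        in_use = (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE))
        return exc.errno in in_use
    finally:
        s.close()


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP listener on an OS-chosen port: a constructed
    stand-in for a real service such as a mail server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def local_demo():
    """Probe a port while a listener holds it, then again after it is gone.
    Returns ((probe, bound) while listening, (probe, bound) after close)."""
    srv, port = start_listener()
    try:
        while_listening = (probe_tcp("127.0.0.1", port), is_bound_locally(port))
    finally:
        srv.close()
    after_close = (probe_tcp("127.0.0.1", port), is_bound_locally(port))
    return while_listening, after_close


if __name__ == "__main__":
    print("throwaway listener:", local_demo())
    # Real use: scan_ports("192.168.1.2") from the other LAN machine, or
    # scan_ports("127.0.0.1") on the machine itself, then compare the states
    # with what netstat lists as LISTENING.
```

Run it on the machine itself against its own private address to learn whether a service is really listening; a port that comes back "open" from inside but "filtered" from an online scanner is exactly the NAT behaviour Gerald describes above. Probing the public address from inside the LAN still lands on the router, so it does not stand in for an outside view.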