Topic: Stealthing Ports?

Hello all. I am fairly new to OpenWRT and IPTables. I would like to say that I am very impressed with this firmware and am enjoying using it.

I have successfully setup my router and have edited /etc/firewall.user to forward the ports I want. The question I have is, is it possible to "Stealth" the ports that I have opened for forwarding? When I port scan my LAN from the WAN side, my forwarded ports show as open.

Re: Stealthing Ports?

Encrypted wrote:

When I port scan my LAN from the WAN side, my forwarded ports show as open.

Seriously, what'd you expect?

3

Re: Stealthing Ports?

Search the forum for "port knocking".

- DL

- old enough to know better (yet I do it anyway)

Re: Stealthing Ports?

Hmm, sorry if I sound stupid. I just ran an online port scan, and it led me to believe that I should be able to hide my open ports from a scan. Now, this seams resonable to me. If we can identify an ICMP packet and drop it, well a port scan must use a protocol as well. I don't see why we couldn't use an L7 filter to drop all packets matching the signature. Am I crazy here?

Re: Stealthing Ports?

Encrypted wrote:

Hmm, sorry if I sound stupid. I just ran an online port scan, and it led me to believe that I should be able to hide my open ports from a scan. Now, this seams resonable to me. If we can identify an ICMP packet and drop it, well a port scan must use a protocol as well. I don't see why we couldn't use an L7 filter to drop all packets matching the signature. Am I crazy here?

May be you should explain what exactly do you want to do and what do you mean by "open" ports (which test) ?

Re: Stealthing Ports?

If something sends a valid connection request, then it will get a valid connection response back. There's not much you can do to determine if that request came from a portscan or if it was actually a valid connection.

7

Re: Stealthing Ports?

port knocking is the closest you'll come.

- DL

- old enough to know better (yet I do it anyway)

Re: Stealthing Ports?

mbm wrote:

If something sends a valid connection request, then it will get a valid connection response back. There's not much you can do to determine if that request came from a portscan or if it was actually a valid connection.

A connect attempt to a closed port could block connects to open ports from the same IP for minute or so.

Re: Stealthing Ports?

Ok, thank you for the replies. I was at https://www.grc.com/x/ne.dll?bh0bkyd2 and their web site was telling me that there is a way to stealth the port I have open for torrents, but they don't say how. I read up on port knocking, and I don't think it is what I am looking for. I am not too worried about it. My torrent server is in its own screened subnet, and I only have one port forwarded to it. I have ISA server protecting my internal LAN. grc.com was leading me to believe that I could hide my open ports from a port scan. I just thought that would be cool. Just one more step to annonaminity.

Re: Stealthing Ports?

Gibson doesn't know what he's talking about half the time.  He has no credibility whatsoever in professional security circles.  I would be skeptical of anything he says.

Re: Stealthing Ports?

Craven wrote:

Gibson doesn't know what he's talking about half the time.  He has no credibility whatsoever in professional security circles.  I would be skeptical of anything he says.

Hmm, yes, it seems that way. That is not the first time I have heard somone say that.

12 (edited by booBot 2006-04-02 08:00:55)

Re: Stealthing Ports?

What did he say that made you believe he is incompetent?!

On topic:
Yes, there are some firewalls that can do an "adaptive stealth" - ZoneAlarm is one example.

Yes, it would be nice to have a sort of an add-on for the iptables that would detect a port-scan and stealth an open port for that particular source IP.

Why not?

OpenWRT WR RC6 powered WRT54GL v1.0 64MB RAM mod
RT31P2-EU v1.30.07/v3.1.09LId

Re: Stealthing Ports?

I don't want to venture too far off-topic so I'll just say this and be done with it.  He has acquired a less-than-savory reputation over the years among security professionals.  He is looked upon by noobs as someone who knows what he's talking about (not saying present company are noobs smile ) but he makes a lot of mistakes and then backpedals and tries to worm his way out of them.  He doesn't participate in any of the larger forums and communities dedicated to network security.  To be succinct... Gibson is to Security as Sveasoft is to Ethics.

14 (edited by booBot 2006-04-02 13:09:08)

Re: Stealthing Ports?

OK. I know his reputation very well.

And what about adaptive stealthing for OpenWRT?

I'd welcome this feature.

OpenWRT WR RC6 powered WRT54GL v1.0 64MB RAM mod
RT31P2-EU v1.30.07/v3.1.09LId

Re: Stealthing Ports?

I like the line that Boobot is going on. If it can't be done now, maybe in interesting add on at some point. And I like the Sveasoft analogy, that explains it all.