OpenWrt Forum Archive

Topic: Stealthing Ports?

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello all. I am fairly new to OpenWRT and IPTables. I would like to say that I am very impressed with this firmware and am enjoying using it.

I have successfully set up my router and have edited /etc/firewall.user to forward the ports I want. The question I have is, is it possible to "Stealth" the ports that I have opened for forwarding? When I port scan my LAN from the WAN side, my forwarded ports show as open.

Encrypted wrote:

When I port scan my LAN from the WAN side, my forwarded ports show as open.

Seriously, what'd you expect?

Search the forum for "port knocking".

- DL

Hmm, sorry if I sound stupid. I just ran an online port scan, and it led me to believe that I should be able to hide my open ports from a scan. Now, this seems reasonable to me. If we can identify an ICMP packet and drop it, well a port scan must use a protocol as well. I don't see why we couldn't use an L7 filter to drop all packets matching the signature. Am I crazy here?

Encrypted wrote:

Hmm, sorry if I sound stupid. I just ran an online port scan, and it led me to believe that I should be able to hide my open ports from a scan. Now, this seems reasonable to me. If we can identify an ICMP packet and drop it, well a port scan must use a protocol as well. I don't see why we couldn't use an L7 filter to drop all packets matching the signature. Am I crazy here?

Maybe you should explain what exactly you want to do and what you mean by "open" ports (which test)?

If something sends a valid connection request, then it will get a valid connection response back. There's not much you can do to determine if that request came from a portscan or if it was actually a valid connection.

port knocking is the closest you'll come.

- DL

mbm wrote:

If something sends a valid connection request, then it will get a valid connection response back. There's not much you can do to determine if that request came from a portscan or if it was actually a valid connection.

A connect attempt to a closed port could block connects to open ports from the same IP for a minute or so.

Ok, thank you for the replies. I was at https://www.grc.com/x/ne.dll?bh0bkyd2 and their web site was telling me that there is a way to stealth the port I have open for torrents, but they don't say how. I read up on port knocking, and I don't think it is what I am looking for. I am not too worried about it. My torrent server is in its own screened subnet, and I only have one port forwarded to it. I have ISA server protecting my internal LAN. grc.com was leading me to believe that I could hide my open ports from a port scan. I just thought that would be cool. Just one more step to anonymity.

Gibson doesn't know what he's talking about half the time.  He has no credibility whatsoever in professional security circles.  I would be skeptical of anything he says.

Craven wrote:

Gibson doesn't know what he's talking about half the time.  He has no credibility whatsoever in professional security circles.  I would be skeptical of anything he says.

Hmm, yes, it seems that way. That is not the first time I have heard someone say that.

What did he say that made you believe he is incompetent?!

On topic:
Yes, there are some firewalls that can do an "adaptive stealth" - ZoneAlarm is one example.

Yes, it would be nice to have a sort of an add-on for the iptables that would detect a port-scan and stealth an open port for that particular source IP.

Why not?

(Last edited by booBot on 2 Apr 2006, 08:00)

I don't want to venture too far off-topic so I'll just say this and be done with it. He has acquired a less-than-savory reputation over the years among security professionals. He is looked upon by noobs as someone who knows what he's talking about (not saying present company are noobs :) ) but he makes a lot of mistakes and then backpedals and tries to worm his way out of them. He doesn't participate in any of the larger forums and communities dedicated to network security. To be succinct... Gibson is to Security as Sveasoft is to Ethics.

OK. I know his reputation very well.

And what about adaptive stealthing for OpenWRT?

I'd welcome this feature.

(Last edited by booBot on 2 Apr 2006, 13:09)

I like the line that booBot is going on. If it can't be done now, maybe an interesting add-on at some point. And I like the Sveasoft analogy, that explains it all.
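The idea raised in this thread (a connect attempt to a closed port makes the forwarded port go silent for that source IP for a while) can be sketched with the iptables `recent` match. This is an added example, not code from any poster or from OpenWrt. The function name, the list name `scanners` and the sample interface and port are assumptions, and the `recent` match has to be available in the router's iptables build.

```shell
#!/bin/sh
# Added example (not from the thread). Names are constructed for illustration.
# Set IPT="echo iptables" to print the rules instead of applying them.

# adaptive_stealth WAN_IF FWD_PORT BLOCK_SECS [LIST]
#   WAN_IF      WAN-side interface
#   FWD_PORT    TCP destination port of the forward as seen in the FORWARD
#               chain, i.e. after DNAT has rewritten it
#   BLOCK_SECS  how long a flagged source gets no answer on FWD_PORT
#   LIST        name of the 'recent' address list (default: scanners)
adaptive_stealth() {
    [ $# -ge 3 ] || { echo "usage: adaptive_stealth WAN_IF PORT SECS [LIST]" >&2; return 2; }
    wan_if=$1 port=$2 secs=$3 list=${4:-scanners}
    ipt=${IPT:-iptables}

    # Reject anything that is not a plain decimal number before it reaches iptables.
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    case $secs in ''|*[!0-9]*) echo "bad seconds: $secs" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }

    # 1. Trap. Appended to INPUT, so it only sees WAN SYNs that none of the
    #    router's earlier accept rules matched: a probe of a closed port.
    #    Remember the source address and drop without replying.
    #    (If INPUT already ends in a catch-all DROP/REJECT rule, this rule
    #    must be placed before that one or it is never reached.)
    $ipt -A INPUT -i "$wan_if" -p tcp --syn \
        -m recent --name "$list" --set -j DROP || return 1

    # 2. Gate. Inserted at the top of FORWARD so it is evaluated before the
    #    existing ACCEPT for the forwarded port. A SYN from an address that
    #    tripped the trap within the last BLOCK_SECS seconds is dropped, so
    #    the port looks filtered to that source only. --rcheck does not
    #    refresh the timestamp, so the block expires on its own.
    $ipt -I FORWARD 1 -i "$wan_if" -p tcp --dport "$port" --syn \
        -m recent --name "$list" --rcheck --seconds "$secs" -j DROP || return 1
}

# Example call (constructed values), e.g. from /etc/firewall.user:
#   adaptive_stealth eth1 6881 60
```

A scan that probes the forwarded port before any closed port still sees it open, and only TCP is covered. Because the list is keyed on the source address of an unanswered SYN, keep the block window short.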

The discussion might have continued from here.