Mini Rant--Some Firewall Users Are Too Trusting

Discussion in 'Software' started by Adrynalyne, Mar 8, 2004.

  1. Adrynalyne

    Adrynalyne Guest

    Well, not really a rant, but something is really bugging me.


    I keep hearing a lot of people on this forum say how their firewall works well because they show 'stealth' on a firewall test.

    Do you guys(those who think this) really think that these online tests mean much at all?


    Facts:

    Online port scanners only scan a few common ports. They do not scan very many ports. They do not check to see what applications are actually getting out of your computer, only what is getting in. There are over 65 thousand ports folks, and these scanners barely touch the tip of the iceberg.

    These tests are not what I would call very useful at all, and do not mean you are secure. I can't stress that enough.

    So many people think that if you show 'stealth' on grc.com, or dslreports or 'insert online scanner here' that it means they are protected.

    This is so far from the truth, it isn't funny.


    Give me any online port scanner.


    I'll show 'stealth' even for the infamous IDENT port that most NAT routers have closed but not stealthed.


    All I am using is a router. Does it mean I am protected? Heck no.

    IMO, the only accurate test is if someone uses a REAL port scanner (i.e. nmap) on your system and sees what comes up.


    Moral of the story?

    1. Don't rely on online port scanners for system security. They don't tell the whole story.



    End rant.



    This may or may not be useful to you guys:



    This is not a surefire method on how to check what is outgoing or incoming, but it's a good start. You must have Windows XP for this, preferably Pro.


    Go to Task Manager. Click on the Processes tab. Go to View -> Select Columns.

    Put a check in PID. Click OK.

    Now open a command prompt.


    Type netstat -o

    press ENTER.

    This will show current connections to your computer. It also shows the PID for the connections.


    Go back to Task Manager and look at the processes again.


    Here you will see the PID for each process.

    Match it up with what netstat shows, and you now have a way of checking what process has a connection to the outside world.

    If it shows svchost.exe, well, then it's a little tougher to see, but not impossible.

    Go to a new command prompt, and type tasklist /svc (Pro only).

    Now you have a listing of the processes with PID, and a breakdown of all the services using svchost.exe.

    Then you can narrow down which it is, by stopping the services.

    You don't even have to leave the console. Type net stop name, where name is the name of the service listed.


    I've got 3 screenies to demonstrate what I am saying. Who knows, maybe this info is useless to you guys, but I have found it useful.

    Task manager showing PID:
     
    Last edited by a moderator: Mar 8, 2004
  2. Adrynalyne

    Adrynalyne Guest

    Screenie of netstat -o:
     
  3. Adrynalyne

    Adrynalyne Guest

    Screenie of tasklist /svc:
     
  4. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    I have to agree with most of what you're saying dude, and that's some good info on the PID. As for netstat, I'm sure most of us experienced users here have played in there many a time; I know I have for various reasons ;)

    However, to a lot of users having some sort of firewall is better than having none, and it keeps out most of the wannabe kiddie hackers, and these are the kind who attack your everyday desktop user. The only way to guarantee 100% security is not to plug the phone line in :)

    BTW I'm liking the look of your cmd window, looks sweet :D
     
  5. Adrynalyne

    Adrynalyne Guest

    Gotta give props to robo, he found it for me :D

    I know firewalls are better than nothing, that goes without saying.


    My main point is how everyone tests how good their firewall is by heading to grc.com or another scanner :rolleyes:


    You could have the crappiest firewall in the world pass these scanner tests, and a lot of people will rant and rave over how good it is because they are 'stealth'.
     
  6. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    OK, see your other post about that cmd window, I got to get me some of that

    I hear you man, I tend to take all that 'my firewall is great' stuff with a pinch of salt, but if it makes people happy then I guess it's OK
     
  7. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Nice info Adryn :)


    BUT tell us how you really feel ;)
     
  8. radiot

    radiot Private First Class

    Beyond the firewall

    Interesting thread, a bit over my head, but for me, its sink or swim.

    So what is the best hardware to keep the neighbors out? Is one router better than another?

    D
     
    Last edited: Mar 8, 2004
  9. radiot

    radiot Private First Class

    netstat question

    I ran netstat on my machine and came up with this:

    Does this mean someone is in my machine?
    Thanks,
    D
     
  10. Adrynalyne

    Adrynalyne Guest

    No.

    PID 0 is the system idle process.
     
  11. radiot

    radiot Private First Class

    Sometimes there is a foreign address and sometimes there is not. What is that about?

    Thanks Adrynalyne, I enjoy your posts and avatar.

    D
     
  12. Adrynalyne

    Adrynalyne Guest

    Well... with System Idle Process showing up, it's plausible that it's not showing up sometimes because your computer is not idle.

    I'm not actually sure there, to be honest.

    But if you look at the PID number, and match it up with the System Idle Process, its nothing to even give a second thought about.

    Localhost really isn't a foreign address, but actually your computer.

    127.0.0.1 in fact.

    I'm not positive what System Idle Process is doing showing up with netstat. I'll see if I can find out more about that.

    It happens on my computer too, in the above screenies.
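Adrynalyne's netstat -o / tasklist /svc procedure in the first post, and radiot's netstat question with the replies about PID 0 and 127.0.0.1, boil down to a join between two text tables. Here is that join as a small Python script. This is an added example, not code from the thread or from Microsoft; the netstat and tasklist output is constructed sample text in the Windows XP column layout (the hostnames and the 192.0.2.x / 198.51.100.x addresses are placeholders), and on a real box you would paste in the output of the two commands instead. Connections that no longer have an owning process (for instance sockets left in TIME_WAIT) are reported with PID 0, which Task Manager labels the System Idle Process, so the script marks those as benign; it likewise marks localhost / 127.x connections as staying on the machine. For svchost.exe it carries the hosted service list along, including the wrapped continuation lines tasklist /svc prints, since that list is what you would narrow down with net stop.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `netstat -o` output; not captured from any real host.
SAMPLE_NETSTAT_O = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    workstation:1025       localhost:1026         ESTABLISHED     1492
  TCP    workstation:1026       localhost:1025         ESTABLISHED     1492
  TCP    workstation:1030       localhost:1031         TIME_WAIT       0
  TCP    workstation:1033       192.0.2.10:http        ESTABLISHED     1820
  TCP    workstation:1034       198.51.100.7:https     ESTABLISHED     1020
"""

# Constructed sample of `tasklist /svc` output. Long service lists wrap onto
# indented continuation lines, which the parser has to join back together.
SAMPLE_TASKLIST_SVC = """
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                 1020 RpcSs
svchost.exe                 1492 AudioSrv, Browser, CryptSvc, Dhcp, ERSvc,
                                 EventSystem, lanmanserver, Netman, W32Time
iexplore.exe                1820 N/A
"""


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


@dataclass
class Process:
    name: str
    pid: int
    services: List[str] = field(default_factory=list)


def parse_netstat_o(text: str) -> List[Connection]:
    """Parse `netstat -o` rows: Proto, Local Address, Foreign Address, State, PID."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        # Header and blank lines never have exactly five fields ending in a PID.
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            conns.append(Connection(parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return conns


_TASK_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, services


def _split_services(s: str) -> List[str]:
    return [x.strip() for x in s.split(",") if x.strip() and x.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, Process]:
    """Parse `tasklist /svc` into PID -> Process, joining wrapped service lists."""
    procs: Dict[int, Process] = {}
    current: Optional[Process] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and current is not None:
            current.services.extend(_split_services(line))  # continuation line
            continue
        m = _TASK_ROW.match(line)
        if m:
            current = Process(m.group(1), int(m.group(2)), _split_services(m.group(3)))
            procs[current.pid] = current
    return procs


def is_loopback(address: str) -> bool:
    """True for netstat addresses that point back at this machine."""
    host = address.rsplit(":", 1)[0]
    return host == "localhost" or host.startswith("127.")


def map_connections(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Join each connection to its owning process, as the thread does by hand."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for c in parse_netstat_o(netstat_text):
        proc = procs.get(c.pid)
        if c.pid == 0:
            # No owning process any more (e.g. TIME_WAIT); Task Manager shows
            # PID 0 as the System Idle Process, so this is benign.
            note = "no owning process (System Idle Process)"
        elif is_loopback(c.remote):
            note = "loopback only, stays on this machine"
        else:
            note = "talks to the outside world"
        rows.append({"remote": c.remote, "state": c.state, "pid": c.pid,
                     "process": proc.name if proc else "unknown",
                     # svchost.exe: hosted services to narrow down with `net stop`
                     "services": proc.services if proc else [], "note": note})
    return rows


if __name__ == "__main__":
    for r in map_connections(SAMPLE_NETSTAT_O, SAMPLE_TASKLIST_SVC):
        print(f"{r['remote']:22} {r['state']:12} {r['pid']:>5} {r['process']:20} "
              f"{', '.join(r['services']) or '-'}  [{r['note']}]")
```

Running it prints one line per connection with the owning image name, its hosted services (for svchost.exe) and a note saying whether the connection leaves the machine at all, which is the question the thread is really asking of netstat.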
     
  13. Kodo

    Kodo SNATCHSQUATCH

    AFAIK idle process should always be present.
     
  14. Adrynalyne

    Adrynalyne Guest

    I thought so too Kodo, but it isn't on the workstation I am presently sitting at.

    Not in netstat -o, that is.
     
  15. Kodo

    Kodo SNATCHSQUATCH

    That's odd. I have never seen a workstation without it running.
     
  16. Nothing

    Nothing Private E-2

    Yeah, I agree firewalls aren't the best protection, anyone with experience can hack past them, but thanks for the tricks Adrynalyne. I won't post my screen shot because for some reason it's really really really long, but I have 3 firewalls and a port manager running, but still this is not the best security. Is there really any security measure that works?
     
  17. Robster12

    Robster12 The Horse Whisperer

  18. Adrynalyne

    Adrynalyne Guest

    I'm no security expert, so I can't really comment there Robster.
     
  19. Robster12

    Robster12 The Horse Whisperer

    Well, I gotta start somewhere...

    You could have fooled me, Adrynalyne

    I guess its all a matter of perspective. I tell you, though, you have found your calling in life.
     
  20. viark

    viark Private E-2

    I don't understand, when I do netstat -o it always comes up blank. Why?
     
  21. Adrynalyne

    Adrynalyne Guest

    Erm..


    Not using Windows XP?
     
  22. viark

    viark Private E-2

    Running winxp pro on cable modem. I've tried this 5 or 6 times and all it shows is the headers, nothing on any connection.
     
  23. Jabman

    Jabman Private First Class


    I absolutely agree :). Here is a _very_ nice thread on Stealthed vs Closed ports.

    Best regards,
    Jade.
     
  24. goldfish

    goldfish Lt. Sushi.DC

    I've got a NetBIOS link from "System" to my server, but other than that nothing else. :)
     
  25. snakefoot

    snakefoot Sergeant Major

    I also think the least trouble will be coming from the outside, but more from the inside (users having activated applications (Windows services included) which contact malicious places or act as entry points for control). But I guess even with a strict firewall it would only require a trojan to control a typical application like Internet Explorer to get access outside.

    Also those using Win2k/Win9x without the "netstat -o" can use this application to see what applications are making connections (Though a good firewall should provide this information already):

    http://www.sysinternals.com/ntw2k/source/tcpview.shtml
     
  26. Jabman

    Jabman Private First Class

    Here is another good free TCP/UDP port-to-process mapper :).

    Regards,
    Jade.
     
  27. Adrynalyne

    Adrynalyne Guest

  28. Vlad902

    Vlad902 Guest

    Never heard of it, personally I'd recommend you read stuff online, and just pick stuff up, as I think it's a much better way of learning, but if you really are focused on getting a book, then I'd have to ask more about type of security you are talking about, network security, router security, firewall security, setting up a single box securely, etc.
     
  29. Robster12

    Robster12 The Horse Whisperer

    Wow, thanks for responding Vlad. (I haven't seen you post recently, good to see that again).
    Yes, I bought the book from Amazon.com two days ago with my debit card. The reviews there said it was a good one for beginners, so it will be a place to start, I guess.

    I really just want to begin to secure my one dial-up box. I know that I can't make my computer impervious to attack, I just don't want to be a sitting duck, etc...

    Also, it will teach me more about the services, so that I can cut out the ones that are not needed, perhaps improve the performance, even if it is not perceptible.

    Oh, and I figure that in about another month, I'll be able to start to write a bash script. I'm picking some of that up now, too. Yes!
     
  30. Vlad902

    Vlad902 Guest

    This really isn't complex enough for a book to be needed, I recommend reading some papers online; some good ones include stuff by the Honeynet Project, CERT, etc. Just look online for security stuff and it'll help you out, you don't really need a book for this, as online stuff covers it pretty well and can be considered more up-to-date.
     
  31. Robster12

    Robster12 The Horse Whisperer

    Thank you, Vlad.
    I most certainly will do that. However, I am happy to say that the book came today in the mail. (What is simple material to some of you guys just seems to make my head spin with confusion. So, believe me, it'll get me started).
    You guys would be surprised how cheap I got this thing off amazon.com. It was slightly messed up, what savings.

    Yes, It will be interesting to learn about these things.

    Soon I will be able to read the Cert stuff, etc.
    Looking forward to it.

    Setting up Tripwire, and all that kind of thing...
     
  32. Vlad902

    Vlad902 Guest

    Baah, tripwire, as you delve deeper into security you see why I "Baah" it :)
     
  33. Robster12

    Robster12 The Horse Whisperer

    Yes, right now I just see names that I recognize. It's a real thrill to read about them, etc.
    The book came with a cdrom with some security apps or something on it.
    The chapter on services, runlevels, etc... is exciting enough for me. The ports, so on.
    In that other thread's link I read where you just close the ports down. Don't worry about stealthing them. Just close them down. Don't wait for them to timeout. People can somehow tell that they are just stealthed anyway. Very interesting stuff.
     
  34. Robster12

    Robster12 The Horse Whisperer

    Also, I only have one swap partition and one root partition with everything on it. A newbie's choice.
    But, when Fedora Core 2 is released, but not "beta", I will reformat and put separate partitions, etc..

    Getting there, one step at a time...
     
  35. Vlad902

    Vlad902 Guest

    Hehe, on my Linux test partition (My main desktop is FreeBSD) I just have one root partition, no swap :)


    As for the stealthing/closing, I don't agree. FreeBSD has two options to not return an RST on connect (meaning the port is closed), or the equivalent for UDP connections (net.inet.tcp.blackhole, net.inet.udp.blackhole if anyone cares), and I use it on my server mainly for the fact that they will know that. Most port scanners by default don't set a timeout option unless prompted (for obvious reasons), and I see no reason why not to; really no one except me needs to connect to that server, and I know what ports need to be connected to, so no reason as to why not let people connecting time out.
     
  36. Robster12

    Robster12 The Horse Whisperer

    It's a pleasure to get feedback from you, Vlad. You're my "USENET" :)
    There's so much to learn.
    But it can be done, I'm not giving up.
    Oh, while I "have your ear", I plan to familiarize myself generally with the linux, including the bash shell, get to write a few scripts, THEN I figure....
    C language. Isn't that the one? Doesn't ESR allude to writing a device driver as being a lofty goal?
    But anyway, even if I'm scrambling right now, I am at least acquiring some know-how.

    Oh, and I STILL must read The Cathedral and the Bazaar. Man, what a gas this whole OSS thing is! I just surely hope the "Darth Vaders" of the world (you know who they are) don't win...

    You're a Guru, Vlad, a guru, no less!!! :cool:
     
  37. Vlad902

    Vlad902 Guest

    Not a device driver (although my C is still too rusty to even write one, so it would be a goal for me), he says that the expert hacker would write his own kernel, but few actually reach this goal and most get stuck in the eternal land of debugging. Would be much more productive to hack a kernel rather than just hack up your own, but hey, if sodomy is your thing. :)


    EDIT: Just remember too, UDP is connection-less so it needs a special reply to signify that the port is closed (Forgot the proper name), so if you make UDP a blackhole every port turns up as open, this is actually one of the problems with Windows, it doesn't send back the reply (Not conforming to the RFC) so it's a bit screwy.
     
    Last edited by a moderator: Mar 17, 2004
  38. Robster12

    Robster12 The Horse Whisperer

    Well, if I ever get to the point where I can run linux comfortably, and then participate in the "debugging festivities" the right way... logs, the whole bit, in order to help out even just a little,
    I'll be happy w/ myself.

    Now about that sodomy thing...
    No, I think I'll let others hack their own kernel! :p

    Me, I just want to get the config scripts worked out right! :p :p
     
  39. morlok

    morlok Private E-2

    Try LPS - local port scanner:
    <snip>
    Copyright 1997-2001 JPSoft DK, All rights reserved.
    Internet: http://www.jpsoft.dk
    Email: info@jpsoft.dk
    <snip>

    It scans at least 32K of them.
    You might see about getting it on MG.

    edit: I forgot to add, it's freeware
     
