auth / ident port 113

oldman420

Platinum Member
May 22, 2004
2,179
0
0
I am a bit of a beginner... total beginner at Linux, but I am up and running SUSE 10.
I went to grc.com and did a port scan and failed the stealth test.
port 113
auth / ident
is closed not stealthed.
is this a problem and if it is how do I fix it?
thanks folks
om420
 

John

Moderator Emeritus, Elite Member
Oct 9, 1999
33,944
1
0
Closed is better than open

You could always forward port 113 to an invalid LAN IP.
 

oldman420

Platinum Member
May 22, 2004
2,179
0
0
but doesn't a closed port give an attacker a target to pick at?
I'm not overly worried as SUSE seems safe and stable so far but just curious.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Stealth doesn't mean anything useful. Don't worry about it.

A closed port means nothing is listening on it, and it has a MUCH MUCH MUCH MUCH MUCH MUCH smaller chance of being a target. Attackers usually go for applications utilizing ports; going after a closed port would require some HUGE hole in the kernel's TCP/IP implementation.
 

oldman420

Platinum Member
May 22, 2004
2,179
0
0
so it's like a battleship floating through a bunch of inflatable boats armed with paintball guns.
that works for me sir thanks
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: oldman420
so it's like a battleship floating through a bunch of inflatable boats armed with paintball guns.
that works for me sir thanks

Basically. :beer:
 

Corey0808

Senior member
Sep 26, 2003
463
0
0
Are you familiar with IPTables? If so and it's installed on your machine (and if your machine is not a gateway to other machines), try this:

EXTIF=eth0 # Interface reaching the internet
IPT=/usr/bin/iptables # Location of the executable
# Silently drop new inbound connections to the ident port (113/tcp)
$IPT -A INPUT -i $EXTIF -p tcp --dport auth -m state --state NEW -j DROP

If your machine is a gateway add the following line
$IPT -A FORWARD -i $EXTIF -p tcp --dport auth -m state --state NEW -j DROP

Hope this helps. Post if you have any questions.


::EDIT:: I also wanted to add my two cents to this. n0cmonkey says that stealth doesn't mean anything useful and don't worry about it. I disagree here. If you have your computer configured to not respond to ping, yet they run a port scan and this shows up as closed and not stealthed, the attacker now knows that there is a machine there. Yet, if it is stealthed there is a better chance an attacker won't realize there is a machine at that location. I hope I've helped.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Corey0808
Are you familiar with IPTables? If so and it's installed on your machine (and if your machine is not a gateway to other machines), try this:

EXTIF=eth0 # Interface reaching the internet
IPT=/usr/bin/iptables # Location of the executable
# Silently drop new inbound connections to the ident port (113/tcp)
$IPT -A INPUT -i $EXTIF -p tcp --dport auth -m state --state NEW -j DROP

If your machine is a gateway add the following line
$IPT -A FORWARD -i $EXTIF -p tcp --dport auth -m state --state NEW -j DROP

Hope this helps. Post if you have any questions.


::EDIT:: I also wanted to add my two cents to this. n0cmonkey says that stealth doesn't mean anything useful and don't worry about it. I disagree here. If you have your computer configured to not respond to ping, yet they run a port scan and this shows up as closed and not stealthed, the attacker now knows that there is a machine there. Yet, if it is stealthed there is a better chance an attacker won't realize there is a machine at that location. I hope I've helped.

If there is absolutely no response they also know a machine is there. No response is pretty much the same as a response. What response does someone get when there is no machine attached to an IP address the person is trying to connect to? Do they get no response from anyone?
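The outcomes being argued about in this thread, seen from the scanner's side, as an added example that is not from any poster: a plain TCP connect() tells "open", "closed" and "stealthed" apart by what comes back. The function name and the labels are this example's own; run it only against a machine you administer.

```python
import errno
import socket


def probe_tcp_port(host, port, timeout=5.0):
    """Classify one TCP port by how a plain connect() attempt ends."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # SYN/ACK came back: something is listening
    except ConnectionRefusedError:
        return "closed"      # RST came back: host is up, nothing listening
    except socket.timeout:
        return "filtered"    # silence: the SYN was dropped ("stealth")
    except OSError as exc:
        # An ICMP unreachable came back, for example from a router
        # when no host answers at that address.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


if __name__ == "__main__":
    # The ident port on the local machine.
    print("113/tcp:", probe_tcp_port("127.0.0.1", 113))
```

A DROP rule for port 113 moves the result from "closed" to "filtered"; neither result means a service is exposed.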
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
proper security is > "stealthing" ports

Steve might have a full sixpack, but he lacks the plastic thingy to hold it together (imho)
 

Corey0808

Senior member
Sep 26, 2003
463
0
0
Originally posted by: n0cmonkey
Originally posted by: Corey0808
If there is absolutely no response they also know a machine is there.

Could you elaborate on this a little please? I'm interested.

The lack of ICMP host/network unreachables gives you away.


That's what I figured. Thanks.

oldman420 ---

There are a couple of ways you could go about making your machine not respond to a ping. I'm not that familiar with SUSE 10 so I'm just shooting from the hip here. Try looking for a file called /etc/sysctl.conf. In that file there is a line that looks like the following:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Make sure it is uncommented and set to 1. Making changes to this file will be saved upon reboot so it's the optimum place to make the change. There are also some other variables in that file that should be changed too. They are:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

I hope this helps!

::EDIT:: Just a quick note. Sysctl support has to be enabled in the kernel for this file to exist.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Corey0808
::EDIT:: I also wanted to add my two cents to this. n0cmonkey says that stealth doesn't mean anything useful and don't worry about it. I disagree here. If you have your computer configured to not respond to ping, yet they run a port scan and this shows up as closed and not stealthed, the attacker now knows that there is a machine there. Yet, if it is stealthed there is a better chance an attacker won't realize there is a machine at that location. I hope I've helped.
So basically security by obscurity? Even if an attacker couldn't tell the difference between stealthed ports and no machine, stealthing does no good. Assuming 113 is closed, there are two possible outcomes of a portscan: 1) every port is closed (or stealthed) or 2) some other port is open.

In case of 1) you should have nothing to worry about anyways, as n0cmonkey pointed out.

In case of 2) they're not going to care about 113, since they found another open port.
 

Corey0808

Senior member
Sep 26, 2003
463
0
0
Originally posted by: kamper
So basically security by obscurity?

That's the name of the game. Those network configurations are typical of firewalls out in the real world. I didn't come up with this stuff. It's just common practice, as nweaver said.


 

oldman420

Platinum Member
May 22, 2004
2,179
0
0
Sad to say but I got used to being stealthed by ZoneAlarm.
I am sure that it is better to be invisible vs closed and visible.
I will try the tricks listed here as I am getting a better grip on Linux as the days go by.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: oldman420
Sad to say but I got used to being stealthed by ZoneAlarm.
I am sure that it is better to be invisible vs closed and visible.
I will try the tricks listed here as I am getting a better grip on Linux as the days go by.

Want to be invisible? Unplug your connection. Anything less and you're quite visible.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Corey0808
Originally posted by: kamper
So basically security by obscurity?

That's the name of the game. Those network configurations are typical of firewalls out in the real world.
Why, because it makes you feel better for having spent more time configuring them? It doesn't offer you any security.
I didn't come up with this stuff. It's just common practice, as nweaver said.
Care to point out exactly where he said that?
 

oldman420

Platinum Member
May 22, 2004
2,179
0
0
Originally posted by: Corey0808
Originally posted by: n0cmonkey
Originally posted by: Corey0808
If there is absolutely no response they also know a machine is there.

Could you elaborate on this a little please? I'm interested.

The lack of ICMP host/network unreachables gives you away.



I indeed found that file and here it is:
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding
#net.ipv6.conf.all.forwarding = 1



What is a Smurf amplifier?

That's what I figured. Thanks.

oldman420 ---

There are a couple of ways you could go about making your machine not respond to a ping. I'm not that familiar with SUSE 10 so I'm just shooting from the hip here. Try looking for a file called /etc/sysctl.conf. In that file there is a line that looks like the following:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Make sure it is uncommented and set to 1. Making changes to this file will be saved upon reboot so it's the optimum place to make the change. There are also some other variables in that file that should be changed too. They are:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

I hope this helps!

::EDIT:: Just a quick note. Sysctl support has to be enabled in the kernel for this file to exist.

 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I went to grc.com and did a port scan and failed the stealth test.

I really wish Steve Gibson would go away. He seems like a pretty smart guy, but he picks the absolute stupidest things to focus on. I can't believe people still take him seriously after the whole chicken little thing he did about the raw sockets in XP.

There are a couple of ways you could go about making your machine not respond to a ping. I'm not that familiar with SUSE 10 so I'm just shooting from the hip here. Try looking for a file called /etc/sysctl.conf. In that file there is a line that looks like the following:

net.ipv4.icmp_echo_ignore_broadcasts = 1

That will only stop the kernel from responding to broadcast pings, i.e. if I ping 10.0.0.255.

Sad to say but I got used to being stealthed by ZoneAlarm.

Yes, the placebo effects from some software can be nice.

I am sure that it is better to be invisible vs closed and visible.

The result is the same as long as your box is secure. IMO you have a better chance of being attacked via email or a malicious website than you do some worm on the Internet these days. As n0c said, if you want to be truly secure, unplug your connection to the Internet; all of the tricks in the world won't help you if you're running old, unpatched or otherwise insecure software.
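An added example, not from any poster: a small audit that parses a sysctl.conf and reports which of the values recommended in Corey0808's post are missing or set differently. The sample input is the file contents oldman420 posted; the function names are this example's own, and it reads the file only, not the running kernel's values.

```python
# Values recommended in the thread (Corey0808's post).
RECOMMENDED = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",  # broadcast pings only
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
}

# The sysctl.conf contents oldman420 posted in this thread.
SAMPLE_CONF = """\
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding
#net.ipv6.conf.all.forwarding = 1
"""


def parse_sysctl_conf(text):
    """Return the active key/value pairs; '#' and ';' lines are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(text, recommended=RECOMMENDED):
    """Map each recommended key that is absent or different to a finding."""
    active = parse_sysctl_conf(text)
    findings = {}
    for key, want in recommended.items():
        have = active.get(key)
        if have is None:
            findings[key] = "not set in file"
        elif have != want:
            findings[key] = "is %s, thread recommends %s" % (have, want)
    return findings


if __name__ == "__main__":
    for key, problem in audit(SAMPLE_CONF).items():
        print("%s: %s" % (key, problem))
```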
 