Port Stealth

[plook]

Hi, I’m an IT professional, so this is not my first router configuration rodeo. So far I am pleased with the pcWRT and the parental controls it offers above the open-source openWRT.

I have Time Warner internet service with my pcWRT router connected directly to a modem port getting the full 35+/5+ Mbps speed I’m paying for. This is much better than some other routers I’ve used. However, whenever I configure a router, I use the free web utility from GRC called “Shields Up” to scan all internet-visible ports to ensure there are no “holes”. (I’ll not post the link here as it is easy to find by Googling “shields up”.) The website scans all TCP/IP ports of your IP and, preferably, no port will reply (“open” or “closed”) but rather give no answer at all (“stealth”). This is ideal because the hacker/attacker can’t be sure anything’s there.

Unlike the other routers I’ve used, the pcWRT replies “closed” for nearly every port, with a handful of ports reporting “stealth” (no reply). While there are no open ports, having unused ports that actually reply “closed” are the next worst thing. Some routers have a checkbox for turning off ports like IDENTD, but I don’t see where pcWRT has any option for controlling the desired default behavior of ports. There are 7 ports already “stealth” (eg. ports 444 and 593) so it would appear that allowing the remaining ports to simply not respond to the request is possible.

Is it possible to default ports to stealth in a future firmware release? Thanks.

———————————————————————-

GRC Port Authority Report created on UTC: 2016-04-14 at 14:38:50

Results from scan of ports: 0-1055

0 Ports Open
1049 Ports Closed
7 Ports Stealth
———————
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be STEALTH were: 135, 136, 137, 138, 139, 445,
593

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED – NOT all tested ports were STEALTH,
– NO unsolicited packets were received,
– A PING REPLY (ICMP Echo) WAS RECEIVED.

[support]

Thanks for bringing this up. We’ll look into this and reply here.

[support]

@plook Thanks for the suggestion. We’ll switch to stealth mode in a future update…coming in about a week.

[support]

@plook Release v1.20.1 switched the WAN side ports to “stealth” mode. You should be able to upgrade to this version by clicking the “Check for Updates” button in System settings.

[plook]

Thank you for your fast response. I have to say that in all my experience with hardware vendors, I’ve never experienced this level of quick turnaround on a firmware issue. Kudos to the pcWRT team!

Unfortunately, I must tell you that the latest firmware did not correct the port stealth issue. After updating, rebooting and then power cycling the router, I see the same 7 ports as stealth and the remainder as closed. Firmware version is reported as: pcWRT TORONTO-N v1.20.1

My hardware configuration for testing is as follows:

1. GRC Sheilds Up in Chrome browser
2. Windows 7 Pro x64 on i5 laptop over wifi connection to pcWRT
3. pcWRT WAN port connected to LAN port 2 of Time Warner cable modem:
4. ARRIS TG1672G Touchstone Residential Gateway (Version 6 / DOCSIS 3.0 / PacketCable 2.0)

My Linksys router on Port 1 of the cable modem shows all ports in stealth mode.
When I have some time, I will move the pcWRT router to another modem port and/or connect a different router to Port 2 of the modem to see if the problem follows the router or stays with the port, just to make sure the problem is not mine.

I should also point out that the pcWRT responds to an ICMP ping request whereas the Linksys router does not. This is another important factor in true stealth as ping is the most common and readily available test of an IP in use. I’ve attached the most recent scan results below:

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2016-04-17 at 17:55:16

Results from scan of ports: 0-1055

    0 Ports Open
 1049 Ports Closed
    7 Ports Stealth
---------------------
 1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be STEALTH were: 135, 136, 137, 138, 139, 445, 
                                593

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

• This reply was modified 8 years ago by plook.
• This reply was modified 8 years ago by plook.
• This reply was modified 8 years ago by plook.
• This reply was modified 8 years ago by plook.

[support]

Just so I understand your setup, your connections are like this:

Arris TG1672G
|  
|----- Linksys
|----- pcWRT
|----- 
|----- 

When you connect your PC to Linksys and do Shields Up test via the Chrome browser, all ports are reported in stealth mode.

When you connect your PC to pcWRT and do Shields Up test via the Chrome browser, all ports are reported closed, except for the 7 in stealth mode.

I’m thinking that the results should be the same either way, since connections from the WAN side arrive at the Arris gateway first. Unless the Linksys is a DMZ host. Can you check that?

[plook]

Just so I understand your setup, your connections are like this:

That is correct. Both router WAN ports connect to the LAN distribution of the Arris cable modem. Both routers are assigned internet IP addresses. However, Port 1 gets a 71.x.x.x address while ports 2,3,4 get a 24.x.x.x IP address. For this reason I want to hang a LinkSys on a port other than 1 to see if true stealth is attainable.

When you connect your PC to Linksys and do Shields Up test via the Chrome browser, all ports are reported in stealth mode.

Correct. See exception below.

When you connect your PC to pcWRT and do Shields Up test via the Chrome browser, all ports are reported closed, except for the 7 in stealth mode.

Also correct.

I’m thinking that the results should be the same either way, since connections from the WAN side arrive at the Arris gateway first. Unless the Linksys is a DMZ host. Can you check that?

The LinkSys is not set to DMZ, but I am serving HTTP on port 80 with a port forward. However, when I disable the port forward, I do pass Shields Up’s true stealth test. Kids are in school now, so I’ll drop a LinkSys on Port 2, run the test and report back.

Thanks.

[plook]

1. Put pcWRT on port 3. Scan results did not change:

GRC Port Authority Report created on UTC: 2016-04-19 at 15:01:38

Results from scan of ports: 0-1055

    0 Ports Open
 1049 Ports Closed
    7 Ports Stealth

2. Put LinkSys on Port 2. Scan results full stealth.

Curiously TW assigned a 71.x.x.x. to the Linksys whereas pcWRT was assigned 24.x.x.x. Must be MAC Vendor ID-dependent.



3. Synopsis: Problem follows pcWRT router, not the Arris port.

pcWRT TORONTO-N v1.20.1 does not appear to set port stealth as default. To my knowledge there is no setting for this in Setup.

[support]

Thanks for the update. I think your Arris gateway is in bridge mode. I missed that part earlier. We’ll do some more research and report back.

[pcwrt]

@plook Please try the latest version v1.20.2. We added check boxes in network settings so that you can choose to turn stealth mode on/off, or block/allow ping.

[plook]

You guys nailed it. After I remembered to turn on stealth mode and block ping, the true stealth tests passed.

Thanks for the timely response!

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2016-04-23 at 05:02:51

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

----------------------------------------------------------------------

[Author]

Posts