Forums

Home Forums General Configuration Port Stealth

Port Stealth

This topic contains 10 replies, has 3 voices, and was last updated by  plook 3 years, 3 months ago.

Viewing 11 posts - 1 through 11 (of 11 total)
  • Author
    Posts
  • #574

    plook
    Participant

    Hi, I’m an IT professional, so this is not my first router configuration rodeo. So far I am pleased with the pcWRT and the parental controls it offers above the open-source openWRT.

    I have Time Warner internet service with my pcWRT router connected directly to a modem port getting the full 35+/5+ Mbps speed I’m paying for. This is much better than some other routers I’ve used. However, whenever I configure a router, I use the free web utility from GRC called “Shields Up” to scan all internet-visible ports to ensure there are no “holes”. (I’ll not post the link here as it is easy to find by Googling “shields up”.) The website scans all TCP/IP ports of your IP and, preferably, no port will reply (“open” or “closed”) but rather give no answer at all (“stealth”). This is ideal because the hacker/attacker can’t be sure anything’s there.

    Unlike the other routers I’ve used, the pcWRT replies “closed” for nearly every port, with a handful of ports reporting “stealth” (no reply). While there are no open ports, having unused ports that actually reply “closed” are the next worst thing. Some routers have a checkbox for turning off ports like IDENTD, but I don’t see where pcWRT has any option for controlling the desired default behavior of ports. There are 7 ports already “stealth” (eg. ports 444 and 593) so it would appear that allowing the remaining ports to simply not respond to the request is possible.

    Is it possible to default ports to stealth in a future firmware release? Thanks.

    ———————————————————————-

    GRC Port Authority Report created on UTC: 2016-04-14 at 14:38:50

    Results from scan of ports: 0-1055

    0 Ports Open
    1049 Ports Closed
    7 Ports Stealth
    ———————
    1056 Ports Tested

    NO PORTS were found to be OPEN.

    Ports found to be STEALTH were: 135, 136, 137, 138, 139, 445,
    593

    Other than what is listed above, all ports are CLOSED.

    TruStealth: FAILED – NOT all tested ports were STEALTH,
    – NO unsolicited packets were received,
    – A PING REPLY (ICMP Echo) WAS RECEIVED.

    GRC Shields Up!

    #575

    support
    Participant

    Thanks for bringing this up. We’ll look into this and reply here.

    #578

    support
    Participant

    @plook Thanks for the suggestion. We’ll switch to stealth mode in a future update…coming in about a week.

    #580

    support
    Participant

    @plook Release v1.20.1 switched the WAN side ports to “stealth” mode. You should be able to upgrade to this version by clicking the “Check for Updates” button in System settings.

    #583

    plook
    Participant

    Thank you for your fast response. I have to say that in all my experience with hardware vendors, I’ve never experienced this level of quick turnaround on a firmware issue. Kudos to the pcWRT team!

    Unfortunately, I must tell you that the latest firmware did not correct the port stealth issue. After updating, rebooting and then power cycling the router, I see the same 7 ports as stealth and the remainder as closed. Firmware version is reported as: pcWRT TORONTO-N v1.20.1

    My hardware configuration for testing is as follows:

    1. GRC Sheilds Up in Chrome browser
    2. Windows 7 Pro x64 on i5 laptop over wifi connection to pcWRT
    3. pcWRT WAN port connected to LAN port 2 of Time Warner cable modem:
    4. ARRIS TG1672G Touchstone Residential Gateway (Version 6 / DOCSIS 3.0 / PacketCable 2.0)

    My Linksys router on Port 1 of the cable modem shows all ports in stealth mode.
    When I have some time, I will move the pcWRT router to another modem port and/or connect a different router to Port 2 of the modem to see if the problem follows the router or stays with the port, just to make sure the problem is not mine.

    I should also point out that the pcWRT responds to an ICMP ping request whereas the Linksys router does not. This is another important factor in true stealth as ping is the most common and readily available test of an IP in use. I’ve attached the most recent scan results below:

    ----------------------------------------------------------------------
    
    GRC Port Authority Report created on UTC: 2016-04-17 at 17:55:16
    
    Results from scan of ports: 0-1055
    
        0 Ports Open
     1049 Ports Closed
        7 Ports Stealth
    ---------------------
     1056 Ports Tested
    
    NO PORTS were found to be OPEN.
    
    Ports found to be STEALTH were: 135, 136, 137, 138, 139, 445, 
                                    593
    
    Other than what is listed above, all ports are CLOSED.
    
    TruStealth: FAILED - NOT all tested ports were STEALTH,
                       - NO unsolicited packets were received,
                       - A PING REPLY (ICMP Echo) WAS RECEIVED.
    
    ----------------------------------------------------------------------
    
    • This reply was modified 3 years, 4 months ago by  plook.
    • This reply was modified 3 years, 4 months ago by  plook.
    • This reply was modified 3 years, 4 months ago by  plook.
    • This reply was modified 3 years, 4 months ago by  plook.
    #589

    support
    Participant

    Just so I understand your setup, your connections are like this:

    Arris TG1672G
    |  
    |----- Linksys
    |----- pcWRT
    |----- 
    |----- 
    

    When you connect your PC to Linksys and do Shields Up test via the Chrome browser, all ports are reported in stealth mode.

    When you connect your PC to pcWRT and do Shields Up test via the Chrome browser, all ports are reported closed, except for the 7 in stealth mode.

    I’m thinking that the results should be the same either way, since connections from the WAN side arrive at the Arris gateway first. Unless the Linksys is a DMZ host. Can you check that?

    #591

    plook
    Participant

    Just so I understand your setup, your connections are like this:

    That is correct. Both router WAN ports connect to the LAN distribution of the Arris cable modem. Both routers are assigned internet IP addresses. However, Port 1 gets a 71.x.x.x address while ports 2,3,4 get a 24.x.x.x IP address. For this reason I want to hang a LinkSys on a port other than 1 to see if true stealth is attainable.

    When you connect your PC to Linksys and do Shields Up test via the Chrome browser, all ports are reported in stealth mode.

    Correct. See exception below.

    When you connect your PC to pcWRT and do Shields Up test via the Chrome browser, all ports are reported closed, except for the 7 in stealth mode.

    Also correct.

    I’m thinking that the results should be the same either way, since connections from the WAN side arrive at the Arris gateway first. Unless the Linksys is a DMZ host. Can you check that?

    The LinkSys is not set to DMZ, but I am serving HTTP on port 80 with a port forward. However, when I disable the port forward, I do pass Shields Up’s true stealth test. Kids are in school now, so I’ll drop a LinkSys on Port 2, run the test and report back.

    Thanks.

    #592

    plook
    Participant
    1. Put pcWRT on port 3. Scan results did not change:
    2. GRC Port Authority Report created on UTC: 2016-04-19 at 15:01:38
      
      Results from scan of ports: 0-1055
      
          0 Ports Open
       1049 Ports Closed
          7 Ports Stealth
      
    3. Put LinkSys on Port 2. Scan results full stealth.
    4. Curiously TW assigned a 71.x.x.x. to the Linksys whereas pcWRT was assigned 24.x.x.x. Must be MAC Vendor ID-dependent.

    5. Synopsis: Problem follows pcWRT router, not the Arris port.
    6. pcWRT TORONTO-N v1.20.1 does not appear to set port stealth as default. To my knowledge there is no setting for this in Setup.

    #594

    support
    Participant

    Thanks for the update. I think your Arris gateway is in bridge mode. I missed that part earlier. We’ll do some more research and report back.

    #599

    pcwrt
    Keymaster

    @plook Please try the latest version v1.20.2. We added check boxes in network settings so that you can choose to turn stealth mode on/off, or block/allow ping.

    #603

    plook
    Participant

    You guys nailed it. After I remembered to turn on stealth mode and block ping, the true stealth tests passed.

    Thanks for the timely response!

    ----------------------------------------------------------------------
    
    GRC Port Authority Report created on UTC: 2016-04-23 at 05:02:51
    
    Results from scan of ports: 0-1055
    
        0 Ports Open
        0 Ports Closed
     1056 Ports Stealth
    ---------------------
     1056 Ports Tested
    
    ALL PORTS tested were found to be: STEALTH.
    
    TruStealth: PASSED - ALL tested ports were STEALTH,
                       - NO unsolicited packets were received,
                       - NO Ping reply (ICMP Echo) was received.
    
    ----------------------------------------------------------------------
Viewing 11 posts - 1 through 11 (of 11 total)

You must be logged in to reply to this topic.