Just curious: after a port scan, my port 80 shows closed, along with the typical ports that show closed with shorewall after a sygate scan: 80, 113, 135, 139, 145. One odd thing: first scan showed port 22 open. Subsequent scans showed blocked or stealth on 22. Auto defense???

Anyway, unless you could be completely stealth, is there any advantage to stealth as opposed to closed, since a hacker might be more enticed by a stealth machine anyway? I am asking because in the above I could drop net fw tcp 80 for stealth; would that help my security?

Thanks,
Mike

On Sunday 28 September 2003 21:00, Mike Lander wrote:
> Anyway unless you could be completely stealth is there any advantage to
> stealth as opposed to closed since a hacker might be more enticed by a
> stealth machine anyway?

Well, it takes longer to probe for a "stealthed" port, as you just don't send anything back. For a closed port you get a packet back from the OS (RST ACK) telling you the port is closed. With DROP, you just don't get an answer.

Good idea to put a reject rule on port 113 if you regularly connect to IRC servers. Or on any of the "proxy ports" some IRC servers check for, so you don't have to wait for aeons.

> I am asking because in the above I could drop net fw tcp 80 for stealth;
> would that help my security?

Well, maybe you hide something behind that port 80 with DROP? Or maybe you just put DROP to make someone think you have something to hide? Maybe the port is just closed if it says closed, or maybe you just exhibit the same behaviour as the OS would by itself if the port is closed, but it really isn't and you just have a reject rule?

Honestly, I don't know what to tell you but this: whatever you do, Murphy will help the attacker think what is right for him :P

Alex
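
Added example, not part of either message above: a small Python check that shows the difference Alex describes between a port that answers with RST ("closed") and one that answers with nothing ("stealth", DROP), including how long each answer takes. The function names and the loopback demo are constructed for illustration.

```python
import socket
import time


def probe(host, port, timeout=1.0):
    """One TCP connect attempt; returns (state, seconds).

    open     - handshake completed
    closed   - an RST came back (the OS answer for a closed port, or a reject rule)
    filtered - no answer before the timeout (DROP, what scanners call "stealth")
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:
        state = "filtered"
    except OSError:
        state = "error"  # e.g. ICMP unreachable or no route
    finally:
        sock.close()
    return state, time.monotonic() - start


def demo_loopback(timeout=1.0):
    """Constructed demo on 127.0.0.1: a listening port and a non-listening one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))  # bound but never listening: SYNs get an RST
    try:
        return (probe("127.0.0.1", listener.getsockname()[1], timeout),
                probe("127.0.0.1", spare.getsockname()[1], timeout))
    finally:
        listener.close()
        spare.close()


if __name__ == "__main__":
    for state, secs in demo_loopback():
        print(f"{state:8s} answered in {secs:.4f}s")
    # A DROPped port would come back as "filtered" only after the full timeout.
```

Pointing probe() at your own firewall's address from the net side shows which of the three answers a given rule actually produces.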