Do I need these services listening?

I am running XP Pro with an always-on DSL connection. I was told I should cut off all services exposed to the internet that "listen" in the background, to avoid being exploited for attack. I've pared down most unnecessary services, but I'm not sure about the more mysterious (mostly) Windows services that remain. Can anyone tell me if I can stop them from "listening", and thereby cut off all programs that listen and possibly prevent hackers with scanners from knowing my machine exists?

This is what I have according to "WhoIsConnected".... (a great, free network connection monitoring program)

LISTENING (Protocol: TCP, Remote Address: 0.0.0.0.0):
========================================
personal firewall (port: 44334)
anti-virus (ports: 1110, 1125)
svchost (port: epmap)
system (port: microsoft-ds)
system (port: netbios-ssn)
(n.b.: I have a small home LAN network with local file & printer sharing, so I don't think I can disable NetBIOS without cutting off the LAN services)

- - (Protocol: UDP, Remote Address: *.*) (The status of all entries here is represented by two dashes; not sure, but I assume it means not listening)
========================================
system (port: microsoft-ds)
system (port: netbios-ssn)
system (port: 138)
svchost (ports: 1309, 1056, 123)
lsass (ports: 500, 4500)
personal firewall (port: 44334)

Reply to
Rod

I forgot to mention, I already have my LAN connected to a router, running NAT and SPI, along with a software-based personal firewall. I guess if it is correct that the services mentioned in my first post are only listening on the LAN and not the internet, I am safe. I am not worried about laptops since I don't own one or let anyone other than my wife use the second computer in my two-computer LAN.

HOWEVER.... according to various port scanners that I ran on my system, I have a number of ports open, one of them being the troubling port 135. I don't know if I should be asking the scanners to scan the current IP address (it is dynamically assigned every time I connect) of my ISP's DSL connection. But I assumed that I should enter the two private IP addresses used by my two-computer LAN. I ran the tests on the second computer in my LAN (the one not physically connected to the modem & router). These are the ports that the scanners "agree" are open (some scanners found more ports than this... who knows who to trust?!)

PORTS: 25,110,135,139,445, 1110,1125

Now the online scanners, such as GRC or AuditMyPC show ALL ports closed and stealthed, whether the router's FW is off or the PFW is off. Is this because I entered my LAN's private addresses in the software scanners or because the online scanners are not giving me the real truth? Because if those ports are indeed open to attack, I'm not sure how to shut them off, since my firewall rules should have covered them (particularly 135, which I went to considerable effort to ensure it is not open, after receiving a Blaster attack on this port).


Reply to
rodlinkowitz

The best way to do that with Windows XP is to use an ADSL modem with a built-in NAT router. This is sometimes referred to as an ADSL router. NAT ignores incoming requests to connect to services because it does not know where they should go unless it is configured to forward specific requests to a specific PC. I would advise you to run some of these to see how you really look to the outside.

formatting link
Get yourself a NAT box or a modem with built-in NAT and repeat the test. When you are behind NAT you don't need to worry about what services are listening, because they are not listening to the Internet; they are only listening to your LAN.

Jason

Reply to
Jason Edwards

It is true that you need to be careful with what is on your LAN; otherwise malware could spread to other computers on your LAN. I don't allow laptops brought in by others on my own LAN. They can have a separate firewalled Internet connection if they want, but not a direct connection to my LAN.

Jason

Reply to
Jason Edwards

It depends whether you carry laptops from the outside in. If you fear that someone/you carries in a laptop with infection these services certainly may have effects.

So it still may be a good idea to close as much as possible.

Gerald

Reply to
Gerald Vogt

I'm not sure what to make of those two scanning services (GRC and AMPC) because they both show me that port 1720 is open on my PC. This is despite the fact that I have disabled the NetMeeting service and created an advanced rule in my firewall to block incoming traffic on that port. I've also used several port monitoring tools (Active Ports from Sysinternals), Sygate's built-in monitor, and netstat to determine if it is indeed open. The jury is still out. :\

At any rate you have a few choices- you can either disable the open ports using IPsec (comes with windows)

Great Tutorial:

formatting link
Or maybe you can create a special rule in your firewall. (With sygate, its pretty easy)

Reply to
Anti_Freak_Machine

The best way is to have a NAT router or small firewall connected to your DSL modem and then connect your network to the firewall. However, if you do not have a NAT router or firewall, you can use IP security policy on your computer to control who can connect to your computer.

Reply to
William L. Sun

No. I simply have an email program, like most people. I have a very simple LAN setup, really. DSL modem, Netgear RP614 router, and a second computer connected via Ethernet cable to the first computer (which hosts the modem and router). I was saying the second computer was not physically connected to the DSL modem, but of course, it is connected to the router via the cable. It isn't that the online scanners find open ports. I'm secure according to the online scanners. It's the software scanners that have found the previously mentioned ports open.

I ran more software scanning programs today, using my ISP's dynamic IP address instead of the private IP address on the secondary computer in my LAN (the one that does not have the modem). The results were similar, all saying ports 25 and 110 were open, and most saying 135, 139 and 445 were open. Port monitors show these ports as listening, but the big question in my mind is, is the internet able to 'hear' them, or is it only the local network? Again, online scanners show all ports stealthed, so I don't know which is more accurate.

Reply to
rodlinkowitz

I think I don't understand your setup correctly. You have a DSL modem that connects to the DSL splitter and the NAT router. Connected to the NAT router are the computers. All computers in your LAN (which should be really all of your computers) have private IP addresses (e.g. 192.168.1.1 or similar; anything with 192.168 in the beginning, most likely). Your NAT router then will have an IP address assigned by your ISP, and if you do an online scan from any computer inside the network, all that gets scanned is the NAT router, which should not have any open ports. That's what I think it is supposed to be.

You write about a second computer that is not physically connected to the modem & router. This is weird. Any computer inside your LAN must be connected to the router (wired or wireless connection). How do you connect the second computer to the router or wherever you connect it? If the second computer is not connected to the router, how does it have internet connections? Which NAT router do you use?

Anyway, if an online scanner in the internet does detect an open port, there is something wrong with your setup and you may be vulnerable. What I find most confusing is the reports on open ports like 25 and 110. 25 is SMTP and 110 is POP. Do you run an e-mail and POP server on your system?

Gerald

Reply to
Gerald Vogt

Port 135

start dcomcnfg.exe (sorry, mine is in German, so I hope you still find it.)

- open branch component services (the first one in my list)

- open branch computer (the only one in the sublist)

- right-click My computer and open properties.

- select the tab General/Standard Settings/Properties(??).

- deselect the checkbox "DCOM (Distributed COM)" to deactivate DCOM.

- select the tab standard protocols

- remove all protocols listed.

- OK the window

- close the dcomcnfg window.

- reboot

- this should close port 135.

Port 445 (microsoft-ds)

Add a registry entry to the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

add a DWORD there named "SMBDeviceEnabled" and set the value to 0 (zero).

After a reboot this should close port 445.

That makes it a little bit more tricky. The easiest thing would be to bind file sharing services to IPX/SPX/NetBEUI protocol. This is non-routable i.e. it cannot go into the internet. If you have that you can unbind it from IP and it should close the IP ports.

If you want to stick with IP then you won't be able to close the netbios ports 137, 138, 139 on the serving computer. You can get them closed on the clients, however, with the disadvantage that you lose automatic netbios name resolution. If you access the server only by IP address it still works. You can create your own entries in the hosts file if you assign fixed local addresses to the computers in your network.

To do so on the client, open the properties window of the network connection (i.e. the Local Network Connection). On the client, make sure that "File- and printer sharing in microsoft networks" is disabled (no checkmark). This binding is the server side which you won't need on the client. You need the "Client for Microsoft Networks" though so leave it enabled. Next, select the "Internet Protocol (TCP/IP)" in the list (leave it checked) and click the properties button. Go to the WINS tab and select the radio button for "Deactivate NetBIOS over TCP/IP".

Also check all your other network connections. All dialups/DSL dialups should have file- and printer sharing as well as the client for MS networks always disabled. The TCP/IP WINS properties must have NetBIOS over TCP/IP always deactivated. These settings would only be a security risk as you would have file sharing or client traffic going over the dialup. Depending on what kind of other network connections you have, you could also reconfigure all the others in the same fashion. Only the network connection that is connected to your LAN really requires the client for MS networks.

If you reboot after these changes, ports 137, 138, 139 should be closed and gone on the client computer. Again, name resolution does not work anymore. You can access file shares for instance with something like \\192.168.1.2\documents if 192.168.1.2 is the IP address of the serving computer. With fixed IPs and a hosts table you can get name resolution.

Start "services.msc", select the service "IPSEC-Services", right-click properties. Set the service to "Manual" and stop it. This should close port 500 and 4500.

Gerald

Reply to
Gerald Vogt
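The steps in the post above, collected into one script as an added example (this is not code from the thread or from any of the posters). It does the same changes from an elevated PowerShell prompt instead of clicking through dcomcnfg, regedit and the WINS tab, and it reports the current values first. Assumptions: Windows XP with PowerShell 2.0 installed, run as Administrator; the file server's LAN address (192.168.1.2 here, an assumed value) is the one adapter that keeps NetBIOS over TCP/IP, every other IP-enabled adapter gets it disabled; the "Enable Distributed COM" checkbox and the "Default Protocols" list correspond to the EnableDCOM and "DCOM Protocols" registry values; "IPSEC Services" is the PolicyAgent service. Unbinding "File and Printer Sharing" from an adapter is left to the GUI. Disabling DCOM affects anything on the box that uses DCOM locally, so test after the reboot.

```powershell
# Added example, not from the thread: the port-closing steps from the post
# above applied from an elevated PowerShell 2.0 prompt on XP.
# Without -Apply the script only prints current value -> intended value.
# Ports 135 and 445 close only after a reboot.
param(
    [string[]]$KeepNetbiosOn = @('192.168.1.2'),   # assumed LAN IP of the file server
    [switch]$Apply
)

function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
    Write-Host ("{0}\{1}: '{2}' -> '{3}'" -f $Path, $Name, $cur, $Value)
    if ($Apply) { Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type }
}

# 1. Port 135 (epmap, the RPC endpoint mapper). The "Enable Distributed COM"
#    checkbox in dcomcnfg is HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM (Y/N); the
#    "Default Protocols" list is the REG_MULTI_SZ "DCOM Protocols" under Rpc.
Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM' 'N' 'String'
Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Rpc' 'DCOM Protocols' ([string[]]@()) 'MultiString'

# 2. Port 445 (microsoft-ds): the value named in the post.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 'SMBDeviceEnabled' 0 'DWord'

# 3. Ports 137-139: NetBIOS over TCP/IP is a per-adapter setting. The WINS-tab
#    radio buttons map to SetTcpipNetbios(): 0 = DHCP decides, 1 = enable, 2 = disable.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' | ForEach-Object {
    $ips = @($_.IPAddress)
    $mode = 2
    foreach ($ip in $ips) { if ($KeepNetbiosOn -contains $ip) { $mode = 1 } }
    $label = 'disabled'; if ($mode -eq 1) { $label = 'enabled' }
    Write-Host ("{0} [{1}]: NetBIOS over TCP/IP -> {2}" -f $_.Description, ($ips -join ','), $label)
    if ($Apply) {
        $rc = $_.SetTcpipNetbios($mode).ReturnValue    # 0 = done, 1 = done after reboot
        if ($rc -gt 1) { Write-Warning ("SetTcpipNetbios on {0} returned {1}" -f $_.Description, $rc) }
    }
}

# 4. UDP 500/4500 (IKE): "IPSEC Services" is the PolicyAgent service.
$svc = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host ("{0}: {1} -> Manual / Stopped" -f $svc.DisplayName, $svc.Status)
    if ($Apply) {
        Set-Service -Name PolicyAgent -StartupType Manual
        Stop-Service -Name PolicyAgent -Force
    }
}

# 5. The check to run now and again after the reboot: which of the targeted
#    TCP ports still have a LISTENING socket (what "netstat -a" shows by name).
function Get-StillListening([int[]]$Wanted = @(135, 139, 445)) {
    netstat -a -n | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING' -and $Wanted -contains [int]$Matches[1]) {
            [int]$Matches[1]
        }
    } | Sort-Object -Unique
}
"Still LISTENING on: " + ((Get-StillListening) -join ', ')
```

Run it once without -Apply to see the current values, then with -Apply, reboot, and run it again: step 5 should then print nothing for 135 and 445 on both machines and nothing for 139 on the client. Port 139 stays open on the server, as the post says, because it is what the other machine's "Client for Microsoft Networks" connects to.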

Well, that's exactly how my system is set up. Each computer has one NIC card, the modem is plugged into the Netgear's WAN port, and each computer is plugged into the router's LAN port via Cat 6 cable, as well as their own NIC card. I may not have used the 'right' terminology perhaps to describe it, in previous posts. Of course, its only the first computer that has the modem & router, so I call the second one the "client". I do not use ICS and have no need to, and as is standard, both machines have a distinct private IP address, with the server also having a public address from my ISP.


Well that's what I was thinking... but I figured (with my limited understanding of network security), that if the ports look closed even to an internal port scanner, they are for sure going to be unaccessible to the internet. The problem of course is when I configured my router to close open ports like 25 & 110, which the software scanners were saying were open to the net, I could no longer send or receive mail! But I also told the router to close ports 135-139 and 445, and so far, I can't determine any bad effects from this. My pc-to-pc connection still seems to work ok.

Some of the software port scanners I used include: Moorer Port Scanner, PCSuperScanner, Free Port Scanner, Super Scan 4, PC Scanner, Local Port Scanner and Advanced Port Scanner (this last one is in my estimation, the best free scanner I've come across). I AM able to scan my private IP on the second (client) computer using Advanced Port Scanner, by entering its IP address. I'm also able to scan my public IP address with APS, and in this case, it even tells me the proper host name of my ISP, which seems to indicate it is scanning my system as would an online scanner, via my public IP address. The results I get however are no different than when I enter the WAN IP address given by my ISP. Which is why I remain unsure as to whether the open ports and listening services can be "heard" from the net.

That's what I thought... except I do tend to worry about 135, because I got hit by a WORM through that port, and if it needs to remain open, I want to be sure there is no way it can be accessed by anything outside my LAN. (To this effect, I blocked off the port via my router, and have created rules in my firewalls to further block it out).

I'm quite sure I have no malware, that this system is clean. And that like you say, some ports are normal to be open. I found your netstat command gave me exactly the same results as my "WhoIsListening" port monitor, except WIL is more detailed (and prettier). It can also alert you whenever a program initiates a new connection. And this dual corroboration means that no malware program replaced my netstat. Anyway, they both show there are 5 TCP ports listening (with a remote address port of 0.0.0.0.0, which seems to indicate they are not trojans). They are:

1110

1125 (these two ports are used by my anti-virus, Kaspersky)

epmap (port 135! Use for "DCE Endpoint Resolution" (whatever that is), and also by a number of WORMS!)

microsoft-ds (port 445 Used by "Microsoft-DS" (whatever that is), and also by a number of WORMS!)

netbios-ssn (I believe this is port 139, and its necessary for communication between the two machines in my LAN)

Note that neither netstat nor WIL lists ports 25 and 110 (they don't show up at all, neither as listening nor open). It is only from the scan of all 65535 ports with Advanced Port Scanner that it told me the only two ports open were 25 and 110. But as I said, when I tried to close these ports through the Netgear, I couldn't use my email (which is what I had figured would happen!). When I think about it, I don't see how I can close those ports off to the net, and still expect to send and retrieve email at will.

Neat. Another trick I didn't know about. Gotta thank you for your part in my education of net security, Gerald. Anyway, this didn't show anything, no message came up, it just returned to the command prompt. I guess this confirms I'm not running a mail server! So should I be worrying about ports 135 and 445 listening?

Reply to
rodlinkowitz


Simply, the modem and router are -physically connected- to the first computer. The other computer (which I call the "client" or "secondary" computer) has only a cable attached to the first computer, hence it receives its internet connection via the first computer. Again, this is a standard configuration, nothing special being done here. I consider the "server" computer as having both a public IP and a private IP, because it contains the router, which on one side (WAN) has a public address, and on the other side (LAN), a private one. But I believe the way you are looking at it, its the router that has the public address, and both computers have a private IP. (Note that servers completely outside my network can know about my LAN's private IP addresses, as exemplified in the test given at AuditMyPC, although this is done via javascript).

Yes, that looks about right.


I'm convinced there is no one running a mail server on my system. But the thing I'm not sure about is why, when I turned off ALL of my firewalls on both computers, including the SPI on the router (and even opened up the feature in the router's setup to allow "pings"), I still got a solid wall of green (stealth) blocks at GRC's ShieldsUp. Those include the 25, 110, 445, 135-139 ports btw, that were supposed to be "listening". My only guess is the router's NAT feature, which can't be turned off, is acting like a full-on firewall. None of the other online security tests I tried were able to penetrate the system either.

Yes, correct. I think that may answer the question. At least two software port scanners reported these two ports open, regardless of whether I asked them to scan my public IP or my private IP. But NONE of the online scanners showed ANY ports open on my system. Maybe you should download a copy of Advanced Port Scanner, try it on your system, and see what it's telling you! It might shed some light for you about how it works.

No, but your suggestion of disabling file & printer sharing on the second computer, did. I found later that I was no longer able to "see" the second computer from the first computer using netbios name resolution. This prevented me from sharing files from the first computer to the second (but the other way around was ok). So I had to re-enable file & printer sharing on both computers. Netbios is also enabled, because removing it also caused LAN problems, such as my Winpopup LAN messenger program being unable to send messages to the other computer.

However, I think I am okay as far as net vulnerability to NetBIOS is concerned. I say this because I configured my personal firewall to close the NetBIOS ports (which is one or more of these: 135-139, 445), and I did net NetBIOS vulnerability tests at the Lockdown site, and somewhere else, and passed them.


Okay, but can it hurt to block those ports I mentioned (135-139,445) on the Netgear, or should I return it to default and just let NAT do its thing? Maybe its purely psychological, but it makes me 'feel' more secure to block those ports completely on the router's WAN configuration as I did, as well as having the router block it via NAT, not to mention its SPI, as well as having my 4 or 5 personal firewalls block the ports as well. How else can I sleep at night?

Makes sense to me. Which is why I unblocked them earlier. I'll just have to ignore the results of the software port scanners, and assume that they are scanning my private IP addresses only, inside the LAN.


Yes. The public address.

It was, until I changed it (for security purposes...).


And also the mail ports perhaps?


Actually from what I recall, none of the software scanners reported 80 as open. They reported ports like the mail ports, 135-139,445, a couple in the early one thousand range (the Kaspersky antivirus ports), and one scanner found a few more ports in higher ranges (but I don't trust that scanner!).


Okay thanks, that's pretty much what I had come to assume from all this. After all, it doesn't make much sense to be worried about hackers breaking into open ports, if they can't be seen by an online scanner.

No, I've read about DMZ and have no use for it. But it looks like you also confirmed my suspicion as to why I was getting no open ports in online scanners, even though all my firewalls were off.

I did scans of both to be sure; and they gave me the same results. Maybe it was reporting phantom ports, because I either had my mail client open at the time, or closed, but opened at some point during the session. (Although I am running the SP2 version of XP Pro, with the latest updates). But if APS has a problem about "reporting phantom ports", then it isn't the only program that does, because it wasn't the only program I tried that popped up those two mail ports as being open, during the scan. But of the software port monitors I tried (similar to netstat), none said the two mail ports were listening. So there's definitely somethin' screwy here....


Well, I tried it on my two private IP addresses and same result: screen goes blank for a few seconds, and then the command prompt returns. But no error message, no message of any kind.

Reply to
rodlinkowitz

O.K. I think now I start to understand. Is there a particular reason for this strange setup? Is it right that you have two ethernet/LAN cards in your first computer?

I try to describe how I think you should set it up: You connect the dsl modem to the WAN port of the Netgear and connect each computer to the Netgear. There is no direct connection between the computers but all the traffic goes through the netgear which then will provide the internet connection to both and will also exchange the traffic between both computers. (The Netgear includes a switch which does exactly that).

As far as I understand the Netgear webpage you can easily setup the router to connect to the internet through your DSL line. Most likely, you have to configure PPPoE in the router, enter the connection information of your ISP and you are done. Both computers run inside the local network behind the Netgear with private IPs. The Netgear gets the dynamic IP address of your ISP. The Netgear does address translation so that your computers with private IPs can communicate with the internet with public IPs. The endpoint on your side for the internet is always the Netgear with the dynamic IP address of your ISP.

I would highly recommend to change the setup in this way as your setting is really strange. I try to guess your setup: you have connected the DSL modem to a LAN port of your Netgear. This way all you have is a switch. Obviously you can only connect one device to the DSL line so you connected computer 1 to a second LAN port of the Netgear. Computer 1 has a dial-up/DSL network connection set up which you connect when you want internet. Computer 2 is connected to the second LAN card in computer 1. Computer 1 has Internet Connection Sharing. This way computer 2 gets the private IP address from computer 1 and computer 1 has the public dynamic IP address on the card to the internet and a private one on the card to computer 2. I guess that you had this setup earlier and bought the Netgear later... Anyway, if I am correct, the Netgear in this kind of setup is next to useless because all you basically use is the switch. The "firewall", NAT router and other security features of the Netgear are only between the WAN port and the LAN ports. The WAN is usually the internet and the LAN is your local network. Between those the Netgear does the filtering.

I hope I guessed correctly and you can confirm your setup or point out where it differs. Again, please change the setup in the way I wrote earlier unless there is an important reason why you did it the way you did it. (I cannot think of one now...)

You should not be able to scan a private IP address because no scanner can find it. A private IP address is usually dropped at any router in between. That's why they are private. You can only scan the public address. If you scan from computer 2, all you should be able to scan under normal circumstances is computer 1, which has the public IP address. Can you elaborate which "software scanning programs" you used? When I usually think of port scanners I think of some online service that scans your ports like grc.com which you have mentioned somewhere else. These online scanners give you a fairly accurate look at how it looks from the internet. These online scans are the only really interesting ones, as any software which you would install locally to scan your computer can mostly give you a look from the inside, which is different.

So what is relevant is the report of an external online scanner.

O.K. At this time I don't worry about the 135, 139, 445, which are normal to be open under normal circumstances. I worry more about the 25 and 110, which are an SMTP server and POP server. Both, you say, you don't run but only use the normal client use. Even with your Internet Connection Sharing in between, no computer should report open ports 25 and 110 unless it is running the servers. This does worry me in your case. Under normal circumstances I would say that this indicates some malware on your computer playing SMTP relay or worse...

So the first thing to check would be to verify that ports 25 and 110 are actually open. I usually prefer to go with the standard Windows command line tools, so please open a command prompt and enter

netstat -a -o

check the output for lines which are in state "LISTENING" and which list your computer name with port "smtp" or "pop3"/"pop" in the column for the local address (e.g. "Compi:smtp" if your computer has the name "Compi") if you find any of those lines write down the PID in the last column of that line.

For each of the PIDs (for this example below 11223) you wrote down type

tasklist /V /FI "PID eq 11223"

(with the double quotes, replace 11223 with one of your PIDs) This gives you information about the process that is listening to that port. Also run the previous command replacing /V with /SVC to see if it is running services.

If you do find any LISTENING lines with netstat, you most likely do have malware running on your computer. If this is the case, you have to deal with that; probably the best would be a fresh setup from CD of both computers. If you don't find anything with netstat it may be that the malware replaced the netstat program with one that does not report its own ports. If the external online scanner shows open ports 25 and 110 on your computer directly connected to the internet then they are most likely open. (The external online scanner does not find any open ports anymore once you have changed the setup and put the first computer behind the Netgear, because the Netgear is scanned then. This does not solve your real problems, however, if you really have something running that listens to ports 25 and 110.)

So, I think this should be your first priority to find that out. You can also try to connect to the port 25 on your computer. Type

telnet 65.93.127.22 smtp

in a command prompt window, replacing the 65.93.127.22 with your current dynamic IP address. If telnet can connect and shows some message of the server, then you are running an smtp server on your computer even if you don't know about it.

If this is the case, you have an SMTP server, have the ports listening on your computer, and you have to deal with the malware problem. Write back what you have found as I wrote above and we continue from there. If you find something, make sure that your anti-virus and PFW are turned on on your computer. Put them to the highest level of security. In addition, I would recommend to temporarily turn on the XP SP2 firewall as well. As administrator, right-click the network connection in the tray, click to change the Windows firewall settings. Turn the firewall on and check the box regarding the exceptions, i.e. do not allow any exceptions. This hopefully disables access to your computer from the outside for the moment until you can deal with the problem.

You may also try to run various online virus scanners or programs like Spybot or Adaware to scan your computer for irregularities.

I hope, it's just a false alarm, but please check this...

Gerald

Reply to
Gerald Vogt
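The netstat / tasklist / telnet procedure from the post above as one script, added here as an example (not code from the thread or from Gerald). It returns objects (port, PID, process, hosted services) instead of screens to read by eye, and it replaces the telnet step with a connect that times out, so a filtered port reports "filtered" instead of hanging. Assumptions: PowerShell 2.0 on the XP box; the port list and the 192.168.1.2 address are placeholders for whatever is being checked.

```powershell
# Added example, not from the thread: find what owns a LISTENING socket on the
# ports in question, then try the port the way "telnet <ip> smtp" does.
param(
    [int[]]$Ports = @(25, 110, 135, 139, 445),
    [string]$Target = '192.168.1.2'    # assumed address of the other LAN machine
)

# "netstat -a -n -o": -n prints numbers, so 'smtp'/'pop3' show as 25/110;
# -o adds the owning PID as the last column. Only LISTENING sockets count: an
# ESTABLISHED line to port 25 or 110 is the mail client talking to the ISP.
function Get-Listeners([int[]]$Wanted) {
    netstat -a -n -o | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $addr = $Matches[1]; $port = [int]$Matches[2]; $owner = [int]$Matches[3]
            if ($Wanted -contains $port) {
                $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
                $name = '?'; $path = '?'
                if ($proc) { $name = $proc.ProcessName; try { $path = $proc.Path } catch {} }
                # tasklist /SVC names the service(s) hosted inside an svchost/lsass PID
                $svcs = (tasklist /SVC /FO CSV /FI "PID eq $owner" | ConvertFrom-Csv).Services
                New-Object PSObject -Property @{
                    LocalAddress = $addr; Port = $port; PID = $owner
                    Process = $name; Path = $path; Services = $svcs
                }
            }
        }
    }
}

# The telnet step: 'closed' means a RST came back (nothing listening there),
# 'filtered' means nothing answered within the timeout (a firewall dropped it),
# 'open' means a connection was accepted; a real SMTP/POP server greets first.
function Get-TcpBanner([string]$Addr, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Addr, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered (timeout)' }
        $client.EndConnect($ar)            # throws on a refused connection
        $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
        $buf = New-Object byte[] 512
        $n = 0
        try { $n = $stream.Read($buf, 0, $buf.Length) } catch { $n = 0 }
        if ($n -gt 0) { 'open, banner: ' + [Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim() }
        else { 'open, no banner' }
    } catch { 'closed (' + $_.Exception.Message + ')' }
    finally { $client.Close() }
}

$found = @(Get-Listeners $Ports)
if ($found.Count -eq 0) { "No LISTENING socket on ports " + ($Ports -join ', ') }
else { $found | Format-Table Port, LocalAddress, PID, Process, Services -AutoSize }

foreach ($p in 25, 110) { "{0}:{1} -> {2}" -f $Target, $p, (Get-TcpBanner $Target $p) }
```

Run it on each machine. A 25/110 listener owned by an unknown executable is the case the post is worried about; no LISTENING line at all while a scanner run from the same box still reports the port open points at something in between, such as an antivirus mail proxy answering on the mail ports (the thread later finds exactly that with Kaspersky's mail guard), and the banner grab tells the two apart because a proxy accepts the connection where a closed port refuses it.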

Gerald Vogt wrote:


Sorry, when I say the second computer has a "cable attached to the first computer", I was not being very specific. But by that, I mean the cable is attached to the LAN port on the router, which sits on top of the first computer. (I've just always "seen" the second computer as being attached to and dependent upon the first computer, since its the one that houses the modem and router. But of course, since this is a simple standard configuration, technically speaking, the 2nd machine is being connected to the LAN port on the router, as is the first one).


By "contains", I simply meant the router is physically located on top of the first computer. Sorry for the confusion.


That's what I was starting to conclude.... I guess that means I can stop worrying about Javascript revealing my private IP. Still kinda bugs me that "they" can know that too about me.... (turning JS off simply isn't a solution, unfortunately. My wife who uses the computer would never know when to turn it on, when a particular function in a web site is "broken" because of JS).


I think we discovered via netstat (and "WhoIsConnected") that 25 & 110 were not listening to the net, because the software port monitor/analysis programs don't report that, nor do the online scanners. Only some of the (software) port scanners do.


Because it helps me sleep at night? My story begins... after countless hours of research and tweaking rulesets, I thought I was pretty savvy when it came to computer network security, and that my system was all but bulletproof. Then when I witnessed an attack on my personal firewall causing it to crash on me, and my friend's home PC actually getting a DOS attack before my eyes, (which was stopped by Kaspersky, the antivirus), that's when I decided that months of researching network security to protect myself wasn't enough. If it wasn't enough that I had what research told me was one of the most respected software firewalls available, then it wasn't enough. That's when I decided I needed the Netgear, simply for use as a hardware firewall device, to avoid having a software firewall become disabled by a trojan or worm. That plus the fact that the use of the router meant I had to change my modem to an "always on" type, which made security even more of an issue.

Now if a hacker wants in and tries to disable my firewall or reboot my PC to do it, they're at least going to have a heck of a time trying to succeed. Because even if the Netgear gets struck by lightning, I still have Jetico providing firewall duties. And if they manage to disable Jetico, Kaspersky anti-hacker takes up the slack. If they also manage to blow away Kaspersky Anti-Hacker, the sideline players kick in; namely Black Ice Defender. If Black Ice Defender suddenly has a heart attack, then I will probably have Windows SP2 firewall there to "get its back". But if they manage to kill SP2's firewall, blow up the Netgear, crash Jetico, shoot down Anti-Hacker, and quiche Black Ice Defender... then I'm really screwed. Unless TrojanGuard picks up on the attack. But even if it doesn't, Kaspersky Anti-Virus, which is also running, might. After all, it stopped the network TCP Syn Flood Attack that my friend got. As for the second computer... if all of these firewalls and anti-hacking programs manage to let the attack through to the second computer... well, there's still Jetico there to prevent further damage. And of course, if the attack comes on ports 135-139 or 445, well I've blocked those off completely via the Netgear.

My purpose here in posting this thread was to tighten up security even more, by seeing if I can completely close off any listening ports.


I tried that and the IP of my two computers, using port 5066 as the random port no. Every time I get "Could not open connection to the host on port 5066, Connect failed". I'm assuming this is normal. More interestingly, when I tried telnetting smtp using the private IP of either of my two computers, I got the same message (ie. telnet privateIP smtp = "connect failed"). So what happened yesterday is not being repeated today.


This is the output as done from the second computer:

Windows IP Configuration

Host Name . . . . . . . . . . . . : client
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL6145 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-20-CH-A9-69-4D
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
                                    4.2.2.2

Yes. No. After turning Kaspersky's email guard off, and doing a quick scan with FreePortScanner, the 25 and 110 ports are reported as closed. These experiments have also confirmed for me that the port scanners have varying degrees of reliability. FOR EXAMPLE... Today, Advanced Port Scanner showed only port 25 as open, after doing a "range scan" of all addresses that end between 0 and 255 on my private LAN. But when I did a scan on only the address owned by my second computer, the one that reported those ports open, nothing showed up as open. Then when I did another range scan after closing Kaspersky's email guard, two ports showed open, but they were ports 135 and 139. This however conflicts with the above mentioned FreePortScanner, which also showed the mail ports as closed after closing Kaspersky's mail guard feature, but they showed THREE ports open: 135, 139 and 445. Running Moorer's Port Scanner doesn't show ANY ports as being open. However on the plus side, it's very fast at producing these incorrect results. "pcSuper Scanner 1.1" found those same three as "FreePortScanner", and two more that it didn't, which were the Kaspersky antivirus ports. However, it didn't report the mail ports, even though I had re-opened Kaspersky's mail guard. Instead, it found a whole bunch of what it calls "TCP Client Ports", which -none- of the other port scanners reported. So many, it wouldn't even show me the entire list, because the stupid program can't be properly maximized to reveal numbers that go beyond its screen space. Plus a whole slew of UDP ports that even the port scanners never listed. This program really says "bogus" to me.

Reply to
rodlinkowitz

components, and

There's no check mark, so I must have already removed that one a long time ago.

router's

(stealth)

Why doesn't NAT ignore requests coming through on port 80 (the web), or other ports that allow data to come through, such as the mail ports (25/110)? I never configured the router to allow them. (For that matter, if ShieldsUp tests the first 1024 ports, how can it say they are all green, when that would include port 80? The very port that allows me to view the results of the test!).

"listening".

Well yes, that's the way I have things set up.

I ran TCPView, which is similar to my "WhoIsConnected", except unchecking "resolve addresses" finally shows me the Local Address ports that these services are listening to. Which is very educational, because I see now that there is indeed something listening on port 135 (TCP), the one I'm most concerned about. Although I don't think it's a worm, I can't positively identify what needs that port, because it's listed as "svchost.exe:744", which is a program that can represent a number of Windows services.

It showed a few ports I hadn't seen yesterday, such as LocalAddress port 1029 (svchost.exe:900, remote address:*.*) and a LocalAddress of 127.0.0.1:123 (svchost.exe:792). But no references to ports 25 or 110.
Reply to
rodlinkowitz

[cut]

That is likely to be true but it does depend on what is meant by a mail server. It is also likely to be true that you have done (or had done for you by whoever supplied your PCs) a complete install of the first release of XP pro with all Windows components including IIS installed. This is why your PC is listening to 25 and 110. If you don't need IIS go to the control panel, add/remove programs, add/remove windows components, and remove IIS.

It's because the router, like any NAT router, does not know which PC on your LAN the incoming connection requests from shields up should go to. So your router is ignoring them and sending nothing back. Shields up will show the port as stealth if it gets nothing back.

They are only listening to your LAN if your ADSL modem is connected to the WAN port on the Netgear rp614 router and both computers are connected to LAN ports on the Netgear rp614 router.

Nope it's acting like a NAT router would be expected to act, not like a real firewall at all.

If you tell the router to block outbound connections to 25 and 110 then you will block yourself from being able to use your ISP's email services. In this case the listening computer is at your ISP not on your LAN. This has nothing to do with blocking services on your own LAN which are listening to 25/110 but which shouldn't have been installed in the first place. I suggest you have a look at TCPView

formatting link
it not to resolve addresses and to be always on top. Run it on both of your PCs Look for 25 and 110 in the local address column. Now send and receive email to/from your ISP. Look for 25 and 110 in the remote address column. If you can figure out what this is telling you then you may get a bit further with your education.

Jason

[cut]
Reply to
Jason Edwards

This is what I don't get. The first computer does not "have" the modem & router. Both computers are connected to router. Both computers are the same then. There is no difference between them in this regard. What do you mean when you say "the first computer [...] has the modem & router"?

This again is wrong. Your Netgear router should connect to the internet. Your Netgear router should have the public IP address. Your computers inside don't know anything about the external IP addresses. They just have their private addresses and the Netgear as gateway which does the rest for them. So I also don't understand what you mean when you write "the server also [has] a public address from my ISP". No LAN computer should have any public IP address.

Your Netgear: a public IP address like 65.93.190.160 and an internal one like 192.168.1.1

Your computers: exactly one internal IP address like 192.168.1.2 (gateway configured as 192.168.1.1)

Maybe the output of the command prompt tool "ipconfig" from each computer would help to clarify here.

This is correct. Accessible from the internet are only the ports that are explicitly opened on your router and then forwarded to an address inside your LAN where there must be a server running.

The problem with 25 & 110 is that they should never ever be open in your scenario unless you are running an SMTP and POP3 server which you don't. This is a problem in any case. It does not help closing ports anywhere. You must find out why these ports are open.

Am I correct to assume that the information about the open ports 25 and 110 is from a port scanner software that you have run inside your network? No external online scanner did report 25, 110 nor any of the other ones open? Just want to be sure.

The router does affect only the connections between the WAN and the LAN. The LAN itself is connected through a switch which generally just sends everything through. "Closing" NetBIOS ports on the router does not make any difference in respect to the LAN file sharing traffic.

Second, there should be no need to "close" ports. By default your router does NAT which is technically no firewall/filter but still does something similar. It allows you to connect to the outside and tries to figure out which of the incoming traffic from the internet is related to a connection from you to the outside (i.e. is a response to your request) and which is just unrelated garbage or someone trying to probe your IP address. The latter is usually just dropped and that's a good thing. So by default any online scan from the internet should report no open ports which means they cannot find any open ports on your Netgear from the internet. Only if you explicitly forward a port from the internet to the inside, only then can it be open, and only then if the inside recipient does actually run a server on this port, else it would just report the port as closed. So there should be no need to block anything by default.

If you explicitly block port 25 and port 110 you block _all_ traffic to port 25 and port 110 in the internet (or in both directions, the details depend on your Netgear router). If you block them in your router, your computers inside cannot access your E-Mail servers (SMTP for sending and POP3 for receiving) anymore. Again, there should be no need to block anything here as long as online scans don't report open ports, and if they do I would rather figure out why they are open instead of blocking something that should not be open in the first place.

O.K. Now I understand better. ;-)

I suppose you mean the WAN IP/public IP address compared to the private IP address scan of your first computer. The WAN IP address is the public IP address.

I know it may seem strange but there is a huge difference if you scan the public IP address from the inside or the outside. The router has two IP addresses: the public IP address assigned by your ISP and the internal IP address which is probably 192.168.1.1 on your Netgear. Both IP addresses go to your Netgear. Only the public address can be reached from the internet, not the internal one. The internal one can only be reached from the inside. The router does know from which side - inside or outside - traffic comes. If you connect to your router using its public IP address from the inside, it notices that and considers this traffic as any other inside traffic. There should be no big difference except for one tiny piece: the web management interface on port 80 or 443 depending on your router and if it uses HTTP or HTTPS.

You usually connect to your router with your browser with something like http://192.168.1.1/ I suppose. Try the public IP address instead, e.g. http://65.93.190.160/ This also gives you the normal web management interface. If you try to connect to this URL with the public IP from the outside, the router will block that traffic and won't accept it.

So what you should compare is an online scan from the internet, scanning your public IP address which should belong to your Netgear, against your inside scan of either the private router address or the public IP address. The latter one should report at least port 80 as open.

Anyway, if you really run the NAT router as gateway with NAT any online scan scans the router from the internet. Any scan from the inside on the public IP address or the internal router IP address 192.168.1.1 should both report the same and may have some open ports which should not bother you as long as they look closed from the online scan.

You cannot scan your inside computer with an online scan through a NAT router unless the inside computer is configured as DMZ in the NAT router. A DMZ computer inside basically receives any traffic to any port of your public IP address. Do not configure any computer inside your network as DMZ unless you really do know what you are doing. I assume here that you don't have a DMZ configured.

O.K. I hope this is clear now.

(I posted regarding the closing of port 135 at another place in this thread...) If you are behind a NAT router and an online scan does not show port 135 open then there is no need to worry because no one can reach the port from the outside. Only if you run some malware inside could it exploit possible vulnerabilities as the access is open inside your LAN. But if you have applied all the latest Windows security updates I think there should not be any (known) problems at this time.

O.K. That's good. If this is the current state of open ports, there should be no malware. These are normal ports. No port 25 or 110 here. You should be able to close 135 and 445 as I wrote elsewhere in this thread.

O.K. Which IP address were you scanning? The external public IP address (which is the router) or the internal IP address of your computer?

Anyway, if it was the internal one I guess that APS has a problem with the Microsoft IP stack implementation. Older versions of Windows and netstat also reported non-existing server ports listening. These are called "phantom ports". I would say that APS (which I don't know) still reports the phantom ports while netstat does not. Microsoft fixed their netstat implementation I think with Windows XP (or was it XP SP2?). Phantom ports are generally some remainders from a previous connection. The connection has been closed. No one is listening there but still the status of these ports is "listening" somewhere deep inside of Windows. The check with telnet for instance gives you the real information (well, not really, because a server could as well just block your connection attempt, but if telnet gets a connection you definitively know that there is something running...)

You don't have to close them as long as they don't appear in an online scan scanning your public IP address of your netgear router. The netgear is the essential device here. For your computer, there is no need to worry about it as long as nothing is forwarded through your netgear. Blocking is not required as nothing is accessible on your netgear on these ports, it does not forward traffic inside, and (hopefully) your computer only shows phantom ports.

I think you may try to reboot your computer and then run the APS scan before doing anything else (in particular not checking your e-mails ;-). I think a fresh rebooted system should have no phantom ports anywhere as they require AFAIK previous existing connections.

But you did get an error message? And: you must try this with the internal IP address of your computer. With the public one you just checked your router. So something like telnet 192.168.1.2 smtp for your inside computers gives you the information whether something is listening on your computer.

I don't think so but you can close them anyway...

Gerald

Reply to
Gerald Vogt

On both PCs? Ok.

Because it knows which of your PCs made the _outbound_ connection. That PC is after all connected directly to the router, so the router knows which of your PCs should get the return traffic for that connection.

or

Because it knows which of your PCs made the _outbound_ connection. That PC is after all connected directly to the router, so it knows which of your PCs should get the return traffic.

You don't have to when it's one of _your_ computers making an outbound request to a remote computer such as a web server or an email server at your ISP. You may be able to configure the router to block them but that's not a good idea until you figure out why it's not a good idea to block an outbound connection to your ISP's email server.

Because an inbound request was made to port 80 on _your_ PC from shields up. This is NOT the same as one of your PCs making an _outbound_ request to port 80 on a remote PC. Do you understand the difference between inbound and outbound yet?

Nope, it's not the same port 80. You are making an _outbound_ connection to port 80 on a web server at shields up. One of Gibbo's PCs is listening on port 80 (maybe 443), not one of your PCs. Shields up tested _inbound_ to your PC. Shields up did not do anything at all as far as _outbound_ from your PC is concerned, except to accept commands from you and show the results. Use TCPView while you run shields up. Do you understand the difference between inbound and outbound yet?

I thought it might be. That should save a few paragraphs here and there.

No surprise but I wouldn't be too concerned from behind the NAT router. No-one outside can make an inbound connection to that PC because the router won't know which of your two PCs the inbound request should go to so it will just ignore it.

On both PCs? Are you sure that this port scanner was scanning one of your LAN PCs from the other LAN PC? Or scanning itself? Or were you scanning something else such as your ISP's email server?

To be sure I'd have the PCs examined by someone who knows what they're doing.

Jason

>
Reply to
Jason Edwards

Sorry, but now you are contradicting your last message. Last time you wrote both computers are connected to the router and the router is connected to the modem. Now you are writing that there is no physical connection between the second computer and the router and the second computer is connected to the first computer (but how if the first one does only have one ethernet card?) So again, how exactly is your wiring?

Last time I checked a RP614 is a hardware device.

formatting link
computer cannot contain that router...

The router does provide the internet connection. Not your first computer. The first computer and the second computer just use the internet connection of the router. Both computers are physically connected to the router by an ethernet cable. That's what it is supposed to be like. There is no need that the second computer receives its internet connection via the first computer. This is not possible unless the first computer is running Internet Connection Sharing which would be totally unnecessary as the router does already provide the internet connection.

No, no server outside your network can know about your LAN's private IP addresses unless you are using something that tells it to the outside, which may be a JavaScript inside your browser. No one outside your router can send a packet to any of your inside IP addresses because the internal IP addresses are not routable and any router in between will just drop these packets.

NAT, when active, has many characteristics of a firewall although it is technically not one. Therefore, all the ports are supposed to be closed when scanned from the internet.

I prefer not to install some software that I don't need on my computer, in particular when it comes from Russia... Anyway, the relevant scans in respect to security from the internet are the online scans. Those should show no open ports.

That a software scan of your public IP shows open ports inside the network, however, seems not correct. But at this time I won't try any more guessing until I fully understood your configuration. Under normal circumstances the scan of your public IP address would scan the router from the inside which may show some open ports in particular port 80 if the router does have a web management interface. The router should not have open ports 25 or 110, though, as it is not running a server.

You can block them on your Netgear. No problem there. But why do you have 4 or 5 personal firewalls on two computers?

I don't know the Netgear router. Under normal circumstances I would say, no. The Netgear should not have an SMTP server let alone a POP server running.

This is weird. That means that there is actually something listening on these ports but just closes the connection again after a few seconds. If there is nothing running you would get an error message. (Try "telnet 192.168.1.2 1234" with 1234 a random port that no one is listening to for comparison...) This is not good. But right now I am so confused about your configuration that I don't know where the problem could be.

Maybe you could write the output of the "ipconfig" command on both computers. That should clarify a lot about your setup with the Netgear.

Do you have an anti-virus with e-mail scanner running? Do the open ports still appear on your computers if the e-mail scanner (inbound and outbound) is turned off?

Gerald

Reply to
Gerald Vogt
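The telnet probe Gerald describes (a connection that is accepted means something is listening, "connect failed" means nothing is there) can be reproduced with a plain TCP connect. The script below is an added example, not code from any poster or from the tools mentioned in the thread; it starts its own throwaway listener on 127.0.0.1 so it runs offline, and the port numbers it uses are whatever the OS hands out. It distinguishes the three answers a probe can get: accepted (open), reset (closed), or no answer at all (what a dropping NAT router or firewall looks like, which ShieldsUP labels "stealth").

```python
"""Added example (not from the thread): a TCP probe with the same three
outcomes as the telnet test described in the posts. The loopback listener is
constructed inline so the script runs without any network."""
import socket
import threading


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    'open'     -> handshake completed: a process is listening there
                  (telnet shows a connected, blank session).
    'closed'   -> the host answered with a reset (telnet: 'Connect failed').
    'filtered' -> no answer within the timeout; this is how a NAT router or a
                  firewall that silently drops packets appears from outside.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "filtered"  # e.g. host unreachable: treated like no answer
    finally:
        s.close()


def _accept_loop(srv: socket.socket) -> None:
    """Accept and immediately close connections until the socket is closed."""
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            break


def start_loopback_listener() -> tuple:
    """Start a throwaway listener bound to 127.0.0.1 on an ephemeral port.

    Bound to loopback on purpose: that is how a local relay such as an AV
    mail scanner should be bound, so other LAN hosts cannot reach it.
    Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port() -> int:
    """Pick a loopback port nothing is bound to, by binding and releasing it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Probe one listening and one unbound loopback port; return the verdicts."""
    srv, open_port = start_loopback_listener()
    closed_port = find_closed_port()
    results = {
        "listening": probe_tcp_port("127.0.0.1", open_port),
        "nothing_there": probe_tcp_port("127.0.0.1", closed_port),
    }
    srv.close()
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Run against a LAN address instead of 127.0.0.1 (for example `probe_tcp_port("192.168.1.2", 25)`), "open" is the result that would need explaining, exactly as in the thread; from outside a NAT router with nothing forwarded, "filtered" is the expected answer for every port.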

O.K. This is the only important description for anyone who has to help you. You may say at home "computer one hosts router and modem" because they stand there next to each other. For other outside home always say "computer 1 & 2 connect to the router which connects to the modem" ;-) That will expedite the process and avoid confusion. (So, not only IP ports look different from the inside and outside ;-)

Yes, but you had a connect with telnet on port 25... This should not happen. If nothing's there, telnet reports an error message.

Well, as long as it is properly running for you... Generally, each added security software usually adds to the complexity of the whole system, makes various changes to your system etc. Two security components can possibly nullify each other just by some coincidence in their configurations (kind of: the first changes (a) and depends on a certain (b) setting while the second one changes (b) and depends on a certain (a) setting, and in the end both (a) and (b) have been changed and neither one gets anything properly right). So, in general, the recommendation is to stick to one PFW and to one AV on a system... O.K., but this was a side comment, and as you have spent some time getting this all tightened up I suppose you have learned a few things about your system.

O.K. That is, well, I hope good news. As you did not get an error message yesterday I would still highly recommend to do some scans on your system with your AV and maybe also an online virus scan. Also look for ad-aware from

formatting link
and for spybot
formatting link
which are fairly good at detecting malware and adware on a computer along with more privacy related stuff (which all requires some reading to understand what they report...) Also hijackthis has a quite good reputation which you get here
formatting link
You can upload your hijackthis output on that webpage, too, for some detailed interpretation as the hijackthis output itself is pretty much low-level, raw information.

It's good that telnet reports the ports as closed today. I would just doublecheck that there is really no indication of other problems which were there, yesterday, when it seemed as if there is something listening on port 25 and 110.

Looks good. But didn't you write that you have changed the internal ip address of your Netgear router? To me, 192.168.1.1 looks like the default address.

O.K. (I already wrote everything above, but I won't go through it and edit it. I hope you can make the adjustments ;-)) That means that Kaspersky's email guard does relay all your mails through its own scanner engine. I suppose your email configuration in your email client does not show your ISP's smtp server and POP server but instead has something like "localhost" in it. When you retrieve e-mails, you retrieve them from localhost (which is the computer you are on) port 110, which is Kaspersky's relay/scanner server which retrieves the e-mails from your ISP's pop server, scanning everything on the way through. Similar for the outgoing emails.

This is O.K. I think, however, that those port 25 and 110 servers of Kaspersky should show up normally in netstat output. It should report them, if they did it properly, as listening. If you use "netstat -a -n" it reports the IP addresses where the ports are bound, which can be "0.0.0.0" or "127.0.0.1" or "192.168.1.2" for your local computer. The Kaspersky should be bound on 127.0.0.1 and not on 0.0.0.0 or 192.168.1.*. That way these servers are exclusively available to your local computer and not accessible from anywhere else including your other computers in the LAN. If port 25 and port 110 do not show up in netstat while you are running the email guard, and telnet can connect to port 25 or port 110 on your local computer ("telnet localhost 25"), then, well, this is not a problem but not really nice. It would indicate some technical problem with the Kaspersky email guard or your PFW as I would see no reason why Kaspersky would intentionally try to hide open ports they run from the user like any hacker would try to do.

Anyway, I think this solves the problem with the ports 25 and 110. I should have thought about that sooner...

Regarding the rest of the ports: you should be able to close ports 135 and 445 as I wrote elsewhere. The other ports you most likely won't be able to close. What you may be able to do is to block any in-coming connections on the client computer to these ports. The trick is, however, that you need a proper SPI here, as simply blocking the ports would mean that nothing gets through which is necessary as you receive the UDP replies on these ports. I do know that an XP SP2 firewall configured with no exceptions still allows the client to access shares in the network. I am not sure if your PFW can be configured in this way, too, to block unrelated traffic to these ports while still allowing UDP responses through.

O.K. I think we are getting there... ;-)

Gerald

Reply to
Gerald Vogt
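Gerald's point about "netstat -a -n" is that the bind address decides who can reach a listener: 127.0.0.1 means only the machine itself, 0.0.0.0 means every interface, including the LAN. The script below is an added example, not from any poster; it parses a constructed netstat-style listing (the addresses in it are made up for the example) and sorts each listening TCP socket by exposure, flagging any port that is expected only as a local relay (the thread's 25 and 110) but is bound to something other than loopback.

```python
"""Added example (not from the thread): classify 'netstat -a -n' listeners by
bind address. SAMPLE_NETSTAT is constructed for this example; the addresses
do not come from any real machine."""
import ipaddress
import re

# Constructed sample in the layout Windows netstat -a -n prints.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  TCP    192.168.1.3:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.3:1029       65.93.190.160:80       ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:123          *:*
"""

# One socket row: proto, local addr:port, foreign addr, optional state (UDP has none).
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)\s*(?P<state>[A-Z_]+)?\s*$"
)


def parse_netstat(text: str) -> list:
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "proto": m["proto"],
            "local_addr": m["laddr"],
            "local_port": int(m["lport"]),
            "foreign": m["faddr"],
            "state": m["state"] or "",
        })
    return rows


def exposure(bind_addr: str) -> str:
    """Who can reach a listener, judging only by the address it is bound to."""
    if bind_addr == "0.0.0.0":
        return "all-interfaces"   # reachable from the LAN (and WAN, if forwarded)
    if ipaddress.ip_address(bind_addr).is_loopback:
        return "loopback-only"    # only processes on this machine can connect
    return "lan-address"          # bound to the NIC's own address: LAN-reachable


def summarize(rows: list) -> dict:
    """Count listening TCP sockets per exposure class."""
    counts = {"all-interfaces": 0, "loopback-only": 0, "lan-address": 0}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "LISTENING":
            counts[exposure(r["local_addr"])] += 1
    return counts


def audit_listeners(rows: list, loopback_only_ports=(25, 110)) -> list:
    """Report TCP listeners on ports that should exist only as a local relay
    (the thread's AV mail scanner on 25/110) but are reachable beyond loopback."""
    findings = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "LISTENING":
            continue
        exp = exposure(r["local_addr"])
        if r["local_port"] in loopback_only_ports and exp != "loopback-only":
            findings.append(
                f"port {r['local_port']} bound to {r['local_addr']} ({exp}); "
                f"expected 127.0.0.1 only"
            )
    return findings


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(summarize(rows))
    for f in audit_listeners(rows) or ["no mail-port findings"]:
        print(f)
```

On the constructed sample the mail relay is bound correctly, so the audit is clean and only 135/445 show as all-interfaces listeners (the ones the thread says to close or block at the router). Replace SAMPLE_NETSTAT with real `netstat -a -n` output to run the same check on your own machine.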
