Online Arrmor

By using netstat or lsof or $TOOL (or %TOOL%) locally and not from the outside, or by directly connecting a second host to the network interface which afterwards will be connected to the outside and doing a port scan, e.g. with nmap.

But to be clear: Joe Average should not try to test border routers. He should ask someone who understands.

Yours, VB.

Reply to
Volker Birk

Volker, you're talking nonsense, and you know that. netstat, TCPView, lsof, openports, fport and other tools like that show the status of ports on the local system from the INSIDE. Unless no services are listening on the external interface (which is desirable, but not always feasible), the output of these tools doesn't say anything at all about which ports are accessible from the OUTSIDE.

A local packet filter may or may not allow connections to port X. A SOHO router may or may not forward selected or all inbound connections to a particular host/port. None of the tools know the least about this.

Unfortunately Joe Average doesn't necessarily have a second computer he can plug into the router's external port, nor is he necessarily familiar enough with command-line tools like nmap, scanline or PortQuery. Your advice also doesn't account for hosts that are directly on a dialup connection.

Although Joe Average shouldn't conduct a penetration test, there is nothing wrong at all with him running a port scan against his own border router to see if all ports are closed (except for those he configured to be open).

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Yes. And this is not nonsense, but the better way to check.

If so, throw away your operating system.

Clear. If you're using a filtering implementation, read the config and check the status of it additionally.

Then he cannot test. Sometimes it's so easy.

Your recommendation for remote testing servers misleads the reader; in your own words:

The output of these tools doesn't say anything at all about which ports are accessible from the outside. They're just showing what is filtered away and what's faked in on the line.

The wrong thing with it is that he may believe that what this tool shows is how his box is behaving. The reality often is that on the way to the testing server the traffic is being modified by the interconnecting networks.

We're living in the "filtering is cool" ages, Ansgar. Just in case you didn't notice. This is true for internet providers, too.

Unfortunately.

Yours, VB.

Reply to
Volker Birk

Note that Vista does most of the configuration related suggestions made here out of the box. Vista can't help you think, but you start out with limited user privileges, the OS nags you until you update automatically or take several conscious steps to turn off the nags, the firewall blocks all inbound requests by default, removable media prompts before execution.

IE is fairly well locked down, and even if IE is completely and wholly pwned, protected mode keeps the malware from going far.

(Don't get me wrong, I'm a Firefox user myself, but IE in Protected Mode isn't a particularly unsafe browser.)

The problem is going the next step as it involves the user. A sandboxed environment isn't impossible to implement at an OS level (again, IE protected mode is one such example -- You can run other apps with less privileges too if you desire, but you'll probably be disappointed with Excel when it can't open existing documents.)

The iPhone version of OSX is one example of an OS built and managed in a relatively sandboxed fashion.

As long as users are capable of installing their own software, they'll be capable of jumping through whatever hoops the OS puts in their way before installing the latest Trojan in an attempt to access whatever shiny new toy shows up, as most malware authors will just have to get smarter at engineering the human side of the equation.

For less technical users this will be alerts from their system administrator that they need to install a patch manually. For more technically capable end-users it will be a fake codec pack to access some media that they sought out (and therefore assume the codec is safe).

Reply to
DevilsPGD

Depending on where the filtering is done, this may be good enough. A port isn't a threat just because it's open, it also needs to be remotely accessible and exploitable.

The obvious problem shows up if your ISP filters from their edge routers and the attacker is another customer of your ISP (or more likely, a zombied machine within your ISP's network owned by a botmaster in some foreign country).

That isn't really true either, netstat can show a port as listening when a software packet filter wouldn't actually allow an inbound connection through to that port.

In other words, netstat will report all open ports, but is subject to false positives. Netstat is a useful tool, but it's not an exhaustive solution.

Still, this is a significant improvement over the false sense of security that GRC may leave you with if your ISP's edge routers filter some traffic that your local security would otherwise let through.

Reply to
DevilsPGD

Does she need to be able to install software at all? She's a perfect candidate for a limited user access account.

This will limit what she can do with her PC without assistance, but I'd argue that she probably can't install a new stereo into her car without a trained professional's assistance either.

Reply to
DevilsPGD

OSX is a classic case of security by obscurity in practice. Why attack some ~10% of the market when you can just as easily go after some 85% of the desktop market?

Also remember that a significant percentage of OSX users also run Windows and are therefore vulnerable to Windows based malware, driving the percentage of otherwise-unreachable OSX users even lower.

There certainly are exceptions, but the vast majority of the recent malware outbreaks have been things installed by users without realizing that they're installing a trojan, this is not really a technological attack, but rather an attack exploiting vulnerabilities in the human.

Move 50% of the least technical users from Windows over to OSX and the exploits will follow.

Reply to
DevilsPGD

At least, the default number of network services a Macintosh offers to the rest of the internet is zero.

In contrast to Windows.

Yours, VB.

Reply to
Volker Birk

Unfortunately you're wrong. Also Vista starts network services and filters them away as the default configuration.

Barring that it's a piece of shit, because it's the only browser left which breaks CSS2 seriously, it can be used (and therefore abused) to communicate with any COM object on the machine. If one of them has security flaws, Internet Exploder inherits them all.

"IE Protected Mode" would be a sandbox only, if it would not support COM objects any more.

OSX on the iPhone is far from a sandbox concept. It's just the Darwin kernel without the BSD personality. Did you ever have a look at this architecture before holding forth about it?

Or are you just unfamiliar with the concept which is commonly known as "sandboxing"?

Yours, VB.

Reply to
Volker Birk

May.

And how can the user judge this?

A port is neither a door nor a gate nor a harbour above all. It's just a maintenance number.

If people say that a "port" is "open", usually they mean that there is a process running on the kernel which allocated the port and offers a network service using this port.

It is best practice to offer only those network services which have to be offered, because exploits in code which is not being executed do not endanger the system.

And there are zero-day exploits all the time.

That is one of the problems, exactly.

Yes, but filtering is not reliable in many cases. Commonly, there are exceptions like FTP helpers, which can be easily abused to ignore any filter.

netstat shows what's going on exactly. There are no false positives in any way. It's just the wrong concept to try to filter away what could use the network services your box is offering. Just shut them down, and you don't need to filter.

Yes.

Yours, VB.

Reply to
Volker Birk

*sigh* This is regardless of the operating system. Because none of these tools know anything about packet filters. Neither local, nor remote.

As you know quite well, the proper way to do that is a port scan.

[...]

I'd like to see proof for that claim.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
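To make the disagreement above concrete, here is an added example (not code from any poster in this thread) that puts the two views side by side: the INSIDE view from `ss -tln` / `netstat -an` and the OUTSIDE view from an `nmap -oG` scan run on a second host. Both inputs are constructed sample data, and the IP address, ports and the "hotel" style port 25 answer are assumptions made for the illustration. The reconciliation shows what each tool can and cannot tell you: a listener bound to loopback is unreachable no matter what; a listener on all interfaces that the scan reports as filtered is still a running service hidden by a filter; and a port the scan reports open without any local listener was answered by something between you and the scanner, not by your box.

```python
import re
from typing import Dict

# Constructed sample of `ss -tln` output (same information as `netstat -an | grep LISTEN`):
# the view from INSIDE the box. Assumed data, not taken from the thread.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
"""

# Constructed sample of nmap grepable output (`nmap -oG - -p 22,25,80,445 <box>`)
# run from a second host OUTSIDE: the view from the network. Assumed data.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -oG - -p 22,25,80,445 203.0.113.10
Host: 203.0.113.10 ()   Status: Up
Host: 203.0.113.10 ()   Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///
# Nmap done -- 1 IP address (1 host up) scanned in 0.50 seconds
"""

LOOPBACK = {"127.0.0.1", "::1"}
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp")


def parse_listeners(ss_text: str) -> Dict[int, bool]:
    """Return {port: bound_on_a_non_loopback_address} from ss/netstat LISTEN lines.

    A socket bound only to loopback can never answer a connection from outside,
    so that is the one thing the inside view settles on its own.
    """
    listeners: Dict[int, bool] = {}
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        local = line.split()[3]               # e.g. "0.0.0.0:22" or "[::]:80"
        addr, _, port = local.rpartition(":")
        external = addr.strip("[]") not in LOOPBACK
        listeners[int(port)] = listeners.get(int(port), False) or external
    return listeners


def parse_scan(grepable: str) -> Dict[int, str]:
    """Return {port: state} (open / closed / filtered) from `nmap -oG` output."""
    states: Dict[int, str] = {}
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        for port, state in PORT_RE.findall(line.split("Ports:", 1)[1]):
            states[int(port)] = state
    return states


def reconcile(listeners: Dict[int, bool], scan: Dict[int, str]) -> Dict[int, str]:
    """Combine both views into a verdict per port. Neither view alone is enough."""
    verdicts: Dict[int, str] = {}
    for port in sorted(set(listeners) | set(scan)):
        external = listeners.get(port)        # None: no local listener at all
        state = scan.get(port, "unscanned")
        if external is None and state == "open":
            # The hotel case: the scanner got an answer, but not from this box.
            verdicts[port] = ("OPEN OUTSIDE, NO LOCAL LISTENER: something in between "
                              "(NAT box, proxy, ISP) answered, not this host")
        elif external is None:
            verdicts[port] = "no service: nothing to attack here"
        elif not external:
            verdicts[port] = "listening on loopback only: not reachable from outside"
        elif state == "open":
            verdicts[port] = "listening and reachable: keep it only if the service is needed"
        else:
            verdicts[port] = (f"listening but {state} from outside: a filter hides a "
                              "running service; the filter, not the box, is what protects it")
    return verdicts


if __name__ == "__main__":
    for port, verdict in reconcile(parse_listeners(SS_OUTPUT), parse_scan(NMAP_GREPABLE)).items():
        print(f"{port:>5}  {verdict}")
```

Note that the scan side only means anything if the second host really sits on the router's external interface; run against a remote "shields" style service, the same parsing would happily report your ISP's filter as your own.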

I prefer the analogy in which the user should only be allowed to drive the car if they can take apart the engine, and then put it back together.

Geo

Reply to
"GEO" Me

This is consistent with the default configuration of every version/service pack of Windows released within the last four and a half years.

Reply to
DevilsPGD

The issue isn't users driving, users are allowed to drive without too much of a problem, the problem is only when they start tinkering under the hood installing or removing components they don't understand.

Reply to
DevilsPGD

YABA (Yet Another Bad Analogy)

Reply to
Root Kit

Car analogies are the worst of all ;-) They never work.

Yours, VB.

Reply to
Volker Birk

Unfortunately, including Vista, Windows runs programs in the default configuration, which offer network services, and then filters them away.

Yours, VB.

Reply to
Volker Birk


Maybe you want to correct that then.

Not only. As you know, most filtering implementations are dynamic, e.g. with FTP helpers or even port knocking. You cannot see that with a port scan.

In many cases, you're scanning not your box but some NAT box outside or even some proxy server from the outside.

It's so easy, Ansgar: many Internet providers are filtering. People are using such remote scanning and are thinking that the words "your computer has the following ports closed" mean that their computer has them closed. It just means that someone sent a TCP NACK or some ICMP port unreachable.

Someone.

And with "stealth" it's even worse: that means, someone on the line, maybe the box itself, did throw away packets.

Your users don't recognize the difference in scanning results. But I saw the other way around, too:

I was in a hotel in Spain. When I was scanning from the outside, my box had port 25 open. What?

When I was scanning from the inside, every box on the outside had port 25 open.

The reason was that this hotel redirected every connection to port 25 of any IP address to their filtering mail server. It did not matter which mail server you were trying to reach; they connected your TCP socket for port 25 of any IP address to their own box.

In this case, NAT did not make a difference, because they had none.

And of course, their mail server was as b0rken as their network setup, so I used my own to send mail through an SSH tunnel to my server.

Yours, VB.

Reply to
Volker Birk

Never say never. A few of them work in the right context :-)

Reply to
Root Kit

No, it isn't. Unlike every version of Windows released up to now, OS X in the default configuration does not have any services listening on the external interface (and very few services running at all). Windows OTOH still has lots of services listening on all interfaces, and is just denying access to them via the Windows firewall.

However, only a service that is not running cannot be attacked. A service that is running can still be attacked, even if direct access is denied by the firewall. See e.g. [1].

[1]

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
