Port 113?

Should I stealth my Port 113 or keep it closed and report it to the world at large as such?

Reply to
Cuckoo

You should look up what port 113 means. Do you have an email server running on your machine where client machines are looking to retrieve emails?

What's stealth? Well, it's Gibson BS is what it is about. The main thing is that the port is *closed* -- that's any port.

Duane :)

Reply to
Duane Arnold

You should never "stealth" any port until you have explicit reason to do so.

Usually, if you're using Ident (f.e. with IRC) or at least use some service which asks for such a service (mail transfer with SMTP), you might have it either implicitly open on demand (read: fully allowing it on your packet filter) or at least "closed" (read: sending a TCP RST, giving an immediate negative reply). Otherwise you will just hurt yourself with some stupid timeouts.

Reply to
Sebastian Gottschalk
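Added example, not part of any post in this thread: a minimal RFC 1413 (Ident) query, the lookup a mail, FTP or IRC server makes back to a connecting client on port 113, timed so that the immediate negative reply from a closed port can be compared with the full wait a silently dropped port imposes. The helper names, the sample user and the loopback ports are constructed for illustration.

```python
import socket
import threading
import time

def ident_lookup(host, port_on_ident_host, port_on_querier, ident_port=113, timeout=5.0):
    """Send one RFC 1413 query and time it.

    Returns (outcome, reply, seconds). Outcome is "answered", "no-reply",
    "closed" (connection refused, i.e. a TCP RST came back) or "filtered"
    (nothing came back before the timeout, as with a dropped packet).
    """
    start = time.monotonic()
    outcome, reply = "filtered", ""
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{port_on_ident_host}, {port_on_querier}\r\n".encode("ascii"))
            reply = s.recv(512).decode("ascii", "replace").strip()
            outcome = "answered" if reply else "no-reply"
    except ConnectionRefusedError:
        outcome = "closed"        # RST: the querying server can move on at once
    except socket.timeout:
        outcome = "filtered"      # the querying server waited the whole timeout
    return outcome, reply, time.monotonic() - start

def one_shot_identd(user="sample"):
    """Constructed stand-in for identd: answers one query on a free local port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            query = conn.recv(512).decode("ascii").strip()
            conn.sendall(f"{query} : USERID : UNIX : {user}\r\n".encode("ascii"))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_closed_port():
    """Return a local port with no listener, so a connect is refused with an RST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    for label, port in (("listening", one_shot_identd()), ("closed", free_closed_port())):
        outcome, reply, secs = ident_lookup("127.0.0.1", 6191, 23, ident_port=port)
        print(f"{label}: {outcome} {reply!r} in {secs:.3f}s")
```

The "filtered" outcome cannot be produced on loopback without a packet filter; against a port whose packets are dropped, the call returns only after `timeout` seconds.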


The latter.

I notice that you don't say you need it open. IRC uses it but I've found it works fine without it.

Reply to
q_q_anonymous


What about reading the protocol documentation? This would save you some useless trials, and would also show when it's good to use it even if unnecessary.

Reply to
Sebastian Gottschalk


Good idea...

You have me a little concerned. If your posts start disappearing from the archives then it is a loss.

Reply to
q_q_anonymous

Close it. "Stealthing" is nonsense.

Yours, VB.

Reply to
Volker Birk

There are real news servers and also archivers with web interface that are not so stupid as to interpret the X-no-archive header out of misunderstood politeness. Well, it's not that Google Groups wouldn't store the posts anyway...

Reply to
Sebastian Gottschalk

IBTD. I've never seen any use for sending a reply to the incoming garbage on Port 135/TCP. However, what you meant is that, unreflected "stealthing" of any ports is at least O(nonsense²*ln(nonsense)).

Reply to
Sebastian Gottschalk

So you don't think that being RFC conforming is sensible. But I do.

I cannot see that horseplay is a problem which scales dependent on nonsense ;-)

BTW: I cannot get your PoC code for exploiting .NET to work. Can you help with a working example?

Yours, VB.

Reply to
Volker Birk

I would recommend you "stealth" all of your ports (65535 TCP + 65535 UDP). What this actually means is disabling the ICMP protocol. ICMP has many uses and can be handy to have around when you need it, but I personally wouldn't recommend using it routinely unless you actually need to.

My reasons would include:

1) There are a plethora of known attacks using ICMP.

2) There is no doubt that there will be new attacks using the ICMP protocol in the future.

3) "Unstealthing" your ports (enabling ICMP) means that your computer's resources can be drained by external attackers. With ICMP enabled your computer is required to process and reply to anything that anyone sends to it. It would be similar to being required to read and send replies to everyone who sends you spam or conventional "junk mail". Why bother?

4) Enabling ICMP allows others to receive data packets from your computer. The way your computer responds to ICMP requests and what your computer responds with can be analyzed with a view to "fingerprinting" your operating system. Knowing what operating system you use is a valuable piece of information to a would-be attacker. They can then use known-vulnerabilities for your specific OS and version (especially if there are any "unpatched" vulnerabilities) in attacks directed towards your computer.

5) Many ISPs disable ICMP in their routers; if your computer also has ICMP disabled, you are effectively "invisible" to many would-be attackers. Not using ICMP at the least makes you far less visible than those who do.

6) Using a "Default Drop" policy for INBOUND and OUTBOUND firewall-traffic is the most secure default firewall configuration you can use. With this policy your computer "drops" packets (does not acknowledge or reply to any packets by default) unless you have intentionally and specifically allowed traffic in or out of your firewall. If you were to use a Default Drop policy why would you specifically allow ICMP in or out if you did not need it? The whole point of this type of security-stance is to allow in and out ONLY that which is ESSENTIAL. Please note that with a Default Drop policy, especially with regard to the OUTBOUND rules, you need to be careful to place any essential firewall-rules ALLOWING traffic in-place before you enable your Default Drop policy. It is always best to have print-outs and back-up copies of all configurations before proceeding.

There are those who disagree with disabling ICMP and "stealthing" ports. These people seem to believe that it is "impolite" not to reply to ICMP pings and the like. Perhaps these same people believe that the Internet is inherently a "friendly place" and not a hostile environment. It would be nice if this were true, but I don't feel this has been the case for a very long time. As long as there are many people expending much effort to subvert the ICMP protocol for both malicious and financially-motivated attacks, I personally will not be using it, "routinely".

Reply to
Anonymous via the Cypherpunks

Why? This just violates IP and is of no use.

Then IP will not work very well.

Maybe you should have a closer look at IP and ICMP.

Not "stealthing" does not mean "enabling ICMP". Mostly there are TCP RST packets to send.

Perhaps you really should read STD 5 / RFC 791 and 792 first, before arguing. You seem not to have a clue what you're writing here. You can find the RFCs at

Yours, VB.

Reply to
Volker Birk

The poster has confused "stealth" with blocking ping. You can use "stealth" and allow ping. Or be "unstealthed" (open/closed) and disallow ping.

Reply to
q_q_anonymous

Before *you* recommend something, you should definitely read some books about TCP/IP. You are clueless.

Wolfgang

Reply to
Wolfgang Kueter


You should block access to any ports that you want to block access to/from. Unless you are experiencing a technical problem with blocking Port 113, block it and have a happy day.

I know hundreds of sites that block port 113 without any problems.

Reply to
Leythos

Simply insert "TCP RST" packets into my previous post's reasons.

IMO silently dropping all ICMP and TCP RST packets is the more secure thing to do.

If anyone is actually claiming that allowing ICMP and TCP RST is more secure, please elaborate. Apart from some saying "...it breaks this..." or "...it violates RFCxxx...", no-one seems to be able to articulate why their stance would actually be more secure.

I assumed the original poster wanted to know which policy is more secure. I would never claim to be an expert, I learn new things constantly, but I do stand by my conclusions. I have not allowed ICMP and TCP RST packets for years and have had no problems whatsoever.

Perhaps some who post here who do consider themselves to be experts, hold their views religiously. Religiously-held beliefs cannot be articulated rationally. My recommendation is more secure because... Your recommendation is less secure because...

Choosing NOT to allow things that are optional, not required nor essential, could be the difference between having your computer successfully attacked at some point in the future or being ignored as a target. The concept of OS-hardening and of computer security in general is a trade-off between convenience and security, usually the more secure you make something, the less convenient it is to use. Sometimes things "break" and aren't as easy to use again in the exact way you once used them. I don't think this present instance breaks anything, I have had no adverse effects at all. I would be willing to break some things to achieve a more secure system, I personally give priority to security over convenience when any trade-off needs to occur. Others may prefer convenience. To each his own. I believe I made my post to comp.security.firewalls and not to "comp.convenient.firewalls".

I disagree with the person who thinks that they can receive ping-requests, have their system send ping-replies and still have these ports "stealthed". If any of your ports cause the generation of a ping-reply, these ports are visible externally and are not "stealthed".

ICMP is far more than just ping-requests and ping-replies. I consider it dangerous to use routinely. If you have a large network, you may wish to use it more regularly. The range of ICMP-based attacks available supports my conclusion.

Reply to
Cyberiade.it Anonymous Remaile

We block all ICMP inbound to most clients' networks and have never had any problems that we know of in doing so. In fact, many of our team block ICMP in/out of their networks and have never experienced a problem because of it.

Reply to
Leythos

Cuckoo wrote in news:44f0b882$0$8839$ snipped-for-privacy@free.teranews.com:

I have Port 113 closed and my router has it stealthed. In several years, I've only ever had one issue. I ran into an FTP site that didn't want to serve a file to me. However, on retry, it did deliver it. It just took an additional 30 seconds to decide to allow it.

Reply to
John Gray

And you can't show how it breaks anything that most of the world needs. Try giving him a technical explanation.

Reply to
Leythos

Could I kindly ask you to also elaborate why you think stealth is more secure?

Is there for example something you can do to a closed port that you cannot do to a stealthed port?

I'm not challenging you. I'm just interested in both opinions in this everlasting discussion.

Agreed. Therefore we also need an explanation for your own recommendation.

Are you saying that stealthing would make them invisible or unreachable?

Reply to
B. Nice
