Port 113 is closed

Using a Linksys NAT router and Sygate Pro.

I just did a test with Shields Up and all the tested ports came back "stealth" except for port 113, which came back closed.

My impression is that having 113 closed is probably quite ok, but I wanted to get some opinions on this.

TIA

Louise

Reply to
louise

The only way you can close port 113 on a router so that it appears as stealth, is to configure the router. If you look at the bottom of the page after running Shields Up, you will see some good advice from Mr. Gibson on that topic. Also check your router manufacturer's site for a help file on how to deal with this issue. I use a D-Link Router and their help file on this subject can be found at

formatting link
I hope this helps.

Reply to
Cyber Surfer

With a Linksys router, it probably depends upon the firmware version, how you achieve stealth on port 113. I have a Linksys BEFSR11 with a configurable setting on the "Filters" tab, on the "Advanced" tab. I don't recall that I had that option on the earliest firmware revision. This is probably a ver.1 model; it is too old to have a ver.# on the label.

The latest firmware revision is 1.46.02, dated Aug 03 2004. It has selectable options to block ICMP ('ping') and IDENT (port 113). Alas, I don't see it logging packets when I approach it from the WAN port. Without the option, all that you can do is forward port 113 to an unused IP address.

Reply to
NormanM

begin quotation from louise in message posted at 2005-09-03T04:12

This is done because many SMTP and IRC servers check port 113 (identd/auth, a Unix-centric service which returns the username opening a given port) and to stealth that port would cause connections to those servers to be delayed.

Maybe someone has already explained it better than I can.

Reply to
Shawn K. Quinn

louise wrote in news:MPG.1d82ecb0688400bc9896d5@news-server.nyc.rr.com:

The stealth test means nothing. The fact the port is *closed* is all that really counts. However, if you want to pass Gibson's worthless stealth test for a machine sitting behind a router that is already stealthed because it's behind the router and cannot receive unsolicited inbound traffic due to the port being *closed* on the router, you can port forward port 113 to a dummy IP in the DMZ of the router.

Then you'll pass Gibson's worthless stealth test.

Duane :)

Reply to
Duane Arnold

You're fooled by your "Personal Firewall". Nothing can make a PC invisible if it's up and running and connected to the Internet.

The "stealth" features of all "Personal Firewalls" are not working at all.

Yours, VB.

Reply to
Volker Birk

Unbelievable. Now D-Link starts with that nonsense, too.

Yours, VB.

Reply to
Volker Birk

I agree. BTW:

formatting link
Yours, VB.

Reply to
Volker Birk

There's no point to the "stealth"-hype anyway, so no need to worry.

Historically, it has always been a good idea to keep port 113 closed instead of "stealthed", because many servers (especially POP3, FTP and IRC) will ask your machine on port 113 who you are if you want to connect, and will wait for a timeout period until they allow you through.

Juergen Nieveler

Reply to
Juergen Nieveler

Gibson's marketing babble. You can prove it yourself by using traceroute (or the microsoft lame imitation TRACERT). This is a trace to a stealthed host (I've deleted the hostname normally seen in the first column for space and privacy reasons, and masked the first octet of the address to avoid having fools attack this particular set of hosts):

14 (XXX.117.52.49) 329.807 ms 309.331 ms 309.864 ms
15 (XXX.181.218.10) 329.744 ms 329.413 ms 299.859 ms
16 * * *
17 * * *

I have another (similar) tool that tells me that hop 16 is some kind of firewall that is NAT/Port-Forwarding to a host - hop 17 comes back with an indication from a server, but with the address of hop 16.

Similar trace - host exists, and is reachable:

14 (XXX.117.52.49) 348.127 ms 327.441 ms 339.921 ms
15 (XXX.181.218.10) 350.116 ms 331.256 ms 333.981 ms
16 (XXX.87.184.55) 339.793 ms 529.427 ms 469.787 ms

Similar trace - host does not exist, or is turned off or disconnected:

14 (XXX.117.52.49) 409.373 ms 329.452 ms 331.011 ms
15 (XXX.181.218.10) 419.833 ms !H

Here - the router at hop 15 tells me that it knows how to get "there" (or I'd see a !N = Network Unreachable), but the host (!H) isn't there. Now some toy routers/firewalls can be configured to mimic this response - the only thing is that the ICMP Type 3 Code 1 (Host Unreachable) error comes from the IP of the destination I'm tracing to - the host that "doesn't exist". Some programmers are as st00pid as marketeers.

Which as the others have said is good. Ident/Auth (RFC1413) is used by some services on the net (mail and IRC mainly), and stealthing the port delays a connection you want - "Bullet, meet foot. Bang!"

Having a port "closed" ends that connection attempt. A "stealth" port causes the remote end to try again, and again - thinking that the packets got dropped accidentally en route. THIS DOES NOT SLOW DOWN PORT SCANS, because port scans are run in parallel, rather than waiting for a response before continuing.

Old guy

Reply to
Moe Trin
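The three traces Moe Trin quotes above (silence, a normal reply, and a !H from the previous hop) can be told apart mechanically. The parser below is an added example written for this page, not code from the post or from any traceroute implementation; it takes the masked hop lines exactly as quoted (the XXX octets are kept as they appear, and the three trace strings are constructed copies of the post's output) and returns the same verdict the post reaches by eye: a trailing run of `* * *` is a host that drops probes, a response from the last hop is a reachable host, and a `!H` flag is the previous router reporting ICMP Host Unreachable.

```python
import re

# Constructed copies of the three masked traces quoted in the post.
TRACE_DROPPED = ("14 (XXX.117.52.49) 329.807 ms 309.331 ms 309.864 ms "
                 "15 (XXX.181.218.10) 329.744 ms 329.413 ms 299.859 ms "
                 "16 * * * 17 * * *")
TRACE_REACHABLE = ("14 (XXX.117.52.49) 348.127 ms 327.441 ms 339.921 ms "
                   "15 (XXX.181.218.10) 350.116 ms 331.256 ms 333.981 ms "
                   "16 (XXX.87.184.55) 339.793 ms 529.427 ms 469.787 ms")
TRACE_ABSENT = ("14 (XXX.117.52.49) 409.373 ms 329.452 ms 331.011 ms "
                "15 (XXX.181.218.10) 419.833 ms !H")

# hop number, optional "(address)", then RTTs, stars and !-flags
HOP_RE = re.compile(r"^(\d+)\s+(?:\(([^)]+)\)\s*)?(.*)$")


def split_hops(text):
    """Split a trace that was flattened onto one line back into one entry per hop.
    A hop entry starts with its number followed by '(' (address) or '*' (no reply)."""
    return re.split(r"\s+(?=\d+\s+[(*])", text.strip())


def parse_hop(entry):
    """Parse one hop entry into its number, address, RTTs, flags and a status."""
    m = HOP_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised hop entry: {entry!r}")
    hop, addr, rest = int(m.group(1)), m.group(2), m.group(3)
    rtts = [float(x) for x in re.findall(r"(\d+(?:\.\d+)?)\s*ms", rest)]
    flags = re.findall(r"!\w+", rest)
    if addr is None and not rest.replace("*", "").strip():
        status = "no_reply"             # probes dropped, nothing came back
    elif "!H" in flags:
        status = "host_unreachable"     # ICMP type 3 code 1 sent by this hop
    elif "!N" in flags:
        status = "network_unreachable"  # ICMP type 3 code 0 sent by this hop
    else:
        status = "responded"
    return {"hop": hop, "addr": addr, "rtts": rtts, "flags": flags, "status": status}


def verdict(text):
    """Apply the post's reasoning to the final hop of a trace."""
    hops = [parse_hop(h) for h in split_hops(text)]
    last = hops[-1]
    if last["status"] == "no_reply":
        return "dropped"          # the post's "stealthed" host: silence, not absence
    if last["status"] == "host_unreachable":
        return "host_absent"      # the previous-hop router says the host is not there
    if last["status"] == "network_unreachable":
        return "network_absent"
    return "reachable"


if __name__ == "__main__":
    for name, trace in (("dropped", TRACE_DROPPED), ("reachable", TRACE_REACHABLE),
                        ("absent", TRACE_ABSENT)):
        print(name, "->", verdict(trace))
```

The post's caveat still applies: a device configured to forge Host Unreachable for its own address will be classified `host_absent` by this code, since the parser sees only the flag, not which IP the ICMP error really came from.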

Not so much 'device fingerprinting' as 'operating system fingerprinting'. That's fixable on some O/S by tweaking some things. It's _VERY_ O/S specific, and not that many have the capability.

You have a choice. If you do not use services that may want Ident/Auth, OR you don't care that you get delayed up to a minute when using such services, then by all means go ahead and stealth if that's what you want to do.

If you have services (such as mail or IRC) that REQUIRE this port to respond (some really do), then it gets sticky - perhaps you can change your firewall rules on the fly, or set a rule that only allows connections to that port from specific addresses.

If your computer is reasonably configured, and you are not offering services, then what does it matter? If the port is 'closed' then the door is closed and that is that. Of course, if you are still using earlier versions of windoze that were vulnerable to the 'ping of death' then running an EXTERNAL hardware firewall is required - but what does it matter?

Old guy

Reply to
Moe Trin
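Several posters (Shawn K. Quinn, Juergen Nieveler and Moe Trin above) make the same point: a mail or IRC server asks port 113 who owns the connection, a closed port answers that question with an immediate RST, and a "stealthed" port leaves the server retransmitting until it gives up. The script below is an added example written for this page, not code from the thread or from any identd; it runs a minimal RFC 1413 exchange over loopback (on an ephemeral port, since binding 113 needs root) in which the responder answers `ERROR : HIDDEN-USER`, a reply type RFC 1413 defines, so the peer gets its answer at once without learning a username. The choice to hide the user rather than return it is a constructed policy, not something the thread prescribes. It then classifies ports the way the thread does: `closed` (refused), `open`, or `dropped` (timeout).

```python
import socket
import threading

IDENT_PORT = 113  # RFC 1413 ident/auth, the port the thread is about


def parse_ident_query(line):
    """RFC 1413 query: '<port-on-server> , <port-on-client>'. Returns (int, int) or None."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        sp, cp = int(parts[0]), int(parts[1])
    except ValueError:
        return None
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return sp, cp


def ident_reply(line):
    """Reply a privacy-preserving identd would send (constructed policy): the peer
    gets an immediate answer, so there is no timeout wait, but learns no username."""
    q = parse_ident_query(line)
    if q is None:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    return f"{q[0]} , {q[1]} : ERROR : HIDDEN-USER\r\n"


def serve_ident_once(listen_sock):
    """Accept one connection, answer one query, close."""
    conn, _ = listen_sock.accept()
    with conn:
        data = conn.recv(512).decode("ascii", errors="replace")
        conn.sendall(ident_reply(data).encode("ascii"))


def ident_query(host, port, server_port, client_port, timeout=2.0):
    """What a mail or IRC server does: ask ident who owns the connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
        return s.recv(512).decode("ascii").strip()


def probe(host, port, timeout=1.0):
    """Classify a TCP port the way the thread does:
    'closed'  -> RST came straight back (connection refused); the attempt ends at once
    'open'    -> handshake completed
    'dropped' -> nothing came back before the timeout (what Shields Up calls 'stealth');
                 a real client retransmits and waits, which is the delay complained about"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "dropped"


def demo():
    """Run the ident exchange over loopback, then probe an open and a closed port.
    Returns (ident reply, state of the listening port, state of the closed port)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))  # ephemeral port instead of 113
    lsock.listen(2)
    port = lsock.getsockname()[1]
    t = threading.Thread(target=serve_ident_once, args=(lsock,), daemon=True)
    t.start()
    reply = ident_query("127.0.0.1", port, 25, 54321)  # pretend an SMTP server asks
    t.join(5)
    open_state = probe("127.0.0.1", port)  # listener still there -> 'open'
    lsock.close()
    # Bind then close: nobody listens on that port any more, so a connect gets a RST.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    closed_state = probe("127.0.0.1", closed_port)
    return reply, open_state, closed_state


if __name__ == "__main__":
    print(demo())
```

The `dropped` branch cannot be exercised on loopback, because the local stack always answers; against a router that silently discards SYNs to 113 the call returns only after the full timeout, which is exactly the wait the posters describe.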

I agree with the other opinions already posted but would anyone see an advantage of "stealthing" this port just to avoid device fingerprinting? By leaving it in a state different than the other ports an attacker can narrow what he's dealing with to a handful of devices, no? I would prefer to not give him that information even though it might not be to any use. Or then it could be...

Your thoughts?

Reply to
speeder

I have a Dlink DI-604 and I want to close a few ports. I don't see an option to do that in the router settings. What am I missing?

Reply to
Praxiteles Democritus

D-Link has instructions at

formatting link

on how to stealth Port 113. Just follow the instructions. I have the same D-Link Router as you do, and it works flawlessly.

Reply to
Cyber Surfer

I read this recently in here "As always, I suggest blocking both TCP and UDP ports 135 ~ 139 and 445 on *any* SOHO Router.". Does doing the above effectively achieve the blocking of these ports?

Reply to
Praxiteles Democritus

Yes.

Reply to
Praxiteles Democritus

Are you using NAT?

Yours, VB.

Reply to
Volker Birk

Please tell me why you think your port is "stealth", say: invisible. What should that be, an "invisible" port?

Is your router modifying the natural numbers, and removing one of them? A port is a number between 1 and 65535 together with a layer 4 protocol like UDP or TCP. With this number, your TCP/IP stack software can assign datagrams to sockets and therefore to processes.

There is nothing you could "stealth" at all. This is just nonsense, based on the misinterpretation of the term "port", which does _not_ mean door here, nor harbor, but just a maintenance number.

Yours, VB.

Reply to
Volker Birk

I cannot see that.

Yours, VB.

Reply to
Volker Birk
[wanting to "close ports"]

Hm... if you mean masquerading with NAT, please explain what you mean by "close ports".

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.