Which firewall for WIN XP Pro

I am trying to decide which firewall is best for a single user Win XP pro. I have tried Outpost in the past, but with the XP ports 21, 25, 110, 143 show open.

Can someone comment on which one to try, before I buy, that will close these ports or at least stealth them?

Thanks, Randy

Reply to
Randy Tingley

So you run servers on the well known ports for ftp, smtp, pop3 and imap.

Stop running the above servers.

Stealth is technical nonsense.

Wolfgang

Reply to
Wolfgang Kueter

It's obvious you went to the Gibson site and have done some testing. Stealth is nonsense. The more important thing is that the port is closed.

However, I am most likely going to get hammered for this, because I have been against the XP FW for only one reason, which is it allows some applications to punch holes in the FW when said application is installed, I was against it. But as long as you know this, then you can disable those exceptions.

I now say use the XP FW. I say this, because I am now using the equivalent of the FW that's on Vista Ultimate. The FW on Vista is doing its job of protecting the machine from unsolicited inbound traffic from reaching the machine. It has passed all FW tests I have tried even Gibson's site and the stupid stealth test.

However, I do supplement the FW on Vista like I was doing before when I was running BlackIce on the XP Pro machine. The FW on Vista is being supplemented by IPsec and I am using the AnalogX rules that have been applied for IPsec on Vista.

I am not concerned about inbound traffic which I can set rules with IPsec to stop inbound traffic by port, protocol, or IP. What I will use IPsec for if need be is to stop outbound traffic by port, protocol, or IP.

The AnalogX rules are set to protect the services, like NNTP, HTTP, SMTP, etc etc where you will have to enable the client side of the rules to allow traffic. You have no need to allow the server side, unless you have a service you want to expose to the Internet, which for the average Joe Blow home user, he or she will not enable those rules.

You can learn from the AnalogX rules and make your own rules if need be or change existing ones, like I had to change the SMTP port to 587 from 25, because the ISP uses 587.

Enable the XP FW, be aware of any rules that will be set for the FW if installing software, enable the XP FW log, and enable IPsec log, if you want and use the AnalogX rules.

You should secure the XP O/S to attack as much as possible, which I have applied some of it to Vista as much as I can, like the Everyone account being removed, etc, etc.

They need something for Vista.

I need to find out how to disable the application control in Vista, that's driving me crazy with asking a lot of questions. I'll get around to doing that, eventually.

Reply to
Mr. Arnold

Actually I am not running any servers. I just upgraded to XP Pro after 5 years with Win 2K and I am trying to locate what XP is running on these ports. Then maybe I can turn off the services.

Randy

Reply to
Randy Tingley

This is good to know that the XP FW is acceptable. Also thanks for the links, I will read up on closing 21, 25, 110, 143. Randy

Reply to
Randy Tingley

That's only possible with admin rights. And then it's no different from any other packet filter - any application running with admin credentials can do whatever it wants.

Reply to
Sebastian G.

Actually, since those ports are open, you *are* running servers there.

netstat -anob

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

I have looked down the list of services running, but can id the correct service to turn it off.

Randy

Reply to
Randy Tingley

If you have applied SP 2 to XP, then they have done some of it for you.

But here is a list of services that you can look into disabling.

If the computer has a direct connection to the modem, and therefore, a direct connection to the Internet, then disable Client for MS networks and File and Print Sharing for MS networks off of the network card or dial-up connection.

The machine has no business being in any kind of networking with a direct connection to the Internet.

Reply to
Mr. Arnold

Well Randy, why don't you try Windows Firewall for single use? I have been using it for a long time and I think it's good.

Reply to
mohd.faisalinhcl

Which part exactly of 'netstat -anob's output do you fail to understand?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Mr. Arnold, Thank you! I disabled both at the connection level. Randy

Reply to
Randy Tingley

You are welcome.

Reply to
Mr. Arnold

Under the PID the netstat -ano does not show anything running on ports 21, 25, 110, & 143? but when I have these scanned they show open?

I am trying to locate the service, then turn it off to close these ports.

Reply to
Randy Tingley

Please post the exact command and output from your portscan. Also post the output of the commands "ipconfig /all" and "netstat -anob". Maybe with some actual data we'll be getting somewhere.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Port Scan GRC Port Authority Report created on UTC: 2007-05-08 at 22:32:16
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000
4 Ports Open
1 Ports Closed
21 Ports Stealth
---------------------
26 Ports Tested
Ports found to be OPEN were: 21, 25, 110, 143
The port found to be CLOSED was: 113
Other than what is listed above, all ports are STEALTH.

C:\>netstat -anob

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       992
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING       576
  [Rtvscan.exe]

  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       2884
  [alg.exe]

  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING       1172
  [ccApp.exe]

  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING       4
  [System]

  TCP    192.168.1.100:1439     216.168.3.44:119       ESTABLISHED     1652
  [msimn.exe]

  TCP    192.168.1.100:1456     216.37.198.32:80       ESTABLISHED     2436
  [IEXPLORE.EXE]

  TCP    192.168.1.100:1473     216.37.198.32:80       ESTABLISHED     2436
  [IEXPLORE.EXE]

  TCP    192.168.1.100:1475     216.37.198.32:80       ESTABLISHED     2436
  [IEXPLORE.EXE]

  TCP    192.168.1.100:1476     216.37.198.32:80       ESTABLISHED     2436
  [IEXPLORE.EXE]

  UDP    0.0.0.0:500            *:*                                    784
  [lsass.exe]

  UDP    0.0.0.0:1267           *:*                                    1196
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    0.0.0.0:4500           *:*                                    784
  [lsass.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]

  UDP    0.0.0.0:1034           *:*                                    1196
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    127.0.0.1:1416         *:*                                    2436
  [IEXPLORE.EXE]

  UDP    127.0.0.1:1900         *:*                                    1152
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    127.0.0.1:123          *:*                                    1128
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    192.168.1.100:1900     *:*                                    1152
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    192.168.1.100:138      *:*                                    4
  [System]

  UDP    192.168.1.100:123      *:*                                    1128
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    192.168.1.100:137      *:*                                    4
  [System]

Folks ... this is where I am lost.

Reply to
Randy Tingley

As always ... GRC sucks ...

Apart from ports 500/udp and 4500/udp listening which are usually used for IPSEC this looks like a pretty normal wondoze box to me.

Besides that, the local IP 192.168.1.100 seems to indicate that you are sitting behind some gateway/router that does NAT. As long as the NAT implementation on the gateway/router works correctly the scan from external will never reach your box but only the gateway.

Please describe your setup and give more information about the gateway you are using.

I could offer a more reliable scan from external than the GRC crap using nmap. If those ports are really open either some port redirections to some internal machine(s) are configured on the gateway (what kind of gateway is that?) or the gateway is running those services.

Wolfgang

Reply to
Wolfgang Kueter

We'll see, but I think this whole exercise is worthless. You have the link telling what services on the NT based O/S to disable. You also have the link telling what you need to do to better secure the XP NT based O/S.

Here are some other tools that will help you look around for yourself from time to time and see what is happening.


Reply to
Mr. Arnold

I'd suggest using a real port scanner (like e.g. [1], if you can't run something like nmap or scanline or portqry from outside your network).

[...]

Since your computer has a private IP address it is apparently behind some router doing NAT. Meaning that the portscan you performed showed open ports on that router, not on your local computer. What kind of router do you use?

[1]
formatting link
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers
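
The reconciliation described in the replies above, as an added example that is not part of any poster's message: it parses `netstat -ano` output for TCP listeners and explains each port an external scan reported open. The sample text is constructed from values in the thread, the function names are hypothetical, and treating a private host address as "behind NAT" is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample in `netstat -ano` layout; rows reuse values from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       992
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       2884
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.100:1439     216.168.3.44:119       ESTABLISHED     1652
  UDP    0.0.0.0:500            *:*                                    784
"""

LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def tcp_listeners(netstat_text):
    """Map port -> [(local_address, pid), ...] for TCP sockets in LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if m:
            addr = m.group(1).strip("[]")  # IPv6 rows are printed as [addr]:port
            found.setdefault(int(m.group(2)), []).append((addr, int(m.group(3))))
    return found


def reconcile(netstat_text, host_ip, scanned_open):
    """Explain each port an external scan reported open, from the host's side."""
    listeners = tcp_listeners(netstat_text)
    behind_nat = ipaddress.ip_address(host_ip).is_private  # assumption: private means NAT
    verdicts = {}
    for port in scanned_open:
        # A socket bound only to loopback cannot answer a scan from outside.
        pids = sorted({pid for addr, pid in listeners.get(port, [])
                       if not ipaddress.ip_address(addr).is_loopback})
        if pids:
            verdicts[port] = ("local-listener", pids)
        elif behind_nat:
            # Private host address: the scan reached the NAT gateway instead.
            verdicts[port] = ("check-gateway", [])
        else:
            verdicts[port] = ("no-listener", [])
    return verdicts


if __name__ == "__main__":
    for port, verdict in reconcile(SAMPLE_NETSTAT, "192.168.1.100", [21, 25, 110, 143]).items():
        print(port, verdict)
```
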

Better use nmap.

Yours, VB.

Reply to
Volker Birk
