I am trying to decide which firewall is best for a single user Win XP pro. I have tried Outpost in the past, but with the XP ports 21, 25, 110, 143 show open.
Can someone comment on which one to try, before I buy, that will close these ports or at least stealth them?
It's obvious you went to the Gibson site and have done some testing. Stealth is nonsense. The more important thing is that the port is closed.
However, I am most likely going to get hammered for this, because I have been against the XP FW for only one reason: it allows some applications to punch holes in the FW when said application is installed. But as long as you know this, you can disable those exceptions.
I now say use the XP FW. I say this, because I am now using the equivalent of the FW that's on Vista Ultimate. The FW on Vista is doing its job of protecting the machine from unsolicited inbound traffic from reaching the machine. It has passed all FW tests I have tried even Gibson's site and the stupid stealth test.
However, I do supplement the FW on Vista like I was doing before when I was running BlackIce on the XP Pro machine. The FW on Vista is being supplemented by IPsec and I am using the AnalogX rules that have been applied for IPsec on Vista.
I am not concerned about inbound traffic which I can set rules with IPsec to stop inbound traffic by port, protocol, or IP. What I will use IPsec for if need be is to stop outbound traffic by port, protocol, or IP.
The AnalogX rules are set to protect the services, like NNTP, HTTP, SMTP, etc etc where you will have to enable the client side of the rules to allow traffic. You have no need to allow the server side, unless you have a service you want to expose to the Internet, which for the average Joe Blow home user, he or she will not enable those rules.
You can learn from the AnalogX rules and make your own rules if need be or change existing ones, like I had to change the SMTP port to 587 from 25, because the ISP uses 587.
Enable the XP FW, be aware of any rules that will be set for the FW if installing software, enable the XP FW log, and enable IPsec log, if you want and use the AnalogX rules.
You should secure the XP O/S against attack as much as possible; I have applied some of it to Vista as much as I can, like the Everyone account being removed, etc.
They need something for Vista.
I need to find out how to disable the application control in Vista, that's driving me crazy with asking a lot of questions. I'll get around to doing that, eventually.
Actually I am not running any servers. I just upgraded to XP Pro after 5 years with Win 2K and I am trying to locate what XP is running on these ports. Then maybe I can turn off the services.
That's only possible with admin rights. And then it's no different from any other packet filter - any application running with admin credentials can do whatever it wants.
If you have applied SP 2 to XP, then they have done some of it for you.
But here is a list of services that you can look into disabling.
If the computer has a direct connection to the modem, and therefore, a direct connection to the Internet, then disable Client for MS networks and File and Print Sharing for MS networks off of the network card or dial-up connection.
The machine has no business being in any kind of networking with a direct connection to the Internet.
Please post the exact command and output from your portscan. Also post the output of the commands "ipconfig /all" and "netstat -anob". Maybe with some actual data we'll be getting somewhere.
Port Scan
GRC Port Authority Report created on UTC: 2007-05-08 at 22:32:16

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000

4 Ports Open
1 Ports Closed
21 Ports Stealth
---------------------
26 Ports Tested

Ports found to be OPEN were: 21, 25, 110, 143
The port found to be CLOSED was: 113
Other than what is listed above, all ports are STEALTH.
C:\>netstat -anob

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 992
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]
TCP 0.0.0.0:2967 0.0.0.0:0 LISTENING 576
[Rtvscan.exe]
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 2884
[alg.exe]
TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING 1172
[ccApp.exe]
TCP 192.168.1.100:139 0.0.0.0:0 LISTENING 4
[System]
TCP 192.168.1.100:1439 216.168.3.44:119 ESTABLISHED 1652
[msimn.exe]
TCP 192.168.1.100:1456 216.37.198.32:80 ESTABLISHED 2436
[IEXPLORE.EXE]
TCP 192.168.1.100:1473 216.37.198.32:80 ESTABLISHED 2436
[IEXPLORE.EXE]
TCP 192.168.1.100:1475 216.37.198.32:80 ESTABLISHED 2436
[IEXPLORE.EXE]
TCP 192.168.1.100:1476 216.37.198.32:80 ESTABLISHED 2436
Apart from ports 500/udp and 4500/udp listening, which are usually used for IPsec, this looks like a pretty normal windoze box to me.
Besides that, the local IP 192.168.1.100 seems to indicate that you are sitting behind some gateway/router that does NAT. As long as the NAT implementation on the gateway/router works correctly, the scan from external will never reach your box but only the gateway.
Please describe your setup and give more information about the gateway you are using.
I could offer a more reliable scan from external than the GRC crap using nmap. If those ports are really open either some port redirections to some internal machine(s) are configured on the gateway (what kind of gateway is that?) or the gateway is running those services.
We'll see, but I think this whole exercise is worthless. You have the link telling what services on the NT based O/S to disable. You also have the link telling what you need to do to better secure the XP NT based O/S.
Here are some other tools that will help you look around for yourself from time to time and see what is happening.
I'd suggest using a real port scanner (like e.g. [1], if you can't run something like nmap or scanline or portqry from outside your network).
[...]
Since your computer has a private IP address it is apparently behind some router doing NAT. Meaning that the portscan you performed showed open ports on that router, not on your local computer. What kind of router do you use?
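An added example, not part of any post in this thread: a Python cross-check of the ports the external scan reported open against the local netstat listing, showing which of them this host actually serves. The sample input is abridged from the output posted above, and the function names `listeners` and `assess` are hypothetical.

```python
import ipaddress

# Constructed sample: abridged from the "netstat -anob" listing posted in the thread.
NETSTAT = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 992
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]
TCP 0.0.0.0:2967 0.0.0.0:0 LISTENING 576
[Rtvscan.exe]
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 2884
[alg.exe]
TCP 192.168.1.100:139 0.0.0.0:0 LISTENING 4
[System]
TCP 192.168.1.100:1439 216.168.3.44:119 ESTABLISHED 1652
[msimn.exe]
"""
SCAN_OPEN = {21, 25, 110, 143}  # ports the external scan reported as OPEN

def listeners(netstat_text):
    """Return {port: (local_ip, owner)} for TCP sockets in LISTENING state."""
    found, last = {}, None
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            ip, _, port = parts[1].rpartition(":")
            last = int(port) if parts[3] == "LISTENING" else None
            if last is not None:
                found[last] = (ip, "?")
        elif last is not None and line.strip().startswith("["):
            # "[name]" line that -b prints after the socket row (DLL paths are skipped)
            found[last] = (found[last][0], line.strip().strip("[]"))
            last = None
    return found

def assess(netstat_text, scan_open):
    """Separate scanned-open ports this host serves from those answered elsewhere."""
    local = listeners(netstat_text)
    ips = {p: ipaddress.ip_address(ip) for p, (ip, _) in local.items()}
    # A private, non-loopback bind address means the host sits behind a gateway.
    private = any(a.is_private and not (a.is_loopback or a.is_unspecified)
                  for a in ips.values())
    on_host = {p: local[p][1] for p in scan_open
               if p in ips and not ips[p].is_loopback}
    elsewhere = sorted(set(scan_open) - set(on_host))
    return {"private_addr": private, "on_host": on_host, "elsewhere": elsewhere}

if __name__ == "__main__":
    print(assess(NETSTAT, SCAN_OPEN))
```

With the thread's data, none of the four reported ports has a local listener, which matches the replies: whatever answered the scan is the gateway or something it forwards to, not the XP machine.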