port security

viking33
PlatinumLounger
Posts: 5685
Joined: 24 Jan 2010, 19:16
Location: Cape Cod, Massachusetts,USA

port security

Post by viking33 »

I recently ran Gibson Research "Shields up" program to check the status of my ports and was surprised to see that two ports were no longer in Stealth mode but were Closed but responding to requests to open. Prior to this all ports were "Stealth" but now ports 20 & 21 are responding.

Port 20 shows it is FTP-Data file transfer protocol-Default data channel.
Port 21 shows it is FTP file transfer protocol-Control channel.

Also it shows that my location is responding to ping requests.

All of this is new and did not show up in the last tests which were some weeks ago, I think.

My questions are:
How to close these ports and how to identify what opened them in the first place?
I am running Malwarebytes as we "speak."
BOB
:massachusetts: :usa:
______________________________________

If I agreed with you we'd both be wrong.
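The three states behind the scan report in this post, as an added example that is not part of the thread: a prober sees a port as open when the TCP handshake completes, closed when a refusal (RST) comes back, and stealth when nothing comes back at all. The function names and the loopback default are assumptions made for the illustration.

```python
import socket
import sys

def probe(host, port, timeout=2.0):
    """Classify one TCP port as open, closed or stealth, seen from the prober."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"      # SYN/ACK: a service accepted the connection
    except ConnectionRefusedError:
        return "closed"    # RST: a device answered, but nothing is listening
    except (socket.timeout, TimeoutError):
        return "stealth"   # silence: the SYN was dropped without any reply
    except OSError as exc:
        return "error: %s" % exc   # e.g. no route to the host
    finally:
        sock.close()

def scan(host, ports, timeout=2.0):
    """Probe several ports and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

def answering_ports(results):
    """Ports whose reply shows a device is present (open or closed, not stealth)."""
    return sorted(p for p, state in results.items() if state in ("open", "closed"))

if __name__ == "__main__":
    # Assumed usage: python probe.py <address>; defaults to this machine.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target, [20, 21])   # the two ports named in the post
    for port, state in sorted(results.items()):
        print("%s:%d -> %s" % (target, port, state))
    print("ports that answered:", answering_ports(results))
```

A result of "closed" says only that some device on the path sent the refusal; it does not say which device.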

JoeP
SilverLounger
Posts: 2069
Joined: 25 Jan 2010, 02:12

Re: port security

Post by JoeP »

What firewall are you running?

Have you allowed anything new through the firewall recently?

You can use Sysinternal's TCPview or Nirsoft's CurrPorts to monitor port usage. Both are free.

Joe
Joe


Re: port security

Post by viking33 »

JoeP wrote: What firewall are you running?

Have you allowed anything new through the firewall recently?

You can use Sysinternal's TCPview or Nirsoft's CurrPorts to monitor port usage. Both are free.

Joe
Joe,
Running the Win 7 firewall with default settings.
Not about anything NEW, that I can recall? ( but who knows? )
Still running Malwarebytes but it said I was running an "outdated" version of vbalsgrid6.ocx which I just OKd and it started to run????
Will check out those progs as soon as I can.

Re: port security

Post by JoeP »

With default settings the Windows firewall does not block outbound traffic. So, if you have installed some drive-by bad guy that is phoning home that is OK by default.

Are you running through a router? You should be able to close the ports at the router.

Joe

Re: port security

Post by viking33 »

JoeP wrote: With default settings the Windows firewall does not block outbound traffic. So, if you have installed some drive-by bad guy that is phoning home that is OK by default.

Are you running through a router? You should be able to close the ports at the router.

Joe
Will have to check how to block outbound traffic.

Only running a Verizon DSL router with built in NAT router.
Malwarebytes ran OK, no hits. That .ocx thing seems to have disappeared? Now running AV.
DL those two progs you suggested but yet to run them.

Re: port security

Post by JoeP »

The builtin interface to control outbound traffic with the Windows firewall is less than user friendly. Check out another free tool - Windows Firewall Control.

Joe

Re: port security

Post by viking33 »

JoeP wrote: The builtin interface to control outbound traffic with the Windows firewall is less than user friendly. Check out another free tool - Windows Firewall Control.

Joe
You can say that again, Joe.
Thanks for the other link. Will DL and try to get at this later on today.

Re: port security

Post by viking33 »

I tried all three of those tools. None seemed to identify Ports 20 and 21 as being used by any program.
I was able to go into the Windows Firewall advanced settings and use the wizard to block the two ports both incoming and outgoing. At least I was able to see and accomplish the individual port settings easily enough.
However, Gibson still shows those two as responding and also my system was responding to Ping requests.
gibson.PNG
gibson2.PNG
The setting shown for incoming are the same as for outgoing and are from the Windows Firewall configuration settings.

StuartR
Administrator
Posts: 12605
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: port security

Post by StuartR »

If there is a router between your PC and the Internet then it is very likely that it is the router that is responding to these requests. No changes you make to firewall configurations on your PC will affect this.
StuartR



Re: port security

Post by viking33 »

StuartR wrote: If there is a router between your PC and the Internet then it is very likely that it is the router that is responding to these requests. No changes you make to firewall configurations on your PC will affect this.
As mentioned before, all I have is the Verizon DSL modem\NAT router which I have had for years. Shields Up never showed anything but "stealth" for all ports, until suddenly, there it is with 20 & 21 responding, but not open. Gibson did mention that separate routers could affect the tests but never this one (up until now). Something made the change and that's what I'm trying to find out.

Re: port security

Post by viking33 »

Moving along here. I uninstalled Windows 7 firewall and installed Zone Alarm free. This just to start eliminating some of the possibilities. Did the port check and it was exactly the same as with Win 7 firewall. So much for that idea. Put Win7 back in place after uninstalling ZA.
Now with much regret, I started a chat with a Verizon "tech" in New Delhi. This was a complete waste of time. I don't think I ever had to deal with total incompetence like this before. She\He didn't have a clue as to what I was even describing to them. They tried a remote session and I watched as they moused around and were lost in space.
I asked for a link to download a manual for the Westell 6100G modem\router. Couldn't even do that. Finally they gave up and gave me a number to call for "advanced support." Haven't got up the courage to do that yet.
I suppose all this proved was that the firewall is not the culprit. The modem\router is the more likely one.

Re: port security

Post by StuartR »

viking33 wrote:...
I suppose all this proved was that the firewall is not the culprit. The modem\router is the more likely one.
The modem/router is definitely the culprit here. I wonder if the ISP has intentionally configured it to accept ftp transfers so that they can upload new images or configuration files.

Re: port security

Post by viking33 »

StuartR wrote:
viking33 wrote:...
I suppose all this proved was that the firewall is not the culprit. The modem\router is the more likely one.
The modem/router is definitely the culprit here. I wonder if the ISP has intentionally configured it to accept ftp transfers so that they can upload new images or configuration files.
That's very possible, Stuart.
Now if I could only get them to admit and acknowledge that, then advise how I could close those ports! Using the "tech support" like I had yesterday, and getting a true answer, would be the impossible dream.
Even checking with Westell drew a blank, where they said the 6100G modem /router was made specifically for Verizon and I would have to contact Verizon for any help. Catch 22?
Maybe tomorrow I'll pour a pitcher of martinis and call the advanced tech support. :cheers: :stupidme:

Re: port security

Post by JoeP »

Can you access the router configuration pages? Often that is http://192.168.0.1 or http://192.168.1.1.

Joe

Re: port security

Post by viking33 »

JoeP wrote: Can you access the router configuration pages? Often that is http://192.168.0.1 or http://192.168.1.1.

Joe
Yes, I can as always, using the latter address. The GUI has changed to a newer one and I have not been able to find or go to the correct location regarding blocking or enabling ports.
Somewhere along the way Verizon has slipped in a new version that is uniquely theirs and not Westell. Hence my request for a manual for the model 6100G.
You would think I was asking for the design plans for the new stealth bomber or something!
Do I have to file for a freedom of information act to Congress?

Re: port security

Post by StuartR »

viking33 wrote:...
Somewhere along the way Verizon has slipped in a new version that is uniquely theirs and not Westell...
This would certainly explain why they need the ftp port to be usable.


jonwallace
5StarLounger
Posts: 1120
Joined: 26 Jan 2010, 11:32
Location: "What a mighty long bridge to such a mighty little old town"

Re: port security

Post by jonwallace »

This post here suggests downloading the manual for the 327 from Verizon's site here. The firmware's the same (they say).

But YMMV (as always)
John

“Always trust a microbiologist because they have the best chance of predicting when the world will end”
― Teddie O. Rahube


Re: port security

Post by viking33 »

jonwallace wrote: This post here suggests downloading the manual for the 327 from Verizon's site here. The firmware's the same (they say).

But YMMV (as always)
Might be worth a shot, Jon. Thanks.
Some progress to report. Using Jon's link to that 327 modem/router, it at least gave me what appears to be the same info that Verizon has with the 6100G.
Buried in the bowels of the advanced settings were IPSEC-ALG and UPNP, which I disabled.
This gave me a clear green board at Gibson with ALL ports "stealth!"

Now all that is shown as "failing" is that I am responding to ICMP Echo which is NOT supposed to be a good thing.
-----------------------------------
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
---------------------------


Now to try to find out how to fix this?

( I have no clue as to where and how these changes occurred )

Re: port security

Post by viking33 »

I'll consider this thread closed and solved. :thankyou:

Opening a new thread regarding the Ping Request replying to incoming pings.