Linksys router problem?

Name: dw226
Date: May 2, 2004 at 11:31:41 Pacific
OS: XP Home
CPU/Ram: 1.8 Celeron/512MB
Comment:

Hey everybody, I have a really weird issue here. I just installed a Linksys BEFSX41 router last night, and, though it seems to be working OK, I can't figure something out.

Ok, I've been hanging over at PCFlank for awhile testing my security. So, I run the Quick Test, and it tells me I have Port 135 open. So, I make an advanced rule in Sygate to block it and run the scan again. It comes up stealthed, but now Port 139 is open. So I do the same thing for it, run it through the scan, and everything comes up stealthed.

Now, I have the RPC and ShootTheMessenger apps from GRC and took care of that. Ok, so I log in to my router to clear out the massive scan logs that the security scans created. I close out the browser (as this seems to be the only method of logging out of the router setup), and run all of the PCFlank tests again.

Would you believe that they BOTH come up as visible now? I don't understand this guys, one minute I'm good to go, the next scan around I'm open. What gives here? I've been through Linksys tech support (if that is what you would like to call it, be my guest). If anybody is familiar with these routers, please let me know how I get everything safely stealthed. Thanks.



Response Number 1
Name: dw226
Date: May 2, 2004 at 11:32:31 Pacific
Reply:

By the way, I disabled File and Print Sharing also.



Response Number 2
Name: wannaBtech
Date: May 2, 2004 at 12:15:23 Pacific
Reply:

Hey dw226,

I've got a Linksys router as well. If you have the current firmware version for your router the only port that should be non-stealthed is 113. The 113 port is the old IDENT server that sends a verification packet back after a request is made. If this port is stealthed, theoretically, it could interfere with you communicating to some servers. My router deliberately closed 113, but did not stealth it. Check to make sure you have updated your firmware at the Linksys website. If you already have it updated, let me know and will try something else.

Also, make sure you have no spyware, adware, trojans, etc. opening those ports.



Response Number 3
Name: dw226
Date: May 2, 2004 at 13:54:04 Pacific
Reply:

Hey WannaBTech, thanks for replying. Ok, let me go over the steps I have taken:

1. Scanned for viruses and such, came up clean.

2. Ran another PCFlank scan and came up with both ports mentioned open. I also ran a GRC scan and saw that 113 is indeed closed but not stealthed.

3. I ran the various applications such as ShootTheMessenger and the others from GRC and I turned off File and Print Sharing within Windows.

4. I also created Advanced Rules within my Sygate Firewall to block ports 113, 135, and 139.

5. Now, while waiting for replies here, I surfed around and found something about my particular router. In the Advanced options menu when I go into the router settings, there is what is called "Forwarding".

According to the website I found the information on, what you do is put in the name of the application the port number uses, the port number, and, add an ending to the end range of your router IP address, and it will forward all requests for that port to that non-existent IP address, thereby I assume stealthing it.

I followed the instructions for this and ran the PCFlank QuickTest again, and it came up as everything being stealthed. Whether I've actually fixed the problem or not I have no idea. If you know of anything I might be missing, please let me know.

For whatever reason, since I've installed the router per my ISP's and Linksys's instructions last night, my computer has restarted Windows out of the blue 3 times. I don't have the slightest clue what that is about, but let's solve one problem at a time :-)



Response Number 4
Name: dw226
Date: May 2, 2004 at 17:45:37 Pacific
Reply:

Ok, I've run the PCFlank.com QuickScan again, without making any other changes than I have. Now the scan is telling me Port 139 is visible, when an hour or so ago I was all stealth. Am I not doing something right or is this router changing its own settings on me?



Response Number 5
Name: wannaBtech
Date: May 2, 2004 at 17:49:35 Pacific
Reply:

Ok, first make sure you have your router's most recent firmware. The newest release is version 1.45.3, and you can get it at ftp://ftp.linksys.com/pub/network/BEFSX41_v1453_code.bin.

Yes, forwarding those ports will stealth them. What you have done is send all incoming TCP/UDP packets that are going to those ports to go to a computer that doesn't exist.

You do want to make sure those ports are not vulnerable as they are your NetBIOS and DCOM ports. If you want to read up on what those ports do you can go back to grc.com, if you don't know already.

As long as those ports are stealthed you're in good shape. Anyone wanting to get into your system wouldn't have enough information to start. Odds are that they can't even see your computer if your ports are all stealthed.

I believe, although I am no expert, that your router should automatically stealth those ports in question. Is it a NAT router? I have a BEFSR41 Linksys NAT. All NATs will drop all unsolicited UDP/TCP packets by default, which is why they make good hardware firewalls.

What programs are you running for virus/spyware? In my opinion you should at least be running Adaware and Spybot.

I never could get Sygate to work the way I wanted it to. For some reason it kept wanting to block my system Kernel from updating, even when I set a rule to allow it to access the net. Maybe it was just operator error, but Sygate never gave me that warm and fuzzy feeling when it came to port scans. I loved their packet sniffer that would show the binary dump of the packet, but for some reason I couldn't get it to work well for me.

I'm in the middle of cooking steaks for dinner on my new grill. The old lady finally pulls me away from one toy, and I go play on the other. Hehe. Sometimes life is good. I hope I helped some. I'll check back later and see how things turn up for ya. It sounds like you're all good though.

Hang around if you still have problems. We may be able to do some more things. Surely, someone smarter than me will show up, they always do.



Response Number 6
Name: dw226
Date: May 2, 2004 at 20:13:16 Pacific
Reply:

Hey there, yes, I have the new firmware. When I forwarded the ports, I put checkmarks in the boxes next to TCP only, not the UDP boxes, should I have?

I have the BEFSX41, I do believe that is a NAT version. What I'm finding cute is the fact that the router firewall is doing its job as I see the green entries in the logs, which according to various websites are entries showing what the router blocked. Yet I'm still getting ports show up in the security scans I do.

I have a program called Wallwatcher that imports the router logs to that program so I don't have to log in to the router to check them. And the entries in that program show the blocked data also.

So, the router is doing its job in one way, but seemingly not in another. It drives me nuts because I see the obvious entries showing the router doing its work, but something can't be right if ports are still showing up. By the way, PCFlank tends to change its mind on which port is visible every few times I check, maybe that means something.

Any ideas bud? Any steak left? :-)



Response Number 7
Name: wannaBtech
Date: May 3, 2004 at 06:28:54 Pacific
Reply:

Nah, you can just block the TCP packets to stealth it, and you should be fine.

PCFlank sometimes does the same thing to me. Either there is a flaw in the test they run, or different programs are opening those ports and you notice it when you run the test at different times.

Try running the "ShieldsUp" test at grc.com without Sygate running. Let's just see what the router is blocking without the software firewall. I have never had conflicting results at grc.com, and Steve Gibson seems to have it together.

BTW, will Sygate stealth all of your ports without the router? For some reason I could not get Sygate to stealth all of my ports.

On my router the only port that was open when I installed my updated firmware was the 113 port. As you did, I forwarded the incoming TCP packets to an IP in the upper end of my router's internal IP address range, and that stealthed it. Once I did that though my port 5000 (UPNP) "unplug and pray" port showed up as unstealthed, but closed. This is because my router is using UPNP. I wasn't able to stealth this port by forwarding the packets to another IP, but Zone Alarm stealths it for me.

In my opinion ZA is the best firewall out there protection wise. I don't like the way it uses system resources if I am downloading large files, but that is what a good firewall does in my opinion. It takes a look at everything coming in, and makes sure that you allowed it access.

Try testing the router without sygate running, maybe you can get a better idea of what is NOT blocking what. That may give us a better idea of what to tweak.

I'm at work now, but I'll check back in a little while, cause that's just the type of employee I am. He He.

Sorry, I ate all the steak. I am a fat fat man.



Response Number 8
Name: dw226
Date: May 3, 2004 at 07:14:01 Pacific
Reply:

Alright, I forgive you for not saving me steak this time, lol. Here are the results of my tests without Sygate running:

PCFlank:
1. QuickTest: Passed with stealth.
2. TCP Scan (Basic): Port 135 and 139 are closed.

3. Exploits Test: Passed completely.

GRC.com Tests:
1. Filesharing Port Scan: Stealthed
2. Common Port scan: Stealthed.
3. All Service Ports Scan: Stealthed

So, either PCFlank has a bug, or my router really isn't stealthing ports 135 and 139. I'm hoping it is PCFlank, otherwise I don't know how else to stealth these suckers. I'll check back from work myself. Take care.



Response Number 9
Name: wannaBtech
Date: May 3, 2004 at 08:55:57 Pacific
Reply:

Ok. Try running an individual port probe at grc.com and see if those ports come up as closed or stealthed. Sometimes they will be different on an individual probe, I have no idea why.

Is that "Wallwatcher" program running on any of these ports? Try closing different applications and see if that changes anything with the port scan. You may have a program that is trying to use those ports.



Response Number 10
Name: dw226
Date: May 3, 2004 at 19:09:01 Pacific
Reply:

Individual port scan at GRC comes up stealth. Another QuickScan at PCFlank comes up as ports 135 and 139 visible, HOWEVER, the basic TCP ping test at PCFlank shows those two ports as closed, and the rest stealth.

I'm starting to think I should just leave well enough alone as ports being closed do mean they can't be connected to from outside sources even if they can be seen. Also, I think I'm going with another software firewall, probably OutPost 2.1, or, I may just leave out the software firewall and just use the NAT firewall in the router.



Response Number 11
Name: wannaBtech
Date: May 4, 2004 at 07:36:21 Pacific
Reply:

Yeah as long as those ports are closed you will not accept incoming connections from those ports.

I wonder why you are getting conflicting results?

Just curious, as to why you don't like Zone Alarm. Have you ever tried it?



Response Number 12
Name: dw226
Date: May 4, 2004 at 17:34:54 Pacific
Reply:

Update, I have done a few more scans with Outpost firewall and the router together and I've passed every one. Now, I don't dislike ZA personally, but I have just HEARD that it can be a bit troublesome at times and that it uses quite a bit of resources, which are the only reasons I didn't choose it.

I will keep you updated if my security scans change on me again.
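
The open / closed / stealth distinction this thread keeps returning to, as an added example (not code from any poster, PCFlank or GRC): a TCP connect probe that classifies a port by how the target answers, repeated over several rounds so that a port whose state flips between scans stands out. The function names and the `THREAD_PORTS` list are assumptions made for this sketch; the loopback listener in `local_demo` is constructed test input.

```python
import socket

# Ports discussed in the thread: IDENT, DCOM/RPC, NetBIOS session, UPnP.
THREAD_PORTS = (113, 135, 139, 5000)


def probe(host, port, timeout=2.0):
    """Classify one TCP port by how the target answers a connection attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"         # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"       # RST came back: host is visible, nothing listening
    except socket.timeout:
        return "stealth"      # no answer at all: the packet was silently dropped
    except OSError:
        return "unreachable"  # e.g. an ICMP host/network unreachable reply
    finally:
        s.close()


def survey(host, ports=THREAD_PORTS, rounds=3, timeout=2.0):
    """Probe each port several times; return {port: sorted states seen}."""
    seen = {p: set() for p in ports}
    for _ in range(rounds):
        for p in ports:
            seen[p].add(probe(host, p, timeout))
    return {p: sorted(states) for p, states in seen.items()}


def unstable(results):
    """Ports whose state changed between rounds (the symptom in the thread)."""
    return [p for p, states in results.items() if len(states) > 1]


def local_demo():
    """Constructed offline check: a loopback listener, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(local_demo())
```

To see what an outside scanner sees, `survey` has to be run from a machine outside the router's NAT against your own WAN address; run from inside the LAN it only shows the router's LAN side.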

