Port 113 - IDENT

Discussion in 'General Hardware' started by contender, Apr 1, 2003.

  1. contender

    contender Guest

    Why is it that when I do an online firewall security test, some sites tell me it's closed and others will tell me it's open? The only way I have been able to get a closed result for port 113 is to have my router forward it, and I don't think this is a good thing, or maybe it's OK? Can you help me?
     
  2. Enyo

    Enyo Moderator

    Messages:
    1,338
    It may be your router itself that is holding 113 open.

    Is it a Linksys router? It's a known issue with old Linksys firmware.

    Which test sites have you used?

    Check out www.computercops.biz CCSP module on the top left.

    Computer Cops does an NMAP scan and is very accurate.

    If your router allows it, I highly recommend setting a dummy DMZ; this will counter UDP echo scans among others that NAT based routers (presuming it's a NAT based router).

    A dummy DMZ will stop the problem too, in the same way your fake forwarding address has.

    It's okay to do this providing you ensure a system never gets assigned the dummy IP of the DMZ or forwarding target :)
     
  3. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    identd is not as bad as it seems; most IRC servers need it, and I have it installed on my BSD box.
     
  4. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    There isn't much wrong with having Ident forwarded or Closed. The only thing would be if everything else was Stealthed, then it would be that port that gave your existence away.
    But as X-Istence said, if you use IRC a lot then you probably want to have Ident working.
     
  5. contender

    contender Guest

    Well, I don't really use mIRC so I would like to close this port if possible.

    The firmware for my BEFSR41 Linksys 4-Port Router currently is - Firmware Version: 1.44Z, Nov 21 2002

    Now on the linksys site there is Firmware Version: 1.44.2

    There are 2 links - Click here to start downloading the new Firmware Upgrade Utility with Zone Alarm support for windows users.

    Click here to start downloading the new firmware for windows users.

    Which of those 2 should I click? Are they both the same but one has the extra update for the Zone Alarm utility if I am using ZA? Am I correct?
     
  6. Enyo

    Enyo Moderator

    Messages:
    1,338
    You are running a faulty version of the firmware.

    It's nothing to do with you actually running an IDENT server as the guys above were talking about; it's a bug and should be treated as such!

    Yes, you're right, the one has extra features for ZA, the other does not.

    Go with this one:

    ftp://ftp.linksys.com/pub/befsr41/befsr-fw-1442.zip

    Once flashed, you can turn forwarding off on port 113 and it should report as "stealthed".
     
  7. contender

    contender Guest

    Why would you not recommend the ZA update?

    The reason I ask is because I use ZAPro as my firewall and it can work in conjunction with my router. Would this be of benefit to me or not really, to go with the ZA update instead of just the regular update?
     
  8. Enyo

    Enyo Moderator

    Messages:
    1,338
    Either one will do really, but I guess if you use ZAP it would be nice to have the ZA supported :) I'm not sure of the level of support and interoperability the ZA supported firmware gives but it can't hurt; either one will fix your issue :)
     
  9. contender

    contender Guest

    OK, I did the firmware upgrade and it completed fine from what I see.

    What is the next step?

    I shouldn't have to really change anything in the router settings for it to stealth port 113, correct? Even though I did before to get the result.

    It's showing port 80 and 113 open and this result is with the online Sygate scan.

    Shouldn't the router automatically stealth those ports without any configuration, or do I have to forward it again, which worked before, but I didn't think I really needed to do that?
     
  10. Enyo

    Enyo Moderator

    Messages:
    1,338
    Go to:

    http://192.168.1.1/Filters.htm

    Ensure Block WAN Request is set to Enabled.

    Ensure Remote Management is set to disabled.

    Ensure Remote Upgrade is set to disabled (this only needs to be enabled before a firmware update).

    http://192.168.1.1/Forward.htm

    Ensure no forwarders are enabled.

    http://192.168.1.1/DMZ.htm

    Configure a Dummy DMZ; input an IP address that is unused and that will not be assigned by the router's DHCP.

    Also ensure that the online scanner you're using is scanning your host and not a proxy.
     
  11. contender

    contender Guest

    I have checked all that you told me to and all is correct.

    Do you recommend an IP number I set in the DMZ zone?

    I have a rule in my firewall to block port 113 also; would that conflict or is that fine?
     
  12. Enyo

    Enyo Moderator

    Messages:
    1,338
    Anything you set on your computer's firewall won't affect the router.

    For the DMZ I would use an IP that stands out but it can be anything.

    Go onto the DHCP tab and see what IPs the router uses to lease to clients:

    http://192.168.1.1/DHCP.htm

    E.g. if the starting address is 2 and Number of DHCP Users is 5 then 192.168.1.2 to 192.168.1.6 are reserved for your clients, so don't use anything in that range for a Dummy DMZ.

    I would use something high like 222, but as I say it can be anything as long as no host actually exists at that address :)

    Port 113 was not being held open by your computer but the router; you don't need to worry about a rule at the workstation but it's OK to have one nonetheless.
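
The dummy DMZ address has to stay clear of the DHCP lease range worked out in the post above. As an added example (not part of the original thread), this check applies that rule to a candidate address; the function names are hypothetical and a /24 LAN around the router address is assumed.

```python
import ipaddress

def dhcp_pool(router_ip, start_host, num_users, prefix=24):
    """Addresses the router leases: num_users addresses from start_host.
    Assumes a /24 LAN unless another prefix is given."""
    net = ipaddress.ip_network(f"{router_ip}/{prefix}", strict=False)
    first = net.network_address + start_host
    return net, [first + i for i in range(num_users)]

def check_dummy_dmz(candidate, router_ip, start_host, num_users, static_hosts=()):
    """Return the reasons a candidate is unsafe; an empty list means usable."""
    net, pool = dhcp_pool(router_ip, start_host, num_users)
    addr = ipaddress.ip_address(candidate)
    problems = []
    if addr not in net:
        problems.append("outside the LAN subnet")
    if addr in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address")
    if addr == ipaddress.ip_address(router_ip):
        problems.append("router's own address")
    if addr in pool:
        problems.append(f"inside DHCP pool {pool[0]}-{pool[-1]}")
    if addr in {ipaddress.ip_address(h) for h in static_hosts}:
        problems.append("already used by a static host")
    return problems

if __name__ == "__main__":
    # Values from the post: starting address 2, Number of DHCP Users 5.
    for ip in ("192.168.1.222", "192.168.1.4", "192.168.1.1"):
        print(ip, check_dummy_dmz(ip, "192.168.1.1", 2, 5) or "OK")
```

Pass any statically configured machines in `static_hosts` so the dummy address cannot collide with them either.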
     
  13. contender

    contender Guest

    I have again followed your suggestions but I am getting the same result.

    Sygate and GRC both show port 113 open whereas Sygate also shows port 80. dslreports.com however gives me a full stealth result.

    I am not sure how this has changed but I once had a stealthed result on all online scans.

    Any other suggestions/ideas?
     
  14. Enyo

    Enyo Moderator

    Messages:
    1,338
    I would trust DSLR's scan over them to be honest. Are they all scanning the correct host? Check the IP that is being scanned; as I say, it may be reading a proxy.

    It's probably just a false positive, not unusual.

    Try:

    http://www.hackerwhacker.com/, http://www.pcflank.com and as above http://www.computercops.biz

    Also:

    https://www.grc.com/

    http://www.blackcode.com/scan/

    http://www.auditmypc.com/

    If you have a DMZ set and no port forwarders then the results should be stealth all over; the very nature of a Dummy DMZ will ensure that.

    Do you have logging enabled on the router? If not, download LinkLogger and enable logging on the router; you should be able to see then that the ports are being blocked.

    http://www.linklogger.com/
     
  15. contender

    contender Guest

    Like I have mentioned above, I have tried everything being suggested.

    I have set up a DMZ host and I still continue to get the same result.

    The only way I can get stealth on those ports, 80 and 113, is to forward them.

    I have installed LinkLogger and have it set so that when an attempt is made on 113 I am notified.
     
  16. Enyo

    Enyo Moderator

    Messages:
    1,338
    With a dummy DMZ in place that's a very strange result indeed.

    As long as the fake forwarders work all is OK I guess.

    If you have a news reader, head to news.grc.com and ask in security.hardware. The Linksys routers are well loved by the community and they have a great deal of expertise with them.

    Read only:

    https://grc.com/x/news.exe?cmd=xover&group=grc.security.hardware
     
  17. contender

    contender Guest

    Well, I am still having the same problem. If I allow port 443 (http-secure) then as the scan proceeds it shows port 80 and 113 open, but if I deny port 443 the scan does not continue.

    If I have port forwarding enabled on my router then it doesn't matter if I allow port 443; it will show a stealth result for ports 80 and 113.
     
  18. Enyo

    Enyo Moderator

    Messages:
    1,338
    What site are you using to scan your system?
     
  19. contender

    contender Guest

    This result is coming from Sygate's Stealth Scan.

    I have the LinkLogger program installed to accompany my Linksys Router. (Latest Firmware Installed)

    I have LinkLogger set up to alert me when that port is scanned, and during the scan the first alert shows Src Port 53 and Dest Port 113 and the 2nd alert shows Src Port 80 and Dest Port 113.

    Today I installed KPF v2.1.4. I was messing around with the rules and actually had it setup where I did get a full Stealth result, but stupid me didn't write the rules down I had set as I continued to mess with the rules.

    Currently I am messing with the rules where I block port 113 by itself, block local port 113 and remote port 53 and block local port 113 and remote port 80.

    For the life of me, I cannot think of the combination of rules I had set now to give me that full Stealth scan that I actually achieved earlier.

    All suggestions are welcome to help me solve this annoying little issue I have.
     
  20. Enyo

    Enyo Moderator

    Messages:
    1,338
    Hi, me again.

    C: This result is coming from Sygate's Stealth Scan.

    E: Do all the scanning sites say the same or do they still report different results? I want to make sure it's not a false positive.

    C: I have Linklogger setup to alert me when that port is scanned and during the scan the first alert shows Src Port 53 and Dest Port 113 and 2nd alert shows Src Port 80 and Dest Port 113.

    E: What IPs does it log for these events?

    C: Today I installed KPF v2.1.4.

    E: Nice Choice

    C: I was messing around with the rules and actually had it setup where I did get a full Stealth result, but stupid me didn't write the rules down I had set as I continued to mess with the rules.

    E: Do you get the alert on the workstation too? You should not, and anything you do on the workstation should not affect the router.

    C: Currently I am messing with the rules where I block port 113 by itself, block local port 113 and remote port 53 and block local port 113 and remote port 80.

    E: Using Kerio's status screen, is port 113 in the listening state on your system? Again, if it is, it should not be showing up through the NAT router.

    C: All suggestions are welcome to help me solve this annoying little issue I have.

    E: Sorry, it's me again, but what the hell. Did you ask the guys in the GRC group from above?