Which firewall for WIN XP Pro

Which firewall for WIN XP Pro

on 04.05.2007 22:04:01 by Randy Tingley

I am trying to decide which firewall is best for a single user Win XP pro.
I have tried Outpost in the past, but with the XP ports 21, 25, 110, 143
show open.

Can someone comment on which one to try, before I buy, that will close these
ports or at least stealth them?

Thanks,
Randy

--


************************************************************ **********
Randy Tingley "Life is an Adventure,
Mary Tingley not an ulcer giving experience"
rtingley@nep.net
************************************************************ **********

Re: Which firewall for WIN XP Pro

on 04.05.2007 22:09:09 by Wolfgang Kueter

Randy Tingley wrote:

> I am trying to decide which firewall is best for a single user Win XP pro.
> I have tried Outpost in the past, but with the XP ports 21, 25, 110, 143
> show open.

So you run servers on the well known ports for ftp, smtp, pop3 and imap.

> Can someone comment on which one to try, before I buy, that will close
> these ports

Stop running the above servers.

> or at least stealth them?

stealth is technical nonsense.

Wolfgang

Re: Which firewall for WIN XP Pro

on 05.05.2007 01:53:15 by MR. Arnold

"Randy Tingley" wrote in message
news:133n4dhibjrsc2c@corp.supernews.com...
>I am trying to decide which firewall is best for a single user Win XP pro.
> I have tried Outpost in the past, but with the XP ports 21, 25, 110, 143
> show open.
>
> Can someone comment on which one to try, before I buy, that will close
> these ports or at least stealth them?
>

It's obvious you went to the Gibson site and have done some testing. Stealth
is nonsense. The more important thing is that the port is closed.

However, I am most likely going to get hammered for this, because I have
been against the XP FW for only one reason, which is it allows some
applications to punch holes in the FW when said application is installed, I
was against it. But as long as you know this, then you can disable those
exceptions.

I now say use the XP FW. I say this, because I am now using the equivalent
of the FW that's on Vista Ultimate. The FW on Vista is doing its job of
protecting the machine from unsolicited inbound traffic from reaching the
machine. It has passed all FW tests I have tried even Gibson's site and the
stupid stealth test.

However, I do supplement the FW on Vista like I was doing before when I was
running BlackIce on the XP Pro machine. The FW on Vista is being
supplemented by IPsec and I am using the AnalogX rules that have been
applied for IPsec on Vista.

I am not concerned about inbound traffic which I can set rules with IPsec to
stop inbound traffic by port, protocol, or IP. What I will use IPsec for if
need be is to stop outbound traffic by port, protocol, or IP.

The AnalogX rules are set to protect the services, like NNTP, HTTP, SMTP,
etc etc where you will have to enable the client side of the rules to allow
traffic. You have no need to allow the server side, unless you have a
service you want to expose to the Internet, which for the average Joe Blow
home user, he or she will not enable those rules.

You can learn from the AnalogX rules and make your own rules if need be or
change existing ones, like I had to change the SMTP port to 587 from 25,
because the ISP uses 587.

http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
http://www.analogx.com/CONTENTS/articles/ipsec.htm
http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx
http://support.microsoft.com/kb/813878

Enable the XP FW, be aware of any rules that will be set for the FW if
installing software, enable the XP FW log, and enable IPsec log, if you want
and use the AnalogX rules.

You should secure the XP O/S to attack as much as possible, which I have
applied some of it to Vista as much as I can, like the Everyone account
being removed, etc, etc.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

They need something for Vista.

I need to find out how to disable the application control in Vista, that's
driving me crazy with asking a lot of questions. I'll get around to doing
that, eventually.

Re: Which firewall for WIN XP Pro

on 05.05.2007 03:07:43 by Randy Tingley

Actually I am not running any servers. I just upgraded to XP pro after 5
years with win 2K and I am trying to locate what XP is running on these
ports. Then maybe I can turn off the services.

Randy


"Wolfgang Kueter" wrote in message
news:f1g3t5$uj7$1@news.shlink.de...
> Randy Tingley wrote:
>
>> I am trying to decide which firewall is best for a single user Win XP
>> pro.
>> I have tried Outpost in the past, but with the XP ports 21, 25, 110, 143
>> show open.
>
> So you run servers on the well known ports for ftp, smtp, pop3 and imap.
>
>> Can someone comment on which one to try, before I buy, that will close
>> these ports
>
> Stop running the above servers.
>
>> or at least stealth them?
>
> stealth is technical nonsense.
>
> Wolfgang

Re: Which firewall for WIN XP Pro

on 05.05.2007 12:10:42 by Randy Tingley

"Mr. Arnold" wrote in message
news:LHP_h.11732$3P3.8420@newsread3.news.pas.earthlink.net...
>
> "Randy Tingley" wrote in message
> news:133n4dhibjrsc2c@corp.supernews.com...
>>I am trying to decide which firewall is best for a single user Win XP pro.
>> I have tried Outpost in the past, but with the XP ports 21, 25, 110, 143
>> show open.
>>
>> Can someone comment on which one to try, before I buy, that will close
>> these ports or at least stealth them?
>>
>
> It's obvious you went to the Gibson site and have done some testing.
> Stealth is nonsense. The more important thing is that the port is closed.
>
> However, I am most likely going to get hammered for this, because I have
> been against the XP FW for only one reason, which is it allows some
> applications to punch holes in the FW when said application is installed,
> I was against it. But as long as you know this, then you can disable those
> exceptions.
>
> I now say use the XP FW. I say this, because I am now using the equivalent
> of the FW that's on Vista Ultimate. The FW on Vista is doing its job of
> protecting the machine from unsolicited inbound traffic from reaching the
> machine. It has passed all FW tests I have tried even Gibson's site and
> the stupid stealth test.
>
> However, I do supplement the FW on Vista like I was doing before when I
> was running BlackIce on the XP Pro machine. The FW on Vista is being
> supplemented by IPsec and I am using the AnalogX rules that have been
> applied for IPsec on Vista.
>
> I am not concerned about inbound traffic which I can set rules with IPsec
> to stop inbound traffic by port, protocol, or IP. What I will use IPsec
> for if need be is to stop outbound traffic by port, protocol, or IP.
>
> The AnalogX rules are set to protect the services, like NNTP, HTTP, SMTP,
> etc etc where you will have to enable the client side of the rules to
> allow traffic. You have no need to allow the server side, unless you have
> a service you want to expose to the Internet, which for the average Joe
> Blow home user, he or she will not enable those rules.
>
> You can learn from the AnalogX rules and make your own rules if need be or
> change existing ones, like I had to change the SMTP port to 587 from 25,
> because the ISP uses 587.
>
> http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
> http://www.analogx.com/CONTENTS/articles/ipsec.htm
> http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx
> http://support.microsoft.com/kb/813878
>
> Enable the XP FW, be aware of any rules that will be set for the FW if
> installing software, enable the XP FW log, and enable IPsec log, if you
> want and use the AnalogX rules.
>
> You should secure the XP O/S to attack as much as possible, which I have
> applied some of it to Vista as much as I can, like the Everyone account
> being removed, etc, etc.
>
> http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
>
> They need something for Vista.
>
> I need to find out how to disable the application control in Vista, that's
> driving me crazy with asking a lot of questions. I'll get around to doing
> that, eventually.
>
This is good to know that the XP FW is acceptable. Also thanks for the
links, I will read up on closing 21, 25, 110, 143.
Randy

Re: Which firewall for WIN XP Pro

on 05.05.2007 13:19:16 by Sebastian Gottschalk

Mr. Arnold wrote:


> However, I am most likely going to get hammered for this, because I have
> been against the XP FW for only one reason, which is it allows some
> applications to punch holes in the FW when said application is installed, I
> was against it.


That's only possible with admin rights. And then it's no different from any
other packet filter - any application running with admin credentials can do
whatever it wants.

Re: Which firewall for WIN XP Pro

on 07.05.2007 15:40:20 by Ansgar -59cobalt- Wiechers

Randy Tingley wrote:
> "Wolfgang Kueter" wrote:
>> Randy Tingley wrote:
>>> I am trying to decide which firewall is best for a single user Win
>>> XP pro. I have tried Outpost in the past, but with the XP ports 21,
>>> 25, 110, 143 show open.
>>
>> So you run servers on the well known ports for ftp, smtp, pop3 and
>> imap.
>>
>>> Can someone comment on which one to try, before I buy, that will
>>> close these ports
>>
>> Stop running the above servers.
>>
>>> or at least stealth them?
>>
>> stealth is technical nonsense.
>
> Actually i am not running any servers.

Actually, since those ports are open, you *are* running servers there.

> I just upgraded to XP pro after 5 years with win 2K and I am trying to
> locate what XP is running on these ports.

netstat -anob

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Which firewall for WIN XP Pro

on 07.05.2007 22:23:01 by Randy Tingley

I have looked down the list of services running, but can id the correct
service to turn it off.

Randy



"Ansgar -59cobalt- Wiechers" wrote in message
news:5a8oi4F2n7upbU1@mid.individual.net...
> Randy Tingley wrote:
>> "Wolfgang Kueter" wrote:
>>> Randy Tingley wrote:
>>>> I am trying to decide which firewall is best for a single user Win
>>>> XP pro. I have tried Outpost in the past, but with the XP ports 21,
>>>> 25, 110, 143 show open.
>>>
>>> So you run servers on the well known ports for ftp, smtp, pop3 and
>>> imap.
>>>
>>>> Can someone comment on which one to try, before I buy, that will
>>>> close these ports
>>>
>>> Stop running the above servers.
>>>
>>>> or at least stealth them?
>>>
>>> stealth is technical nonsense.
>>
>> Actually i am not running any servers.
>
> Actually, since those ports are open, you *are* running servers there.
>
>> I just upgraded to XP pro after 5 years with win 2K and I am trying to
>> locate what XP is running on these ports.
>
> netstat -anob
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Re: Which firewall for WIN XP Pro

on 07.05.2007 22:38:01 by MR. Arnold

"Randy Tingley" wrote in message
news:133v2l75c79ltee@corp.supernews.com...
>I have looked down the list of services running, but can id the correct
>service to turn it off.
>
> Randy
>

If you have applied SP 2 to XP, then they have done some of it for you.

But here is a list of services that you can look into disabling.

http://www.beemerworld.com/tips/servicesxp.htm

If the computer has a direct connection to the modem, and therefore, a
direct connection to the Internet, then disable Client for MS networks and
File and Print Sharing for MS networks off of the network card or dial-up
connection.

The machine has no business being in any kind of networking with a direct
connection to the Internet.

Re: Which firewall for WIN XP Pro

on 08.05.2007 10:45:36 by mohd.faisalinhcl

On May 5, 1:04 am, "Randy Tingley" wrote:
> I am trying to decide which firewall is best for a single user Win XP pro.
> I have tried Outpost in the past, but with the XP ports 21, 25, 110, 143
> show open.
>
> Can someone comment on which one to try, before I buy, that will close these
> ports or at least stealth them?
>
> THanks,
> Randy
>
> --
>
> ************************************************************ **********
> Randy Tingley "Life is an Adventure,
> Mary Tingley not an ulcer giving experience"
> rting...@nep.net
> ************************************************************ **********

Well Randy, why don't you try Windows Firewall for single use ... I
have been using it for a long time and I think it's good...

Re: Which firewall for WIN XP Pro

on 08.05.2007 19:32:13 by Ansgar -59cobalt- Wiechers

Randy Tingley wrote:
> "Ansgar -59cobalt- Wiechers" wrote:
>> Randy Tingley wrote:
>>> Actually i am not running any servers.
>>
>> Actually, since those ports are open, you *are* running servers
>> there.
>>
>>> I just upgraded to XP pro after 5 years with win 2K and I am trying
>>> to locate what XP is running on these ports.
>>
>> netstat -anob
>
> I have looked down the list of services running, but can id the
> correct service to turn it off.

Which part exactly of 'netstat -anob's output do you fail to understand?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Which firewall for WIN XP Pro

on 08.05.2007 22:09:07 by Randy Tingley

"Mr. Arnold" wrote in message
news:J6M%h.4530$296.1054@newsread4.news.pas.earthlink.net...
>
> "Randy Tingley" wrote in message
> news:133v2l75c79ltee@corp.supernews.com...
>>I have looked down the list of services running, but can id the correct
>>service to turn it off.
>>
>> Randy
>>
>
> If you have applied SP 2 to XP, then they have done some of it for you.
>
> But here is a list of services that you can look into disabling.
>
> http://www.beemerworld.com/tips/servicesxp.htm
>
> If the computer has a direct connection to the modem, and therefore, a
> direct connection to the Internet, then disable Client for MS networks and
> File and Print Sharing for MS networks off of the network card or dial-up
> connection.
>
> The machine has no business being in any kind of networking with a direct
> connection to the Internet.
>
Mr. Arnold,
Thank you! I disabled both at the connection level.
Randy

Re: Which firewall for WIN XP Pro

on 08.05.2007 22:49:22 by MR. Arnold

"Randy Tingley" wrote in message
news:1341m75h485777f@corp.supernews.com...
>
> "Mr. Arnold" wrote in message
> news:J6M%h.4530$296.1054@newsread4.news.pas.earthlink.net...
>>
>> "Randy Tingley" wrote in message
>> news:133v2l75c79ltee@corp.supernews.com...
>>>I have looked down the list of services running, but can id the correct
>>>service to turn it off.
>>>
>>> Randy
>>>
>>
>> If you have applied SP 2 to XP, then they have done some of it for you.
>>
>> But here is a list of services that you can look into disabling.
>>
>> http://www.beemerworld.com/tips/servicesxp.htm
>>
>> If the computer has a direct connection to the modem, and therefore, a
>> direct connection to the Internet, then disable Client for MS networks
>> and File and Print Sharing for MS networks off of the network card or
>> dial-up connection.
>>
>> The machine has no business being in any kind of networking with a direct
>> connection to the Internet.
>>
> Mr. Arnold,
> Thank you! I disabled both at the connection level.
> Randy

You are welcome.

Re: Which firewall for WIN XP Pro

on 08.05.2007 23:27:37 by Randy Tingley

"Ansgar -59cobalt- Wiechers" wrote in message
news:5abqgtF2nqkutU2@mid.individual.net...
> Randy Tingley wrote:
>> "Ansgar -59cobalt- Wiechers" wrote:
>>> Randy Tingley wrote:
>>>> Actually i am not running any servers.
>>>
>>> Actually, since those ports are open, you *are* running servers
>>> there.
>>>
>>>> I just upgraded to XP pro after 5 years with win 2K and I am trying
>>>> to locate what XP is running on these ports.
>>>
>>> netstat -anob
>>
>> I have looked down the list of services running, but can id the
>> correct service to turn it off.
>
> Which part exactly of 'netstat -anob's output do you fail to understand?
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Under the PID the netstat -ano does not show anything running on ports 21,
25, 110, & 143? but when I have these scanned they show open?

I am trying to locate the service, then turn it off to close these ports.

Re: Which firewall for WIN XP Pro

on 08.05.2007 23:54:59 by Ansgar -59cobalt- Wiechers

Randy Tingley wrote:
> "Ansgar -59cobalt- Wiechers" wrote:
>> Randy Tingley wrote:
>>> "Ansgar -59cobalt- Wiechers" wrote:
>>>> Randy Tingley wrote:
>>>>> Actually i am not running any servers.
>>>>
>>>> Actually, since those ports are open, you *are* running servers
>>>> there.
>>>>
>>>>> I just upgraded to XP pro after 5 years with win 2K and I am trying
>>>>> to locate what XP is running on these ports.
>>>>
>>>> netstat -anob
>>>
>>> I have looked down the list of services running, but can id the
>>> correct service to turn it off.
>>
>> Which part exactly of 'netstat -anob's output do you fail to understand?
>
> Under the PID the netstat -ano does not show anything running on ports 21,
> 25, 110, & 143? but when I have these scanned they show open?
>
> I am trying to locate the service, then turn it off to close these ports.

Please post the exact command and output from your portscan. Also post
the output of the commands "ipconfig /all" and "netstat -anob". Maybe
with some actual data we'll be getting somewhere.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Which firewall for WIN XP Pro

on 09.05.2007 00:52:46 by Randy Tingley

"Ansgar -59cobalt- Wiechers" wrote in message
news:5ac9tjF2obhfjU1@mid.individual.net...
> Randy Tingley wrote:
>> "Ansgar -59cobalt- Wiechers" wrote:
>>> Randy Tingley wrote:
>>>> "Ansgar -59cobalt- Wiechers" wrote:
>>>>> Randy Tingley wrote:
>>>>>> Actually i am not running any servers.
>>>>>
>>>>> Actually, since those ports are open, you *are* running servers
>>>>> there.
>>>>>
>>>>>> I just upgraded to XP pro after 5 years with win 2K and I am trying
>>>>>> to locate what XP is running on these ports.
>>>>>
>>>>> netstat -anob
>>>>
>>>> I have looked down the list of services running, but can id the
>>>> correct service to turn it off.
>>>
>>> Which part exactly of 'netstat -anob's output do you fail to understand?
>>
>> Under the PID the netstat -ano does not show anything running on ports
>> 21,
>> 25, 110, & 143? but when I have these scanned they show open?
>>
>> I am trying to locate the service, then turn it off to close these ports.
>
> Please post the exact command and output from your portscan. Also post
> the output of the commands "ipconfig /all" and "netstat -anob". Maybe
> with some actual data we'll be getting somewhere.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Port Scan
GRC Port Authority Report created on UTC: 2007-05-08 at 22:32:16
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139,
143, 389, 443, 445, 1002, 1024-1030, 1720, 5000
4 Ports Open
1 Ports Closed
21 Ports Stealth
---------------------
26 Ports Tested
Ports found to be OPEN were: 21, 25, 110, 143
The port found to be CLOSED was: 113
Other than what is listed above, all ports are STEALTH.

C:\>netstat -anob
Active Connections

  Proto  Local Address          Foreign Address        State           PID

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       992
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING       576
  [Rtvscan.exe]

  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       2884
  [alg.exe]

  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING       1172
  [ccApp.exe]

  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING       4
  [System]

  TCP    192.168.1.100:1439     216.168.3.44:119       ESTABLISHED     1652
  [msimn.exe]

  TCP    192.168.1.100:1456     216.37.198.32:80       ESTABLISHED     2436
  [IEXPLORE.EXE]

  TCP    192.168.1.100:1473     216.37.198.32:80       ESTABLISHED     2436
  [IEXPLORE.EXE]

  TCP    192.168.1.100:1475     216.37.198.32:80       ESTABLISHED     2436
  [IEXPLORE.EXE]

  TCP    192.168.1.100:1476     216.37.198.32:80       ESTABLISHED     2436
  [IEXPLORE.EXE]

  UDP    0.0.0.0:500            *:*                                    784
  [lsass.exe]

  UDP    0.0.0.0:1267           *:*                                    1196
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    0.0.0.0:4500           *:*                                    784
  [lsass.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]

  UDP    0.0.0.0:1034           *:*                                    1196
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    127.0.0.1:1416         *:*                                    2436
  [IEXPLORE.EXE]

  UDP    127.0.0.1:1900         *:*                                    1152
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    127.0.0.1:123          *:*                                    1128
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    192.168.1.100:1900     *:*                                    1152
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    192.168.1.100:138      *:*                                    4
  [System]

  UDP    192.168.1.100:123      *:*                                    1128
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    192.168.1.100:137      *:*                                    4
  [System]

Folks ... this is where I am lost.

Re: Which firewall for WIN XP Pro

on 09.05.2007 01:13:27 by Wolfgang Kueter

Randy Tingley wrote:

> Port Scan
> GRC Port Authority Report created on UTC: 2007-05-08 at 22:32:16
> Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139,
> 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000
> 4 Ports Open
> 1 Ports Closed
> 21 Ports Stealth
> ---------------------
> 26 Ports Tested
> Ports found to be OPEN were: 21, 25, 110, 143
> The port found to be CLOSED was: 113
> Other than what is listed above, all ports are STEALTH.

As always ... GRC sucks ...

>
> C:\>netstat -anob
> Active Connections
> [...]
> Folks ... this is where I am lost.

Apart from ports 500/udp and 4500/udp listening which are usually used for
IPSEC this looks like a pretty normal wondoze box to me.

Besides that, the local IP 192.168.1.100 seems to indicate that you are
sitting behind some gateway/router that does NAT. As long as the NAT
implementation on the gateway/router works correctly the scan from external
will never reach your box but only the gateway.

Please describe your setup and give more information about the gateway you
are using.

I could offer a more reliable scan from external than the GRC crap using
nmap. If those ports are really open either some port redirections to some
internal machine(s) are configured on the gateway (what kind of gateway is
that?) or the gateway is running those services.

Wolfgang

Re: Which firewall for WIN XP Pro

on 09.05.2007 01:17:02 by MR. Arnold

>
> Folks ... this is where I am lost.
>

We'll see, but I think this whole exercise is worthless. You have the link
telling what services on the NT based O/S to disable. You also have the link
telling what you need to do to better secure the XP NT based O/S.

Here are some other tools that will help you look around for yourself from
time to time and see what is happening.

http://preview.tinyurl.com/klw1

Re: Which firewall for WIN XP Pro

on 09.05.2007 03:16:34 by Ansgar -59cobalt- Wiechers

Randy Tingley wrote:
> "Ansgar -59cobalt- Wiechers" wrote:
>> Randy Tingley wrote:
>>> "Ansgar -59cobalt- Wiechers" wrote:
>>>> Which part exactly of 'netstat -anob's output do you fail to understand?
>>>
>>> Under the PID the netstat -ano does not show anything running on ports
>>> 21, 25, 110, & 143? but when I have these scanned they show open?
>>>
>>> I am trying to locate the service, then turn it off to close these ports.
>>
>> Please post the exact command and output from your portscan. Also post
>> the output of the commands "ipconfig /all" and "netstat -anob". Maybe
>> with some actual data we'll be getting somewhere.
>
> Port Scan
> GRC Port Authority Report created on UTC: 2007-05-08 at 22:32:16
> Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139,
> 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000
> 4 Ports Open
> 1 Ports Closed
> 21 Ports Stealth
> ---------------------
> 26 Ports Tested
> Ports found to be OPEN were: 21, 25, 110, 143
> The port found to be CLOSED was: 113
> Other than what is listed above, all ports are STEALTH.

http://grcsucks.com/

I'd suggest using a real port scanner (like e.g. [1], if you can't run
something like nmap or scanline or portqry from outside your network).

> C:\>netstat -anob
[...]
> TCP 192.168.1.100:139 0.0.0.0:0 LISTENING 4
> [System]

Since your computer has a private IP address it is apparently behind
some router doing NAT. Meaning that the portscan you performed showed
open ports on that router, not on your local computer. What kind of
router do you use?

[1] http://www.derkeiler.com/Service/PortScan/

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
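
The comparison the replies above make by eye, as an added example (not code from any poster in this thread): it parses the TCP rows of `netstat -anob`, lists the listeners reachable from the network, and checks them against the ports the external scan reported open. The sample input is an excerpt of the output posted in the thread; the function names `tcp_rows` and `diagnose` are made up for this illustration.

```python
import ipaddress
import re

# Excerpt of the netstat -anob output posted in the thread (DLL lines trimmed).
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       992
  c:\\windows\\system32\\rpcss.dll
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING       576
  [Rtvscan.exe]
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       2884
  [alg.exe]
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING       4
  [System]
  TCP    192.168.1.100:1439     216.168.3.44:119       ESTABLISHED     1652
  [msimn.exe]
"""

# Ports the external scan in the thread reported as open.
SCAN_OPEN = [21, 25, 110, 143]

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s+(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")


def tcp_rows(text):
    """Parse TCP rows; the [name] line that follows a row is its owning process."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"addr": m.group(1), "port": int(m.group(2)),
                         "state": m.group(3), "pid": int(m.group(4)),
                         "owner": None})
            continue
        m = OWNER.match(line)
        if m and rows and rows[-1]["owner"] is None:
            rows[-1]["owner"] = m.group(1)
    return rows


def diagnose(netstat_text, scan_open):
    """Compare externally reported open ports with local network-facing listeners."""
    exposed = {}        # port -> owning process, for non-loopback listeners
    host_addrs = set()  # concrete (non-wildcard, non-loopback) local addresses
    for row in tcp_rows(netstat_text):
        ip = ipaddress.ip_address(row["addr"])
        if not ip.is_loopback and not ip.is_unspecified:
            host_addrs.add(ip)
        if row["state"] == "LISTENING" and not ip.is_loopback:
            exposed[row["port"]] = row["owner"]

    unexplained = sorted(p for p in scan_open if p not in exposed)
    private_only = bool(host_addrs) and all(ip.is_private for ip in host_addrs)

    if unexplained and private_only:
        verdict = "scan was answered by another device (NAT gateway or forwarded host)"
    elif unexplained:
        verdict = "no local listener; confirm which address the scan actually hit"
    else:
        verdict = "scanned ports match local listeners"
    return {"exposed": exposed, "unexplained": unexplained,
            "private_only": private_only, "verdict": verdict}


if __name__ == "__main__":
    result = diagnose(NETSTAT, SCAN_OPEN)
    for port, owner in sorted(result["exposed"].items()):
        print(f"listening {port}/tcp  {owner}")
    print("reported open but not listening locally:", result["unexplained"])
    print("verdict:", result["verdict"])
```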

Re: Which firewall for WIN XP Pro

on 09.05.2007 10:34:59 by Volker Birk

Randy Tingley wrote:
> GRC Port Authority Report

http://grcsucks.com

Better use nmap.

Yours,
VB.
--
"Care must be taken that the Basic Law is not protected by methods
that run counter to its aim and its spirit."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Which firewall for WIN XP Pro

on 09.05.2007 11:13:33 by Randy Tingley

"Ansgar -59cobalt- Wiechers" wrote in message
news:5aclniF2npdlvU1@mid.individual.net...
> Randy Tingley wrote:
>> "Ansgar -59cobalt- Wiechers" wrote:
>>> Randy Tingley wrote:
>>>> "Ansgar -59cobalt- Wiechers" wrote:
>>>>> Which part exactly of 'netstat -anob's output do you fail to
>>>>> understand?
>>>>
>>>> Under the PID the netstat -ano does not show anything running on ports
>>>> 21, 25, 110, & 143? but when I have these scanned they show open?
>>>>
>>>> I am trying to locate the service, then turn it off to close these
>>>> ports.
>>>
>>> Please post the exact command and output from your portscan. Also post
>>> the output of the commands "ipconfig /all" and "netstat -anob". Maybe
>>> with some actual data we'll be getting somewhere.
>>
>> Port Scan
>> GRC Port Authority Report created on UTC: 2007-05-08 at 22:32:16
>> Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139,
>> 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000
>> 4 Ports Open
>> 1 Ports Closed
>> 21 Ports Stealth
>> ---------------------
>> 26 Ports Tested
>> Ports found to be OPEN were: 21, 25, 110, 143
>> The port found to be CLOSED was: 113
>> Other than what is listed above, all ports are STEALTH.
>
> http://grcsucks.com/
>
> I'd suggest using a real port scanner (like e.g. [1], if you can't run
> something like nmap or scanline or portqry from outside your network).
>
>> C:\>netstat -anob
> [...]
>> TCP 192.168.1.100:139 0.0.0.0:0 LISTENING 4
>> [System]
>
> Since your computer has a private IP address it is apparently behind
> some router doing NAT. Meaning that the portscan you performed showed
> open ports on that router, not on your local computer. What kind of
> router do you use?
>
> [1] http://www.derkeiler.com/Service/PortScan/
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich


It's a Linksys router/4 port switch.

Re: Which firewall for WIN XP Pro

on 09.05.2007 11:39:58 by Wolfgang Kueter

Randy Tingley wrote:

> "Ansgar -59cobalt- Wiechers" wrote in
>> What kind of router do you use?

> It a Linksys router/4 port switch.

Who configured it or who can take a look at the configuration?
Are there other machines behind that router?
If yes, what kind of machines? Is one or more them running services like
ftp, smtp, pop3 and imap?
Are portforwardings configured on the router pointing to those machines?

Sorry, but you really make helping you a bit complicated because one needs
several questions before you provide the necessary information about your
setup.

Wolfgang

Re: Which firewall for WIN XP Pro

on 09.05.2007 13:28:39 by Gerald Vogt

Randy Tingley wrote:
> It a Linksys router/4 port switch.

Check the status page of the router. Connect to http://192.168.1.1/
Click on the Status tab. The router should show you the IP address for
its internet connection. Is that the same IP address you see on grc or
pages like http://www.whatismyipaddress.com/ ?

If it is not the same IP address grc does not even scan your router but
something else unrelated with your LAN.

Gerald

Re: Which firewall for WIN XP Pro

on 09.05.2007 14:39:11 by Ansgar -59cobalt- Wiechers

Randy Tingley wrote:
> "Ansgar -59cobalt- Wiechers" wrote:
>> Randy Tingley wrote:
>>> C:\>netstat -anob
>> [...]
>>> TCP 192.168.1.100:139 0.0.0.0:0 LISTENING 4
>>> [System]
>>
>> Since your computer has a private IP address it is apparently behind
>> some router doing NAT. Meaning that the portscan you performed showed
>> open ports on that router, not on your local computer. What kind of
>> router do you use?
>>
>> [1] http://www.derkeiler.com/Service/PortScan/
>
> It a Linksys router/4 port switch.

Oh, come on! Which model? Firmware revision? Have you checked its
configuration? Is it running any services? If so: which? And why? Are
any port-forwardings configured? If so: whereto? And why?

Be verbose. As Wolfgang already said: it's really tiresome to have to
wrest every single bit of information from you.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Which firewall for WIN XP Pro

on 09.05.2007 14:54:25 by MR. Arnold

>
> It a Linksys router/4 port switch.
>

Oh, you have a Linksys router. The test you're doing at GRC is worthless and
bogus. The ports on the router are closed by default.

The purpose of the router is to protect the Services on the NT based O/S.
The services cannot be attacked, because the router is sitting in front of
it.

It would only mean something if the computer was directly connected to the
modem and therefore, directly connected to the Internet is when you would
need to make sure services were disabled and protected, which would be the
router is not sitting between the modem and the computer.

You didn't even have to remove Client for MS network or File and Print
Sharing off of the NIC, because the computer is behind the router and is
protected from the Internet.

If the router is in its default configuration out of the box state else and
you have not manually opened ports on the router, then by default, the ports
are closed and everything behind the router is protected.

Whatever else you're trying to do here with the computer is a moot point
with that router in play.

The only thing you should be concerned with is that the user-id and psw on
the router are changed and are not the defaults everyone else knows about.

And that you have enabled logging on the Linksys router so that you can use
Wallwatcher to watch traffic to and from the router by possible dubious
remote connections by the computers behind the router.

The security link for the XP O/S that was posted to you where it talks about
disabling certain user-id(s) along with other things in that link is where
you need to concentrate on.

http://sonic.net/wallwatcher/

Think about this. The computer is sitting behind the router, unsolicited
inbound traffic that the router is stopping cannot reach the computer,
therefore, the computer cannot react to traffic one way or the other in some
kind of *stealth* tests.

The computer is *stealthed* because it's behind the router.

Re: Which firewall for WIN XP Pro

am 10.05.2007 00:04:22 von Randy Tingley

"Gerald Vogt" wrote in message
news:4641b062$0$15972$44c9b20d@news3.asahi-net.or.jp...
> Randy Tingley wrote:
>> It's a Linksys router/4 port switch.
>
> Check the status page of the router. Connect to http://192.168.1.1/
> Click on the Status tab. The router should show you the IP address for
> its internet connection. Is that the same IP address you see on grc or
> pages like http://www.whatismyipaddress.com/ ?
>
> If it is not the same IP address grc does not even scan your router but
> something else unrelated with your LAN.
>
> Gerald

This is correct!
The same IP address.

Re: Which firewall for WIN XP Pro

am 10.05.2007 00:08:54 von Randy Tingley

"Ansgar -59cobalt- Wiechers" wrote in message
news:5adtnfF2mdubdU1@mid.individual.net...
> Randy Tingley wrote:
>> "Ansgar -59cobalt- Wiechers" wrote:
>>> Randy Tingley wrote:
>>>> C:\>netstat -anob
>>> [...]
>>>> TCP 192.168.1.100:139 0.0.0.0:0 LISTENING 4
>>>> [System]
>>>
>>> Since your computer has a private IP address it is apparently behind
>>> some router doing NAT. Meaning that the portscan you performed showed
>>> open ports on that router, not on your local computer. What kind of
>>> router do you use?
>>>
>>> [1] http://www.derkeiler.com/Service/PortScan/
>>
>> It's a Linksys router/4 port switch.
>
> Oh, come on! Which model? Firmware revision? Have you checked its
> configuration? Is it running any services? If so: which? And why? Are
> any port-forwardings configured? If so: whereto? And why?
>
> Be verbose. As Wolfgang already said: it's really tiresome to have to
> wrest every single bit of information from you.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

The router is:
Linksys Cable/DSL Router 4port switch
model# BEFSR41 V3
Firmware V 1.05.00

Std out of the box settings. This is the router that was on my Win2K system
until last week when I replaced it with a new Win XP Cpu unit. This was
secure until the new XP cpu.

Re: Which firewall for WIN XP Pro

am 10.05.2007 00:19:32 von Gerald Vogt

Randy Tingley wrote:
> This is correct!
> The same IP address.

If it is the same IP address on the scans and on the status page of the
router then your router probably has port forwardings configured for
those open ports. Check the settings in the router if there are any.
Also make sure to turn off UPnP support in the router. You don't want
some software in your LAN opening ports on the router automatically.

You should verify the scans with other internet port scanners.

Gerald

Re: Which firewall for WIN XP Pro

am 10.05.2007 16:13:30 von Ansgar -59cobalt- Wiechers

Randy Tingley wrote:
> "Ansgar -59cobalt- Wiechers" wrote:
>> Randy Tingley wrote:
>>> It's a Linksys router/4 port switch.
>>
>> Oh, come on! Which model? Firmware revision? Have you checked its
>> configuration? Is it running any services? If so: which? And why? Are
>> any port-forwardings configured? If so: whereto? And why?
>>
>> Be verbose. As Wolfgang already said: it's really tiresome to have to
>> wrest every single bit of information from you.
>
> The router is:
> Linksys Cable/DSL Router 4port switch
> model# BEFSR41 V3
> Firmware V 1.05.00

Seems to be the latest Firmware. Good.

> Std out of the box settings.

*sigh*

Look, "out of the box" can mean just about anything. Why don't you go
and find out what the actual settings are and then answer my questions?
Would that make things too easy for us?

BTW: Have you cross-checked the results from grc.com with another port
scanner (like the one I mentioned previously)? Does the router allow for
configuration via UPnP?

> This is the router that was on my Win2K system until last week when I
> replaced it with a new Win XP Cpu unit. This was secure until the new
> XP cpu.

XP is an operating system, not a CPU.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Which firewall for WIN XP Pro

am 10.05.2007 19:58:42 von RedForeman

On May 10, 10:13 am, Ansgar -59cobalt- Wiechers
wrote:
> BTW: Have you cross-checked the results from grc.com with another port
> scanner (like the one I mentioned previously)? Does the router allow for
> configuration via UPnP?

http://www.grcsucks.com

> XP is an operating system, not a CPU.

and Steve Gibson is a moron...

> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Re: Which firewall for WIN XP Pro

am 10.05.2007 20:13:33 von Ansgar -59cobalt- Wiechers

RedForeman wrote:
> On May 10, 10:13 am, Ansgar -59cobalt- Wiechers wrote:
>> BTW: Have you cross-checked the results from grc.com with another
>> port scanner (like the one I mentioned previously)? Does the router
>> allow for configuration via UPnP?
>
> http://www.grcsucks.com
>
>> XP is an operating system, not a CPU.
>
> and Steve Gibson is a moron...

This has already been mentioned by several people in this thread
(including myself).

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Which firewall for WIN XP Pro

am 11.05.2007 00:05:30 von Randy Tingley

"Ansgar -59cobalt- Wiechers" wrote in message
news:5agnkaF2olli5U1@mid.individual.net...
> Randy Tingley wrote:
>> "Ansgar -59cobalt- Wiechers" wrote:
>>> Randy Tingley wrote:
>>>> It's a Linksys router/4 port switch.
>>>
>>> Oh, come on! Which model? Firmware revision? Have you checked its
>>> configuration? Is it running any services? If so: which? And why? Are
>>> any port-forwardings configured? If so: whereto? And why?
>>>
>>> Be verbose. As Wolfgang already said: it's really tiresome to have to
>>> wrest every single bit of information from you.
>>
>> The router is:
>> Linksys Cable/DSL Router 4port switch
>> model# BEFSR41 V3
>> Firmware V 1.05.00
>
> Seems to be the latest Firmware. Good.
>
>> Std out of the box settings.
>
> *sigh*
>
> Look, "out of the box" can mean just about anything. Why don't you go
> and find out what the actual settings are and then answer my questions?
> Would that make things too easy for us?
>
> BTW: Have you cross-checked the results from grc.com with another port
> scanner (like the one I mentioned previously)? Does the router allow for
> configuration via UPnP?

Disabled for the UPnP

Yes, I did!
Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2007-05-11 00:01
CEST
Initiating Connect() Scan against 65.170.232.173 [1663 ports] at 00:01
Discovered open port 21/tcp on 65.170.232.173
Discovered open port 25/tcp on 65.170.232.173
Discovered open port 110/tcp on 65.170.232.173
Discovered open port 143/tcp on 65.170.232.173
The Connect() Scan took 48.60s to scan 1663 total ports.
Host 65.170.232.173 appears to be up ... good.
Interesting ports on 65.170.232.173:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
110/tcp open pop3
143/tcp open imap

Nmap run completed -- 1 IP address (1 host up) scanned in 49.169 seconds



>
>> This is the router that was on my Win2K system until last week when I
>> replaced it with a new Win XP Cpu unit. This was secure until the new
>> XP cpu.
>
> XP is an operating system, not a CPU.

Once again, you are correct!

Hope this helps.


>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Re: Which firewall for WIN XP Pro

am 11.05.2007 01:34:10 von Ansgar -59cobalt- Wiechers

Randy Tingley wrote:
> Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2007-05-11 00:01
> CEST
> Initiating Connect() Scan against 65.170.232.173 [1663 ports] at 00:01
> Discovered open port 21/tcp on 65.170.232.173
> Discovered open port 25/tcp on 65.170.232.173
> Discovered open port 110/tcp on 65.170.232.173
> Discovered open port 143/tcp on 65.170.232.173
> The Connect() Scan took 48.60s to scan 1663 total ports.
> Host 65.170.232.173 appears to be up ... good.
> Interesting ports on 65.170.232.173:
> (The 1659 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 21/tcp open ftp
> 25/tcp open smtp
> 110/tcp open pop3
> 143/tcp open imap
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 49.169 seconds

So nmap reports them as open, too, and since I can connect to them
there's definitely something listening there. Whatever it is doesn't
seem to be a mail or FTP server, though.

I'd suggest checking the router's configuration. Another thing you could
try is resetting the router to defaults and then re-creating your custom
settings. Make sure you have all required data (credentials for your
internet connection, etc.) at hand before doing this.

If the ports are still shown as open after that I'd check back with
Linksys.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
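
The triage reasoning used across this thread (private local address means NAT, scanned address must equal the router's WAN address, externally open ports that nothing local listens on belong to a device in front of the PC), as an added example that is not part of any poster's message. The function names are hypothetical and the WAN address is a constructed placeholder; the port table and netstat line are the ones posted above.

```python
import ipaddress
import re

# Port table and netstat line as posted in the thread.
NMAP_TABLE = """PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
"""
NETSTAT = "TCP 192.168.1.100:139 0.0.0.0:0 LISTENING 4\n"

def open_ports(nmap_text):
    """Map port -> service for TCP ports the external scan reports open."""
    rows = re.findall(r"^(\d+)/tcp\s+open\s+(\S+)", nmap_text, re.M)
    return {int(port): service for port, service in rows}

def local_listeners(netstat_text):
    """Return (listening TCP ports, local addresses) from `netstat -an` text."""
    rows = re.findall(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING",
                      netstat_text, re.M)
    return {int(port) for _, port in rows}, {addr for addr, _ in rows}

def behind_nat(addrs):
    """True if every specific local address is private (RFC 1918 and similar)."""
    ips = [ipaddress.ip_address(a.strip("[]")) for a in addrs]
    specific = [ip for ip in ips
                if not (ip.is_unspecified or ip.is_loopback)]
    return bool(specific) and all(ip.is_private for ip in specific)

def triage(nmap_text, netstat_text, scanned_ip, router_wan_ip):
    """Say which device most likely answers each externally open port."""
    if scanned_ip != router_wan_ip:
        return {"*": "scan did not target the router's WAN address"}
    listening, addrs = local_listeners(netstat_text)
    natted = behind_nat(addrs)
    verdicts = {}
    for port in sorted(open_ports(nmap_text)):
        if port not in listening:
            verdicts[port] = "no local listener: a device in front of the PC answers"
        elif natted:
            verdicts[port] = "forwarded to the PC: check port forwarding and UPnP"
        else:
            verdicts[port] = "local service directly exposed"
    return verdicts

if __name__ == "__main__":
    # 203.0.113.10 is a constructed documentation address, not from the thread.
    for port, verdict in triage(NMAP_TABLE, NETSTAT,
                                "203.0.113.10", "203.0.113.10").items():
        print(port, verdict)
```
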

Re: Which firewall for WIN XP Pro

am 11.05.2007 20:26:11 von Randy Tingley

"Ansgar -59cobalt- Wiechers" wrote in message
news:5ahofiF2o8s1aU1@mid.individual.net...
> Randy Tingley wrote:
>> Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2007-05-11 00:01
>> CEST
>> Initiating Connect() Scan against 65.170.232.173 [1663 ports] at 00:01
>> Discovered open port 21/tcp on 65.170.232.173
>> Discovered open port 25/tcp on 65.170.232.173
>> Discovered open port 110/tcp on 65.170.232.173
>> Discovered open port 143/tcp on 65.170.232.173
>> The Connect() Scan took 48.60s to scan 1663 total ports.
>> Host 65.170.232.173 appears to be up ... good.
>> Interesting ports on 65.170.232.173:
>> (The 1659 ports scanned but not shown below are in state: filtered)
>> PORT STATE SERVICE
>> 21/tcp open ftp
>> 25/tcp open smtp
>> 110/tcp open pop3
>> 143/tcp open imap
>>
>> Nmap run completed -- 1 IP address (1 host up) scanned in 49.169 seconds
>
> So nmap reports them as open, too, and since I can connect to them
> there's definitely something listening there. Whatever it is doesn't
> seem to be a mail or FTP server, though.
>
> I'd suggest checking the router's configuration. Another thing you could
> try is resetting the router to defaults and then re-creating your custom
> settings. Make sure you have all required data (credentials for your
> internet connection, etc.) at hand before doing this.
>
> If the ports are still shown as open after that I'd check back with
> Linksys.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Thank you!
I will try this.