| Thread ID: 67888 | 2006-04-09 06:49:00 | Port 21 and Port 22 | ephesus (2509) |
| Post ID | Timestamp | Content | User | ||
| 445150 | 2006-04-10 00:21:00 | I will try the settings on the Norton Firewall. Does Windows Firewall protect these ports automatically? The Windows firewall blocks FTP by default. I thought that Norton did too, but I couldn't find a predefined rule for it. Greg - if he blocks it both ways rather than just blocking incoming connections, won't that mean that he won't be able to download from an FTP site? |
Greven (91) | ||
| 445151 | 2006-04-10 01:49:00 | I looked at Norton. The instructions say "block ftp and web servers". Does this mean it will also block my internet? If Windows blocks FTP by default, then the port should not show up on Shields Up??? :confused: |
ephesus (2509) | ||
| 445152 | 2006-04-10 02:18:00 | I looked at Norton. The instructions say "block ftp and web servers". Does this mean it will also block my internet? If Windows blocks FTP by default, then the port should not show up on Shields Up??? :confused: No, it won't block your web browsing. Most of those default rules only stop incoming connections. The Windows firewall blocks FTP by default. Check out the settings for it from the control panel & look at the exceptions list. You don't really need the Windows firewall as well as Norton Internet Security. |
Greven (91) | ||
| 445153 | 2006-04-10 02:36:00 | Many Thanks. :) | ephesus (2509) | ||
| 445154 | 2006-04-10 03:58:00 | The ports are detected from your most outer device to the internet, in this case it's your router that stands in the way, it does not test your computer ports because it's only testing an IP, and has nothing to do with your web browser sending the information to and from the site to your own computer. The only way this would be possible is if you made your router port forward every port to your own computer, which would mean other computers on your network, etc would probably no longer receive incoming connections. How to clarify this, if you were to ping the external IP from a computer on the internet, where do you think that packet would go? It goes to your router, and your router decides how to handle it, in most cases your router takes care of it, if you didn't set up anything that directs it to your computer, then it's the router's job, to handle it by dropping it or replying or doing whatever it wants with it. Shields Up works off your external IP, so it's got no idea that you could be behind a router (though if it performed exploits it might). Port 21 is FTP, which probably suggests remote FTP is allowed, Port 22 is SSH which suggests remote SSH is probably allowed too. This must mean you can access your router via these two services. If you don't configure your router with FTP or SSH, then it would probably be a good idea to turn those services off at the router, save settings and reboot it. Then perform the checks again. Checking a NAT Router's WAN Security: Residential broadband "NAT" routers which allow many computers to share a single Internet connection are becoming quite popular. We love them for the security they provide to the machines placed behind them since any NAT router functions as a natural and excellent hardware firewall. However, the Internet or "WAN" (Wide Area Network) side connection of many NAT routers and DSL gateways is not as secure as it should be.
Many routers ship with web, ftp, or Telnet management ports wide open! And many are still configured with their well-known default administrative passwords. Although the router may be protecting the machines behind it, it might not be protecting itself without your deliberate closing of remote "WAN" administration ports. ShieldsUP! automatically tests your NAT router's WAN-side security because the router's WAN IP is the single public IP that connects your internal private network to the public Internet. When a test is initiated by any system behind a NAT router, we are testing the public-side security of the router itself and not the security of the individual machines which are located behind and protected by the router. Cheers, KK |
Kame (312) | ||
| 445155 | 2006-04-10 04:35:00 | The only way this would be possible is if you made your router port forward every port to your own computer The cheap dlink is designed for ease of use with one computer so that is how it is set up out of the box. It doesn't have a firewall or anything fancy - it just sends whatever it gets to whatever computer it is connected to. Not many routers allow you to configure them via ssh & the ones that do aren't cheap. How would you configure a router via ftp? :p |
Greven (91) | ||
| 445156 | 2006-04-10 04:46:00 | It might not be configuring the router via FTP but uploading updates like ROM updates, etc. It needs some place to store those files to flash it. Being a cheap router though, SSH is still a possibility, it's far better than Telnet, so it's probably a reason why it's on there. He's running a Windows machine, it's highly unlikely Windows has SSH unless you installed it yourself. What DLink router are we talking about anyways? I'll look into it and see what I can dig up about it. Cheers, KK |
Kame (312) | ||
| 445157 | 2006-04-10 04:50:00 | The one that Xtra gives away for free to new signups. I agree that ssh would be better than telnet & I don't know why more routers don't offer it, but it seems to be mainly on Cisco equipment & a few of the more expensive consumer level routers. Perhaps it requires too much processing power? Most routers I've looked at use http rather than ftp for uploading a new firmware image. I haven't looked into the specs of the dlink modem - I've just made assumptions based on setting them up for friends. I don't really like them because they forward everything rather than letting you set up what to allow & have it block all other incoming connections. |
Greven (91) | ||
| 445158 | 2006-04-10 04:51:00 | Thanks Kame, your explanation is most helpful. Referring to your quote that "Many routers ship with web, ftp, or Telnet management ports wide open", don't you think that ISPs that provide routers to attract new customers should be more security conscious and have these ports closed by default, given that many new users will not have a clue about these ports and would be quite vulnerable? :illogical |
ephesus (2509) | ||
| 445159 | 2006-04-10 04:57:00 | It's a D-Link DSL 502T. Cheap alright - Can't expect much from Xtra. | ephesus (2509) | ||