In my opinion, I never filter, I just close. That way, even if somebody did hack me, it would give the impression that I might not be connected at the moment. If it's refused, then you know the person is alive, and then you could try getting back in through your original (or any other) hole.
I agree with northernsky. I use the analogy of the cops coming to your place and looking for you. Having a filtered port is like them knocking on the door, and you saying "I'm not here". Having a closed port is like them knocking on the door, and no one answering. With a filtered port, you know there is an active system behind that port.
I prefer port closing, as I think with filtering it just says "come on, try another method", and for true hackers the machine presents more of a challenge.
Well, I don't think the question was about the difference in what's sent back, the question was is there a difference from a security standpoint and I think yes there is.
Here is the actual difference:
Closed Port:
- If you send a SYN to a closed port, it will respond back with a RST.
Open Port:
- If you send a SYN to an open port, you should receive a SYN/ACK.
Filtered Port:
- The packet is simply dropped and you receive no response (not even a RST).
As far as the security standpoint goes, most hackers, when they see closed, don't think of a firewall; they think the service is just not running. When I see filtered, and it's a port I want to get to, I instantly think, "oh, OK, is there some backdoor I can punch through the firewall? Can I DoS the firewall? Can I remotely administer the firewall?"
Showing a closed port doesn't really alert an attacker to anything. However, there is the advantage that by filtering, you just totally ignore the traffic, whereas with a closed port you actually have to go through sending out a RST... I would imagine that this could be leveraged in a DoS attack.
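The three outcomes listed above are exactly what a connect()-style scanner sees from the kernel: the handshake completes (SYN/ACK came back), the connect is refused (a RST came back), or nothing comes back and the attempt times out. The script below is an added example, not code from any poster in this thread; it classifies a port from those outcomes and demonstrates "open" and "closed" against a throwaway listener on 127.0.0.1. "filtered" cannot be reproduced offline, so it is shown by feeding a constructed socket.timeout to the classifier; against a real firewalled host, probe() returns it after the timeout expires.

```python
"""Classify a TCP port as open / closed / filtered from a connect() attempt.

Added example (not from the thread). A full-connect probe, so the kernel
does the handshake for us; a raw SYN scan would see the same three
replies one layer lower.
"""
import socket


def outcome_to_state(outcome):
    """Map the result of connect() onto the three states from the post.

    None                   -> handshake completed (SYN/ACK seen): open
    ConnectionRefusedError -> kernel received a RST:              closed
    socket.timeout         -> no reply at all before the timeout: filtered
    Anything else (no route, host unreachable) is none of the three and is
    reported as an error rather than guessed at.
    """
    if outcome is None:
        return "open"
    if isinstance(outcome, ConnectionRefusedError):
        return "closed"
    if isinstance(outcome, socket.timeout):
        return "filtered"
    return "error:" + type(outcome).__name__


def probe(host, port, timeout=1.0):
    """Attempt a full TCP connect and return open / closed / filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        outcome = None
    except OSError as exc:          # refused, timed out, unreachable ...
        outcome = exc
    finally:
        s.close()
    return outcome_to_state(outcome)


def demo():
    """Show all three states using a local listener plus a constructed timeout.

    The listener is never accept()ed; the kernel completes the handshake for
    backlog connections, which is enough for a connect scan to see 'open'.
    """
    results = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]
    results["listening"] = probe("127.0.0.1", port)       # SYN/ACK -> open
    srv.close()                                           # nothing bound now
    results["after_close"] = probe("127.0.0.1", port)     # RST -> closed
    # Constructed outcome standing in for a dropped packet: no RST, no SYN/ACK.
    results["no_reply"] = outcome_to_state(socket.timeout())
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:12s} {state}")
```

The important practical detail is the timeout: a closed port answers in one round trip, while a filtered one costs the scanner the full timeout per port, which is the "it's going to take a long time" argument made further down the thread.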
(I agree with you 100%, I was just concerned that the definitions being the wrong way round might confuse n00bs. If it times out, it's filtered, not closed.)
Personally I'd go for filtered every time. If a box doesn't have any public services on it, then the lack of any response to an unknown address means a potential attacker doesn't even know for certain that the target is there (assuming ICMP is filtered, too). And if someone decides to port scan the range anyway, it's going to take a long time :)
I take your point that filtered can indicate that there is a firewall, especially if a mix of closed and filtered comes back, but the network architecture doesn't always lend itself to discovering that a firewall exists in this way. Port unreachables and the like can be too useful for an attacker; I'd encourage people to run p0f (v2) and try the 'fingerprint whatever told me to go away' mode if they don't believe me.
Filtered generally means that an ACL is applied, i.e. as people previously mentioned, a firewall, or in the case of a Cisco router an ACL has been applied to its VTY for management purposes.
A good point to note is that, behind a firewall, you will commonly see an open port that has no service running behind it (after testing). Use this port (i.e. install a listener on it), as it is a misconfiguration by the FW admin.
I enjoy making security clones. For instance, I will code a little program in C that looks just like a DOS shell. After which, I will use nc -l -e myprogram.exe -p 31337. Keep in mind that this is just a few printf statements, so no harm can come of it. What the user on the other end doesn't realize is that their IP, along with every last string they type, is being stored in a database. After the user disconnects, the program will block their IP from connecting again. :P
Open ports can be just as good as closed or filtered.
I read about a tool on SecuriTeam or somewhere, I don't remember. It replies to port scans on all ports, so the scanners show all ports open, and sometimes the scanner even crashes as it gets so many replies from all the ports (they showed screenshots).