Ports will not close?


35 replies to this topic

#1
UltimateSilence

  • Member
  • 169 posts
  • OS:98SE
I've tried to block the following ports via Windows Firewall in Windows 7 Ultimate: FTP (#21), SSH (#22), Telnet (#23) as per here, but the ports remain open. What am I doing wrong?

Thank you.

Edited by UltimateSilence, 22 January 2012 - 01:28 AM.

Keep Windows XP alive!

Please do not misconstrue Windows 7 license sales as actual sales of the operating system. PCs are bundled with Windows 7, and count towards the sales figures.
Running Windows Vista on HP Pavilion Slimline.




#2
cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,250 posts
  • OS:Windows 8.1 x64
They remain open as in you can still connect to them inbound to your computer from other machines on these ports, or they remain open in that you can make outbound connections on those ports to other machines?
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!

#3
UltimateSilence


They remain open as in you can still connect to them inbound to your computer from other machines on these ports, or they remain open in that you can make outbound connections on those ports to other machines?


The latter.



#4
Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,706 posts
  • OS:Server 2012

Donator

I can't get to that website. Are you adding a new rule to the Outbound Rules in the Windows Firewall with Advanced Security?
MSFN RULES | GimageX HTA for PE 3.x | lol probloms

#5
UltimateSilence


I can't get to that website. Are you adding a new rule to the Outbound Rules in the Windows Firewall with Advanced Security?


Yes, sir.
Windows Firewall with Advanced Security -> Outbound Rules -> New Rule -> Port -> TCP Specific Ports (#21, #22, #23).

What action should be taken when a connection matches the specified conditions?
Block the connection.
-
When does this rule apply?
Domain, Private, Public.

Edited by UltimateSilence, 23 January 2012 - 02:21 PM.



#6
Tripredacus


Did you try adding one for TCP or UDP? Try adding one of the other types and see if that makes a difference.

#7
uid0

    Advanced Member

  • Member
  • 356 posts
If you're trying to block outgoing ssh, you'd be better blocking the program - but win7 doesn't come with one...
Likewise ftp will connect from a high random port number to the server port 21, so blocking outgoing port 21 isn't going to work either.
If you say what you're trying to achieve, people can probably suggest better approaches.

#8
Tripredacus


I get it. :blushing:

Those ports 21-23 are destination ports. Blocking them would stop users from accepting connections for those protocols. For example, for FTP, if you block port 21, if an FTP server is being run on the machine, other systems won't be able to connect to it. If you want to stop users from sending files from that PC to an FTP server, you'd need to block ports 6000 and 6001. As for the other protocols, you'll need to look those up to find what outbound ports they use.

#9
UltimateSilence


Tripredacus,
I'm sorry for the late reply. I just remembered about this topic tonight.
I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

EDIT: Windows Firewall is configured to block the inbound and outbound connections of these ports.

Edited by UltimateSilence, 14 February 2012 - 10:29 PM.



#10
Tripredacus


How does the computer connect to the internet? The reason I am asking is because that website would say I had ports open that I do not, simply because the interface it detects is not my computer, but our outbound interface which is the router. Ports would be open on the router, but any connections into my network would fail at the firewall which sits between the router and my computer. (Yes it is a separate device)

Instead of using that, since you say you have those FTP ports blocked, try to connect to an FTP site using a client (not a web browser) or even the command prompt. If you need a site to go to, you can connect to Clevo's website to see if you can get in:

ftp://usftp.clevo.com.tw/


#11
UltimateSilence


I connect to the Internet using a wired DSL router.
I do not know how to connect via the command prompt... :unsure:

I know you said to connect using a client and not a web browser, but out of curiosity I tried using Internet Explorer 9, which triggered a Windows Firewall notification!

Edited by UltimateSilence, 16 February 2012 - 12:50 AM.



#12
bphlpt

    MSFN Addict

  • Member
  • 1,796 posts
  • OS:none specified
By client, he means something like FileZilla, or one of the other FTP clients listed here - http://www.shareware....com/winftp.htm

Cheers and Regards



#13
CoffeeFiend

    Coffee Aficionado

  • Super Moderator
  • 5,399 posts
  • OS:Windows 7 x64

I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

They seem to be open indeed (not that I really put much faith in that website). A quick SYN stealth scan in nmap confirms it (your IP replaced by 1.2.3.4):

Discovered open port 23/tcp on 1.2.3.4
Discovered open port 21/tcp on 1.2.3.4
Discovered open port 22/tcp on 1.2.3.4
Discovered open port 80/tcp on 1.2.3.4
(the other 2 ports aren't scanned by that)

The ports are opened but they don't actually send any data. For example, connecting to your port 80, the TCP handshake goes over fine (SYN, SYN ACK, ACK), then the browser sends its "GET / HTTP/1.1" request, which it ACKs, then it resets the connection (RST, ACK) without sending a single byte. As for port 21 it's much of the same. Typical TCP handshake, but immediately after (before we even have the chance of making a request) you're already sending FIN ACK and RST. So it's not like there's something running on your PC serving data and your router forwarding traffic to it.

My best guess is that these ports are opened/in use by your DSL modem/router and not your PC. Those ports could also be used by your ISP to update/access the device (and not having the right IP it won't talk to me). They're the typical ports a Linux/Busybox router would have open too (ftp, ssh, telnet, http).

There's no need to panic, and it's not Windows' fault either :)
Coffee: \ˈkȯ-fē, ˈkä-\. noun. Heaven in a cup. Life's only treasure. The meaning of life. Kaffee ist wunderbar. C8H10N4O2 FTW.

#14
UltimateSilence


Thank you, CoffeeFiend!

You scanned the ports... I feel naked. :lol:

EDIT: Wait, CoffeeFiend! It's not my fault either, right? :unsure:

Edited by UltimateSilence, 16 February 2012 - 03:55 PM.



#15
Tripredacus



ftp://usftp.clevo.com.tw/


I connect to the Internet using a wired DSL router.
I do not know how to connect via the command prompt... :unsure:

I know you said to connect using a client and not a web browser, but out of curiosity I tried using Internet Explorer 9, which triggered a Windows Firewall notification!


Open a command prompt (cmd). Using the username of 'Anonymous' and the password of your email address, you can attempt to connect. Here is my example I just did.

C:\windows\system32>ftp usftp.clevo.com.tw
Connected to usftp.clevo.com.tw.
220 Serv-U FTP Server v7.3 ready...
User (usftp.clevo.com.tw:(none)): Anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp>

Of course, it won't show you what you are typing at the password prompt, so hope to not make a typo! :rolleyes:

You shouldn't even get to the prompt for the username if the port is blocked tho.

#16
CoffeeFiend


It's not my fault either, right? :unsure:

No. It's most likely the configuration of your modem/router device (and that was probably done by your ISP too, and you might not even be able to change that).

Again, there's no need to worry.

#17
UltimateSilence


Tripredacus, we have a problem. :ph34r:
Posted Image

Edited by UltimateSilence, 18 February 2012 - 01:05 AM.



#18
CoffeeFiend


Tripredacus, we have a problem. :ph34r:

and that problem is that you're able to connect to stuff on the internet? I honestly don't see how this is a problem in any way. You're perfectly safe.

#19
submix8c

    Inconceivable!

  • Patrons
  • 4,199 posts
  • OS:none specified
Hmmm...
This states

By default, Windows Firewall is enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. You can use the Windows Firewall with Advanced Security interface to configure rules for both inbound and outbound connections.

And this indicates that there's a "global" setting for each of Domain, Private, and Public.

Additionally, link#1 indicates "overrides" in IPSec "setups". In Symantec Firewall (VERY similar), there is something called "Trusted Computers" that basically says "ignore firewall - this PC is OK for anything".

Somewhere you have set up some kind of "override".

How to restore defaults. It also gives a link that might indicate that the FTP program is actually allowed (maybe even the IE browser?) similar to the old-style XP/2K3 Firewall.

Disclaimer -
I have not yet installed/tested either Win7 or 2k8 as of this time but interested in the subject for future install/test.
Add'l Note -
I have Cable Modem (no firewall - External IP)->Router (firewalled incoming with 80/21 pass-thru to Internal IP)->PC (Symantec - FTP.EXE/Iexplore.EXE allowed ALL, Incoming TCP21/80 allowed). GRC reports CLOSED ports when HTTP/FTP Servers "disabled" and All Others "Stealth". So... Is INCOMING also blocked (that is what GRC "checks" for, BTW ;))?

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!



#20
UltimateSilence



Tripredacus, we have a problem. :ph34r:

and that problem is that you're able to connect to stuff on the internet? I honestly don't see how this is a problem in any way. You're perfectly safe.


CoffeeFiend,
It's not literally a problem...
I just hate having them open because I don't "use" them.

Submix, thank you for the links. Incoming is also blocked.

Edited by UltimateSilence, 18 February 2012 - 01:53 PM.



#21
CoffeeFiend


I just hate having them open because I don't "use" them.

But what you posted i.e. using ftp.exe to connect to another server means absolutely NOTHING about your own ports being opened (as shown on GRC's website). This just means you are able to connect to someone else which is typically what people want -- just like you're able to connect to web servers to see web pages.

Unfortunately, if you want them to display anything else than "opened", then you'll most likely need another modem/router. Since none of the traffic is reaching your computer, there's no settings you can change there to affect that. You should talk to your ISP about them using these ports on your modem if anything.

#22
Tripredacus



Tripredacus, we have a problem. :ph34r:

and that problem is that you're able to connect to stuff on the internet? I honestly don't see how this is a problem in any way. You're perfectly safe.


Well you'd think that if you configured Windows Firewall to block FTP out using the configured ports, that you wouldn't be able to connect out to an FTP site.

@UltimateSilence

Run this test again. But before you disconnect from the FTP, open another CMD and run

netstat

Here are my results:

TCP    10.x.x.x:61781     ec2-184-72-241-236:ftp  ESTABLISHED

So it would appear that my FTP out connection is using port 61781. I also tested the other FTPs I commonly use from my FTP client (Leech) and also am seeing FTP out on these TCP ports:
61788 (when connecting to saved FTP server #1)
61792 (when connecting to saved FTP server #2)
61794 (when connecting to saved FTP server #1 again)

:wacko:

#23
CoffeeFiend


Well you'd think that if you configured Windows Firewall to block FTP out using the configured ports, that you wouldn't be able to connect out to an FTP site.

Yes, but his main concern seems to be:

I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

and not that he's actually able to connect to websites, ftp servers, torrents and so on.

So it would appear that my FTP out connection is using port 61781. I also tested the other FTPs I commonly use from my FTP client (Leech) and also am seeing FTP out on these TCP ports:
61788 (when connecting to saved FTP server #1)
61792 (when connecting to saved FTP server #2)
61794 (when connecting to saved FTP server #1 again)

:wacko:

These are dynamic ports. They'll be different the next time you try, or if you connect to something else, or if you try it on a different PC, or if somebody else tries it (hence the "dynamic" name -- these are also called ephemeral ports). It's perfectly normal that you're listening on that port range when you make a connection of any type (unless you're using an older version of Windows which uses a lower port range), be it for web pages, ftp sites or whatever. It's how TCP/IP connections work (using source/destination ports). There's nothing :wacko: about it ;)
Coffee: \ˈkȯ-fē, ˈkä-\. noun. Heaven in a cup. Life's only treasure. The meaning of life. Kaffee ist wunderbar. C8H10N4O2 FTW.
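
The source/destination port distinction described in the post above, as an added example that is not part of the original thread: a simplified model of outbound port matching (not Windows Firewall's actual rule engine) run over constructed netstat-style lines. The addresses, `BlockRule`, `Conn` and the other names are assumptions made for illustration.

```python
"""Added example: which port an outbound block rule has to match on."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Service names netstat prints in place of port numbers (small subset).
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80}

# Constructed netstat-style lines for client connections made from the PC.
# The IP addresses and the second and third connections are invented.
SAMPLE_NETSTAT = """\
  TCP    10.0.0.5:61781    ec2-184-72-241-236:ftp   ESTABLISHED
  TCP    10.0.0.5:61788    198.51.100.7:22          ESTABLISHED
  TCP    10.0.0.5:61792    203.0.113.9:http         ESTABLISHED
"""


@dataclass(frozen=True)
class Conn:
    local_port: int    # source port on the PC (ephemeral for a client)
    remote_port: int   # destination port on the server


@dataclass(frozen=True)
class BlockRule:
    """Simplified outbound block rule; None means 'any port'."""
    name: str
    local_ports: Optional[FrozenSet[int]] = None
    remote_ports: Optional[FrozenSet[int]] = None

    def matches(self, conn: Conn) -> bool:
        local_ok = self.local_ports is None or conn.local_port in self.local_ports
        remote_ok = self.remote_ports is None or conn.remote_port in self.remote_ports
        return local_ok and remote_ok


def port_of(endpoint: str) -> int:
    """Return the port from 'host:port', resolving names such as 'ftp'."""
    port = endpoint.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else SERVICES[port]


def parse_netstat(text: str) -> list:
    """Turn netstat TCP lines into Conn(local_port, remote_port) records."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP":
            conns.append(Conn(port_of(fields[1]), port_of(fields[2])))
    return conns


def blocked(rule: BlockRule, conns: list) -> list:
    """Remote ports of the connections the rule would block."""
    return [c.remote_port for c in conns if rule.matches(c)]


PORTS = frozenset({21, 22, 23})
BY_LOCAL = BlockRule("block local 21-23", local_ports=PORTS)
BY_REMOTE = BlockRule("block remote 21-23", remote_ports=PORTS)

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for rule in (BY_LOCAL, BY_REMOTE):
        print(f"{rule.name}: blocks remote ports {blocked(rule, conns)}")
```

The rule keyed on local ports matches none of the three connections because the client side uses ephemeral ports; only the rule keyed on remote ports matches the FTP and SSH connections.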

#24
dencorso

    Adiuvat plus qui nihil obstat

  • Super Moderator
  • 5,789 posts
  • OS:98SE

Donator

While SpinRite rocks, Steve Gibson's rants about security and his ShieldsUp! page should be taken with a real *huge* pinch (not just a grain) of salt, IMHO (and I'm not the only one to think so).

#25
UltimateSilence



Well you'd think that if you configured Windows Firewall to block FTP out using the configured ports, that you wouldn't be able to connect out to an FTP site.

Yes, but his main concern seems to be:

I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

and not that he's actually able to connect to websites, ftp servers, torrents and so on.


Actually, my main concern is that, due to the fact that they're listed as open, they could be used for malicious activity... :ph34r:

Tripredacus,
I did what you suggested and the results are...
TCP 192.x.x.x:6831 ec2-184-72-241-236:ftp  ESTABLISHED
