MSFN Forum: Ports will not close? - MSFN Forum

Ports will not close? #21, #22, #23

#1 UltimateSilence

  • Member
  • Group: Members
  • Posts: 168
  • Joined: 19-November 11
  • OS: Vista Home Premium x86

Posted 22 January 2012 - 01:27 AM

I've tried to block the following ports via Windows Firewall in Windows 7 Ultimate: FTP (#21), SSH (#22), Telnet (#23) as per here, but the ports remain open. What am I doing wrong?

Thank you.

This post has been edited by UltimateSilence: 22 January 2012 - 01:28 AM



#2 cluberti

  • Gustatus similis pullus
  • Group: Supervisor
  • Posts: 11,208
  • Joined: 09-September 01
  • OS: Windows RT

Posted 22 January 2012 - 11:37 AM

They remain open as in you can still connect to them inbound to your computer from other machines on these ports, or they remain open in that you can make outbound connections on those ports to other machines?

#3 UltimateSilence

  • Member
  • Group: Members
  • Posts: 168
  • Joined: 19-November 11
  • OS: Vista Home Premium x86

Posted 22 January 2012 - 02:18 PM

cluberti, on 22 January 2012 - 11:37 AM, said:

They remain open as in you can still connect to them inbound to your computer from other machines on these ports, or they remain open in that you can make outbound connections on those ports to other machines?


The latter.

#4 Tripredacus

  • K-Mart-ian Legend
  • Group: Super Moderator
  • Posts: 8,682
  • Joined: 28-April 06
  • OS: Server 2012

Posted 23 January 2012 - 09:02 AM

I can't get to that website. Are you adding a new rule to the Outbound Rules in the Windows Firewall with Advanced Security?

#5 UltimateSilence

  • Member
  • Group: Members
  • Posts: 168
  • Joined: 19-November 11
  • OS: Vista Home Premium x86

Posted 23 January 2012 - 02:21 PM

Tripredacus, on 23 January 2012 - 09:02 AM, said:

I can't get to that website. Are you adding a new rule to the Outbound Rules in the Windows Firewall with Advanced Security?


Yes, sir.
Windows Firewall with Advanced Security -> Outbound Rules -> New Rule -> Port -> TCP Specific Ports (#21, #22, #23).

What action should be taken when a connection matches the specified conditions?
Block the connection.
-
When does this rule apply?
Domain, Private, Public.

This post has been edited by UltimateSilence: 23 January 2012 - 02:21 PM


#6 Tripredacus

  • K-Mart-ian Legend
  • Group: Super Moderator
  • Posts: 8,682
  • Joined: 28-April 06
  • OS: Server 2012

Posted 23 January 2012 - 06:18 PM

Did you try adding one for TCP or UDP? Try adding one of the other types and see if that makes a difference.

#7 uid0

  • Advanced Member
  • Group: Members
  • Posts: 348
  • Joined: 12-June 06

Posted 24 January 2012 - 07:43 AM

If you're trying to block outgoing ssh, you'd be better off blocking the program - but win7 doesn't come with one...
Likewise ftp will connect from a high random port number to the server port 21, so blocking outgoing port 21 isn't going to work either.
If you say what you're trying to achieve, people can probably suggest better approaches.
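The local-vs-remote port distinction uid0 describes is the crux of the thread, so here is an added Python example (not from any poster): it opens one real TCP connection to a throwaway listener on localhost (standing in for an FTP server, since binding port 21 itself needs privileges), reads the client's ephemeral local port, and checks which of two simplified rule models would block that connection. OutboundRule is a hypothetical model of a firewall rule written for this example, not the Windows firewall API; the Windows wizard's "Port" page only sets local ports, which is why a rule entered there as "21" never matches an outbound FTP session.

```python
import socket
import threading
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class OutboundRule:
    """Simplified model of a Windows Firewall outbound TCP block rule (a model for
    this example, not the Windows API). None means "any port" for that field."""
    local_port: Optional[int] = None   # the wizard's "Specific local ports" field
    remote_port: Optional[int] = None  # settable later on the rule's Protocols and Ports tab

    def matches(self, local_port: int, remote_port: int) -> bool:
        """True if an outbound connection with this (local, remote) port pair is blocked."""
        if self.local_port is not None and self.local_port != local_port:
            return False
        if self.remote_port is not None and self.remote_port != remote_port:
            return False
        return True


def observe_client_ports() -> Tuple[int, int]:
    """Open one TCP connection to a throwaway listener on localhost (standing in for
    an FTP server; port 21 itself needs privileges) and return the client's
    (local_port, remote_port) pair."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # OS-chosen server port for the stand-in server
    listener.listen(1)
    server_port = listener.getsockname()[1]
    accepted = []
    acceptor = threading.Thread(target=lambda: accepted.append(listener.accept()[0]))
    acceptor.start()
    client = socket.create_connection(("127.0.0.1", server_port))
    acceptor.join()
    # The OS picks the client's local port from the ephemeral range, so it differs
    # from the server's port: a rule keyed on local port 21 never sees FTP traffic.
    ports = (client.getsockname()[1], client.getpeername()[1])
    for conn in accepted:
        conn.close()
    client.close()
    listener.close()
    return ports


def evaluate_rules(local_port: int, remote_port: int) -> Dict[str, bool]:
    """Apply both ways of writing "block TCP port N" (N = the server's port) to one connection."""
    rules = {
        "local_port_rule": OutboundRule(local_port=remote_port),
        "remote_port_rule": OutboundRule(remote_port=remote_port),
    }
    return {key: rule.matches(local_port, remote_port) for key, rule in rules.items()}
```

Run `evaluate_rules(*observe_client_ports())`: only `remote_port_rule` reports the connection as blocked. On Windows 7 the remote-port form is created from an elevated prompt with `netsh advfirewall firewall add rule name="Block outbound FTP/SSH/Telnet" dir=out action=block protocol=TCP remoteport=21,22,23`.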

#8 Tripredacus

  • K-Mart-ian Legend
  • Group: Super Moderator
  • Posts: 8,682
  • Joined: 28-April 06
  • OS: Server 2012

Posted 27 January 2012 - 10:51 AM

I get it. :blushing:

Those ports 21-23 are destination ports. Blocking them would stop users from accepting connections for those protocols. For example, for FTP, if you block port 21, if an FTP server is being run on the machine, other systems won't be able to connect to it. If you want to stop users from sending files from that PC to an FTP server, you'd need to block ports 6000 and 6001. As for the other protocols, you'll need to look those up to find what outbound ports they use.

#9 UltimateSilence

  • Member
  • Group: Members
  • Posts: 168
  • Joined: 19-November 11
  • OS: Vista Home Premium x86

Posted 14 February 2012 - 10:26 PM

Tripredacus, on 27 January 2012 - 10:51 AM, said:

I get it. :blushing:

Those ports 21-23 are destination ports. Blocking them would stop users from accepting connections for those protocols. For example, for FTP, if you block port 21, if an FTP server is being run on the machine, other systems won't be able to connect to it. If you want to stop users from sending files from that PC to an FTP server, you'd need to block ports 6000 and 6001. As for the other protocols, you'll need to look those up to find what outbound ports they use.


Tripredacus,
I'm sorry for the late reply. I just remembered about this topic tonight.
I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

EDIT: Windows Firewall is configured to block the inbound and outbound connections of these ports.

This post has been edited by UltimateSilence: 14 February 2012 - 10:29 PM


#10 Tripredacus

  • K-Mart-ian Legend
  • Group: Super Moderator
  • Posts: 8,682
  • Joined: 28-April 06
  • OS: Server 2012

Posted 15 February 2012 - 09:07 AM

How does the computer connect to the internet? The reason I am asking is because that website would say I had ports open that I do not, simply because the interface it detects is not my computer, but our outbound interface which is the router. Ports would be open on the router, but any connections into my network would fail at the firewall which sits between the router and my computer. (Yes it is a separate device)

Instead of using that, since you say you have those FTP ports blocked, try to connect to an FTP site using a client (not a web browser) or even the command prompt. If you need a site to go to, you can connect to Clevo's website to see if you can get in:

ftp://usftp.clevo.com.tw/


#11 UltimateSilence

  • Member
  • Group: Members
  • Posts: 168
  • Joined: 19-November 11
  • OS: Vista Home Premium x86

Posted 16 February 2012 - 12:49 AM

Tripredacus, on 15 February 2012 - 09:07 AM, said:

How does the computer connect to the internet? The reason I am asking is because that website would say I had ports open that I do not, simply because the interface it detects is not my computer, but our outbound interface which is the router. Ports would be open on the router, but any connections into my network would fail at the firewall which sits between the router and my computer. (Yes it is a separate device)

Instead of using that, since you say you have those FTP ports blocked, try to connect to an FTP site using a client (not a web browser) or even the command prompt. If you need a site to go to, you can connect to Clevo's website to see if you can get in:

ftp://usftp.clevo.com.tw/



I connect to the Internet using a wired DSL router.
I do not know how to connect via the command prompt... :unsure:

I know you said to connect using a client and not a web browser, but out of curiosity I tried using Internet Explorer 9, which triggered a Windows Firewall notification!

This post has been edited by UltimateSilence: 16 February 2012 - 12:50 AM


#12 bphlpt

  • MSFN Expert
  • Group: Members
  • Posts: 1,082
  • Joined: 12-May 07

Posted 16 February 2012 - 01:09 AM

By client, he means something like FileZilla, or one of the other FTP clients listed here - http://www.shareware....com/winftp.htm

Cheers and Regards

#13 CoffeeFiend

  • Coffee Aficionado
  • Group: Super Moderator
  • Posts: 5,399
  • Joined: 14-July 04
  • OS: Windows 7 x64

Posted 16 February 2012 - 01:34 AM

UltimateSilence, on 14 February 2012 - 10:26 PM, said:

I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

They seem to be open indeed (not that I really put much faith in that website). A quick SYN stealth scan in nmap confirms it (your IP replaced by 1.2.3.4):

Discovered open port 23/tcp on 1.2.3.4
Discovered open port 21/tcp on 1.2.3.4
Discovered open port 22/tcp on 1.2.3.4
Discovered open port 80/tcp on 1.2.3.4
(the other 2 ports aren't scanned by that)

The ports are opened but they don't actually send any data. For example, connecting to your port 80, the TCP handshake goes over fine (SYN, SYN ACK, ACK), then the browser sends its "GET / HTTP/1.1" request, which it ACKs, then it resets the connection (RST, ACK) without sending a single byte. As for port 21 it's much of the same. Typical TCP handshake, but immediately after (before we even have the chance of making a request) you're already sending FIN ACK and RST. So it's not like there's something running on your PC serving data and your router forwarding traffic to it.

My best guess is that these ports are opened/in use by your DSL modem/router and not your PC. Those ports could also be used by your ISP to update/access the device (and not having the right IP it won't talk to me). They're the typical ports a Linux/Busybox router would have open too (ftp, ssh, telnet, http).

There's no need to panic, and it's not Windows' fault either :)

#14 UltimateSilence

  • Member
  • Group: Members
  • Posts: 168
  • Joined: 19-November 11
  • OS: Vista Home Premium x86

Posted 16 February 2012 - 03:50 AM

CoffeeFiend, on 16 February 2012 - 01:34 AM, said:

UltimateSilence, on 14 February 2012 - 10:26 PM, said:

I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

They seem to be open indeed (not that I really put much faith in that website). A quick SYN stealth scan in nmap confirms it (your IP replaced by 1.2.3.4):

Discovered open port 23/tcp on 1.2.3.4
Discovered open port 21/tcp on 1.2.3.4
Discovered open port 22/tcp on 1.2.3.4
Discovered open port 80/tcp on 1.2.3.4
(the other 2 ports aren't scanned by that)

The ports are opened but they don't actually send any data. For example, connecting to your port 80, the TCP handshake goes over fine (SYN, SYN ACK, ACK), then the browser sends its "GET / HTTP/1.1" request, which it ACKs, then it resets the connection (RST, ACK) without sending a single byte. As for port 21 it's much of the same. Typical TCP handshake, but immediately after (before we even have the chance of making a request) you're already sending FIN ACK and RST. So it's not like there's something running on your PC serving data and your router forwarding traffic to it.

My best guess is that these ports are opened/in use by your DSL modem/router and not your PC. Those ports could also be used by your ISP to update/access the device (and not having the right IP it won't talk to me). They're the typical ports a Linux/Busybox router would have open too (ftp, ssh, telnet, http).

There's no need to panic, and it's not Windows' fault either :)


Thank you, CoffeeFiend!

You scanned the ports... I feel naked. :lol:

EDIT: Wait, CoffeeFiend! It's not my fault either, right? :unsure:

This post has been edited by UltimateSilence: 16 February 2012 - 03:55 PM


#15 Tripredacus

  • K-Mart-ian Legend
  • Group: Super Moderator
  • Posts: 8,682
  • Joined: 28-April 06
  • OS: Server 2012

Posted 16 February 2012 - 10:53 AM

UltimateSilence, on 16 February 2012 - 12:49 AM, said:

Tripredacus, on 15 February 2012 - 09:07 AM, said:

ftp://usftp.clevo.com.tw/



I connect to the Internet using a wired DSL router.
I do not know how to connect via the command prompt... :unsure:

I know you said to connect using a client and not a web browser, but out of curiosity I tried using Internet Explorer 9, which triggered a Windows Firewall notification!


Open a command prompt (cmd). Using the username of 'Anonymous' and the password of your email address, you can attempt to connect. Here is my example I just did.

C:\windows\system32>ftp usftp.clevo.com.tw
Connected to usftp.clevo.com.tw.
220 Serv-U FTP Server v7.3 ready...
User (usftp.clevo.com.tw:(none)): Anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp>


Of course, it won't show you what you are typing at the password prompt, so hope to not make a typo! :rolleyes:

You shouldn't even get to the prompt for the username if the port is blocked tho.

#16 CoffeeFiend

  • Coffee Aficionado
  • Group: Super Moderator
  • Posts: 5,399
  • Joined: 14-July 04
  • OS: Windows 7 x64

Posted 16 February 2012 - 04:11 PM

UltimateSilence, on 16 February 2012 - 03:50 AM, said:

It's not my fault either, right? :unsure:

No. It's most likely the configuration of your modem/router device (and that was probably done by your ISP too, and you might not even be able to change that).

Again, there's no need to worry.

#17 UltimateSilence

  • Member
  • Group: Members
  • Posts: 168
  • Joined: 19-November 11
  • OS: Vista Home Premium x86

Posted 18 February 2012 - 01:02 AM

Tripredacus, on 15 February 2012 - 09:07 AM, said:


Open a command prompt (cmd). Using the username of 'Anonymous' and the password of your email address, you can attempt to connect. Here is my example I just did.

C:\windows\system32>ftp usftp.clevo.com.tw
Connected to usftp.clevo.com.tw.
220 Serv-U FTP Server v7.3 ready...
User (usftp.clevo.com.tw:(none)): Anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp>


Of course, it won't show you what you are typing at the password prompt, so hope to not make a typo! :rolleyes:

You shouldn't even get to the prompt for the username if the port is blocked tho.


Tripredacus, we have a problem. :ph34r:
Posted Image

This post has been edited by UltimateSilence: 18 February 2012 - 01:05 AM


#18 CoffeeFiend

  • Coffee Aficionado
  • Group: Super Moderator
  • Posts: 5,399
  • Joined: 14-July 04
  • OS: Windows 7 x64

Posted 18 February 2012 - 07:33 AM

UltimateSilence, on 18 February 2012 - 01:02 AM, said:

Tripredacus, we have a problem. :ph34r:

and that problem is that you're able to connect to stuff on the internet? I honestly don't see how this is a problem in any way. You're perfectly safe.

#19 submix8c

  • Inconceivable!
  • Group: Patrons
  • Posts: 3,247
  • Joined: 14-September 05
  • OS: none specified

Posted 18 February 2012 - 10:46 AM

Hmmm...
This states:

By default, Windows Firewall is enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. You can use the Windows Firewall with Advanced Security interface to configure rules for both inbound and outbound connections.

And this indicates that there's a "global" setting for each of Domain, Private, and Public.

Additionally, link#1 indicates "overrides" in IPSec "setups". In Symantec Firewall (VERY similar), there is something called "Trusted Computers" that basically says "ignore firewall - this PC is OK for anything".

Somewhere you have set up some kind of "override".

How to restore defaults. It also gives a link that might indicate that the FTP program is actually allowed (maybe even the IE browser?) similar to the old-style XP/2K3 Firewall.

Disclaimer -
I have not yet installed/tested either Win7 or 2k8 as of this time but interested in the subject for future install/test.
Add'l Note -
I have Cable Modem (no firewall - External IP)->Router (firewalled incoming with 80/21 pass-thru to Internal IP)->PC (Symantec - FTP.EXE/Iexplore.EXE allowed ALL, Incoming TCP21/80 allowed). GRC reports CLOSED ports when HTTP/FTP Servers "disabled" and All Others "Stealth". So... Is INCOMING also blocked (that is what GRC "checks" for, BTW ;))?

#20 UltimateSilence

  • Member
  • Group: Members
  • Posts: 168
  • Joined: 19-November 11
  • OS: Vista Home Premium x86

Posted 18 February 2012 - 01:52 PM

CoffeeFiend, on 18 February 2012 - 07:33 AM, said:

UltimateSilence, on 18 February 2012 - 01:02 AM, said:

Tripredacus, we have a problem. :ph34r:

and that problem is that you're able to connect to stuff on the internet? I honestly don't see how this is a problem in any way. You're perfectly safe.


CoffeeFiend,
It's not literally a problem...
I just hate having them open because I don't "use" them.

Submix, thank you for the links. Incoming is also blocked.

This post has been edited by UltimateSilence: 18 February 2012 - 01:53 PM



All trademarks mentioned on this page are the property of their respective owners
Copyright © 2001 - 2013 msfn.org