
Ports will not close?


UltimateSilence



Open a command prompt (cmd). Using the username of 'Anonymous' and the password of your email address, you can attempt to connect. Here is my example I just did.

C:\windows\system32>ftp usftp.clevo.com.tw
Connected to usftp.clevo.com.tw.
220 Serv-U FTP Server v7.3 ready...
User (usftp.clevo.com.tw:(none)): Anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp>

Of course, it won't show you what you are typing at the password prompt, so hope to not make a typo! :rolleyes:

You shouldn't even get to the prompt for the username if the port is blocked tho.

Tripredacus, we have a problem. :ph34r:

[Attached image: 48dj0i2j.png]

Edited by UltimateSilence

Hmmm...

This states

By default, Windows Firewall is enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. You can use the Windows Firewall with Advanced Security interface to configure rules for both inbound and outbound connections.
And this indicates that there's a "global" setting for each of Domain, Private, and Public.

Additionally, link#1 indicates "overrides" in IPSec "setups". In Symantec Firewall (VERY similar), there is something called "Trusted Computers" that basically says "ignore firewall - this PC is OK for anything".

Somewhere you have set up some kind of "override".

How to restore defaults. It also gives a link that might indicate that the FTP program is actually allowed (maybe even the IE browser?) similar to the old-style XP/2K3 Firewall.

Disclaimer -

I have not yet installed/tested either Win7 or 2k8 as of this time but interested in the subject for future install/test.

Add'l Note -

I have Cable Modem (no firewall - External IP)->Router (firewalled incoming with 80/21 pass-thru to Internal IP)->PC (Symantec - FTP.EXE/Iexplore.EXE allowed ALL, Incoming TCP21/80 allowed). GRC reports CLOSED ports when HTTP/FTP Servers "disabled" and All Others "Stealth". So... Is INCOMING also blocked (that is what GRC "checks" for, BTW ;))?


Tripredacus, we have a problem. :ph34r:

and that problem is that you're able to connect to stuff on the internet? I honestly don't see how this is a problem in any way. You're perfectly safe.

CoffeeFiend,

It's not literally a problem...

I just hate having them open because I don't "use" them.

Submix, thank you for the links. Incoming is also blocked.

Edited by UltimateSilence

I just hate having them open because I don't "use" them.

But what you posted i.e. using ftp.exe to connect to another server means absolutely NOTHING about your own ports being opened (as shown on GRC's website). This just means you are able to connect to someone else which is typically what people want -- just like you're able to connect to web servers to see web pages.

Unfortunately, if you want them to display anything else than "opened", then you'll most likely need another modem/router. Since none of the traffic is reaching your computer, there's no settings you can change there to affect that. You should talk to your ISP about them using these ports on your modem if anything.


Tripredacus, we have a problem. :ph34r:

and that problem is that you're able to connect to stuff on the internet? I honestly don't see how this is a problem in any way. You're perfectly safe.

Well you'd think that if you configured Windows Firewall to block FTP out using the configured ports, that you wouldn't be able to connect out to an FTP site.

@UltimateSilence

Run this test again. But before you disconnect from the FTP, open another CMD and run

netstat

Here are my results:

TCP    10.x.x.x:61781     ec2-184-72-241-236:ftp  ESTABLISHED

So it would appear that my FTP out connection is using port 61781. I also tested the other FTPs I commonly use from my FTP client (Leech) and also am seeing FTP out on these TCP ports:

61788 (when connecting to saved FTP server #1)

61792 (when connecting to saved FTP server #2)

61794 (when connecting to saved FTP server #1 again)

:wacko:


Well you'd think that if you configured Windows Firewall to block FTP out using the configured ports, that you wouldn't be able to connect out to an FTP site.

Yes, but his main concern seems to be:

I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

and not that he's actually able to connect to websites, ftp servers, torrents and so on.

So it would appear that my FTP out connection is using port 61781. I also tested the other FTPs I commonly use from my FTP client (Leech) and also am seeing FTP out on these TCP ports:

61788 (when connecting to saved FTP server #1)

61792 (when connecting to saved FTP server #2)

61794 (when connecting to saved FTP server #1 again)

:wacko:

These are dynamic ports. They'll be different the next time you try, or if you connect to something else, or if you try it on a different PC, or if somebody else tries it (hence the "dynamic" name -- these are also called ephemeral ports). It's perfectly normal that you're listening on that port range when you make a connection of any type (unless you're using an older version of Windows which uses a lower port range), be it for web pages, ftp sites or whatever. It's how TCP/IP connections work (using source/destination ports). There's nothing :wacko: about it ;)

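Added example, not part of any post in this thread: a short Python script that separates listening sockets (what an inbound scan such as GRC's probes) from outbound client connections using dynamic source ports, as described in the post above. The sample `netstat -an` text is constructed (documentation IP addresses; ports 61781 and 6831 are taken from the thread), and treating an established connection as inbound when its local port also has a listener is a heuristic assumed here.

```python
import re

# Default dynamic (ephemeral) TCP range on Windows Vista and later.
# Windows XP/2003 defaulted to 1025-5000, the "lower port range" in the post.
DYNAMIC_RANGE = range(49152, 65536)

# Constructed sample in `netstat -an` format, not real capture data.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:61781         203.0.113.10:21        ESTABLISHED
  TCP    10.0.0.5:6831          203.0.113.10:21        ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.9:52100         ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Return one dict per TCP row: addresses, ports and state."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            laddr, lport, raddr, rport, state = m.groups()
            rows.append({"laddr": laddr, "lport": int(lport),
                         "raddr": raddr, "rport": int(rport), "state": state})
    return rows

def classify(rows):
    """Label each row 'listener', 'inbound' or 'outbound'.

    Returns tuples (kind, local_port, remote_port, local_port_is_dynamic).
    """
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    result = []
    for r in rows:
        if r["state"] == "LISTENING":
            kind = "listener"      # reachable from outside only if firewall/NAT allow it
        elif r["lport"] in listening:
            kind = "inbound"       # a peer connected to a service on this PC
        else:
            kind = "outbound"      # this PC connected out; local port is just a source port
        result.append((kind, r["lport"], r["rport"], r["lport"] in DYNAMIC_RANGE))
    return result

if __name__ == "__main__":
    for kind, lport, rport, dynamic in classify(parse_netstat(SAMPLE)):
        print(f"{kind:9} local={lport:<6} remote={rport:<6} dynamic_local={dynamic}")
```

Only the `listener` rows describe ports that an external scan could find open on the PC itself; the FTP rows are outbound sessions to remote port 21, whatever source port the client happened to get.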

Well you'd think that if you configured Windows Firewall to block FTP out using the configured ports, that you wouldn't be able to connect out to an FTP site.

Yes, but his main concern seems to be:

I have ports 21-23; 6000-6001 blocked, but according to GRC Shields Up! they remain open. :ph34r:

and not that he's actually able to connect to websites, ftp servers, torrents and so on.

Actually, my main concern is that, due to the fact that they're listed as open, they could be used for malicious activity... :ph34r:

Tripredacus,

I did what you suggested and the results are...

TCP 192.x.x.x:6831 ec2-184-72-241-236:ftp  ESTABLISHED


Actually, my main concern is that, due to the fact that they're listed as open, they could be used for malicious activity... :ph34r:

That's exactly what I'm saying. These are inbound ports which your modem/router (model unknown) has opened and it has nothing to do with what Tripredacus is saying (he's checking if you can connect to an external ftp site, much like you can test if you could connect to a web server -- totally and completely unrelated to those GRC results). Not that those "opened" ports of yours can actually be used for malicious activity.


Let me ask some clarifying questions.

UltimateSilence, are you concerned about blocking inbound ports or outbound ports? Also, assuming you have a modem/router between your PC and the Net, (brand and model number?), it does seem that there is a big difference whether you are blocking the PC's ports or the router's ports.

How one would possibly block the whole range of "dynamic" ports I have no idea. It does seem that you have to block the app instead.

CoffeeFiend, I guess there are a few questions. Is it possible to block either the inbound or the outbound ports, of either the PC or the router, and does it matter? If not, why not?

The security concern seems a valid one, but not being an expert in the field I have no idea how far one should take their concerns. There are obviously different opinions on the matter.

Cheers and Regards

Edited by bphlpt

How one would possibly block the whole range of "dynamic" ports I have no idea.

You can't. If you block that, then *nothing* can connect to the internet (no web browser or anything).

It does seem that you have to block the app instead.

If you're worried about a particular application connecting to the internet, then sure, why not.

Is it possible to block either the inbound or the outbound ports, of either the PC or the router, and does it matter? If not, why not?

The inbound ports are most likely already blocked on both his firewall and his router. They are not opened by default on the Windows firewall, nor are they forwarded to an IP address by default by the router -- so you'd have to go out of your way to set that up yourself. It's just that his router has some services running on it (for its internal use) but which don't actually accept connections from anybody (like I said previously, it just resets the TCP connection on you, no data is ever sent, and it's not coming from his PC either). These ports used by the router's firmware (which again just reset the connection on you) are what's being reported by GRC's website. So no, it doesn't really matter and he's secure -- unless your concern is that you're able to connect to websites, ftp sites and stuff like that on the internet.


Thank you for the explanation.

I assumed since he was talking about blocking outgoing ftp, if I understood him correctly, that he was concerned for some reason that a nefarious rogue program could get on his system and "call home" or something via ftp, hence the attempts to block the appropriate ports. But I could have totally misunderstood his concerns.

Cheers and Regards


That's exactly what I'm saying. These are inbound ports which your modem/router (model unknown) has opened and it has nothing to do with what Tripredacus is saying (he's checking if you can connect to an external ftp site, much like you can test if you could connect to a web server -- totally and completely unrelated to those GRC results). Not that those "opened" ports of yours can actually be used for malicious activity.

I basically ignored what the OP posted the website was telling him and trying to tackle the basics of the problem. In his initial posts it was made clear he wanted to block FTP (among other types of connections) going out, but was focusing on the inbound (21) port. That was why my focus on the subject changed to stopping the client from connecting to an FTP server.

How one would possibly block the whole range of "dynamic" ports I have no idea. It does seem that you have to block the app instead.

You wouldn't end up blocking the ports, per se. I don't know how it would be done, but even netstat shows the protocol being used as well as the port. I would imagine there was a program that could block protocols.

It is possible to block programs using Windows 7 Pro and Ultimate (or was that Enterprise) by using the App Locker, but I don't think that would be any help against a virus which would connect to FTP using an API call.
