Topic: GRC Port Scan

[Dan Williams]

Hi,
I wondered if someone could assist me in either stealthing, or hiding what GRC says are open ports on my server.
They are:
25 / 113 / 443
I had put an SMC Barricade 4 port router on for experimentation, and it locked everything down nicely, however, then, I could not get mail.
I think if I can just "stealth" the ports somehow in E-smith, I would be happy.
Thanks,
Dan

[Scott Smith]

"Stealth" means that a port is closed and any packets directed to that port are simply dropped. The client receives no notification of what happened to its packet(s). It is as if the system does not exist.

This is in contrast to a closed port, where packets directed to the port are denied. The denial is communicated back to the client, so though the client may not be able to access that port, it does know that a server exists at that address.

"Stealth" (or drop) is preferred over deny because it does not say to a potentially malicious client -- Here I am, come hack at me.

You could stealth ports 25, 113, and 443, but then your SMTP, AUTH, and HTTPS services would not be accessible from the outside.

Are you sure that is what you want?

[Dan G.]

You should settle for being happy now, knowing that your SME server is only exposing services necessary to do what you have instructed it to do.  "Stealth" those ports, or otherwise interfere with their operation, and you'll experience unsatisfactory trade-offs --- like the mail problem you mentioned.  The SME team is well aware of the GRC reports, and know that the reports do not indicate unacceptable risks.

There are no glaring, obvious holes in SME's current security implementation.  If any are found, it won't be at grc.com...

Dan

[Dan Brown]

Yes, those ports are open, and they're supposed to be.  You need port 25 open for your server to receive mail from the outside world, and port 443 is used for secure web access.

BTW, GRC is often unduly paranoid.

[Dan Williams]

Thank you for the replies,
So, should I be concerned about any of these ports showing as open like this?
I am not paranoid, I just do not want to expose my company to exploits etc, that are preventable.?
Thanks,
Dan

[Dan G.]

You have the minimum exposure necessary to provide basic external services. I wouldn't lose sleep over it --- it's nothing different than any other web-accessible server would expose.  GRC is for innocent home computer users who may not know anything is exposed to the internet --- a web server is a different animal.

Dan

[Kelvin]

If you are still worried and still want to "close" those ports, you can (but you will lose access to those services from the external interface). Just search the forums for the word "masq" and you will the information you need to close those ports.

I have setup a few sites like this -- basically, they have absolutely no need for external access to the system, so why even advertise that it's there    !


Cheers,

Kelvin

[Dan Brown]

...but if there's no desire to have external access at all, just set the machine to be a private server and gateway.

[Kelvin]

Hi Dan,

So true .... missed that in the configuration screen -- too used to setting up ESSG 4.1.2 systems, don't remember there being an option like that, again, could have just missed it ...

In any case, if anyone who is interested, modifying the masq templates is where you would go if you need to customise what is visible and what is not if there are no add on modules (like the port forwarding module, etc.) available to accomplish just that little bit of customisation ....

Kelvin

[Nate]

As long as your SMTP server isn't an 'open' relay, having that port 25 open doesn't hurt anything.  e-smith isn't an open relay.

[Lapin]

More info there:

http://www.grcsucks.com/

Cheers.