Security Scan against Untangle

[untangleme]

I just did a few scans with "shields up" and port 80 and port 443 are open otherwise it said I was extremely unusually well protected for a windows pc

This is a report from from one of the scan guess untangle is doing it's business ?

" ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion."

[untangleme]

And this


----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2011-10-06 at 11:09:28

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

2 Ports Open
1 Ports Closed
23 Ports Stealth
---------------------
26 Ports Tested

Ports found to be OPEN were: 80, 443

The port found to be CLOSED was: 22

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

[pazza3564]

2 Ports Open
1 Ports Closed
23 Ports Stealth
Ports found to be OPEN were: 80, 443
The port found to be CLOSED was: 22
Other than what is listed above, all ports are STEALTH.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

If your hosting a website, and a secure website, I would say this is am=lmost a perfect score. If you were really picky, you wouldn't have ping responding, but I like to have this so I know its working. Port 22 is SSH or FTP, but its closed so thats ok.

[untangleme]

I mean if you have TCP 80 exposed on "External" and you didn't configure it, and it's in router mode. Your installation is hosed, and it needs replaced.

I just worried cause I installed untangle with port 80 open , now I don't connect or turn on the modem to after untangle installs and up to configuration screens then downloads, if that means anything ?

Last report

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2011-10-06 at 11:49:20

Results from scan of ports: 0-1055

2 Ports Open
1 Ports Closed
1053 Ports Stealth
---------------------
1056 Ports Tested

Ports found to be OPEN were: 80, 443

The port found to be CLOSED was: 22

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

[sky-knight]

Untangle by default, TCP 80 on the outside is stealth.

Untangle with Lite Rack installed.

TCP 443 is open (remote admin)
UDP 1194 is open (OpenVPN)
TCP 22 is closed (because SSH is stupid that way)

If TCP 80 is "open" you've either port forwarded it to something that is responding. Or, you've gone into the packet filter and touched the wrong button.

[untangleme]

Untangle by default, TCP 80 on the outside is stealth.

Untangle with Lite Rack installed.

TCP 443 is open (remote admin)
UDP 1194 is open (OpenVPN)
TCP 22 is closed (because SSH is stupid that way)

If TCP 80 is "open" you've either port forwarded it to something that is responding. Or, you've gone into the packet filter and touched the wrong button.

Hi sky
You know I forgot, yes I have the server on 80 port forwarding

[sky-knight]

Then the scan is correct, the port is open. And, any vulnerabilities detected on the HTTP server, aren't Untangle, but the web service you've exposed.

[dsolutions1]

I am using all default settings. I am only forwarding RDP to a terminal server and allowing DNS.

I was considering just blocking the ports they are saying are open:
1) TCP 64156 - web server autoindex - enabled
2) TCP:389 - Is Your LDAP Secure?
3) TCP:80 - Is there a way to force https ONLY either from external or internet NIC
4) It says the HTTP trace/track methods are allowed - I suppose I need to disable this
5) TCP:64156 Apache ETag Heder Discloses Inode Numbers
6) TCP/IP Sequence Prediction Blind Reset Spoofing DoS

Before performed all of this, I wanted to make sure the Untangle gurus had a look.

Thanks for the help everyone.

The "BLOCK ALL LOCAL TRAFFIC" did the trick. It cleared up 1-6. I also setup Untangle to HTTPS only.

Now the scan says TCP 1 is open. I will block TCP 1 from the external NIC and I should be good.

[sky-knight]

Disabling HTTP admin doesn't close port 80, that doesn't make any sense. If it did, again you have a problem, because that means you've got it exposed, AND you didn't patch the bug in 9.0.2 that allows this to happen. This is a transitory situation, and the port will be open again once you upgrade to 9.1.

Again, the only ports that are exposed unless you forwarded/played in the packet filter are: TCP 443 (Open for Remote Admin), TCP 22 (Closed unless SSH starts), and UDP 1194 (which I doubt their lame scanner is even checking UDP ports.

If your box is reporting anything else... something is wrong! The PCI scan is a joke, it determines exactly nothing about your network security. But having an Untangle in the field that has random ports exposing themselves for an unknown reasons worries me, and it should be worrying you.