卡饭论坛's Archiver



薄荷 posted on 2007-10-31 10:47

ZA's port 113 stealth issue

Today I happened to see a post in the COMODO section mentioning ZA's port 113 stealth issue (the original poster didn't know the exact reason; ZA showed the port as not stealthed), so I took the chance to do a quick translation of the SHIELDS UP! explanation of ZA's port 113 stealth behaviour (the material isn't new, but apparently some people finish a port scan without ever reading it).

Adaptive IDENT stealthing
Stealthing port 113 of the IDENT protocol is a subtle problem. If the user's port 113 is completely stealthed, connections to some remote servers such as eMail, IRC and others may be delayed or even refused. For this reason, many NAT routers and personal firewalls do not try to stealth port 113; they leave it closed. ZA, however, uses "adaptive stealthing".
"Adaptive stealthing" means that when a TCP SYN packet arrives at your machine requesting a connection to port 113, ZA checks whether your machine currently has any relationship with that remote machine (such as an outbound connection attempt to it). If so, the remote machine is considered "friendly" and its IDENT request packet is allowed through ZA. If the machine originating the IDENT request is not known to ZA as "friendly", the request packet is dropped, so unknown scans of port 113 see it as stealthed.

ZoneAlarm's port 113 check at ShieldsUP!

While the test machine's browser has a relationship with GRC's web server, GRC launches its scan of port 113 from a different "foreign" IP address. ZA drops that inbound packet, and the port shows as stealthed.
Demonstrating adaptive stealthing:
1. Scan port 113; it shows as stealthed.
2. Open a second browser window and try to connect to the address "4.79.142.206". The connection will fail, but ZA will notice the attempt.
3. Scan port 113 again; the port will no longer be stealthed.
4. Close the second browser window, rescan port 113, and see how long ZA takes to adapt back.
PS: Someone said a while ago that ZA failed the port 113 check in 天网's port test. That is because the IP address 天网 scans from is not a "foreign" IP; it is the very server address the user's browser is "browsing".

If you want to get rid of this adaptive stealthing, just add an expert rule that blocks inbound connections to local port 113...

薄荷 posted on 2007-10-31 10:48

The translation is simplified; the original text is as follows

Adaptive IDENT Stealthing Experimentation

The IDENT protocol's port 113 is quite problematical and tricky to stealth. If the user's port 113 is completely stealthed, connections to some remote Internet servers such as eMail, Internet Relay Chat (IRC), and others, may be delayed or denied altogether. For this reason, many NAT routers and personal firewalls do not attempt to stealth port 113, they settle for leaving it closed. One of the first things that caught my eye about the ZoneAlarm personal firewall was that it was clever about handling port 113: It "adaptively stealthed" the port.

To understand the following discussion, you should familiarize yourself with the details of the IDENT protocol and port 113. Please read port 113's Port Authority database page before proceeding.

Even after many years, the (free) ZoneAlarm personal firewall from Zone Labs is the only personal firewall to "adaptively" stealth port 113. Unlike any other firewall or NAT router (any of which could also do the same) this allows port 113 to be stealthed to any passing Internet scanners or probes, but "unstealthed" for any valid IDENT connection attempts originating from remote servers with which the user's computer is attempting to connect. (Since this could easily be done by any personal firewall or even NAT routers, I am hopeful that this feature might yet appear in other products.)

"Adaptive Stealthing" means that when a TCP SYN packet arrives to request a connection to your machine's port 113, ZoneAlarm checks, on the fly, to see whether your machine currently has any sort of "relationship" with the remote machine (such as a pending outgoing connection attempt). If so, the remote machine is considered to be "friendly" and its IDENT request packet is allowed to pass through ZoneAlarm's firewall. But if the IDENT originating machine is not known to ZoneAlarm as a "friendly" machine, the connection requesting packet is dropped and discarded, rendering port 113 stealth to all unknown port scanners. It's very slick.

IDENT, ZoneAlarm, and ShieldsUP!

Even though your computer's web browser already has a relationship with the web server at GRC, our tests originate from a different "foreign" IP address. ZoneAlarm therefore drops incoming packets to port 113 from this different probing IP address and ZoneAlarm users see that port 113 is stealthed to passing Internet scans.

To demonstrate how ZoneAlarm (and perhaps someday other firewalls or NAT routers) selectively "unstealth" port 113 — but only for known "friendly" machines — we simply initiate a connection from your web browser to the ShieldsUP! scanning IP. Even though the connection attempt will ultimately fail (since there's no web server at the probing address), ZoneAlarm will note the outgoing attempt and will unstealth port 113 for subsequent probes.

Step One: Verify that our scan currently shows port 113 stealthed. (You may wish to use one of the other remote port tests which will be faster than an entire 1056-port grid scan.)

Step Two: Open a secondary web browser window to initiate a connection to the probing IP. (Users of Microsoft Internet Explorer can press Ctrl-N to "clone" their current browser window.)

Step Three: In the secondary web browser window, click this URL or enter this address: http://4.79.142.206 This second connection attempt will ultimately fail, but ZoneAlarm will notice the effort, which is all that's necessary.

Step Four: Finally, refresh the port probe window or repeat the scan to check your system's current port status. You should find that port 113 is no longer "stealth" to the probing IP address because you are attempting to connect to it and it has been determined to be "friendly".

Step Five: If you're curious, stop and close the secondary web browser window and periodically refresh your port probe window to see how long the "friendly" status persists before Zone Alarm returns the probing IP to unknown status and port 113 to full stealth.
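The adaptive-stealthing rule described in both the translation and the original text (drop an inbound SYN to port 113 unless the remote address has a current outbound "relationship" with this host) is easy to model in a few lines. The following Python is an added illustration written for this thread; it is not ZoneAlarm's or GRC's code. The friendly-status lifetime `FRIENDLY_TTL`, the `always_block` switch (standing in for the "block inbound local port 113" expert rule mentioned in the first post), the stranger address `198.51.100.7` and the event timeline in `shieldsup_demo` are all assumptions or constructed sample data; the probe address `4.79.142.206` is the one quoted in the thread.

```python
"""Toy model of ZoneAlarm-style "adaptive stealthing" of IDENT port 113.

Added example for the thread above; not ZoneAlarm's implementation.
The relationship table, the FRIENDLY_TTL value and the demo timeline
are assumptions / constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IDENT_PORT = 113
FRIENDLY_TTL = 30.0      # assumed lifetime of "friendly" status, in seconds
PROBE_IP = "4.79.142.206"  # ShieldsUP! probing address quoted in the thread


@dataclass
class AdaptiveStealthFilter:
    """Decides whether an inbound SYN to port 113 is delivered or silently dropped."""
    ttl: float = FRIENDLY_TTL
    always_block: bool = False   # models an expert rule that blocks inbound 113 outright
    _last_outbound: Dict[str, float] = field(default_factory=dict)

    def note_outbound(self, remote_ip: str, now: float) -> None:
        """Record an outbound connection attempt to remote_ip, even one that will fail."""
        self._last_outbound[remote_ip] = now

    def is_friendly(self, remote_ip: str, now: float) -> bool:
        """A remote is friendly while an outbound attempt to it is younger than ttl."""
        last: Optional[float] = self._last_outbound.get(remote_ip)
        return last is not None and (now - last) <= self.ttl

    def inbound_ident_syn(self, src_ip: str, now: float) -> str:
        """Return 'PASS' (deliver to the IDENT service) or 'DROP' (stealth)."""
        if self.always_block:
            return "DROP"            # unconditional block: port 113 is always stealthed
        if self.is_friendly(src_ip, now):
            return "PASS"            # known relationship: let the IDENT request through
        return "DROP"                # unknown scanner: discard silently, port looks stealth


def shieldsup_demo(ttl: float = FRIENDLY_TTL) -> List[Tuple[str, str]]:
    """Replay the five-step ShieldsUP! demonstration as a constructed event timeline."""
    fw = AdaptiveStealthFilter(ttl=ttl)
    results: List[Tuple[str, str]] = []
    # Step one: the probe arrives from a "foreign" IP with no relationship -> stealth.
    results.append(("step1_probe", fw.inbound_ident_syn(PROBE_IP, now=0.0)))
    # Steps two and three: the user's browser tries to connect to the probing IP.
    fw.note_outbound(PROBE_IP, now=5.0)
    # Step four: the same probe is now "friendly" and gets through.
    results.append(("step4_probe", fw.inbound_ident_syn(PROBE_IP, now=6.0)))
    # A different scanner with no relationship is still stealthed (constructed address).
    results.append(("stranger_probe", fw.inbound_ident_syn("198.51.100.7", now=6.0)))
    # Step five: the browser window is closed; once ttl elapses the probe is dropped again.
    results.append(("step5_probe", fw.inbound_ident_syn(PROBE_IP, now=5.0 + ttl + 1.0)))
    return results


def same_server_scan_demo() -> str:
    """The 天网 case from the first post: the scanner is the very web server being browsed,
    so the browser's own outbound connection makes it 'friendly' and port 113 is not stealthed."""
    fw = AdaptiveStealthFilter()
    web_server = "203.0.113.10"  # constructed address standing in for the test site
    fw.note_outbound(web_server, now=0.0)
    return fw.inbound_ident_syn(web_server, now=1.0)


if __name__ == "__main__":
    for label, verdict in shieldsup_demo():
        print(f"{label:15s} -> {verdict}")
    print(f"same-server scan -> {same_server_scan_demo()}")
```

`shieldsup_demo` is deliberately driven by explicit timestamps rather than the wall clock so the expiry step is reproducible; `same_server_scan_demo` shows why a port test hosted on the same server the browser is talking to cannot see the port as stealthed, which is exactly the 天网 observation in the first post.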

普通人儿 posted on 2007-10-31 18:29

Nice, a very valuable article; bookmarked.

L.CeKSys posted on 2007-11-3 07:24

OP has also mentioned this issue. The recommendation is to allow port 113 traffic only with trusted target hosts :)

chyphoenix posted on 2007-11-4 10:23

Thanks; so ZA has this behaviour too. I'll go try it.

killloop posted on 2007-11-4 17:37

薄荷, are you a girl? Married yet? Where are you from?
I used to see you on the 金山 forum N years ago! A secret sealed for so many years ought to be made public by now.

atgc posted on 2007-11-5 13:46

It seems CHX-I's Conditional rules can do this too.

3324052 posted on 2007-11-13 15:05

...I don't understand it.


Powered by Discuz! Archiver 6.1.0  © 2001-2007 Comsenz Inc.