Stealth Ports Or Closed?

This subject has come up a surprising amount recently – are stealth’d ports more secure than closed ones? The idea behind a stealth port is that an attacker will try to initiate contact but when they don’t get a reply they’ll assume no one’s there. Here’s a short piece explaining the Stealth vs Closed port argument.

What Happens When A Port Is Closed?

If I have a closed port and an attacker pings that port, they’ll get a little message saying that the port is closed. This is the default behavior; it’s the standard. This is, for all intents and purposes, the way things are “supposed to be.”

What Happens When A Port Is Stealth?

If I have a stealth port and an attacker pings that port, they’ll sit there for 30 seconds or however long and then realize they aren’t getting anything back. So, great, right? They now think no one is there? Well, not quite.

What Happens When There Are No Ports?

Let’s say I’m an attacker and I ping an IP but there really is no one on the other side. I wouldn’t get silence; I would get one of the “ICMP Unreachable” responses.

What Does This Mean?

What this means is that, unless you configure your ports to send out the ICMP Unreachable signal, you’re actually telling your attacker just as much by stealthing as you are with a closed port.

Furthermore, even if you did configure stealth properly it wouldn’t matter. A single listening service will break the entire ‘purpose’ of stealth – you can’t stealth an open port.

So there are a few situations here…

1) Your ports are all closed. A hacker gets a response, but what the hell are they going to do? Your ports are closed. Yeah, I guess they know you’re there so they can try something fancy to get in, but they’re going to be circumventing the firewall, not breaking it.

2) Your ports are all stealthed. A hacker doesn’t get a response but they still know you’re there because there wasn’t a proper response. But your ports are still closed, so see (1).

3) Your ports are all closed or all stealthed except for one. None of the stealthing matters because the open port gives you away entirely.
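The three situations above can be checked against a firewall you run yourself. This is an added example, not code from the original post: `probe` and `host_revealed` are hypothetical names, and the mapping of socket errors to the post's closed/stealth/unreachable terms assumes the usual behaviour of the operating system's TCP stack.

```python
import errno
import socket

OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def probe(host, port, timeout=2.0):
    """Classify how one TCP port answers a connection attempt."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN            # handshake completed: a service is listening
    except ConnectionRefusedError:
        return CLOSED          # explicit refusal: the host said "port closed"
    except socket.timeout:
        return STEALTH         # nothing came back: the packet was dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE  # the network reported no host at that address
        raise
    finally:
        sock.close()


def host_revealed(results):
    """results maps port -> state; returns (revealed, reason)."""
    states = set(results.values())
    if not states:
        raise ValueError("no probe results")
    if OPEN in states:
        return True, "an open port answered, so stealthing the rest hides nothing"
    if CLOSED in states:
        return True, "closed ports replied, so the host is known to be there"
    if STEALTH in states:
        return True, "silence instead of an unreachable reply: something is dropping packets"
    return False, "every probe was unreachable, as for an unused address"


if __name__ == "__main__":
    # Constructed results for the three situations in the post, plus an empty address.
    cases = {
        "1) all closed": {22: CLOSED, 80: CLOSED, 443: CLOSED},
        "2) all stealthed": {22: STEALTH, 80: STEALTH, 443: STEALTH},
        "3) stealthed, one open": {22: STEALTH, 80: OPEN, 443: STEALTH},
        "nobody there": {22: UNREACHABLE, 80: UNREACHABLE, 443: UNREACHABLE},
    }
    for name, results in cases.items():
        print(name, "->", host_revealed(results))
```

A timeout can also be ordinary packet loss, so a single silent probe is weaker evidence than silence across every port.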

Even in the situation where all ports are stealthed “properly,” what are you really accomplishing? It’s like the security is depending on the hacker being an idiot or just driving through the town NMAPing random houses.

The big problem is that people think “Closed” is insecure now. That only stealth is secure.

I can see some potential when actually done the right way but I just couldn’t ever make myself spend the time setting up stealthed ports. If your question is: “Should I stealth my ports?” my answer is: “Don’t bother.”

Here’s a tip – stop making security a matter of whether the attacker knows you’re there and start making it a matter of whether or not they can get in anyway.

6 thoughts on “Stealth Ports Or Closed?”

  1. Then why are testing sites like grc.com telling the users to stealth all ports?
    Don’t they know it is useless if you have an open port?

  2. Ok thanks, I personally like this type of classic blog, but please consider adding screenshots to your blog because it is hard for beginners to understand some topics. I am new to Linux and don’t know “how to use terminal properly”, so it is very difficult to understand the commands or how or where to use them and with which. Like your AppArmor article: I tried somehow, but after that Pidgin did not start at all, I mean the UI was not showing. After that I read on the Ubuntu help pages that apps already use AppArmor.

    Thanks 🙂

    • I’ll consider using more pictures.

      In terms of AppArmor, Pidgin doesn’t use a profile by default. I have guides for building profiles, though they are a bit advanced.
