Stealth Ports Or Closed?

This subject has come up a surprising amount recently – are stealth’d ports more secure than closed ones? The idea behind a stealth port is that an attacker will try to initiate contact but when they don’t get a reply they’ll assume no one’s there. Here’s a short piece explaining the Stealth vs Closed port argument.

What Happens When A Port Is Closed?

If I have a closed port and an attacker pings that port, they’ll get a little message saying that the port is closed. This is the default behavior; it’s the standard. This is, for all intents and purposes, the way things are “supposed to be.”

What Happens When A Port Is Stealth?

If I have a stealth port and an attacker pings that port they’ll sit there for 30 seconds or however long and then realize they aren’t getting anything back. So, great, right? They now think no one is there? Well, not quite.

What Happens When There Are No Ports?

Let’s say I’m an attacker and I ping an IP but there really is no one on the other side. I wouldn’t get silence back; I would get one of the “ICMP Unreachable” responses.

What Does This Mean?

What this means is that, unless you configure your ports to send out the ICMP Unreachable signal, you’re actually telling your attacker just as much by stealthing as you are with a closed port.

Furthermore, even if you did configure stealth properly it wouldn’t matter. A single listening service will break the entire ‘purpose’ of stealth – you can’t stealth an open port.

So there are a few situations here…

1) Your ports are all closed. A hacker gets a response but what the hell are they going to do? Your ports are closed. Yeah, I guess they know you’re there so they can try something fancy to get in but they’re going to be circumventing the firewall not breaking it.

2) Your ports are all stealthed. A hacker doesn’t get a response but they still know you’re there because there wasn’t a proper response. But your ports are still closed, so see (1).

3) Your ports are all closed or all stealthed except for one. None of the stealthing matters because the open port gives you away entirely.
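The three situations above, plus the "properly configured" stealth case, can be checked as a small model of what a remote prober learns from each firewall behaviour. This is an added example, not code from the original post; the policy names, function names and sample ports are assumptions made for illustration, and it follows the post's premise that an address with no host behind it produces an ICMP Unreachable reply.

```python
from enum import Enum

class Reply(Enum):
    OPEN = "service answered"
    CLOSED = "port-closed reply"
    SILENT = "no reply (timed out)"
    UNREACHABLE = "ICMP unreachable"

# Hypothetical policy names: how the firewall treats ports with no listener.
POLICY_REPLY = {
    "closed": Reply.CLOSED,                    # the default behaviour
    "stealth": Reply.SILENT,                   # drop the probe silently
    "stealth_unreachable": Reply.UNREACHABLE,  # mimic an empty address
}

def observed_replies(policy, open_ports, probed_ports):
    """What a remote prober sees for each probed port under a given policy."""
    if policy not in POLICY_REPLY:
        raise ValueError(f"unknown policy: {policy}")
    return {p: Reply.OPEN if p in open_ports else POLICY_REPLY[policy]
            for p in probed_ports}

def host_revealed(replies):
    """Return (revealed, reason) for a {port: Reply} mapping."""
    if not replies:
        raise ValueError("no probe results to judge")
    seen = set(replies.values())
    if Reply.OPEN in seen:
        return True, "a listening service answered"
    if Reply.CLOSED in seen:
        return True, "something sent a port-closed reply"
    if Reply.SILENT in seen:
        return True, "silence where ICMP unreachable was expected"
    return False, "looks the same as an address with no host"

if __name__ == "__main__":
    probed = [22, 80, 443]  # constructed sample ports
    cases = [("closed", set()), ("stealth", set()),
             ("stealth_unreachable", set()), ("stealth_unreachable", {443})]
    for policy, open_ports in cases:
        revealed, reason = host_revealed(observed_replies(policy, open_ports, probed))
        print(f"{policy:20} open={sorted(open_ports)!s:6} revealed={revealed}: {reason}")
```

Only the all-ports "stealth_unreachable" case with no listening service comes back as not revealed, and a single open port flips it.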

Even in the situation where all ports are stealthed “properly” what are you really accomplishing? It’s like the security is depending on the hacker being an idiot or just driving through the town NMAPing random houses.

The big problem is that people think “Closed” is insecure now. That only stealth is secure.

I can see some potential when actually done the right way but I just couldn’t ever make myself spend the time setting up stealthed ports. If your question is: “Should I stealth my ports?” my answer is: “Don’t bother.”

Here’s a tip – stop making security a matter of whether the attacker knows you’re there and start making it a matter of whether or not they can get in anyway.