This is a discussion on BitTorrent security questions within the Linux Security forums, part of the System Security and Security Related category.
I'm running a Linux desktop behind a NAT router with a broadband connection to the Internet. I've also installed an iptables based firewall (Firestarter) with a completely permissive outbound traffic policy and an inbound traffic policy of NO connections from any host allowed and NO services on any port allowed for anyone.

I frequently use BitTorrent (Azureus 2.3.0.6) to download files from the web. In order to support this I enabled port forwarding on the NAT router for ports 6882-6889 for service BitTorrent. With these settings BitTorrent seemed to be running all right.

Recently, after I had installed an update for Azureus (v.2.3.0.6), I noticed a new colored button in the status bar which would be either yellow or red indicating a "Possible NAT (TCP) problem".

In the course of investigating this, I also noticed an item "NAT/Firewall test" in the Azureus Tools menu which would test the "incoming TCP/UDP listen port" which I had set to 6886. When I ran this test, it failed with the message "Testing port 6886 ... NAT error". The test dialog box also offered the following explanation: "In order to get the best out of Azureus, it's highly recommended to be fully accessible from the Internet. This tool lets you test and/or change the port used to accept incoming peer connections."

I took this recommendation to mean that I should open my firewall for the ports used by bittorrent. Accordingly, I added the inbound traffic policy "Allow service BitTorrent for port 6881-6889 for everyone."

With that the NAT status indicator button in the Azureus status bar turned green ("NAT OK (TCP)"). Also, some of the torrent health indicators for ongoing downloads turned green, meaning "everything is going fine" whereas before they had generally been yellow, meaning "you're connected to peers, tracker is OK but you may have a NAT problem if your torrents stay on yellow status all the time."

After I'd made these changes everything seemed fine and subjectively it seemed as though Azureus was working better and down/uploading faster.

Then I did a Shields Up (grc.com) port scan for the range of ports 6881-6889 while Azureus was running and downloads were proceeding. The result: 6881 stealthed, 6882-6885 and 6887-6889 closed, 6886 OPEN. Ouch! I'd been running my system with this configuration for more than a week.

I immediately removed the firewall rule "Allow service BitTorrent for port 6881-6889 for everyone" and did another Shields Up port scan. The result: 6881-6889 stealthed. BitTorrent down/uploads were still running fine.

Next I also disabled port forwarding for ports 6882-6889 in the NAT router. BitTorrent down/uploads were still running fine.

Several questions:

1. When my system was configured with port forwarding enabled in the router and BitTorrent allowed for ports 6881-6889 in the inbound traffic rules of my firewall, the Shields Up port scan diagnosed port 6886 as open whenever Azureus was running. Did that constitute a major security hazard that a malicious hacker could have exploited? Could he have installed malware via this "open" port, or was this port only open for the BitTorrent protocol? If malware had been installed would it have remained in my user area (I wasn't running Azureus as root) or could I have been rooted?

2. What were the security implications when I was running Azureus with NAT router port forwarding enabled for 6882-6889 but firewall closed to traffic coming in on 6881-6889? Was there a possibility of a security compromise in that configuration?

3. What is the point of aiming for green settings for the NAT status of the incoming TCP/UDP listen port 6886 and for "torrent health", settings which potentially introduce security hazards, when BitTorrent appears to be functional even when these settings are in the yellow or red range?

Thanks in advance.

Robert
|
|||
|
Ports are simply addresses that some software on your system listens for. They are like apartment numbers in an apartment building. Outside things can knock on the doors of the various apartment numbers. If no one answers that means the port is closed. If something answers it is open. But that something that answers will be some program. The security of the system depends on what program answers. If it is a buggy program, then an attack may be possible. If it is not a buggy program then it will do only what it is designed to do.

In your case it is bittorrent that answers the door. It is the security of bittorrent that you have to worry about. I do not know of any bittorrent exploits, but that of course does not mean much.

A port is NOT an open door into your computer system. A port is simply an address. It is not as if an "open port" allows anything out there to use that port to do anything on your computer. It simply means that some program answers the knock.
|
|||
|
Robert Glueck wrote:

> 1. When my system was configured with port forwarding
> enabled in the router and BitTorrent allowed for ports
> 6881-6889 in the inbound traffic rules of my firewall, the
> Shields Up port scan diagnosed port 6886 as open whenever
> Azureus was running. Did that constitute a major security
> hazard that a malicious hacker could have exploited? Could
> he have installed malware via this "open" port, or was this
> port only open for the BitTorrent protocol? If malware had
> been installed would it have remained in my user area (I
> wasn't running Azureus as root) or could I have been
> rooted?

Azureus only uses port 6881 TCP for data transmission and 6881 UDP for distributed hash table (dht or "trackerless" torrents) communication by default. Ports 6882-6889 of either protocol are used for miscellaneous plugins and additional non-essential services offered by azureus which can be safely disabled or firewalled off. This is only a minor security risk as the program azureus would have to be exploited remotely (or you would have to install a corrupted copy) for an attacker to gain anything in this way and any gain would be restricted to the user azureus is running as (i.e., you). You can safely open only port 6881 TCP and UDP for azureus' use.

> 2. What were the security implications when I was running
> Azureus with NAT router port forwarding enabled for
> 6882-6889 but firewall closed to traffic coming in on
> 6881-6889? Was there a possibility of a security
> compromise in that configuration?

See above, only with a firewall blocking connections to the unnecessary ports the risk is even further mitigated. Unless the program has been installed compromised or locally compromised and is making outgoing connections to malicious servers (in which case you are already in trouble) you are perfectly safe. Were I you, I would track down whichever portion of azureus is opening port 6886 and disable it if unnecessary though.

> 3. What is the point of aiming for green settings for the
> NAT status of the incoming TCP/UDP listen port 6886 and for
> "torrent health", settings which potentially introduce
> security hazards, when BitTorrent appears to be functional
> even when these settings are in the yellow or red range?

The "green" status of the bit torrent network allows you to receive connections from hosts who would otherwise be unable to contact you. Bit torrent is fully functional in "yellow" status and has an unavailable tracker (for whatever reason) in "red" status. Green status is highly desirable because it can result in speed boosts of well over 200%. Case in point, my system tends to download around 15-20 KB/s while yellow and has been known to reach over 500 KB/s while green.

> Thanks in advance.
>
> Robert

Hope this helps,
Will
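An added example (not part of any post in this thread): a small model of why the first Shields Up scan reported 6881 stealthed, 6882-6885 and 6887-6889 closed, and 6886 open, together with a parser for the Linux `/proc/net/tcp` format that shows which listener, and which user ID, answers on a port. The socket table, the function names, and the assumption that the router and the host firewall silently drop packets they do not forward or allow are constructed for illustration.

```python
import socket
import struct

# Constructed /proc/net/tcp excerpt. Addresses are hex IPv4 in little-endian
# byte order, ports are hex, and state 0A means LISTEN (01 is ESTABLISHED).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1AE6 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11872 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:1AE6 5E2A0A0A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 41250 1 0000000000000000 20 4 30 10 -1
"""


def listening_sockets(proc_net_tcp):
    """Return {port: (bind_ip, uid)} for every socket in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners[int(hex_port, 16)] = (ip, int(fields[7]))
    return listeners


def scan_verdict(port, forwarded, fw_allowed, listeners):
    """What an outside TCP probe sees for one port.

    Assumptions of this model: the router silently drops ports it does not
    forward, the host firewall silently drops ports it does not allow, and
    the kernel answers with a reset when no program listens on the port.
    """
    if port not in forwarded or port not in fw_allowed:
        return "stealth"                 # probe never gets any answer
    bound = listeners.get(port)
    if bound is None or bound[0].startswith("127."):
        return "closed"                  # reachable, but nobody answers
    return "open"                        # a program answers the knock


def scan(ports, forwarded, fw_allowed, listeners):
    return {p: scan_verdict(p, forwarded, fw_allowed, listeners) for p in ports}


def exposed(results, listeners):
    """(port, uid) of each program reachable from outside; uid 0 is root."""
    return [(p, listeners[p][1]) for p, v in sorted(results.items()) if v == "open"]


if __name__ == "__main__":
    table = listening_sockets(SAMPLE_PROC_NET_TCP)
    bt_ports = range(6881, 6890)
    router_forward = range(6882, 6890)   # forwarding rule from the first post
    # Firewall rule "allow 6881-6889 for everyone" in place:
    with_rule = scan(bt_ports, router_forward, range(6881, 6890), table)
    # Firewall rule removed again:
    without_rule = scan(bt_ports, router_forward, range(0), table)
    print(with_rule)
    print(without_rule)
    print("reachable listeners (port, uid):", exposed(with_rule, table))
```

On a live system the same table can be read from `/proc/net/tcp` and passed to `listening_sockets`; the only externally reachable program in this model is the one bound to 6886, running as an unprivileged user.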
|
|||
|
"Will Ashford" <ashford@virginia.edu> wrote in message news:dpsu9n$42j$1@murdoch.acc.Virginia.EDU...

> Azureus only uses port 6881 TCP for data transmission and 6881 UDP for

I really don't agree with this. I'm only using port 55555 for Azureus, and don't have any problem with that ;-)

> distributed hash table (dht or "trackerless" torrents) communication by
> default.
|
|||
|
Kurt De Bree wrote:

> "Will Ashford" <ashford@virginia.edu> wrote in message
> news:dpsu9n$42j$1@murdoch.acc.Virginia.EDU...
>
>> Azureus only uses port 6881 TCP for data transmission and 6881 UDP for
>
> I really don't agree with this. I'm only using port 55555 for Azureus, and
> don't have any problem with that ;-)

Oh, yes, you can change the port if you'd like (in fact it is highly recommended that you do because ISPs like to block port 6881). I was simply detailing the default behavior.

Will

<snip>
|
|||
|
> 2. What were the security implications when I was running
> Azureus with NAT router port forwarding enabled for
> 6882-6889 but firewall closed to traffic coming in on
> 6881-6889? Was there a possibility of a security
> compromise in that configuration?

Yes, of course. If I were a bad hack3r, now I know that you have some ports forwarded and therefore open. Your firewall has a hole. I could make an infected email or some kind of trick for installing, or use pre-installed software, that makes me for example an admin of your PC. Instead, if you close all, or stealth, you can prevent all risks.