Stealth Mode


  • I was ready to purchase an Amplifi HD then discovered that it does support Stealth Mode. I am currently a Unifi user but we are moving and Amplifi is a better option in the new place. Stealth Mode is a "must have" on any network that I implement.

    I am really surprised that Stealth Mode is not implemented and from what I understand it is not on the immediate radar.

    I view this as a "must have" for any environment. Until Stealth Mode is implemented I will definitely not recommend Amplifi to anyone. Also, when implemented it should be on by default.


  • @james-earl-ford Can you provide more information on what you're seeing and expecting? I just did a full scan using Shields Up (Steve Gibson of GRC.com) and it showed everything being fully stealthed for me, with the only concern to note being that it got a ping response. I'm running firmware v2.6.2rc1.



  • Oddly, mine is showing tcp/19 as closed (RST), but other than that, it's showing stealth (silent drop) on everything else but icmp ping on the first 1056 ports. Even then, if you use teleport along with it, I suspect it'll need to leave a port open as well unless it goes and programs itself via the remote access channel based on where it sees the teleport's source coming from to some middlebox.


    Results from scan of ports: 0-1055

    0 Ports Open
    1 Ports Closed
    1055 Ports Stealth
    1056 Ports Tested

    NO PORTS were found to be OPEN.

    The port found to be CLOSED was: 19

    Other than what is listed above, all ports are STEALTH.

    TruStealth: FAILED - NOT all tested ports were STEALTH,
    - NO unsolicited packets were received,
    - A PING REPLY (ICMP Echo) WAS RECEIVED.


  • When I ran my prior scan, that was without a Teleport as part of the network. Unrelated to this conversation, I added a Teleport to my network and tested it. After the Teleport was configured and functional (complete with a remote test), I then left the Teleport as part of my network but unplugged it and ran another scan. I had the same results - 100% stealth from 1-1055 without exceptions.

    I have not run a scan while the Teleport was active, so I have no data for that scenario.

    @Michael-Eckhoff I suspect your tcp/19 exception may have been specific to your case where it was opened for a specific purpose. I can't even guess what that purpose was but perhaps something requested it via UPnP or something?


  • @shane-milton I too use ShieldsUp to check for open ports, therefore I am glad to see that it is showing all ports closed. I could not do this because I do not yet own an Amplifi HD but want to use it in the place we are moving to. As I stated, I currently use Unifi but since our house was purchased by a family member we will be leaving it when we move. We are moving to a much smaller place (seniors downsizing) and the HD will be more than adequate.

    I based my post on several things.

    1. I read in several unrelated sites (not reposts from other sites) that the HD does not support stealth mode.
    2. I chatted with Amplifi support and they also told me that stealth mode was not supported and was not a priority item to be added. They suggested that I make it a suggestion and hope that it would get moved up on the priority list, which I did.

    Since I really like Ubiquiti products and now that it supports stealth mode I will definitely purchase one for our new place.

    Thanks for your and others' responses.


  • @james-earl-ford I bet the support person you were talking about perhaps misunderstood what you meant by "stealth mode" or was otherwise misinformed. I'm glad this solves your concern!


  • @james-earl-ford said in Stealth Mode:

    ShieldsUp

    Big up to implement stealth-mode immediately!


  • @james-earl-ford We drop all incoming TCP/UDP packets by default. Does it match your definition of "stealth mode"?


  • @dmitrijs-ivanovs The router should not respond to anything, including pings (ICMP). Stealth has improved since December, but Shields Up still shows the router responding to pings. Ports tested by Shields Up are all stealth.

    Here's what it reports after a Service Ports scan:
    Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

    Go test for yourself: https://www.grc.com/x/ne.dll?bh0bkyd2

    By the way, I'm running 2.6.3.
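As an added example (not the AmpliFi firmware's configuration or anything Ubiquiti has published): a Linux nftables ruleset that produces the WAN behaviour the thread calls stealth, with the disabled `reject with tcp reset` line showing what makes ShieldsUP report a port as "closed" rather than stealth. Interface names eth0 (WAN) and br0 (LAN bridge) and the LAN management ports are assumptions.

```nft
# Added example, not AmpliFi code. Assumed: eth0 = WAN, br0 = LAN bridge.
table inet wan_stealth {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to flows the router started stay allowed; "related" also
        # covers the ICMP errors (dest-unreachable, time-exceeded) that path
        # MTU discovery needs, so no separate ICMP allow rule is required.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # LAN may still ping and manage the router (ports are assumptions).
        iifname "br0" icmp type echo-request accept
        iifname "br0" icmpv6 type echo-request accept
        iifname "br0" tcp dport { 22, 80, 443 } accept

        # IPv6 cannot work without neighbour discovery, even on WAN; keep
        # only those ICMPv6 types and nothing else from outside.
        iifname "eth0" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # WEAK, kept disabled for contrast: a TCP RST is exactly what
        # ShieldsUP reports as "closed" (tcp/19 in the scan above). The
        # probe learns a host exists even though the port is not open.
        # iifname "eth0" tcp dport 19 reject with tcp reset

        # Everything unsolicited on WAN, echo-request included, falls to the
        # chain policy and is dropped with no reply ("stealth"). The explicit
        # lines are redundant but make the intent visible in `nft list ruleset`.
        iifname "eth0" icmp type echo-request drop
        iifname "eth0" icmpv6 type echo-request drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "br0" oifname "eth0" accept
    }
}
```

`nft -c -f stealth.nft` checks the file without loading it; after `nft -f stealth.nft`, an external ShieldsUP Service Ports scan should show every tested port as stealth and no ping reply.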


  • @dmitrijs-ivanovs I think I'm with @jamie-pearson and others that I would like ICMP to be blocked, or at least to have it be blocked, on the WAN port.


  • This post is deleted!

  • @hanz-shcaerp Hanz, I don't mean to be rude but there's a lot of misinformation in that statement.


  • This post is deleted!

  • @hanz-shcaerp Wow.. As someone who is studying to become a Certified Ethical Hacker, I couldn't (respectfully) disagree more... As a Network Admin that sees all the random scans (and IPS prevent events) at our company, I can assure you, your IP doesn't matter. They don't care who you are or where you live, they are just looking for any unlocked door. I would prefer it if they didn't even know I had a door...

    The first line in our Security Awareness training is, "You are a target." Just because you aren't the Federal Reserve doesn't mean someone won't target you.

    Do I think that a standard router is enough for home? Probably. But by default anything incoming should be dropped. Or at least give an option to turn off/on for testing.


  • This post is deleted!

  • +1 here for blocking WAN pings (ICMP Echo Requests)

    My 6 year old cheap router used to provide this security so why not Amplifi HD?

    I don't want hackers/bots knowing my static IP/router exists.

    Are Ubiquiti planning on adding this option to the next firmware release?


  • I have the same issue. PING requests are not blocked and also port 135 is closed whilst the others are all stealth? (Using the very latest HD update)


