Technical Discussion
  >> Security Related Issues




Pages in this thread: 1 | [2] | 3 | 4 | (show all)   Print Thread
Standard User 10forcash (regular) Sat 18-Mar-17 19:27:54

Re: Are these TCP ports vulnerable? [re: caffn8me]

In reply to a post by caffn8me:
In reply to a post by 10forcash:
My primary reason for thinking this is that port 53 is not listed, without this, DNS will not function
Erm, nope. All the router needs to do is to pass the ISP or other open DNS server addresses to LAN clients via DHCP for them to work properly. There's no need for the router itself to listen on port 53 TCP or UDP.

Erm, nope. IF the scan is from LAN to WAN as the original poster asserted, then DNS would not function. Clearly, if the scan was from WAN to LAN, DNS would function normally as the DNS response would be a 'solicited response' and the router would pass the packet(s) using its NAT IP table back to the soliciting LAN device.
Standard User 10forcash (regular) Sat 18-Mar-17 19:34:45

Re: Are these TCP ports vulnerable? [re: Zadeks]

In reply to a post by Zadeks:
Use grc.com's ShieldsUP! All Service Ports scan.
Don't. It's inconsistent and fundamentally flawed. Better to use something written in the current century, preferably in the last five years.
Standard User legume (experienced) Sat 18-Mar-17 23:05:32

Re: Are these TCP ports vulnerable? [re: 10forcash]

In reply to a post by 10forcash:
In reply to a post by caffn8me:
In reply to a post by 10forcash:
My primary reason for thinking this is that port 53 is not listed, without this, DNS will not function
Erm, nope. All the router needs to do is to pass the ISP or other open DNS server addresses to LAN clients via DHCP for them to work properly. There's no need for the router itself to listen on port 53 TCP or UDP.

Erm, nope. IF the scan is from LAN to WAN as the original poster asserted, then DNS would not function. Clearly, if the scan was from WAN to LAN, DNS would function normally as the DNS response would be a 'solicited response' and the router would pass the packet(s) using its NAT IP table back to the soliciting LAN device.

The OP said the scan was from LAN to WAN IP, so the scan is from LAN to the router itself and nowhere else beyond that. Just because it doesn't have a DNS server running on it, it doesn't mean that DNS to elsewhere won't work.

If a scanner wanted to test whether anything on the router was blocking/hijacking outbound ports then it would need to scan a remote third box, with known behavior, that lived somewhere out on the internet.



Standard User ukhardy07 (knowledge is power) Sun 19-Mar-17 02:43:34

Re: Are these TCP ports vulnerable? [re: meditator]

Do you have telnet and ssh enabled for configuration and do you do this configuration over the internet?

Personally, I find it odd that you would have this many ports open.

Questions that spring to mind:
1. What do you need SSH remote access for?
2. What do you need telnet remote access for?
3. What web server / service are you running on port 80?

FYI: http://www.packetu.com/2012/04/17/whats-wrong-with-t...

Edited by ukhardy07 (Sun 19-Mar-17 02:45:51)

Standard User meditator (fountain of knowledge) Sun 19-Mar-17 11:31:55

Re: Are these TCP ports vulnerable? [re: ukhardy07]

There are well over 50,000 ports on a home computer, of which about the first 1000 or so are the most important, so it's not surprising that a good many of them can be required to operate specific services at various times. Apple themselves publish a list of ports that users of Apple machines may find in use at certain times, and if you care to look back to an earlier posting of mine in this thread and use the link I've quoted you'll see that list.

Http, for instance, has to be open to allow a browser to work. Ssh is also something that seems to be a service that's commonly left open deliberately; I've even checked in an Apple Pro Series Training manual that I possess and the training schematics invariably show ssh as open. However, I don't profess to understand the exact whys and wherefores. Netbios (139) relates to a protocol used for file sharing between Apple and Windows machines, usually but not always I think, inside a LAN. Microsoft-ds (445) is a bit of an unknown quantity but isn't used by Apple anyway. For me, telnet is the biggest cause for concern. I think I'm correct in saying that telnet within the LAN has to be enabled in order that the user can communicate with the router and obtain the line operating stats (and possibly also instrumental in opening the GUI), but I've found it surprising that the telnet port on the Internet side of the router is open, or at least apparently so. I don't run telnet in remote access, and that's true of ssh too. Also, I'm not running a web server on port 80, as far as I'm aware, though what counts as a server could be something as straightforward as DHCP.

What that training manual makes a point of is that, where TCP ports are concerned, the numbers and types in use will vary from user to user, machine to machine, according to services and apps that need to run. And BTW, as an Apple user I've no control over which ports are left open and which aren't. At the machine level, to a large degree I have to rely on OSX's built-in firewall, which frankly isn't the most comprehensive of things, but at least it allows me to block unsolicited incoming connections from the Internet and to put the Apple machine into stealth mode. OSX's firewall relates only to the Apple machine, though, not to any external-facing ports on the router. For the latter, the router relies on NAT, plus a firewall of its own.

Whilst I'm prepared to believe that it may be admissible for ports 22, 80, 139 and 445 to be open, I can't say the same for port 23, telnet. Most people wouldn't want to do telnetting over the Internet; it's likely to be a security hole. But why it's come up in the result I don't know. I think that until someone can be found who truly understands how Port Scan works in the context of Apple machines (particularly regarding port scanning of the WAN IP address of the router) and can put an interpretation on my result that stands up to scrutiny, I, you and everyone else here will just be speculating.
Standard User ukhardy07 (knowledge is power) Sun 19-Mar-17 11:58:58

Re: Are these TCP ports vulnerable? [re: meditator]

I understand the need for ports to be open sometimes, however it is very different having a port open on your internal network vs having the same port accessible to the internet.

If you have ssh internet facing, somebody will almost certainly attempt to guess the credentials to log in. I have set up an SSH honeypot internet facing and within 1 minute I had random guesses hitting it.

I can never recommend to have these services internet facing. They are ok to be internally accessible, provided you trust users on your internal network.

FYI I have years of experience security & penetration testing in the banking sector mainly.
Standard User legume (experienced) Sun 19-Mar-17 12:04:49

Re: Are these TCP ports vulnerable? [re: meditator]

In reply to a post by meditator:
but I've found it surprising that the telnet port on the Internet side of the router is open, or at least apparently so. I don't run telnet in remote access, and that's true of ssh too. Also, I'm not running a web server on port 80, as far as I'm aware, though what counts as a server could be something as straightforward as DHCP.


Do you now know what's open from the internet? If

https://www.grc.com/x/ne.dll?bh0bkyd2 (common ports test)

shows open then fair enough - but I thought you were testing from LAN to router.

Your router from LAN will run a web server on port 80 so you can access it from a browser.
Standard User meditator (fountain of knowledge) Sun 19-Mar-17 13:46:28

Re: Are these TCP ports vulnerable? [re: ukhardy07]

I understand the need for ports to be open sometimes, however it is very different having a port open on your internal network vs having the same port accessible to the internet.


Well yes, I understand that but you can't block literally everything that faces the Internet. With Macs these days there are certainly minimal services that have to run, such as DHCP, IDsec, etc, even when all incoming connections are notionally blocked. In fact, in the OSX firewall settings, OSX makes a point of telling you that.

Quite apart from this - and as I keep saying - I have no control over whether the ports I've listed are closed or not. There's certainly nothing normally available in the Mac for closing those ports, and as far as I know there's nothing in my router that can be configured to close them either. To close those ports at the Mac would require, I suspect, a Terminal hack, meaning that you'd need to edit Unix code. As far as the router's concerned, if what you contend is the case then it'd surely be a very poor router that'd require those ports to be especially manually blocked in order to provide 'quick start' and subsequent safe surfing. Most people wouldn't have the wherewithal to do it.

At present (and here I'm talking about the Mac on the LAN, not the router) I've got all unsolicited incoming connections blocked and OSX is telling me that, despite that, it needs to keep a few minimal services running (but it doesn't detail which). It could perhaps be that if I were to unblock the incoming connections I'll then be allowed to selectively enable or disable certain of those services. But that's only my guess.

An oddity I've found in the last half an hour is that if I use OSX to perform a port scan on the LAN side of the router, e.g. to 192.168.1.x, I get exactly the same result as the one obtained when it's asked to scan the router's WAN IP address (its external static address). On the face of it, this implies that the router isn't providing any blocking at all itself. But there are perhaps other possible explanations. It might be, for instance, that Port Scan as performed by OSX on the router's WAN address simply isn't designed to handle that sort of 'turnaround' scan and is meant only for internal scans (scans confined to within the LAN). Apple have been remiss in providing sufficient info on exactly what OSX's Port Scan does and where it's relevant.

I feel that the only way of getting a grasp on what's really happening is to use an independent and reliable external port scanner. But Shields Up (grc.com) no longer fits the bill, and other scanner websites may themselves be security risks.

Looking through the logs of both Console and Activity Monitor, two built-in network utilities in OSX, I've found nothing at all suspicious. And doing a netstat has yielded nothing of any great interest either. It identified the IP of a running connection with my Mac but when I did a Who-Is that connection turned out to be with Apple.
Standard User ukhardy07 (knowledge is power) Sun 19-Mar-17 14:11:58

Re: Are these TCP ports vulnerable? [re: meditator]

Running a mac does not automatically open up telnet and SSH to the internet.

If you enable these services, by default they will be NATd by the router and not magically become WAN facing unless you configure things this way. Not to mention you'd need to port forward or place the device into the DMZ. I've never seen SSH set itself up over UPNP but I could be wrong.

Some ports are required by services such as FaceTime and by default these ports are opened over UPNP or NAT hole punching to make them work.

I hear your argument that Apple devices have these ports internet facing out of the box to function, and all I can say is you are wrong.

I repeat again: OSX does not make SSH and telnet internet facing on the ports listed by default. If you have no need for them to be internet facing, i.e. you do not use these services remotely, you should disable the ports. We can help you figure out what's causing it for sure and assist in disabling.
Standard User meditator (fountain of knowledge) Sun 19-Mar-17 15:33:04

Re: Are these TCP ports vulnerable? [re: ukhardy07]

I don't think I've stated with any 100% conviction that open ssh and telnet, etc. ports are a normality where Apple machines are concerned. I've merely pointed out that several indicators I managed to find, e.g. the official Apple training manual, displayed them as normally open ports when a Port Scan was done. In the absence of anything to the contrary, all I could do therefore was to conclude that at least most of those five ports are normally found to be open. I sense from your authoritative prose that you yourself are a Mac user and a knowledgeable and experienced one at that, so maybe at last I might be getting somewhere with this.

To digress slightly, I've returned to my router's GUI in order to look for a remote access configuration setting that includes control of ssh, telnet, ftp, etc., and which I vaguely recall seeing in earlier firmware of this self same router but which didn't seem to exist in the latest firmware. However, I've now finally found that setting. It seems that if you completely disable remote access in the router, the ssh, telnet etc options are no longer presented to screen. So I temporarily enabled remote access. All of them, with the exception of http, which was enabled but greyed out, then showed as being in the disabled state. Therefore, as far as my router goes, it should be blocking those services. So, to respond to your final paragraph, I've done (and had done, by default) what you're advocating.

But the question remains as to why, therefore, when the OSX Port Scan is used to do either an internal or external scan of the router, the answer I get is that all those ports are open! Is the scanner in OSX flawed and giving false results? BTW, it's OSX 10.9.5 I'm using and therefore not the latest. Been planning to do a major upgrade, including a wipe of the hard drive, for some time. Hence, wanting to get this open ports issue sorted out now rather than later.

I don't know if I mentioned this earlier in my postings but the router manufacturer maintains that if you do a port scan from within the LAN, to the WAN IP address of the router, you get a false result. Apparently, this is because of the way in which 'NAT loopback' works when the scan is initiated from the LAN side, i.e. from a computer on the LAN. This doesn't however explain why I also see these five ports as open when a scan's done on the router's LAN IP address. I'm at a loss. Go figure.
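The NAT loopback point legume makes above (a scan of the WAN address from inside the LAN reaches the router itself) and the router manufacturer's note in the post just above come down to one rule: a result obtained from inside the LAN cannot tell you what the internet sees. The following is an added example, not code from anyone in this thread; it checks the five ports against whichever address you give it and then interprets the results from the three vantage points. The scan results it is tested with are constructed sample data, and the verdict labels are my own naming.

```python
import socket
from typing import Dict, Optional

# The five ports the scan in this thread reported as open (names as commonly assigned).
PORTS = {22: "ssh", 23: "telnet", 80: "http", 139: "netbios-ssn", 445: "microsoft-ds"}


def check_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes, i.e. something accepts there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports=PORTS) -> Dict[int, bool]:
    """Check each port against one address. Run once per vantage point:
    the router's LAN address from the LAN, its WAN address from the LAN,
    and (the only one that counts) its WAN address from a host on the internet."""
    return {p: check_port(host, p) for p in ports}


def classify(lan_ip: bool, wan_ip_from_lan: bool, external: Optional[bool]) -> str:
    """Verdict for one port. external is None when no outside scan has been run."""
    if external is True:
        return "internet-exposed"          # an outside host connected: act on this one
    if external is False:
        return "lan-only" if lan_ip else "closed"
    # No outside result: a LAN-to-WAN-IP probe is answered by the router itself
    # under NAT loopback, so matching the LAN-address scan proves nothing.
    if lan_ip and wan_ip_from_lan:
        return "inconclusive-loopback"
    if wan_ip_from_lan:
        return "inconclusive"
    return "closed"


def summarize(lan_scan: Dict[int, bool], wan_from_lan_scan: Dict[int, bool],
              external_scan: Optional[Dict[int, bool]] = None) -> Dict[int, str]:
    """Combine the three scans into a per-port verdict."""
    ext = external_scan or {}
    return {p: classify(lan_scan.get(p, False), wan_from_lan_scan.get(p, False), ext.get(p))
            for p in PORTS}


if __name__ == "__main__":
    # Constructed sample matching the thread: all five open from both LAN vantage points.
    from_lan = {p: True for p in PORTS}
    for port, verdict in summarize(from_lan, dict(from_lan)).items():
        print(f"{port:>4} {PORTS[port]:<13} {verdict}")
```

With only the two LAN-side scans every port comes out "inconclusive-loopback"; only feeding in a scan run from a host outside the LAN turns a verdict into "internet-exposed" or "lan-only".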