Technical Discussion >> Security Related Issues

Standard User meditator
(fountain of knowledge) Fri 17-Mar-17 16:29:34

Are these TCP ports vulnerable?

I recently performed a scan on my WAN IP address and was surprised to find the following open TCP ports:-

22 ssh
23 telnet
80 http
139 netbios-ssn
445 microsoft-ds

Now, I recognise port 80 as being valid - but I've no idea about the others, really. Anyone got any opinions? I thought telnet was something that was always highly vulnerable to being used by nefarious factions on the Internet, or am I wrong about that?

Anyone know how to close off some of these? This is on a Mac, incidentally. Presumably, if I were to block port 23 I wouldn't be able to telnet into my router to look at stats, and that would also include the GUI version of the stats?

Standard User 10forcash
(regular) Fri 17-Mar-17 19:18:28

Re: Are these TCP ports vulnerable? [re: meditator]

Which side did you scan from? If you scanned from within your LAN to find ports open to your router, then it's fine, if you scanned from 'the internet' to your WAN IP address, it's bad, very bad. Ideally, no open ports should be visible from 'the internet' to your router's WAN IP. Open ports as listed can indicate an already compromised router or LAN device.

Standard User TheEulerID
(experienced) Fri 17-Mar-17 19:33:49

Re: Are these TCP ports vulnerable? [re: meditator]

Do you mean your WAN facing IP address (that is the one you get if you go to this, or similar sites)

http://whatismyipaddress.com/

Or do you mean the address of your router as seen from your computer?

If it's the former, then that's not good. Generally ports to the Internet should be closed unless you are port forwarding or have some very good reason to open them. In either case, you need to know what you are doing. I would certainly not expect to see telnet as an open port to the Internet as that invites trouble.

If it's the latter, then what you have is fairly normal. I'm guessing that you probably scanned the local router address (which will probably be a 192.x.x.x address of some sort).

You can't generally scan your Internet facing port from a local computer, but there are sites, like this one, which will scan for common vulnerabilities.

https://mxtoolbox.com/PortScan.aspx


Standard User meditator
(fountain of knowledge) Fri 17-Mar-17 21:31:46

Re: Are these TCP ports vulnerable? [re: TheEulerID]

Thanks, everyone.

I was scanning from a utility running on a computer on my LAN so, to answer your repeated question, it was an 'internal' scan, not a scan from the actual Internet. I'm obviously relieved to learn that this result is normal and is nothing to get concerned about.

Since posting this query I've also heard from the manufacturer of my router that it includes a firewall - other than that naturally resulting from NAT - to block access on these ports and, as long as that firewall is enabled (which it is), unsolicited access on these ports, past the router, is barred from the Internet (but, from within the LAN, these ports are meant to appear open).

Phew!

Standard User 10forcash
(regular) Fri 17-Mar-17 22:43:04

Re: Are these TCP ports vulnerable? [re: meditator]

Are you sure? Is it possible that this 'utility' contacted an external server to run a vulnerability scan on your WAN IP, commanded from within your LAN?
If these ports are indeed the only ones open from your LAN to WAN, then your use of the internet is very restricted - I assume you use email? If so, there should be TCP ports 25 & 110, or if you use secure transmission, 465 & 993, with TCP port 143 available for IMAP4 if used.
Secondly, are these ports firewalled on a per-machine basis or at the router? Standard SOHO / domestic routers have an outbound policy of 'allow all' (totally insecure, but what ISPs want, to prevent their first-line phone answerers having to explain how to configure a router securely).
If the firewall is actually a machine-based one, I'm intrigued as to why port 445 is open; this is typically used for Microsoft RPCs - such as credential exchange on a Microsoft network - and I'm not sure this is open on an Apple OS unless it is domain-joined. It can and is, however, used as an attack vector from WAN to LAN.
Other outbound ports I'd expect to see available include NTP and DNS; other traffic can usually be ported through 80 or 443 if required.

Edited by 10forcash (Fri 17-Mar-17 22:47:12)

Standard User legume
(experienced) Sat 18-Mar-17 00:53:20

Re: Are these TCP ports vulnerable? [re: 10forcash]

In reply to a post by 10forcash:
Are you sure? Is it possible that this 'utility' contacted an external server to run a vulnerability scan on your WAN IP, commanded from within your LAN?
If these ports are indeed the only ones open from your LAN to WAN, then your use of the internet is very restricted


I guess the scan was to the router, not to somewhere through it.
Knowing exactly what the scanner tested and how would be useful to answer the port 445 question.

Standard User meditator
(fountain of knowledge) Sat 18-Mar-17 15:31:35

Re: Are these TCP ports vulnerable? [re: 10forcash]

Are you sure? Is it possible that this 'utility' contacted an external server to run a vulnerability scan on your WAN IP, commanded from within your LAN?

Well, I can't be 100% certain about it. That's why I'm asking for second opinions.

I'm not sure if the following makes it any clearer to us all: https://support.apple.com/en-gb/HT202944. For instance, are we to presume that all of the named services in that article are normally left open, or is it just a list and will depend on machine usage and user preferences? Or what exactly? There's no guidance given there as to how and why any of them should be manually closed or left open. Another thing that's apparent is that RFC numberings are not set in stone for all time (if I'm understanding things correctly). For instance, ssh is port 22 normally, but according to that article is now port 4253. Similarly, for the other services in my original list.

I can understand why perhaps port 139 is found open. That's because some time ago I experimented with file sharing between a Windows machine and the Mac (on the same LAN), albeit that I no longer use the machines in that way any longer. Port 445 might be listed simply because I use MS Office for Mac and need to download updates from time to time. I'm surprised to see telnet so prominent, though. I always thought that telnet was potentially an open door for Internet scanners, but I guess it needs to be open, if only across the LAN, so as to make the router's GUI and showtime stats available.

Perhaps whether certain ports get reported on depends on which version of OSX is in use and how the various applications on the machine are configured? 'macOS' per se refers specifically to the latest version of OSX called Sierra, which I'm not using at present and instead am using an earlier version of OSX, so I'm not sure whether the statement "The application firewall in macOS ..... instead of by port" at the beginning of that Learn More section of the article has any significance.

Knowing exactly what the scanner tested and how would be useful to answer the port 445 question.

This is a case where there just doesn't seem to be any useful in-depth info given by Apple about 'Port Scan', to determine what it actually does and which ports could be vulnerable if left open, and in which direction.

Standard User 10forcash
(regular) Sat 18-Mar-17 16:31:09

Re: Are these TCP ports vulnerable? [re: meditator]

It would help if you could describe your physical setup, including manufacturer names of items. I strongly suspect that you were initiating a scan from an external server to your WAN IP. My primary reason for thinking this is that port 53 is not listed; without this, DNS will not function (unless you have some pretty complex port redirect rules in your firewall config) and you will have to input web addresses as an octet string. If I'm right, those ports you list are open on your WAN IP to unsolicited traffic. BTW port 445 is irrelevant to Office on Apple OS; it is primarily used for domain authentication and RPC traffic - it does have some use in RDP under certain configurations, hence why it would be open in a compromised router / firewall. It would also be worth looking at the NAT tables in your router / firewall to see which machine these open ports are pointing to.

Standard User caffn8me
(knowledge is power) Sat 18-Mar-17 16:51:02

Re: Are these TCP ports vulnerable? [re: 10forcash]

In reply to a post by 10forcash:
My primary reason for thinking this is that port 53 is not listed, without this, DNS will not function
Erm, nope. All the router needs to do is to pass the ISP or other open DNS server addresses to LAN clients via DHCP for them to work properly. There's no need for the router itself to listen on port 53 TCP or UDP.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Sat 18-Mar-17 16:55:32)

Standard User Zadeks
(experienced) Sat 18-Mar-17 16:58:15

Re: Are these TCP ports vulnerable? [re: meditator]

Use grc.com's ShieldsUP! All Service Ports scan.

Standard User 10forcash
(regular) Sat 18-Mar-17 19:27:54

Re: Are these TCP ports vulnerable? [re: caffn8me]

In reply to a post by caffn8me:
In reply to a post by 10forcash:
My primary reason for thinking this is that port 53 is not listed, without this, DNS will not function
Erm, nope. All the router needs to do is to pass the ISP or other open DNS server addresses to LAN clients via DHCP for them to work properly. There's no need for the router itself to listen on port 53 TCP or UDP.

Erm, nope. IF the scan is from LAN to WAN as the original poster asserted, then DNS would not function. Clearly, if the scan was from WAN to LAN, DNS would function normally as the DNS response would be a 'solicited response' and the router would pass the packet(s) using its NAT IP table back to the soliciting LAN device.

Standard User 10forcash
(regular) Sat 18-Mar-17 19:34:45

Re: Are these TCP ports vulnerable? [re: Zadeks]

In reply to a post by Zadeks:
Use grc.com's ShieldsUP! All Service Ports scan.
Don't. It's inconsistent and fundamentally flawed. Better to use something written in the current century, preferably in the last five years.

Standard User legume
(experienced) Sat 18-Mar-17 23:05:32

Re: Are these TCP ports vulnerable? [re: 10forcash]

In reply to a post by 10forcash:
In reply to a post by caffn8me:
In reply to a post by 10forcash:
My primary reason for thinking this is that port 53 is not listed, without this, DNS will not function
Erm, nope. All the router needs to do is to pass the ISP or other open DNS server addresses to LAN clients via DHCP for them to work properly. There's no need for the router itself to listen on port 53 TCP or UDP.

Erm, nope. IF the scan is from LAN to WAN as the original poster asserted, then DNS would not function. Clearly, if the scan was from WAN to LAN, DNS would function normally as the DNS response would be a 'solicited response' and the router would pass the packet(s) using its NAT IP table back to the soliciting LAN device.

The OP said the scan was from LAN to WAN IP, so the scan is from LAN to the router itself and nowhere else beyond that. Just because it doesn't have a DNS server running on it, it doesn't mean that DNS to elsewhere won't work.

If a scanner wanted to test whether anything on the router was blocking/hijacking outbound ports then it would need to scan a remote third box, with known behavior, that lived somewhere out on the internet.

Standard User ukhardy07
(knowledge is power) Sun 19-Mar-17 02:43:34

Re: Are these TCP ports vulnerable? [re: meditator]

Do you have telnet and ssh enabled for configuration and do you do this configuration over the internet?

Personally, I find it odd that you would have this many ports open.

Questions that spring to mind:
1. What do you need SSH remote access for?
2. What do you need telnet remote access for?
3. What web server / service are you running on port 80?

FYI: http://www.packetu.com/2012/04/17/whats-wrong-with-t...

Edited by ukhardy07 (Sun 19-Mar-17 02:45:51)

Standard User meditator
(fountain of knowledge) Sun 19-Mar-17 11:31:55

Re: Are these TCP ports vulnerable? [re: ukhardy07]

There are well over 50,000 ports on a home computer, of which about the first 1000 or so are the most important, so it's not surprising that a good many of them can be required to operate specific services at various times. Apple themselves publish a list of ports that users of Apple machines may find in use at certain times, and if you care to look back to an earlier posting of mine in this thread and use the link I've quoted you'll see that list.

Http, for instance, has to be open to allow a browser to work. Ssh is also something that seems to be a service that's commonly left open deliberately; I've even checked in an Apple Pro Series Training manual that I possess and the training schematics invariably show ssh as open. However, I don't profess to understand the exact whys and wherefores. Netbios (139) relates to a protocol used for file sharing between Apple and Windows machines, usually but not always I think, inside a LAN. Microsoft-ds (445) is a bit of an unknown quantity but isn't used by Apple anyway. For me, telnet is the biggest cause for concern. I think I'm correct in saying that telnet within the LAN has to be enabled in order that the user can communicate with the router and obtain the line operating stats (and possibly also instrumental in opening the GUI), but I've found it surprising that the telnet port on the Internet side of the router is open, or at least apparently so. I don't run telnet in remote access, and that's true of ssh too. Also, I'm not running a web server on port 80, as far as I'm aware, though what counts as a server could be something as straightforward as DHCP.

What that training manual makes a point of is that, where TCP ports are concerned, the numbers and types in use will vary from user to user, machine to machine, according to services and apps that need to run. And BTW, as an Apple user I've no control over which ports are left open and which aren't. At the machine level, to a large degree I have to rely on OSX's built-in firewall, which frankly isn't the most comprehensive of things, but at least it allows me to block unsolicited incoming connections from the Internet and to put the Apple machine into stealth mode. OSX's firewall relates only to the Apple machine, though, not to any external-facing ports on the router. For the latter, the router relies on NAT, plus a firewall of its own.

Whilst I'm prepared to believe that it may be admissible for ports 22, 80, 139 and 445 to be open, I can't say the same for port 23, telnet. Most people wouldn't want to do telnetting over the Internet; it's likely to be a security hole. But why it's come up in the result I don't know. I think that until someone can be found who truly understands how Port Scan works in the context of Apple machines (particularly regarding port scanning of the WAN IP address of the router) and can put an interpretation on my result that stands up to scrutiny, I, you and everyone else here will just be speculating.

Standard User ukhardy07
(knowledge is power) Sun 19-Mar-17 11:58:58

Re: Are these TCP ports vulnerable? [re: meditator]

I understand the need for ports to be open sometimes, however it is very different having a port open on your internal network vs having the same port accessible to the internet.

If you have a ssh internet facing somebody will almost certainly attempt to guess the credentials to login. I have setup a SSH honeypot internet facing and within 1 minute I had random guesses hitting it.

I can never recommend to have these services internet facing. They are ok to be internally accessible, provided you trust users on your internal network.

FYI I have years of experience security & penetration testing in the banking sector mainly.

Standard User legume
(experienced) Sun 19-Mar-17 12:04:49

Re: Are these TCP ports vulnerable? [re: meditator]

In reply to a post by meditator:
but I've found it surprising that the telnet port on the Internet side of the router is open, or at least apparently so. I don't run telnet in remote access, and that's true of ssh too. Also, I'm not running a web server on port 80, as far as I'm aware, though what counts as a server could be something as straightforward as DHCP.


Do you now know what's open from the internet? If

https://www.grc.com/x/ne.dll?bh0bkyd2 (common ports test)

shows open then fair enough - but I thought you were testing from LAN to router.

Your router from LAN will run a web server on port 80 so you can access it from a browser.

Standard User meditator
(fountain of knowledge) Sun 19-Mar-17 13:46:28

Re: Are these TCP ports vulnerable? [re: ukhardy07]

I understand the need for ports to be open sometimes, however it is very different having a port open on your internal network vs having the same port accessible to the internet.


Well yes, I understand that but you can't block literally everything that faces the Internet. With Macs these days there are certainly minimal services that have to run, such as DHCP, IPsec, etc., even when all incoming connections are notionally blocked. In fact, in the OSX firewall settings, OSX makes a point of telling you that.

Quite apart from this - and as I keep saying - I have no control over whether the ports I've listed are closed or not. There's certainly nothing normally available in the Mac for closing those ports, and as far as I know there's nothing in my router that can be configured to close them either. To close those ports at the Mac would require, I suspect, a Terminal hack, meaning that you'd need to edit Unix code. As far as the router's concerned, if what you contend is the case then it'd surely be a very poor router that'd require those ports to be especially manually blocked in order to provide 'quick start' and subsequent safe surfing. Most people wouldn't have the wherewithal to do it.

At present (and here I'm talking about the Mac on the LAN, not the router) I've got all unsolicited incoming connections blocked and OSX is telling me that, despite that, it needs to keep a few minimal services running (but it doesn't detail which). It could perhaps be that if I were to unblock the incoming connections I'll then be allowed to selectively enable or disable certain of those services. But that's only my guess.

An oddity I've found in the last half an hour is that if I use OSX to perform a port scan on the LAN side of the router, eg. to 192.168.1.x, I get exactly the same result as the one obtained when it's asked to scan the router's WAN IP address (its external static address). On the face of it, this implies that the router isn't providing any blocking at all itself. But there are perhaps other possible explanations. It might be, for instance, that Port Scan as performed by OSX on the router's WAN address simply isn't designed to handle that sort of 'turnaround' scan and is meant only for internal scans (scans confined to within the LAN). Apple have been remiss in providing sufficient info on exactly what OSX's Port Scan does and where it's relevant.

I feel that the only way of getting a grasp on what's really happening is to use an independent and reliable external port scanner. But Shields Up (grc.com) no longer fits the bill, and other scanner websites may themselves be security risks.

Looking through the logs of both Console and Activity Monitor, two built-in network utilities in OSX, I've found nothing at all suspicious. And doing a netstat has yielded nothing of any great interest either. It identified the IP of a running connection with my Mac but when I did a WHOIS that connection turned out to be with Apple.

Standard User ukhardy07
(knowledge is power) Sun 19-Mar-17 14:11:58

Re: Are these TCP ports vulnerable? [re: meditator]

Running a mac does not automatically open up telnet and SSH to the internet.

If you enable these services, by default they will be NATd by the router and not magically become WAN facing unless you configure things this way. Not to mention you'd need to port forward or place the device into the DMZ. I've never seen SSH set itself up over UPNP but I could be wrong.

Some ports are required by services such as FaceTime and by default these ports are opened over UPNP or NAT hole punching to make them work.

I hear your argument that Apple devices have these ports internet facing out of the box to function, and all I can say is you are wrong.

I repeat again OSX does not make SSH and telnet internet facing on the ports listed by default. If you have no need for them to be internet facing ie you do not use these services remotely you should disable the ports. We can help you figure out what's causing it for sure and assist in disabling.

Standard User meditator
(fountain of knowledge) Sun 19-Mar-17 15:33:04

Re: Are these TCP ports vulnerable? [re: ukhardy07]

I don't think I've stated with any 100% conviction that open ssh and telnet, etc. ports are a normality where Apple machines are concerned. I've merely pointed out that several indicators I managed to find, e.g. the official Apple training manual, displayed them as normally open ports when a Port Scan was done. In the absence of anything to the contrary, all I could do therefore was to conclude that at least most of those five ports are normally found to be open. I sense from your authoritative prose that you yourself are a Mac user and a knowledgeable and experienced one at that, so maybe at last I might be getting somewhere with this.

To digress slightly, I've returned to my router's GUI in order to look for a remote access configuration setting that includes control of ssh, telnet, ftp, etc., and which I vaguely recall seeing in earlier firmware of this selfsame router but which didn't seem to exist in the latest firmware. However, I've now finally found that setting. It seems that if you completely disable remote access in the router, the ssh, telnet etc. options are no longer presented to screen. So I temporarily enabled remote access. All of them, with the exception of http, which was enabled but greyed out, then showed as being in the disabled state. Therefore, as far as my router goes, it should be blocking those services. So, to respond to your final paragraph, I've done (and had done, by default) what you're advocating.

But the question remains as to why, therefore, when the OSX Port Scan is used to do either an internal or external scan of the router, the answer I get is that all those ports are open! Is the scanner in OSX flawed and giving false results? BTW, it's OSX 10.9.5 I'm using and therefore not the latest. Been planning to do a major upgrade, including a wipe of the hard drive, for some time. Hence, wanting to get this open ports issue sorted out now rather than later.

I don't know if I mentioned this earlier in my postings but the router manufacturer maintains that if you do a port scan from within the LAN, to the WAN IP address of the router, you get a false result. Apparently, this is because of the way in which 'NAT loopback' works when the scan is initiated from the LAN side, ie from a computer on the LAN. This doesn't however explain why I also see these five ports as open when a scan's done on the router's LAN IP address. I'm at a loss. Go figure.

Standard User ukhardy07
(knowledge is power) Sun 19-Mar-17 15:36:58

Re: Are these TCP ports vulnerable? [re: meditator]

If you PM me your external IP address I am happy to run a ports scan for you.

https://www.whatismyip.com/

Do not post your IP here.

Standard User legume
(experienced) Sun 19-Mar-17 17:02:23

Re: Are these TCP ports vulnerable? [re: meditator]

In reply to a post by meditator:
I don't know if I mentioned this earlier in my postings but the router manufacturer maintains that if you do a port scan from within the LAN, to the WAN IP address of the router, you get a false result. Apparently, this is because of the way in which 'NAT loopback' works when the scan is initiated from the LAN side, ie from a computer on the LAN. This doesn't however explain why I also see these five ports as open when a scan's done on the router's LAN IP address. I'm at a loss. Go figure.


Even without NAT loopback it's normal for a default-setup Linux box to answer on all the IPs it owns on any interface, so whether you use the WAN IP or the LAN IP it's just two different ways of accessing the router.
The firewall set up on the router will prevent access from the internet.

Standard User caffn8me
(knowledge is power) Sun 19-Mar-17 18:24:11

Re: Are these TCP ports vulnerable? [re: meditator]

Looking at the selection of ports which respond on your router's WAN IP when probed from the LAN, it seems perfectly normal for a router which has web, SSH and telnet management (many do), and a USB port into which you can plug a printer or storage device. It's just a fairly typical domestic router.

Even when you disable remote management via SSH and telnet, the router may still respond to these ports from LAN connected devices.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Sun 19-Mar-17 18:28:45)

Standard User 10forcash
(regular) Sun 19-Mar-17 19:39:29

Re: Are these TCP ports vulnerable? [re: legume]

Let's start with the basics, it'll help clear up a lot of the disinformation and outright C~rap above.
A firewall will allow or disallow packets to traverse it in either direction, according to the rules programmed into it. *Most* domestic firewalls are a sub-function of the router used to connect the local network (LAN) to the internet (WAN). Generally, these types of firewalls' default setting is to allow all outbound traffic on all ports. Note that these 'ports' are nominally allocated by the IETF, and the IEEE in some cases, to separate different types of traffic; it is possible that some ports have multiple uses, either due to programmers ignoring the 'rules' or attempting to subvert blocking techniques. Conversely, inbound traffic (from WAN TO LAN) is generally blocked completely unless it is a reply to a request sent from within the LAN.

So, if as the original post states, the test was from LAN to WAN, then as port 53 is not open, NO DNS requests will reach any DNS server on the WAN side of the firewall. This is not the same as suggesting that there is a local DNS server on the LAN - which in any case would be useless as any cached record would become stale after its TTL expired, and if it's on the LAN, would not need a firewall rule to allow access to it from other LAN devices. As I suggested previously, given that the original poster did not state that they have problems accessing the internet or have to type in an octet string, the likelihood that the test is actually LAN to WAN is low, which leaves the scenario that all the ports listed are actually open to the WAN...

All of which means that the firewall rules need to be examined and corrected. If this was an issue with NAT loopback, then ALL PORTS WOULD BE OPEN - remember that domestic routers trust the LAN by default and do not apply an active mitigation strategy to any LAN traffic.

Edited by 10forcash (Sun 19-Mar-17 19:44:09)

Standard User ukhardy07
(knowledge is power) Sun 19-Mar-17 19:43:31

Re: Are these TCP ports vulnerable? [re: 10forcash]

All of which means that the firewall rules need to be examined and corrected.
my sentiments exactly. Provided the ports are even open which they might not be.

Edited by ukhardy07 (Sun 19-Mar-17 22:08:14)

Standard User legume
(experienced) Sun 19-Mar-17 21:10:41

Re: Are these TCP ports vulnerable? [re: 10forcash]

In reply to a post by 10forcash:
Let's start with the basics, it'll help clear up a lot of the disinformation and outright C~rap above.

Please quote what disinformation you refer to.
A firewall will allow or disallow packets to traverse it in either direction, according to the rules programmed into it. *Most* domestic firewalls are a sub-function of the router used to connect the local network (LAN) to the internet (WAN). Generally, these types of firewalls' default setting is to allow all outbound traffic on all ports. Note that these 'ports' are nominally allocated by the IETF, and the IEEE in some cases, to separate different types of traffic; it is possible that some ports have multiple uses, either due to programmers ignoring the 'rules' or attempting to subvert blocking techniques. Conversely, inbound traffic (from WAN TO LAN) is generally blocked completely unless it is a reply to a request sent from within the LAN.

OK so far.
So, if as the original post states, the test was from LAN to WAN, then as port 53 is not open, NO DNS requests will reach any DNS server on the WAN side of the firewall.

Here's where you go wrong, as I have already said. The OP is testing the router itself, either by LAN IP or WAN IP, NOT what the router does to traffic that passes through to the internet.
This is not the same as suggesting that there is a local DNS server on the LAN - Which in any case would be useless as any cached record would become stale after their TTL expired and if it's on the LAN, would not need a firewall rule to allow access to it from other LAN devices.

No one suggested there was a DNS server on the LAN.
As I suggested previously, given that the original poster did not state that they have problems accessing the internet or have to type in an octet string, the likelihood that the test is actually LAN to WAN is low, which leaves the scenario that all the ports listed are actually open to the WAN...

That does not follow at all. The OP is testing the router from the LAN side; you say yourself that inbound traffic from WAN (note WAN here meaning WAN interface = from the internet, NOT WAN IP, which is owned by the router) is blocked.
All of which means that the firewall rules need to be examined and corrected.

It would if telnet were accessible from the internet - but that is undetermined at time of writing.
If this was an issue with NAT loopback, then ALL PORTS WOULD BE OPEN - remember that domestic routers trust the LAN by default and do not apply an active mitigation strategy to any LAN traffic.

LOOPBACK was tossed in later by some router helpdesk - ignoring for now to avoid sidetracking.

On trusting LAN by default:
For traffic to internet (FORWARD chain in netfilter) yes.
For traffic to themselves (INPUT chain in netfilter) - variable, e.g. an unlocked Huawei blocks ports from anywhere to itself.
It's possible the OP's router also does - I mean, 53 is blocked, isn't it? But then we don't know what the scanner is doing. It may just be looking for running TCP services, i.e. send SYN, get SYN/ACK back and say "open".
What it does if it sends a SYN and gets a RST is unknown - does it say "open" because the port is open but there's nothing listening, or does it call that closed? I don't know.
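The three outcomes discussed above (SYN answered with SYN/ACK, SYN answered with RST, no answer at all) are exactly what a connect-style scanner has to tell apart before it can label a port. The following is an added Python example, not code from the thread or from any of the tools named in it, that classifies a port by those outcomes and demonstrates the verdicts against a loopback listener it starts itself; the function names (classify_tcp_port, scan, demo) are this example's own.

```python
import socket


def classify_tcp_port(host, port, timeout=2.0):
    """Full TCP connect to host:port and classify the outcome.

    "open"        the three-way handshake completed (SYN answered with
                  SYN/ACK), so something at that address listens on the port
    "closed"      the target answered the SYN with RST (connection refused)
    "filtered"    nothing came back before the timeout, which is what a
                  firewall silently dropping the SYN looks like
    "unreachable" no route / network error, so no verdict about the port
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST received
        return "closed"
    except socket.timeout:              # SYN dropped, no reply at all
        return "filtered"
    except OSError:                     # e.g. network unreachable
        return "unreachable"
    finally:
        sock.close()


def scan(host, ports, timeout=2.0):
    """Classify each port in `ports`; returns {port: verdict}."""
    return {p: classify_tcp_port(host, p, timeout) for p in ports}


def ports_with_verdict(results, verdict):
    """Sorted list of the ports that received a given verdict."""
    return sorted(p for p, v in results.items() if v == verdict)


# --- constructed demonstration on the loopback interface --------------------
# A throw-away listener stands in for a service the router runs; a port that
# is bound and immediately released stands in for a closed port.

def start_listener(host="127.0.0.1"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free one
    srv.listen(5)                # the kernel completes the handshake for us
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()                  # nothing listens here now -> RST on connect
    return port


def demo():
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, o, c = demo()
    for port, verdict in sorted(results.items()):
        print(f"127.0.0.1:{port} -> {verdict}")
    # To settle the question in this thread, run scan() on your own router
    # from a LAN host against its LAN IP and its WAN IP, then from a host
    # outside the LAN against the WAN IP, and compare the three verdict sets.
```

The distinction the example draws is the one the thread is missing: a scanner that treats only "open" and "not open" cannot tell a router that answers RST on its WAN address (a port closed by a listening policy) from one whose firewall drops the SYN (filtered), and neither result says anything about what an outside host would see.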
Standard User caffn8me
(knowledge is power) Sun 19-Mar-17 21:32:11

Re: Are these TCP ports vulnerable?


[re: 10forcash]
 
In reply to a post by 10forcash:
So, if as the original post states, the test was from LAN to WAN, then as port 53 is not open, NO DNS requests will reach any DNS server on the WAN side of the firewall.
10forcash? I'll give you six fifty wink

You seem to have misunderstood what a port scan of the router's WAN IP from the LAN shows. Of course, clients on the LAN can access external DNS servers, subject to ISP filtering. The scan done by meditator wasn't testing for that.

What the scan actually shows is that the router itself is not showing as being open on port 53 on its WAN IP address when viewed by clients on the LAN. That tells you nothing whatsoever about whether LAN clients can access external DNS servers.

It would be quite normal for a domestic router to listen for DNS queries only on its LAN IP address and respond only to LAN clients. This stops the router being an open DNS resolver which could form part of a DNS amplification attack.

meditator, to check what you can reach as far as DNS is concerned, try the following if you have a Mac:

1. Open up a Terminal window from under Applications > Utilities
2. At the prompt type
dig @8.8.8.8 www.bbc.co.uk a

You should see something like this:
macchiato:~ sarah$ dig @8.8.8.8 www.bbc.co.uk a

; <<>> DiG 9.11.0-P3 <<>> @8.8.8.8 www.bbc.co.uk a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5839
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.bbc.co.uk.			IN	A

;; ANSWER SECTION:
www.bbc.co.uk.		139	IN	CNAME	www.bbc.net.uk.
www.bbc.net.uk.		205	IN	A	212.58.244.70
www.bbc.net.uk.		205	IN	A	212.58.246.94

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Mar 19 20:59:39 GMT 2017
;; MSG SIZE  rcvd: 100
If you run Windows:

1. Press the Windows Key + R and type "cmd" to open a command prompt.
2. Type:
nslookup

3. Then type:
server 8.8.8.8

4. Finally enter:
www.bbc.co.uk
and you should see something like this:
C:\Users\sarah>nslookup
Default Server:  ns1.zen.co.uk
Address:  212.23.3.1

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> www.bbc.co.uk
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    www.bbc.net.uk
Addresses:  212.58.244.68
          212.58.246.92
Aliases:  www.bbc.co.uk

>
What this test shows is that you can query an external DNS server. Now try the same test again substituting your router's LAN address for 8.8.8.8 and your router's WAN address for 8.8.8.8 and report back smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
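What the dig and nslookup tests above do at the packet level, as an added Python example (not code from the thread and not part of either tool): it builds an RFC 1035 A query with the recursion-desired flag set, sends it over UDP to port 53 of whichever server you name, and decodes the CNAME and A records in the reply, including name compression pointers. The sample_response() function is constructed for offline testing from the records in Sarah's dig output; the function names and the transaction id 0x1234 are this example's own choices.

```python
import socket
import struct

QTYPE_A = 1
QTYPE_CNAME = 5


def encode_name(name):
    """'www.bbc.co.uk' -> b'\\x03www\\x03bbc\\x02co\\x02uk\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """One question, RD (recursion desired) set, like `dig @server name a`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (11xxxxxx)
            if end is None:
                end = off + 2                # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [(name, type, ttl, value), ...]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == QTYPE_CNAME:
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def query(server, name, timeout=2.0, txid=0x1234):
    """Send the query over UDP/53; None means no usable reply before the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    resp = parse_response(data)
    return resp if resp["id"] == txid else None   # drop replies with the wrong id


def sample_response():
    """Constructed reply mirroring the dig output in the thread (CNAME + two A)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # qr rd ra, 3 answers
    question = encode_name("www.bbc.co.uk") + struct.pack("!HH", QTYPE_A, 1)
    qname_ptr = struct.pack("!H", 0xC000 | 12)                # points at the question name
    cname_rdata = encode_name("www.bbc.net.uk")
    cname_off = len(header) + len(question) + 2 + 10          # where that rdata will sit
    cname_rr = (qname_ptr + struct.pack("!HHIH", QTYPE_CNAME, 1, 139, len(cname_rdata))
                + cname_rdata)
    cname_ptr = struct.pack("!H", 0xC000 | cname_off)         # A records name the CNAME target
    a_rrs = b"".join(
        cname_ptr + struct.pack("!HHIH", QTYPE_A, 1, 205, 4) + socket.inet_aton(ip)
        for ip in ("212.58.244.70", "212.58.246.94"))
    return header + question + cname_rr + a_rrs


if __name__ == "__main__":
    print(parse_response(sample_response()))          # offline, constructed data
    print(query("8.8.8.8", "www.bbc.co.uk"))           # live, needs internet access
```

Run query() against 8.8.8.8, then against the router's LAN address and its WAN address, as Sarah asks: a dictionary back means a resolver answered on UDP 53 at that address, None means nothing answered within the timeout, which for the WAN address viewed from the LAN is the normal and desirable outcome described above.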
Standard User XRaySpeX
(eat-sleep-adslguide) Sun 19-Mar-17 23:03:14

Re: Are these TCP ports vulnerable?


[re: meditator]
 
Just run Shields UP! -- Internet Connection Security Analysis's All Ports Scan. All ports should be reported "Stealth", unless you have deliberately opened them.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User meditator
(fountain of knowledge) Mon 20-Mar-17 11:59:12

Re: Are these TCP ports vulnerable?


[re: ukhardy07]
 
Well, I really do seem to have whipped up a storm! Never imagined that the simple question I originally posed would attract such conflicting views. I'm nonetheless extremely grateful for everyone's attempts over the last couple of days to help me with this issue; you've all invested a lot of your time on this. I'd especially like to thank ukhardy07 for the offer recently of running an external scan on my behalf.

But ... there's a happy ending. First thing this morning (Mon), and as a long shot, I e-mailed my ISP about it and asked whether they themselves could run a port scan test on my router. They're quite familiar with this particular router anyway. Amazingly, they've obliged and have done it and given me the result.

Seen from the Internet, there are no visible open ports. In fact, my ISP is of the view that what the OSX Port Scan must be doing is fallaciously reporting the status on the internal side of the router, ie. 192.168.x.x, even though I told it (giving it the router's WAN IP) to scan the external side. This is also what the manufacturer of the router gave as their reply, though not specifically citing OSX Port Scan as being untrustworthy.

It seems there's really no substitute for a reliable external scanner. Needless to say, I'll not be bothering to ever use OSX's Port Scan again. You know, I was really beginning to wonder whether there was a serious bug in my router that made it look as though, in the GUI, most of these ports were closed to the external world, but which in reality was actually leaving them open. But that was not, and is not, the case - thank goodness.

If a lesson's to be learnt from this it's not to trust an 'internal' port scanner (ie. a scanner operating on a machine inside a LAN) to do an external scan. Do it instead with an external scanner.

[As a sequel, my ISP has commented that it's common to see these particular ports open on the LAN side, and that the only time you'd really ever want to have them open on the WAN side is if you were doing port forwarding to a server running some associated services].

Edited by meditator (Mon 20-Mar-17 12:06:21)

Standard User caffn8me
(knowledge is power) Mon 20-Mar-17 12:10:02

Re: Are these TCP ports vulnerable?


[re: meditator]
 
You can't blame OS X port scan for a router's normal default behaviour. Any port scanner launched from the LAN would give the same results.

What you were trying to do was to do an external port scan from the internal network, and that's not going to give reliable or useful results.

If you want to do an external port scan, you absolutely must do it from an externally connected device. OS X port scan is absolutely fine, it's the way you were trying to use it.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User meditator
(fountain of knowledge) Mon 20-Mar-17 13:19:05

Re: Are these TCP ports vulnerable?


[re: caffn8me]
 
Any port scanner launched from the LAN would give the same results.

I don't think I've stated anywhere that OSX's Port Scan is unique in this. So yes, other internally-based scanners will very likely give exactly the same result. (When I used it I wasn't to know this).

What I would take issue with is that, in Port Scan, OSX in no way warns against this. Indeed, it invites you to test any IP; you actually give it the precise IP to go away and test. So it is, in my view, Apple who are at fault. Port Scan should have recognised that I'd entered an Internet IP and warned that the result was not to be trusted. I can only hope that Apple's modified its workings and incorporated qualifiers in newer versions of OSX. I'm afraid that this has been a not untypical case of Apple simply having not provided enough information to the user.
Standard User caffn8me
(knowledge is power) Mon 20-Mar-17 13:55:22

Re: Are these TCP ports vulnerable?


[re: meditator]
 
In reply to a post by meditator:
What I would take issue with is that, in Port Scan, OSX in no way warns against this. Indeed, it invites you to test any IP; you actually give it the precise IP to go away and test. So it is, in my view, Apple who are at fault
This is the way it's supposed to work.

It's a tool which allows you to scan any IP address for open ports. It makes no distinction between local RFC 1918 and internet routed IP addresses, nor should it. It's just like other port scanners including nmap, Angry IP scanner and many others.

Bear in mind that your OS X device doesn't actually know what the external IP address of the router is so it can hardly flag up a warning when you ask to scan it. It only knows that its default gateway is the internal LAN address of the router.

Please don't blame the tools because you don't fully understand their use and the results they give.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Mon 20-Mar-17 13:59:08)
