How can I close ports?
Are these open ports a threat?
Scanned through nmap
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http OpenWrt admin httpd (rejected RFC1918 address)
|_http-title: Site doesn't have a title (text/html).
110/tcp open tcpwrapped
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
143/tcp open tcpwrapped
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
993/tcp open tcpwrapped
995/tcp open tcpwrapped
3128/tcp open tcpwrapped
8080/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/28%Time=5EA8112F%P=x86_64-apple-darwin19.0.0%
SF:r(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x84\0\x01\0\0\0\0\0\0\x07ve
SF:rsion\x04bind\0\0\x10\0\x03")%r(DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x
SF:04\0\0\0\0\0\0\0\0");
Where did you perform the nmap scan (On your local network or from the internet)?
Have you installed any services on your router since the original installation?
Are you experiencing any specific issues, or do you have reason to believe that there is a real problem?
What version of OpenWrt are you using and what is the brand/model of your router?
Please post the output of the following commands. Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Scan from the internet network.
Installed packages:
opkg install openvpn-openssl
opkg install ip-full
opkg install luci-app-openvpn
OpenWRT CI setup with NordVPN service configured
I believe that open ports can be used to attack my device.
I'm using Current Stable Release - OpenWrt 19.07.2, x86 for VirtualBox
cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.xxx.x.x'
option netmask '255.255.255.0'
option ip6assign '60'
option delegate '0'
config interface 'nordvpntun'
option proto 'none'
option ifname 'tun0'
config interface 'wan'
option ifname 'eth1'
option force_link '1'
option proto 'dhcp'
option peerdns '0'
list dns '103.86.96.100'
list dns '103.86.99.100'
cat /etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input DROP
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
cat /etc/firewall.user
# VPN kill switch: if tun0 is not up and the blanket REJECT is not already
# present in forwarding_rule, insert it so LAN traffic cannot leak via the WAN
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi
On the router, run netstat -lnp to see which process has bound those ports.
In a basic OpenWrt installation, only ports 22, 53, and 80 should be open to the LAN. However, when nmap reports 'tcpwrapped', it isn't really a fully open port and may be a false positive.
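The check described in the reply above, as an added example that is not part of the original thread: a small POSIX sh script that reads `netstat -lnp` output, lists every listening TCP socket with the program that owns it, and flags anything outside the stock OpenWrt set (22 dropbear, 53 dnsmasq, 80 uhttpd) for review. The embedded sample output is constructed for the demo; the PIDs and the `unknown-svc` entries are placeholders, not data from the poster's router. On a real router you would pipe the live output in instead (`netstat -lnp | sh check_listeners.sh`, with the demo line at the bottom removed).

```shell
#!/bin/sh
# Added example (not from the thread): classify listening TCP sockets from
# `netstat -lnp` output against the stock OpenWrt defaults named in the reply.

EXPECTED_PORTS="22 53 80"   # dropbear, dnsmasq, uhttpd on a stock install

# CONSTRUCTED sample in BusyBox netstat format. PIDs and "unknown-svc" are
# placeholders; nothing here is taken from the original post.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1001/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1002/uhttpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1003/dropbear
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      1004/unknown-svc
tcp        0      0 :::8080                 :::*                    LISTEN      1005/unknown-svc
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1001/dnsmasq'

# is_expected PORT -> exit 0 if PORT is one of EXPECTED_PORTS
is_expected() {
    for p in $EXPECTED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# classify_listeners: reads netstat -lnp text on stdin and prints one line per
# listening TCP socket:  <port> <scope> <verdict> <pid/program>
#   scope   = loopback (127.0.0.1 / ::1) or all-interfaces (0.0.0.0 / ::)
#   verdict = expected | review
classify_listeners() {
    awk '
    $1 == "tcp" || $1 == "tcp6" {
        # local address is field 4; the port is the text after the last colon
        n = split($4, parts, ":")
        port = parts[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "all-interfaces"
        # PID/Program is the last field when netstat could read it, "-" otherwise
        prog = ($NF ~ /\//) ? $NF : "-"
        print port, scope, prog
    }' | while read -r port scope prog; do
        if is_expected "$port"; then
            verdict=expected
        else
            verdict=review
        fi
        echo "$port $scope $verdict $prog"
    done
}

# count_unexpected: number of listeners that are not in the stock set
count_unexpected() {
    classify_listeners | awk '$3 == "review"' | wc -l | tr -d ' '
}

# Demo run on the constructed sample
echo "$SAMPLE" | classify_listeners
```

Anything reported as `review` on `all-interfaces` is what a scan from another host can actually reach before the firewall is considered; a `loopback` listener is only visible on the router itself, which is one reason an nmap result can disagree with what netstat shows. The line that closes a port is then the one that stops or disables the owning program (`/etc/init.d/<name> stop` and `disable`), not a firewall change.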