[Solved] How to close ports 80 and 443

highpost · January 30, 2018, 8:41pm

I just did a port scan of my router running LEDE 17.01.4:

nmap -sS -O
...
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
Device type: WAP
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4.1
OS details: OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1)

This seems like too much. I don't need 80 and 443 open because I won't be running a web server. Port 53 is probably necessary for DynamicDNS, but I don't know why I would want to advertise any of my OS details.

So now I want to close 80 and 443 and hide these OS details. Truth be told, I want to have a minimal presence:

drop ping requests
open port 53 (if necessary for DynamicDNS)
open some large numbered port for SSH
hide OS details

lleachii · January 30, 2018, 8:52pm

Ummm...

It is, there shouldn't be any ports open on the WAN by default,.

Did you open LuCI to the Internet!?! If not, I'm not sure why you're worried about a security risk on the LAN.

To drop ping, uncheck the accept Ping under the default Traffic Rules.
Did you setup HTTPS for LuCI, as it's not enabled by default?
Opening port 53 is not needed for DDNS, this is a minsconception based on the 'dns' portion of the name.
That's simple to setup SSH, just configure SSH on that port and open the firewall with an INPUT Traffic Rule.
To hide OS details, close the ports that display the LuCI banner at the bottom (80 and 443).

JW0914 · January 30, 2018, 9:36pm

Unless one has specifically specified rules in either /etc/config/firewall or /etc/firewall.user, all WAN ports are closed by default. The default /etc/config/firewall does come with some default rules, although most can safely remove them, as they're not required for most use cases.

53, 80, 443 are showing open because they are open... on the LAN side, not the WAN side. The default behavior of fw3 is to reject all inbound and forwarded WAN traffic, allowing only outbound WAN requests from LAN.

Closing 80 & 443 LAN side will prevent access to LuCI
Closing 53 LAN side will prevent internet access, since all domain name requests to the internet will be blocked.

anon57995562 · January 30, 2018, 9:52pm

Two sites where you can test for ports open to the Internet...

GRC ShieldsUP!

https://grc.com/x/ne.dll?bh0bkyd2

SpeedGuide Security Scan

https://www.speedguide.net/scan.php

highpost · January 31, 2018, 7:02am

Yes, that makes sense. I was running nmap against my Dynamic DNS hostname from within my own LAN. So it was, well, you get the idea.

Now I'm running the same nmap command through my cellphone's hotspot and again I get surprising results:

25/tcp filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1080/tcp filtered socks
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.18-8.el5 (Red Hat Enterprise Linux 5) (92%), Linux 2.6.20 (92%), Linux 2.6.20 (Ubuntu, x86_64) (92%), Linux 2.6.22 (92%), Linux 2.6.22 (Ubuntu, x86) (92%), Linux 2.6.27 (Ubuntu 8.10) (92%), Peplink Balance 380 router (91%), Buffalo TeraStation Pro II NAS device (89%), Linux 2.4.35 (89%), Linux 2.6.18 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops

anon57995562 · January 31, 2018, 7:35am

No open or closed ports found is good news.

Definition of a filtered port from SpeedGuide...

"Filtered ports do not respond to a portscan at all, they don't appear to exist. This is the best security level for your ports, as it provides no information about your system or its existence (a.k.a. black hole)."

Run the ShieldsUP! and SpeedGuide tests.

escalade · January 31, 2018, 11:18am

You're not "advertising" any OS details, nmap is guessing the OS through a technique called TCP/IP stack fingerprinting. I suppose you could hide it by changing the default input policy of your wan to DROP instead of REJECT.

jow · February 1, 2018, 12:43pm

Filtered ports are usually an indication that these ports are blocked on the provider network level, they'll never reach your router.

highpost · February 1, 2018, 4:53pm

It looks like I needed to understand the data and I definitely feel better about the firewall.

Thanks for your help.

kingju · April 8, 2022, 3:59pm

seems I too was running port scan on my public ip from my own LAN and port 80, 443 appeared open.
when i used external network to scan my public, all ports was closed.

tmomas · April 18, 2022, 4:00pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.