I just did a port scan of my router running LEDE 17.01.4:
nmap -sS -O
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
Device type: WAP
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4.1
OS details: OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1)
This seems like too much. I don't need 80 and 443 open because I won't be running a web server. Port 53 is probably necessary for DynamicDNS, but I don't know why I would want to advertise any of my OS details.
So now I want to close 80 and 443 and hide these OS details. Truth be told, I want to have a minimal presence:
- drop ping requests
- open port 53 (if necessary for DynamicDNS)
- open some large numbered port for SSH
- hide OS details
It is; there shouldn't be any ports open on the WAN by default.
Did you open LuCI to the Internet!?! If not, I'm not sure why you're worried about a security risk on the LAN.
- To drop ping, uncheck the accept Ping under the default Traffic Rules.
- Did you setup HTTPS for LuCI, as it's not enabled by default?
- Opening port 53 is not needed for DDNS; this is a misconception based on the 'dns' portion of the name.
- Setting up SSH is simple: just configure SSH on that port and open the firewall with an INPUT Traffic Rule.
- To hide OS details, close the ports that display the LuCI banner at the bottom (80 and 443).
Unless one has specifically specified rules in /etc/firewall.user, all WAN ports are closed by default. The default /etc/config/firewall does come with some default rules, although most can safely remove them, as they're not required for most use cases.
53, 80, 443 are showing open because they are open... on the LAN side, not the WAN side. The default behavior of fw3 is to reject all inbound and forwarded WAN traffic, allowing only outbound WAN requests from LAN.
- Closing 80 & 443 LAN side will prevent access to LuCI
- Closing 53 LAN side will prevent internet access, since all domain name requests to the internet will be blocked.
Two sites where you can test for ports open to the Internet...
SpeedGuide Security Scan
Yes, that makes sense. I was running nmap against my Dynamic DNS hostname from within my own LAN. So it was, well, you get the idea.
Now I'm running the same nmap command through my cellphone's hotspot and again I get surprising results:
25/tcp filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1080/tcp filtered socks
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.18-8.el5 (Red Hat Enterprise Linux 5) (92%), Linux 2.6.20 (92%), Linux 2.6.20 (Ubuntu, x86_64) (92%), Linux 2.6.22 (92%), Linux 2.6.22 (Ubuntu, x86) (92%), Linux 2.6.27 (Ubuntu 8.10) (92%), Peplink Balance 380 router (91%), Buffalo TeraStation Pro II NAS device (89%), Linux 2.4.35 (89%), Linux 2.6.18 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
No open or closed ports found is good news.
Definition of a filtered port from SpeedGuide...
"Filtered ports do not respond to a portscan at all, they don't appear to exist. This is the best security level for your ports, as it provides no information about your system or its existence (a.k.a. black hole)."
Run the ShieldsUP! and SpeedGuide tests.
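The two scans above read very differently once the port states are separated out. As an added example (not code from the thread or from nmap), this script counts the states in an nmap port table and gives the reading the replies apply: open is real exposure, closed means the host answered the probe, filtered means nothing answered at all, which is also why nmap could not fingerprint the OS the second time. The scan texts are constructed to mirror the LAN-side and outside results quoted above; the "Not shown" line of the second scan is assumed, since it was not quoted.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an nmap port table the way the replies
# above read it. "open" is real exposure, "closed" means the host answered the probe
# (a REJECT policy / RST), "filtered" means nothing answered at all. The two scan texts
# are constructed to mirror the LAN-side and outside results quoted in the thread; the
# "Not shown" line of the outside scan is assumed, as it was not quoted.

# Count ports in one state: explicit table rows plus the "Not shown: N <state> ports" summary.
nmap_state_count() {   # $1 = file with nmap normal output, $2 = open|closed|filtered
    awk -v st="$2" '
    /^Not shown:/ && $4 == st { n += $3 }
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == st { n++ }
    END { print n + 0 }' "$1"
}

# One-line reading of a scan run from OUTSIDE the LAN: any open port needs a rule you
# put there on purpose; closed-but-answering still tells a scanner that a host exists.
nmap_verdict() {
    open=$(nmap_state_count "$1" open)
    closed=$(nmap_state_count "$1" closed)
    filtered=$(nmap_state_count "$1" filtered)
    if [ "$open" -gt 0 ]; then
        echo "exposed: $open open, $closed closed, $filtered filtered"
    elif [ "$closed" -gt 0 ]; then
        echo "responding: 0 open, $closed closed, $filtered filtered"
    else
        echo "black hole: 0 open, 0 closed, $filtered filtered"
    fi
}

# Constructed sample: the scan run from inside the LAN (same numbers as the first post).
LAN_SCAN=$(mktemp)
cat > "$LAN_SCAN" <<'EOF'
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
EOF

# Constructed sample: the scan run through the phone hotspot ("Not shown" line assumed).
OUTSIDE_SCAN=$(mktemp)
cat > "$OUTSIDE_SCAN" <<'EOF'
Not shown: 995 filtered ports
PORT STATE SERVICE
25/tcp filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1080/tcp filtered socks
EOF

nmap_verdict "$LAN_SCAN"       # exposed: 3 open, 997 closed, 0 filtered
nmap_verdict "$OUTSIDE_SCAN"   # black hole: 0 open, 0 closed, 1000 filtered
```

The same counter works on a real `nmap` normal-output file saved with `-oN`; the point of the verdict ordering is that a scan from outside the LAN should never land in the "exposed" branch unless you deliberately added an INPUT rule for that port.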
You're not "advertising" any OS details, nmap is guessing the OS through a technique called TCP/IP stack fingerprinting. I suppose you could hide it by changing the default input policy of your wan to DROP instead of REJECT.
Filtered ports are usually an indication that these ports are blocked on the provider network level, they'll never reach your router.
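The advice earlier in the thread (untick Allow-Ping, open one high port for SSH with an INPUT rule) and the suggestion just above (switch the wan input policy from REJECT to DROP) all end up as settings in /etc/config/firewall. As an added example that is not code from the thread or from OpenWrt, the script below audits a copy of that file for exactly those three things: the wan zone's input policy, whether the stock Allow-Ping rule is still enabled, and which ports rules ACCEPT from wan into the router itself. The config it reads is constructed to look like a default fw3 config plus one SSH rule; port 22222 is a made-up value.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: audit a copy of
# /etc/config/firewall for the wan zone's input policy (fw3 ships REJECT; DROP is the
# "hide from probes" option), whether the stock Allow-Ping rule is still enabled, and
# which ports rules ACCEPT from wan into the router itself. The config below is
# constructed; 22222 is a made-up SSH port.

# Flatten each UCI section to one line: TYPE<TAB>key=value<TAB>key=value...
# Only "option" lines are read; "list" lines are ignored by this audit.
uci_flatten() {
    awk '
    function flush() { if (type != "") print type line; type = ""; line = "" }
    /^config[ \t]/ { flush(); type = $2; next }
    /^[ \t]*option[ \t]/ {
        key = $2; val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)   # keep the text after the key
        gsub(/^'\''|'\''$/, "", val)                         # strip surrounding quotes
        line = line "\t" key "=" val
        next
    }
    END { flush() }' "$1"
}

# awk helper shared by the audits: kv(key, default) reads one field of a flattened line.
KV='function kv(k, d,   i, p) {
    for (i = 2; i <= NF; i++) {
        p = index($i, "=")
        if (substr($i, 1, p - 1) == k) return substr($i, p + 1)
    }
    return d
}'

# Input policy of the zone named "wan": REJECT answers probes with RST/ICMP errors
# (nmap reports "closed"), DROP answers nothing (nmap reports "filtered").
wan_input_policy() {
    uci_flatten "$1" | awk -F'\t' "$KV"'
    $1 == "zone" && kv("name", "") == "wan" { print kv("input", "") }'
}

# "yes" if an enabled rule ACCEPTs ICMP from wan (the stock Allow-Ping rule), else "no".
# A rule disabled in LuCI stays in the file with option enabled '0', so that flag is honoured.
wan_ping_allowed() {
    uci_flatten "$1" | awk -F'\t' "$KV"'
    $1 == "rule" && kv("src", "") == "wan" && kv("proto", "tcpudp") == "icmp" &&
        kv("target", "") == "ACCEPT" && kv("enabled", "1") == "1" { found = 1 }
    END { print (found ? "yes" : "no") }'
}

# proto/port of enabled rules that ACCEPT from wan with no dest zone, i.e. INPUT to the
# router itself (the SSH-on-a-high-port rule). fw3 treats a missing proto as tcpudp.
wan_open_ports() {
    uci_flatten "$1" | awk -F'\t' "$KV"'
    $1 == "rule" && kv("src", "") == "wan" && kv("dest", "") == "" &&
        kv("target", "") == "ACCEPT" && kv("enabled", "1") == "1" &&
        kv("dest_port", "") != "" { print kv("proto", "tcpudp") "/" kv("dest_port", "") }'
}

# Constructed sample: default-style zones plus Allow-Ping and one SSH INPUT rule.
SAMPLE_FW=$(mktemp)
cat > "$SAMPLE_FW" <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-SSH-WAN'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22222'
    option target 'ACCEPT'
EOF

# Same config with the wan input policy switched to DROP, the change suggested above
# for not answering fingerprinting probes at all.
HARDENED_FW=$(mktemp)
sed "s/option input 'REJECT'/option input 'DROP'/" "$SAMPLE_FW" > "$HARDENED_FW"

audit_firewall() {
    echo "== $1"
    echo "wan input policy  : $(wan_input_policy "$1")"
    echo "ping from wan     : $(wan_ping_allowed "$1")"
    echo "wan INPUT accepts : $(wan_open_ports "$1" | tr '\n' ' ')"
}
audit_firewall "$SAMPLE_FW"
audit_firewall "$HARDENED_FW"
```

Run it against a copy pulled from the router (`scp root@router:/etc/config/firewall .`) rather than on the router itself if you prefer a read-only check. The audit deliberately ignores the lan zone: as the earlier reply explains, 53/80/443 being open on the LAN side is expected, and only ACCEPT rules whose `src` is `wan` are what an outside scan can see.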
It looks like I needed to understand the data and I definitely feel better about the firewall.
Thanks for your help.
Seems I too was running a port scan on my public IP from my own LAN, and ports 80 and 443 appeared open.
When I used an external network to scan my public IP, all ports were closed.