UPnP is off but a port is still exposed

fulltim3e41 · February 16, 2023, 9:04am

Hi everyone. Ive run into a conundrum - a fresh OpenWrt install with limited packages that shouldnt have UPnP functionality shows a port offering it. All I have are Statistics, MWAN3, SQM, Custom Commands and their dependencies.

Im using the ShieldsUP! UPnP Internet Exposure Test:

This Internet probe sends up to ten (10) UPnP Simple Service Discovery Protocol (SSDP) M-SEARCH UDP packets, one every half-second, to our visitor's current IPv4 address (xxx.xxx.xxx.xxx) in an attempt to solicit a response from any publicly exposed and listening UPnP SSDP service.

Any idea what could be doing this? A device in my home?

My firewall has standard rules. I do have five Windows machines with network discovery enabled which I believe turns on UPnP. Network discovery is also enabled on my controller-only Unifi WLAN. I know those things can do whatever they like...

How can I track down the culprit?

frollic · February 16, 2023, 9:11am

try changing reject to drop in the firewall settings, then there will be no reply from the fw when scanned.

fulltim3e41 · February 16, 2023, 9:13am

I already have it set to drop. In any case would UPnP not ignore this rule? No idea how listening or soliciting works...

trendy · February 16, 2023, 11:39am

This site is testing by probing udp/137 and udp/1900. Even if you have reject as wan zone policy, it will still report as closed. The question is: do you have anything like this listening?
netstat -lnp | grep 137; netstat -lnp | grep 1900

fulltim3e41 · February 17, 2023, 1:01am

Ive installed grep, however when i run this command nothing happens. Like it has run and done something, but theres no grep...

What is the powershell equivalent? If i replace grep with select-string nothing happens either, I just get a display of the available netstat quantifiers. Dont see -l in there at all.

psherman · February 17, 2023, 1:22am

grep is installed by default (I think as part of busybox) on OpenWrt.... you shouldn't need to install anything.

Did you run the command on your router (via an ssh session)?

fulltim3e41 · February 17, 2023, 1:26am

I have, i doesnt display anything:

root@Router:~# netstat -lnp | grep 137; netstat -lnp | grep 1900
root@Router:~# netstat -lnp | grep 137; netstat -lnp | grep 1900
root@Router:~#

It wasnt installed by default, I had to download it. Busybox is installed, version 1.35.0-5.

psherman · February 17, 2023, 1:32am

The grep command only returns something if it matches... so, this suggests that nothing is running on ports 137 and 1900.

You can see all services running by simply issuing this:

netstat -lnp

And you can verify that grep is working like this:

echo test | grep test
echo tes | grep test

where the first line should return "test" and the second line should return nothing.

fulltim3e41 · February 17, 2023, 1:42am

Brilliant! Thank you for that, very useful. This is what I see:

root@Router:~# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3017/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4694/dnsmasq
tcp        0      0 xxx.xx.xxx.xxx:53       0.0.0.0:*               LISTEN      4694/dnsmasq
tcp        0      0 192.168.8.100:53        0.0.0.0:*               LISTEN      4694/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      4694/dnsmasq
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      2660/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3017/uhttpd
tcp        0      0 :::80                   :::*                    LISTEN      3017/uhttpd
tcp        0      0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::*                    LISTEN      4694/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      4694/dnsmasq
tcp        0      0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::*                    LISTEN      4694/dnsmasq
tcp        0      0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::*                    LISTEN      4694/dnsmasq
tcp        0      0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::*                    LISTEN      4694/dnsmasq
tcp        0      0 :::443                  :::*                    LISTEN      3017/uhttpd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           4694/dnsmasq
udp        0      0 xxx.xx.xxx.xxx:53       0.0.0.0:*                           4694/dnsmasq
udp        0      0 192.168.8.100:53        0.0.0.0:*                           4694/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           4694/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           4694/dnsmasq
udp        0      0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::*                                4694/dnsmasq
udp        0      0 ::1:53                  :::*                                4694/dnsmasq
udp        0      0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::*                                4694/dnsmasq
udp        0      0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::*                                4694/dnsmasq
udp        0      0 xxxx::xxxx:xxxx:xxxx:xxxx:53 :::*                                4694/dnsmasq
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING       1056 587/ubusd           /var/run/ubus/ubus.sock

No help there right?

psherman · February 17, 2023, 1:45am

Well, this is useful in that it shows your router is not running any services on the ports you are concerned about.

We can take a look at your firewall if you want.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/firewall

fulltim3e41 · February 17, 2023, 1:56am

True, the flagged port is not present. Is it ok to mention which port? Anyway, heres the output:

root@Router:~# ubus call system board
{
        "kernel": "5.10.161",
        "hostname": "Router",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti EdgeRouter X",
        "board_name": "ubnt,edgerouter-x",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}

root@Router:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'DROP'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wanb'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'torrents'
        option src 'wan'
        option src_dport '52321'
        option dest_ip '192.168.1.10'
        option dest_port '52321'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Forced DNS'
        option src_dport '53'
        option dest_port '53'
        option src 'lan'

Seems fine too.

I should mention that I have a failover router on WANB. It also has UPnP turned off.

psherman · February 17, 2023, 1:59am

There is nothing in the firewall that could allow those ports to be open/exposed. And there is nothing on the router that runs services with those ports. So you probably have a false positive on the port scan.

You can run a scan with your phone (on a cellular connection, not your WiFi) using a port scanner app and pointing at your wan ip. See what that reveals.

fulltim3e41 · February 17, 2023, 2:17am

Running nmap from a VPN tunnel machine gives me this:

Host is up.
Not shown: 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE         SERVICE
55295/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds

One other thing, which I was going to start a new topic about - I have a torrent client that reports incoming connections on a machine that should only have outgoing access. The client (qbittorent) has UPnP disabled and the firewall has no forward for its port. Its not the port we are talking about.

Perhaps the issues are related?

psherman · February 17, 2023, 2:20am

To be absolutely sure about what is open/exposed on your wan, you should not be using any VPNs that are associated with your home network, and you should not be connected to your wifi at all. Run the scan from a mobile phone on cellular using a port scanner app and pointing at your WAN IP.

I'm not sue what 55295 is, but it could certainly be a related session that was opened by a service on your network.

fulltim3e41 · February 17, 2023, 3:06am

Im using a windows VPN app on a single PC. The tunnel is not configured for port forwarding. It should not have any effect on others in the network... I thought. Hmm.

Ive run scans over cellular, they report that the port is closed. I cant find a directed UPnP scan like the one ShieldsUP uses though. Is there a nmap command that can do this?

psherman · February 17, 2023, 3:14am

I'd consider this pretty definitive.

ShieldsUP can cause false positives and is not always the best way of scanning. You don't have upnp installed/running, so you don't have to worry about "directed upnp scan" things -- it's really just ports. If you do a scan of the full range of ports with nmap or a proper port scanner on your phone, you should be covering everything.

fulltim3e41 · February 17, 2023, 5:15am

Thank you, very informative for a newbie. I will take your assertion as given, though a read of this tells me that I probably shouldnt discount what im seeing.

Maybe its some cache or cookie issue with grc.com... i just hope im using the right app. And its not related to the torrent client getting incoming connections.

Edit:
Hmm. It seems that all UDP ports are found by nmap to be "open|filtered". How can this be?

53/udp    open|filtered domain
69/udp    open|filtered tftp
123/udp   open|filtered ntp
161/udp   open|filtered snmp
1900/udp  open|filtered upnp
5353/udp  open|filtered zeroconf
11211/udp open|filtered memcache

psherman · February 17, 2023, 5:52am

If you've run a port scan from your own device (i.e. phone) on a remote network (i.e. cellular or any network that's not the one you're testing) against your network's WAN IP, you've basically done the same thing as any of the port scan websites would do... but you're doing it in a way that is generally more accurate.

When scanning from outside, "filtered" ports (in the nmap world) did not get a response, but did not get a reject either. That's fine. It's like calling someone on the phone and not getting an answer... you don't know for sure if they are unable to answer the phone, or if they have just chosen not to answer, but either way, you didn't get to talk to them. They also didn't pick up and say "stop calling me" (which would be the reject). Because UDP is stateless, not getting any response would make it seem open/filtered.

Here's a good explanation

open|filtered

Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

fulltim3e41 · February 17, 2023, 5:54am

Awesome, truly

Would a torrent client that hasnt got any ports forwarded report being online if it was connected to a private tracker? Over a random UDP port? Ill probably need to research that.

Thank you for the help!

psherman · February 17, 2023, 6:10am

I'm not exactly sure how torrents function at this level... I've never setup any torrenting and I don't need to worry about them. That said, anytime a network connection is opened, there can be additional sessions that are also opened that are 'established and related' -- for example, when you connect to a website, the responses all fall into the 'established and related' category and will have the ability to send traffic back through the firewall. Obvioulsy this is necessary for a 2-way conversation to occur. It is possible that the torrent networks operate in that same capacity, but I honestly don't know if you need to actively open ports or not.

While torrents may not be the equivalent of opening your firewall entirely, if you're concerned about the potential security implications, you may want to rethink your use of torrents.