WAN side - are these ports really open?

Marvin · January 29, 2021, 8:44am

Any help with this would be greatly appreciated...
Done 3 nmap scans to assess router's security (mainly WAN side). The questions that I have:

Does scan A) really imply I have all these ports open on WAN side!? (I would've tested with some online sites, but considering I am on VPN and behind another communal router - this will be tough)
What's the deal with mit-ml-dev? I seem to remember running scans before latest OpenWRT upgrade and don't remember seeing this? Any thoughts on what's this service/port doing here?
More of a curiosity question... why C) shows 139, 445 as filtered, but A) and B) has no mention of them?

(nmap was run with default params)
P.S. I myself never opened any ports on the router

A) ON ROUTER SCANNED WAN ADDRESS

Nmap scan report for [WAN ADDRESS]
Host is up (0.00025s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
83/tcp open mit-ml-dev
443/tcp open https

B) ON ROUTER SCANNED LOCALHOST ADDRESS

Nmap scan report for localhost (127.0.0.1)
Host is up (0.00030s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
83/tcp open mit-ml-dev
443/tcp open https

C) ON LAN CLIENT SCANNED ROUTER'S LAN ADDRESS

Nmap scan report for [LAN ADDRESS]
Host is up (0.16s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
83/tcp open mit-ml-dev
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds

slh · January 29, 2021, 8:53am

No, you really need to scan from the outside, e.g. via cell phone, a remote server or from a friend to get a meaningful result. The router knows that you're scanning from LAN if you just use its WAN address from the inside.

By default, all ports are closed on WAN (reject), with only ping being answered.

LGA1150 · January 29, 2021, 8:53am

No. You are accessing the router itself so the port won't be filtered by firewall.

Run netstat -antp

Marvin · January 29, 2021, 9:05am

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN xxxx/lighttpd
tcp 0 0 0.0.0.0:83 0.0.0.0:* LISTEN xxxx/lighttpd

also found this in uci settings

glconfig.general=service
glconfig.general.port='83'

But why do we need 80 and 83?!

LGA1150 · January 29, 2021, 9:06am

Did you install lighttpd by yourself?

Marvin · January 29, 2021, 9:09am

No I didn't. The only installation I did on the router is:
opkg update
opkg install nmap

LGA1150 · January 29, 2021, 9:10am

So you are not using an official release, which does not include lighttpd by default.

Marvin · January 29, 2021, 9:18am

I've done the upgrade via the router manufacturer's (GL.iNet) web admin portal. Surprised that they would muck with the release.

Marvin · January 29, 2021, 10:14am

netstat -antp was a helpful tip, thanks. It helped me realise it is just router manufacturer's admin portal that is bound to this port (in addition to 80). I will do some mucking around with settings and see if I can drop both 80 and 83 as I am connecting to the admin portal via 443 anyway. Cheers!

vgaetera · January 29, 2021, 11:18am

OpenWrt firewall rules and policies are implemented and applied based in the ingress and egress interfaces.

Scanning any local IP from the host itself is performed via the loopback interface using permissive firewall policy and overriding any zone restrictions.

Scanning any router's IP from the LAN is performed via the LAN interface which is attached to the LAN zone and has permissive firewall policy by default.

system · March 18, 2021, 10:31pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.