Why are all these ports shown as open on my LEDE router?

I haven't verified my port security for a while and just now did a routine portmap test using https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap, see below. I am running LEDE 17.01.4 on my WNDR3800 and have the default firewall zone rules for LAN/WAN mapping.

Why are so many ports/services shown as open?

(the only major configuration I've done in LEDE is to connect the WAN side (WWAN) through 4G/NCM and I also have one disabled port mapping rule that I enable sometimes)

Initiating Service scan at 15:29
...
PORT      STATE    SERVICE          VERSION
7/tcp     open     tcpwrapped
9/tcp     open     discard?
13/tcp    open     daytime?
21/tcp    open     ftp?
22/tcp    open     tcpwrapped
23/tcp    filtered telnet
25/tcp    filtered smtp
26/tcp    open     rsftp?
37/tcp    open     time?
53/tcp    filtered domain
79/tcp    open     tcpwrapped
80/tcp    open     tcpwrapped
81/tcp    open     hosts2-ns?
88/tcp    open     kerberos-sec?
106/tcp   open     tcpwrapped
110/tcp   open     pop3?
111/tcp   closed   rpcbind
113/tcp   open     tcpwrapped
119/tcp   open     nntp?
135/tcp   filtered msrpc
139/tcp   open     netbios-ssn?
143/tcp   closed   imap
144/tcp   open     news?
179/tcp   open     tcpwrapped
199/tcp   open     tcpwrapped
389/tcp   open     ldap?
427/tcp   open     svrloc?
443/tcp   filtered https
444/tcp   open     snpp?
445/tcp   open     microsoft-ds?
465/tcp   open     smtps?
513/tcp   open     tcpwrapped
514/tcp   open     shell?
515/tcp   open     printer?
543/tcp   open     klogin?
544/tcp   filtered kshell
548/tcp   open     afp?
554/tcp   open     rtsp?
587/tcp   open     tcpwrapped
631/tcp   open     tcpwrapped
646/tcp   open     tcpwrapped
873/tcp   open     tcpwrapped
990/tcp   open     tcpwrapped
993/tcp   closed   imaps
995/tcp   open     tcpwrapped
1025/tcp  closed   NFS-or-IIS
1026/tcp  open     tcpwrapped
1027/tcp  filtered IIS
1028/tcp  open     tcpwrapped
1029/tcp  open     tcpwrapped
1110/tcp  open     tcpwrapped
1433/tcp  open     tcpwrapped
1720/tcp  open     tcpwrapped
1723/tcp  closed   pptp
1755/tcp  open     tcpwrapped
1900/tcp  open     tcpwrapped
2000/tcp  open     tcpwrapped
2001/tcp  filtered dc
2049/tcp  open     tcpwrapped
2121/tcp  open     tcpwrapped
2717/tcp  open     tcpwrapped
3000/tcp  open     tcpwrapped
3128/tcp  open     tcpwrapped
3306/tcp  open     tcpwrapped
3389/tcp  closed   ms-wbt-server
3986/tcp  open     tcpwrapped
4899/tcp  open     tcpwrapped
5000/tcp  open     tcpwrapped
5009/tcp  open     tcpwrapped
5051/tcp  open     tcpwrapped
5060/tcp  open     tcpwrapped
5101/tcp  open     tcpwrapped
5190/tcp  open     tcpwrapped
5357/tcp  open     tcpwrapped
5432/tcp  open     tcpwrapped
5631/tcp  open     tcpwrapped
5666/tcp  open     tcpwrapped
5800/tcp  open     tcpwrapped
5900/tcp  closed   vnc
6000/tcp  open     tcpwrapped
6001/tcp  open     tcpwrapped
6646/tcp  open     tcpwrapped
7070/tcp  open     tcpwrapped
8000/tcp  open     tcpwrapped
8008/tcp  open     tcpwrapped
8009/tcp  open     tcpwrapped
8080/tcp  open     tcpwrapped
8081/tcp  open     tcpwrapped
8443/tcp  open     tcpwrapped
8888/tcp  open     tcpwrapped
9100/tcp  open     jetdirect?
9999/tcp  open     tcpwrapped
10000/tcp filtered snet-sensor-mgmt
32768/tcp open     tcpwrapped
49152/tcp open     tcpwrapped
49153/tcp open     tcpwrapped
49154/tcp open     tcpwrapped
49155/tcp open     tcpwrapped
49156/tcp open     tcpwrapped
49157/tcp open     tcpwrapped
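Added example, not part of the original post or of LEDE: a small POSIX sh/awk script that sorts nmap service-scan lines by how much the scanner actually verified. In nmap's output, "tcpwrapped" means the TCP handshake completed but the far end closed the connection without sending any data, and a service name ending in "?" is only nmap's guess from the port number, so neither line proves a real listener. The sample lines are constructed in the same layout as the scan above (the OpenSSH line is invented for contrast); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify nmap service-scan lines by how
# much the scanner actually verified. "tcpwrapped" = handshake completed, no data;
# a name ending in "?" = nmap's guess from the port number, unconfirmed.

# Constructed sample in the PORT/STATE/SERVICE/VERSION layout of the post
# (the OpenSSH line is invented for contrast; the others mirror entries above).
NMAP_SAMPLE='PORT      STATE    SERVICE          VERSION
7/tcp     open     tcpwrapped
21/tcp    open     ftp?
22/tcp    open     ssh              OpenSSH 7.4 (protocol 2.0)
23/tcp    filtered telnet
80/tcp    open     tcpwrapped
111/tcp   closed   rpcbind'

# Reads nmap output on stdin; prints "port state class" for every port line.
classify_nmap() {
    awk '
        $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ {
            if ($2 == "open") {
                # open, but no application-layer evidence: tcpwrapped or a "?" guess
                cls = ($3 == "tcpwrapped" || $3 ~ /\?$/) ? "handshake-only" : "confirmed"
            } else {
                cls = $2            # filtered / closed / open|filtered as reported
            }
            print $1, $2, cls
        }'
}

# Number of ports in one class (reads nmap output on stdin).
count_class() {
    classify_nmap | awk -v want="$1" '$3 == want { n++ } END { print n + 0 }'
}

# Per-class totals, one "class count" line each.
summarize_nmap() {
    classify_nmap | awk '{ n[$3]++ } END { for (c in n) print c, n[c] }' | sort
}

printf '%s\n' "$NMAP_SAMPLE" | summarize_nmap
```

Run against the full scan above, every "open" line lands in handshake-only: something completed the handshake on each probed port but never behaved like the named service. That pattern points at a device between the scanner and the router answering all SYNs generically, which is what the replies below go on to suspect, rather than at dozens of listeners on the WNDR3800.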

Good question, as those ports are not open with the default config.

My first guess is that you do not actually have a public IP, but your 4G modem actually gives you a private IP inside the ISP's NAT. And then the scan results would show the upstream situation, not your own. Just check that your wwan really has a public IP, so that the scan is about you. (many ISPs give only private IPs to 3G/4G modems)

I also had that thought, especially because another online portscan service gave different results each time.

But ifconfig -a shows the public IP on my 4G/NCM/USB device (the same IP is shown if I surf to whatismyip.com and similar services):

wwan0     Link encap:Ethernet  HWaddr 0C:5B:8F:27:9A:64
          inet addr:37.xxxxxxxxx  Bcast:37.xxxxxxxxxx  Mask:255.255.255.252
          inet6 addr: xxxxxxxxxxxxxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2838770 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2128708 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2372781055 (2.2 GiB)  TX bytes:659244477 (628.7 MiB)

Then it could be about your firewall rules.

Below is my firewall config. I think everything is defaults, or do you note something suspicious?

$ cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan2 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_port '22'
        option name 'ssh fw'
        option dest_ip '192.168.1.2'
        option enabled '0'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'
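Added example, not from the poster or from the LEDE project: a POSIX sh/awk reader for the UCI firewall format shown above that lists what the file actually admits from the wan zone (zone policies, ACCEPT rules with src wan, and DNAT redirects with their enabled state). The sample config is a trimmed copy of the shape above plus one invented, enabled redirect named "web" so that an exposed port shows up in the output; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what a UCI firewall config lets
# in from the wan zone, so the file can be compared with what a scan reports.
# Constructed sample: trimmed from the shape shown above, plus one invented
# enabled redirect ("web") to show how an exposed port is reported.
FW_SAMPLE="config zone
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option network 'wan wan6 wwan'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '443'
        option dest_port '22'
        option name 'ssh fw'
        option dest_ip '192.168.1.2'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '8443'
        option dest_port '443'
        option name 'web'
        option dest_ip '192.168.1.10'"

# Reads UCI firewall text on stdin. Prints one line per zone, per ACCEPT rule
# from wan, and per DNAT redirect from wan (ENABLED unless "option enabled '0'").
wan_exposure() {
    awk -v q="'" '
        function flush() {
            if (type == "zone")
                print "zone", v["name"], "input=" v["input"], "forward=" v["forward"], "networks=" v["network"]
            if (type == "rule" && v["src"] == "wan" && v["target"] == "ACCEPT")
                print "wan-accept", (v["dest"] == "" ? "input" : "forward"), v["name"], v["proto"] "/" (v["dest_port"] == "" ? "any" : v["dest_port"])
            if (type == "redirect" && v["src"] == "wan" && v["target"] == "DNAT")
                print "dnat", (v["enabled"] == "0" ? "DISABLED" : "ENABLED"), v["name"], v["proto"] "/" v["src_dport"], "->", v["dest_ip"] ":" v["dest_port"]
            split("", v)                    # portable way to empty the array
            type = ""
        }
        $1 == "config" { flush(); type = $2; next }
        $1 == "option" || $1 == "list" {
            split($0, part, q)              # value sits between the first pair of quotes
            v[$2] = (v[$2] == "" ? part[2] : v[$2] " " part[2])   # "list" values accumulate
        }
        END { flush() }'
}

# The two questions a scan result should be checked against.
wan_input_policy() { wan_exposure | awk '$1 == "zone" && $2 == "wan" { sub(/^input=/, "", $3); print $3 }'; }
enabled_dnat_count() { wan_exposure | awk '$1 == "dnat" && $2 == "ENABLED" { n++ } END { print n + 0 }'; }

printf '%s\n' "$FW_SAMPLE" | wan_exposure
```

Fed the config above, the only redirect is reported DISABLED and the wan zone input policy is REJECT, i.e. the file admits nothing on TCP from the WAN side. Note that the file is only the intent: what is actually loaded is what `iptables -L INPUT` and `iptables -t nat -L PREROUTING` on the router show, and the includes (`/etc/firewall.user`, miniupnpd, bcp38) can add rules the file itself does not list.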

For the WAN zone, I set my firewall as follows...

Input = drop
Output = accept
Forward = drop

Masquerading and MSS clamping are both checked.

In the firewall Traffic Rules, I have ICMP ping disabled.

Using these tests, all ports are stealthed, filtered, or open|filtered...which is what you want.

GRC ShieldsUP!

https://grc.com/x/ne.dll?bh0bkyd2

SpeedGuide Security Scan

https://www.speedguide.net/scan.php

I adjusted my settings to match yours (reject becomes drop and disabled ping) but I still get the same result with open ports (on speedguide also).
Hm, I'm wondering if my 4G ISP could be doing something funky. I need to investigate more. Do you guys have some things that could be interesting to try?

Quite possible.
Your "public IP" looks like some kind of tunnel, as your netmask is so narrow that it only allows 2 bits for the addresses, meaning in practice just two addresses (01, 10) as 00 and 11 are not allowed.

inet addr:37.xxxxxxxxx Bcast:37.xxxxxxxxxx Mask:255.255.255.252

That is not a normal routable internet subnet, but some kind of tunnel, probably.

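Added example, not from any of the posters: a POSIX sh script that performs the two checks the replies ask for, whether the wwan address is really public (first reply) and what the 255.255.255.252 netmask implies (last reply), using only the `inet addr` and `Mask` values from the ifconfig output. It classifies the address against RFC 1918 private space, RFC 6598 carrier-grade NAT space (100.64.0.0/10, which a 4G ISP's NAT commonly hands out), link-local and loopback, and converts the mask to a prefix length and usable-host count. The addresses used are constructed stand-ins (100.64.12.34 and the 203.0.113.0/24 documentation range) for the redacted 37.x address; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a WAN address offline.
# Classifies it (private / cgnat-shared / link-local / loopback / public) and
# turns the netmask into a prefix length plus a usable-host count.
# Constructed inputs only: 100.64.12.34 and 203.0.113.10 stand in for the
# redacted 37.x address shown in the ifconfig output.

# Dotted quad -> 32-bit integer, POSIX sh arithmetic only.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/PREFIX -> succeeds when ADDR lies inside NET/PREFIX.
in_cidr() {
    net=${2%/*}; cplen=${2#*/}
    m=$(( ((1 << cplen) - 1) << (32 - cplen) ))
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$net") & m )) ]
}

# addr_class ADDR -> private | cgnat-shared | link-local | loopback | public
addr_class() {
    for entry in 10.0.0.0/8:private 172.16.0.0/12:private 192.168.0.0/16:private \
                 100.64.0.0/10:cgnat-shared 169.254.0.0/16:link-local 127.0.0.0/8:loopback
    do
        if in_cidr "$1" "${entry%:*}"; then echo "${entry#*:}"; return 0; fi
    done
    echo public
}

# mask_to_prefix 255.255.255.252 -> 30 (counts the leading one bits)
mask_to_prefix() {
    m=$(ip_to_int "$1"); plen=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        plen=$((plen + 1)); m=$(( (m << 1) & 4294967295 ))
    done
    echo "$plen"
}

# usable_hosts PREFIX -> host addresses usable on that subnet
# (network and broadcast excluded; /31 point-to-point links use both
# addresses per RFC 3021; /32 is a single host).
usable_hosts() {
    case $1 in
        32) echo 1 ;;
        31) echo 2 ;;
        *)  echo $(( (1 << (32 - $1)) - 2 )) ;;
    esac
}

# wan_report ADDR MASK -> "class /prefix usable=N"
wan_report() {
    plen=$(mask_to_prefix "$2")
    echo "$(addr_class "$1") /$plen usable=$(usable_hosts "$plen")"
}

wan_report 100.64.12.34 255.255.255.252   # cgnat-shared /30 usable=2
wan_report 203.0.113.10 255.255.255.0     # public /24 usable=254
```

Running `wan_report` with the real `inet addr` and `Mask` from `ifconfig wwan0` answers both questions at once: a class other than public means the scan results describe the ISP's equipment rather than the router, and /30 with usable=2 is the two-address subnet the last reply describes (one address for each end of the link). A public address on a /30 is consistent with either a point-to-point link or a tunnel; the scan behaviour and the ISP's own documentation decide which.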