Why do ports 80, 8080 and 443 show up as 'open' when I use nmap from the outside?

Hi all,

When I run nmap on my home IP from an external source (in this case I am running from within a VPN, but on a LAN device, if that makes a difference) it shows that ports 80, 8080 and 443 are open. Why is this the case and how do I close them? Thanks

It could make a difference. Test from completely outside (maybe a cellular connection would be best).

2 Likes

And make sure you’re not using a VM.

2 Likes

I am not using a VM, and unfortunately I don't have any mobile data or any other alternate network available to me.

I did try https://www.speedguide.net/portscan.php which was recommended in another thread on a similar issue, and port 80 shows up as 'filtered' (443 and 8080 do not). There are a variety of other ports that show up as filtered too, none of which show up when I run netstat, so I am even more confused now.

Testing from outside is imperative.
Do you have any port forwards configured or have you changed anything in the configuration for the firewall?

3 Likes

I do not have any port forwards or anything of that sort. I have changed the firewall only in regards to setting up rules within the network (DMZ), not anything external. So these are stock settings with regards to outbound connections.

The device that is the DMZ target is probably responding.

But it's not even on... I don't have anything on my network that is pointing out...

I have a memory from somewhere in the nmap manual that this is pretty much an expected result, since the nmap sniffer sniffs every single node 360° up to your designated target. I got a similar result myself.
So the actual port hits you mentioned can be at your ISP or the telecom company or a router in front of the device under test.

2 Likes

That sounds correct. It must be something between the router and public IP, maybe the ISP, the gateway, the modem?? I even tried blocking all input on those ports to 192.168.1.1 in the firewall rules and it did not change the outcome of this informal nmap test I did via VPN. I do hope this is the case and there is not a gaping hole in my router. It's probably fine but you really have to double and triple check this stuff...

Thanks to everyone who responded

I believe Google has more information on this.
I finally came to the conclusion that if I want to test the WAN port I need to connect the computer with nmap directly to the WAN port. But that gave me another problem because then the computer needs to play the role of the ISP DHCP server.

I first thought I could test the router by putting another router between the computer with nmap and the router I wanted to test, and running the port scan directed at the IP of that router.
But I got about the same result as you, which was the internal LAN ports of the in-between router. And after some deeper research I gave up on the idea.
I also tried to go from the big internet, but then I got even weirder results, probably from my ISP equipment.

So in theory this should be a simple test but the real world is not so simple.

Try unplugging the router and running the test again. Since you said you don't have a mobile data option or any other easy way of testing, maybe have a friend do the test for you with the router plugged in and then disconnected. This will tell you if any of the ISP hardware is implicated in the ports appearing to be open (or this could also reveal that the test doesn't quite work as expected).

Can you clarify what exactly you mean when you say that you do the test via a VPN?

Can you share your firewall config here, please?

1 Like

I don’t think this method of disconnecting the device under test will give any meaningful results, because nmap still needs a specified target to start the scan.
The problem, according to the nmap manual (if my memory serves me right from last year), is that when nmap starts to knock on ports it doesn’t address every knock, so everyone connected on the interface line also gets knocked on, and nmap only receives the answers open/closed/filtered (and some more alternatives) per port from every device in every direction that shares the connection.
So if ten devices answer closed and the eleventh device answers open on a specific port, then nmap will say open, or possibly filtered or open&filtered.
And ports 80 and 443 are standard com ports, so they will probably be open on general network devices.
So the port status answer from nmap is absolutely correct, but the actual device under test isn’t isolated enough, and nmap can’t say which device on the connected line the port scan answer belongs to, since nmap assumes only the device under test is connected when running the port scan test.

Could it be your provider intercepting?
I suggest running tcpdump -n -i wan port 80 on the router (replace wan with your WAN interface) while you do the port scan, to check whether the request actually reaches your router.

4 Likes
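An added example, not part of the thread: one way to read the capture suggested above, deciding per port whether the scan's SYN reached the router's WAN interface at all and how the router side replied. The function name classify_port, the documentation-range addresses and the capture lines are constructed for illustration; on a live router the input would be the saved text output of tcpdump -n on the WAN interface.

```shell
#!/bin/sh
# Added example: classify what the router's WAN interface saw for one port.
# Input is text output of `tcpdump -n` captured on the WAN side during the scan.

classify_port() {
    # $1 = router WAN IPv4 address, $2 = TCP port; capture text on stdin
    awk -v ip="$1" -v port="$2" '
        BEGIN { ep = ip "." port }
        $2 != "IP" || $6 != "Flags" { next }        # keep IPv4 TCP lines only
        {
            src = $3
            dst = $5;   sub(/:$/, "", dst)           # "a.b.c.d.port:" -> endpoint
            flags = $7; sub(/,$/, "", flags)         # "[S]," -> "[S]"
        }
        dst == ep && flags == "[S]"   { syn = 1 }    # probe reached the router
        src == ep && flags == "[S.]"  { synack = 1 } # router side accepted it
        src == ep && flags ~ /^\[R/   { rst = 1 }    # router side refused it
        END {
            if (!syn)        print "not-seen"   # any answer came from upstream
            else if (synack) print "answered"   # router or a forwarded host
            else if (rst)    print "rejected"   # reached router, port closed
            else             print "dropped"    # reached router, silently dropped
        }'
}

# Constructed capture: WAN address 203.0.113.10, scanner 198.51.100.7.
# Nothing for port 80 ever arrives; 443 arrives and is ignored;
# 8080 is accepted; 22 is refused with a reset.
SAMPLE_CAPTURE='12:00:01.000100 IP 198.51.100.7.51000 > 203.0.113.10.443: Flags [S], seq 1, win 1024, options [mss 1460], length 0
12:00:01.000200 IP 198.51.100.7.51000 > 203.0.113.10.8080: Flags [S], seq 1, win 1024, options [mss 1460], length 0
12:00:01.000300 IP 203.0.113.10.8080 > 198.51.100.7.51000: Flags [S.], seq 9, ack 2, win 64240, options [mss 1460], length 0
12:00:01.000400 IP 198.51.100.7.51000 > 203.0.113.10.22: Flags [S], seq 1, win 1024, options [mss 1460], length 0
12:00:01.000500 IP 203.0.113.10.22 > 198.51.100.7.51000: Flags [R.], seq 0, ack 2, win 0, length 0'

for p in 80 8080 443 22; do
    printf 'port %s: %s\n' "$p" \
        "$(printf '%s\n' "$SAMPLE_CAPTURE" | classify_port 203.0.113.10 "$p")"
done
```

A port that the external scan reports as open but that comes back as not-seen or dropped here was answered by something in front of the router, not by the router itself.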

Actually, the specific point of this test is to see if there is anything else that is accepting packets. If the real target device is offline, it should not be able to respond (obviously), so all ports will appear closed. However, if the ISP equipment (modem/ONT or a combo modem+router, even in bridge mode) has anything listening and accepting packets, that would prove that it isn’t the OpenWrt device.

3 Likes

Would testing with a VPN on your PC be an option?