How and where to shut down unnecessary services and ports

cherio

Hello,

I am an experienced Linux user but this is my 1st ASUS Router (RT-AX88U, Merlin 388.1). When I set up and configure a new Linux instance, the 1st thing I do is get rid of unnecessary services and secure it on the network.

I am interested in eliminating as many unnecessary holes as possible. While the WAN scan revealed nothing :cool:, the LAN-facing interface seems to expose a bit too much.
While I understand the need for DNS (53, 5353), DHCP (67) and obviously SSH and HTTPS for administration, I do not believe I need any other service. I'll NAT some outside ports in the future but I am not planning to use the router for gaming, downloads, VPN, fileserver or to serve content from it.

These are open ports I am not very familiar with:
5152 tcp sde-discovery or games
3702 tcp,udp ws-discovery UPNP v2 Discovery
7788 tcp,udp config synchronisation between AiMesh nodes
18017 tcp wanduck
18018 udp unassigned, ??? wanduck ???
9999 udp likely games
33251 udp avahi-daemon
59000 tcp,udp applications Tekkotsu, Cisco Agent Desktop

I do not need (correct me if I am wrong):
  • Microsoft 137, 138, 139, 445 services
  • 18017/18018 WAN DUCK. (SSH and HTTPS are enough for management)
  • 7788 - config synchronisation between AiMesh nodes
  • 9999 - router discovery: https://github.com/jduck/asus-cmd

These I am not aware of and likely don't need:
  • 5152 & 3702 discovery ports. I'm not planning on running DLNA or serving content from the router
  • 59000 - whatever it is
The big question is: how do I shut these services down?



================================
The scans below are purely informational.
First I retrieved opened ports from the router in an SSH session with netstat -tulpn and then ran nmap against those ports from within the network:

$> nmap -p 139,18017,3702,445,5152,53,7788 asus-router
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 00:00 UTC
Nmap scan report for asus-router (192.168.0.1)
Host is up (0.014s latency).

PORT STATE SERVICE
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3702/tcp open ws-discovery
5152/tcp filtered sde-discovery
7788/tcp open unknown
18017/tcp open unknown
MAC Address: xx:xx:xx:xx:xx:xx (Asustek Computer)

$> nmap -sU -p 137,138,18018,33251,3702,53,5353,59000,67,7788,9999 asus-router
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 00:00 UTC
Nmap scan report for asus-router (192.168.0.1)
Host is up (0.0055s latency).

PORT STATE SERVICE
53/udp open domain
67/udp open dhcps
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
3702/udp open|filtered ws-discovery
5353/udp open zeroconf
7788/udp open|filtered unknown
9999/udp open|filtered distinct
18018/udp open|filtered unknown
33251/udp open|filtered unknown
59000/udp open|filtered unknown
MAC Address: xx:xx:xx:xx:xx:xx (Asustek Computer)
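
The audit step described in the post above (list listeners with netstat -tulpn, then decide which are wanted) can be scripted. This is an added example, not part of the original post: the netstat lines, PIDs and the `exampled` process are constructed, and the SSH (22) and HTTPS (8443) admin ports in the allowlist are assumptions.

```shell
#!/bin/sh
# Flag listeners from `netstat -tulpn` that are reachable off-box and not allowlisted.

# Allowlist from the post: DNS, mDNS, DHCP, plus admin SSH/HTTPS (ports assumed).
ALLOWED="tcp/53 udp/53 udp/5353 udp/67 tcp/22 tcp/8443"

# Constructed sample in netstat -tulpn layout (UDP rows have an empty State column).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State    PID/Program name
tcp        0      0 0.0.0.0:18017      0.0.0.0:*          LISTEN   301/wanduck
tcp        0      0 0.0.0.0:7788       0.0.0.0:*          LISTEN   812/cfg_server
tcp        0      0 192.168.0.1:53     0.0.0.0:*          LISTEN   640/dnsmasq
tcp        0      0 127.0.0.1:40000    0.0.0.0:*          LISTEN   900/exampled
udp        0      0 0.0.0.0:9999       0.0.0.0:*                   455/infosvr
udp        0      0 0.0.0.0:18018      0.0.0.0:*                   301/wanduck
udp        0      0 0.0.0.0:7788       0.0.0.0:*                   812/cfg_server
udp        0      0 0.0.0.0:5353       0.0.0.0:*                   700/avahi-daemon
udp        0      0 0.0.0.0:33251      0.0.0.0:*                   700/avahi-daemon
udp        0      0 :::53              :::*                        640/dnsmasq
EOF
}

# stdin: netstat -tulpn text; $1: allowlist. Prints "proto/port bind program".
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            proto = substr($1, 1, 3)               # fold tcp6/udp6 into tcp/udp
            if (proto == "tcp" && $6 != "LISTEN") next
            addr = $4
            port = addr; sub(/^.*:/, "", port)     # text after the last colon
            bind = substr(addr, 1, length(addr) - length(port) - 1)
            if (bind == "127.0.0.1" || bind == "::1") next   # loopback only
            prog = $NF; sub(/^[0-9]+\//, "", prog)           # strip "PID/"
            key = proto "/" port
            if (!(key in ok) && !seen[key " " prog]++) print key, bind, prog
        }'
}

# On the router itself: netstat -tulpn | audit_listeners "$ALLOWED"
sample_netstat | audit_listeners "$ALLOWED"
```

Each line it prints is a candidate for a GUI toggle or a firewall rule; the bind column shows whether the service listens on every interface or only on one address.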
 
There are already posts that explain what these ports are used for. Many of them are Asus services that are required for the normal operation of the router. Others, like 137, 138, 139, 445 can be disabled in the GUI, e.g. USB Application > Servers Center.
 
get rid of unnecessary services

You can disable all TrendMicro components in Administration, Privacy - Withdraw data sharing agreement. If you are an experienced user you don't need any 3rd party software assistance and your router will run much better without TrendMicro involvement.
 
There are already posts that explain what these ports are used for. Many of them are Asus services that are required for the normal operation of the router. Others, like 137, 138, 139, 445 can be disabled in the GUI, e.g. USB Application > Servers Center.
You are right. There are posts. I believe I am resourceful and enjoy research, it's just that the quality of search results here is not great.

Thanks!
 
Thank you everyone for directions!
Just for the record, and if anyone else is interested, I implemented the following to secure and lighten the router.

The following iptables rules do not break anything in my setup:

$> cat /jffs/scripts/firewall-start
#!/bin/sh
# 7788 - config synchronization between AiMesh nodes, cfg_server # https://www.snbforums.com/threads/disable-unused-services.45369/post-389187
# 18017/18018 - wanduck
# 9999 - router discovery, infosvr, https://github.com/jduck/asus-cmd
# 59000 - eapd, Extensible Authentication Protocol, adds WPA3 capabilities; blocking port doesn't seem to affect anything

# Delete any earlier copy of each rule first so repeated runs don't stack duplicates
# (the delete fails harmlessly on the first run, so its error is silenced)
iptables -D INPUT -p tcp -i br0 -m multiport --dports 7788,18017 -j DROP 2>/dev/null
iptables -D INPUT -p udp -i br0 -m multiport --dports 7788,18018,9999,59000 -j DROP 2>/dev/null

iptables -I INPUT -p tcp -i br0 -m multiport --dports 7788,18017 -j DROP
iptables -I INPUT -p udp -i br0 -m multiport --dports 7788,18018,9999,59000 -j DROP

I couldn't find a civilized way to shut down the services I don't need, so I had to come up with a script that kills them:

$> cat /jffs/scripts/services-start
#!/bin/sh
# Port u:9999 - router discovery; killing it is safe
kill $(ps -w | grep ' /usr/sbin/infosvr$' | grep -oE '^[ ]*[0-9]+') 2>/dev/null

# Ports t:18017/u:18018; killing this turns WAN LED red, although everything seems to be working
kill $(ps -w | grep ' /sbin/wanduck$' | grep -oE '^[ ]*[0-9]+') 2>/dev/null

# Port u/t:7788, AiMesh config sync; it re-spawns so no point in killing it. Simply close the port
# kill $(ps -w | grep ' cfg_server$' | grep -oE '^[ ]*[0-9]+') 2>/dev/null

# Port u:59000, Extensible Authentication Protocol, adds WPA3 capabilities; WPA2 works without it
kill $(ps -w | grep ' /bin/eapd$' | grep -oE '^[ ]*[0-9]+') 2>/dev/null

EDIT. As Colin noted below, killing wanduck is not safe
 
All this is not necessary on RT-AX88U with quad-core ARMv8 CPU and 1GB RAM.
 
Killing wanduck will mean that the router won't react to changes in the WAN state. So it won't recover from errors, dual WAN failover won't work, etc. Not a good idea. If you don't want people to see the wan down web page just turn that option off in the GUI or block those ports.
 
Do not mess with system services, they are there for a reason.

Wanduck is responsible for managing the WAN interface. Infosvr is used for device discoverability. cfg_* is used for AiMesh config management.

Killing these or preventing these from running will cause a lot of major issues with your router. cfg_server for instance will constantly try to relaunch itself, resulting in high CPU load.
 
Any way to permanently stop my PC receiving the 7788 UDP packets then, if we can't kill the process doing it?
 
