How to block the FTP port from showing open on WAN?

Daxx123

Occasional Visitor
First, I'm totally new at this, so hopefully this is a simple solution for the pros here.

My FTP port shows open on port scans, everything else is closed. I have everything FTP turned off in Merlin.

I tried adding to the iptables in the /jffs/scripts/firewall-start:
iptables -A INPUT -p tcp --dport 20 -j DROP
iptables -A INPUT -p tcp --dport 21 -j DROP

iptables -L showed it did load on reboot and was in the INPUT chain, but that didn't work.

Success: I can see your service on XXX.XXX.12.7 on port (21)
Your ISP is not blocking port 21

How should I go about doing this?
 

ColinTaylor

Part of the Furniture
False positive from your ISP's equipment?

Confirm that nothing is listening on that port with the following command:
Code:
netstat -nlp | grep :21

Check that port isn't being forwarded:
Code:
iptables-save -t nat | grep DNAT
 

Daxx123

Occasional Visitor
False positive from your ISP's equipment?

Confirm that nothing is listening on that port with the following command:
Code:
netstat -nlp | grep :21

Check that port isn't being forwarded:
Code:
iptables-save -t nat | grep DNAT

netstat -nlp | grep :21 returns nothing.

iptables-save -t nat | grep DNAT
Code:
[email protected]:/tmp/home/root# iptables-save -t nat | grep DNAT
-A DNSFILTER -j DNAT --to-destination 192.168.50.1
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source B4:AE:2B:AA:3B:32 -j DNAT --to-destination 192.168.50.1:18099
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source FC:77:74:C9:C1:C9 -j DNAT --to-destination 192.168.50.1:18099
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source D0:50:99:A8:D3:E1 -j DNAT --to-destination 192.168.50.1:18099
-A VUPNP -p udp -m udp --dport 4955 -j DNAT --to-destination 192.168.50.87:4955
-A VUPNP -p udp -m udp --dport 4950 -j DNAT --to-destination 192.168.50.87:4950
 

Daxx123

Occasional Visitor
Move it to the top of the list.

Use -I instead of -A to insert at the top.
Just tried that, it didn't work.

And I just stuck it on every chain:
iptables -A INPUT -p tcp --dport 20 -j DROP
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A FORWARD -p tcp --dport 20 -j DROP
iptables -A FORWARD -p tcp --dport 21 -j DROP
iptables -A OUTPUT -p tcp --dport 20 -j DROP
iptables -A OUTPUT -p tcp --dport 21 -j DROP

Still shows open.
 

RMerlin

Asuswrt-Merlin dev
Do you have something on your network opening the FTP port through UPNP? Check on the port forward list, on the System Log page.

If nothing is open or forwarded on your router, then this might be a false alarm.
 

ColinTaylor

Part of the Furniture
netstat -nlp | grep :21 returns nothing.

iptables-save -t nat | grep DNAT
Code:
[email protected]:/tmp/home/root# iptables-save -t nat | grep DNAT
-A DNSFILTER -j DNAT --to-destination 192.168.50.1
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source B4:AE:2B:AA:3B:32 -j DNAT --to-destination 192.168.50.1:18099
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source FC:77:74:C9:C1:C9 -j DNAT --to-destination 192.168.50.1:18099
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source D0:50:99:A8:D3:E1 -j DNAT --to-destination 192.168.50.1:18099
-A VUPNP -p udp -m udp --dport 4955 -j DNAT --to-destination 192.168.50.87:4955
-A VUPNP -p udp -m udp --dport 4950 -j DNAT --to-destination 192.168.50.87:4950
You don't have port 20 or 21 open.
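The DNAT check above is the one to repeat after every UPnP or port-forward change, so here is an added example (not the poster's output or Merlin's code) that parses `iptables-save -t nat` and lists only the rules that actually expose a port on the WAN side. It assumes the LAN bridge is `br0`, as in the poster's rules, and uses the DNAT lines pasted above (trimmed to one PCREDIRECT line) as constructed sample input.

```shell
#!/bin/sh
# Added example (not the poster's or Merlin's code): parse "iptables-save -t nat"
# output and list the external ports that a DNAT rule forwards inward.

# wan_dnat_ports
# Reads iptables-save output on stdin and prints "proto/port -> target" for each
# DNAT rule that matches a destination port. Rules matched on the LAN bridge
# (-i br0, e.g. Merlin's PCREDIRECT redirects) and rules with no --dport at all
# (the DNSFILTER catch-all) are skipped: they do not expose a port on the WAN.
wan_dnat_ports() {
    awk '
    /-j DNAT/ {
        proto = ""; dport = ""; dst = ""; iface = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p")                    proto = $(i + 1)
            else if ($i == "--dport")          dport = $(i + 1)
            else if ($i == "--to-destination") dst   = $(i + 1)
            else if ($i == "-i")               iface = $(i + 1)
        }
        if (dport == "" || iface == "br0") next
        print proto "/" dport " -> " dst
    }'
}

# is_forwarded PORT
# Exit status 0 if some WAN-side DNAT rule forwards that external port.
is_forwarded() {
    wan_dnat_ports | grep -q "^[a-z]*/$1 ->"
}

# Sample input constructed from the DNAT lines the poster pasted above.
# On the router you would run:  iptables-save -t nat | wan_dnat_ports
SAMPLE_NAT='-A DNSFILTER -j DNAT --to-destination 192.168.50.1
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source B4:AE:2B:AA:3B:32 -j DNAT --to-destination 192.168.50.1:18099
-A VUPNP -p udp -m udp --dport 4955 -j DNAT --to-destination 192.168.50.87:4955
-A VUPNP -p udp -m udp --dport 4950 -j DNAT --to-destination 192.168.50.87:4950'

printf '%s\n' "$SAMPLE_NAT" | wan_dnat_ports
if printf '%s\n' "$SAMPLE_NAT" | is_forwarded 21; then
    echo "tcp/21 is forwarded"
else
    echo "nothing forwards port 21"
fi
```

On the poster's table this prints only the two UDP game ports on 192.168.50.87, which matches the Port Forwarding log he reports later; the `-i br0` filter is what keeps the parental-control web redirects from being mistaken for WAN exposure.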
 

Daxx123

Occasional Visitor
Thanks, I think it must be a false alarm. I can't find anything.

Port Forwarding log only shows UDP game ports for Warframe 4950 and 4955.
 

Tech Junky

Very Senior Member
Just tried that, it didn't work.

And I just stuck it on every chain:
iptables -A INPUT -p tcp --dport 20 -j DROP
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A FORWARD -p tcp --dport 20 -j DROP
iptables -A FORWARD -p tcp --dport 21 -j DROP
iptables -A OUTPUT -p tcp --dport 20 -j DROP
iptables -A OUTPUT -p tcp --dport 21 -j DROP

Still shows open.
You still used -A which puts it at the end of the rules. Use -I to insert to the top.
 

Daxx123

Occasional Visitor
You still used -A which puts it at the end of the rules. Use -I to insert to the top.
I did try -I also. I had the rules at the top, at the bottom, and at one point both top and bottom. Still shows open.

I think it's a false positive coming from my ISP's rural wireless radio equipment, like Colin suggested.
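The -A versus -I back-and-forth above comes down to where the rule lands and whether the scan's packets reach the router at all. As an added example, not the poster's firewall-start or Merlin's code, here is a firewall-start fragment that inserts the FTP DROP rules at the head of INPUT on the WAN interface only, without stacking duplicates on each firewall rebuild, plus a counter readout that tells you whether the rule ever sees a packet. `WAN_IF` defaults to `eth0` as a placeholder (on Asuswrt-Merlin the real name is in nvram as `wan0_ifname`), and `IPTABLES` is overridable so the functions can be exercised with a stub.

```shell
#!/bin/sh
# Added example (not the poster's script): a /jffs/scripts/firewall-start
# fragment that blocks inbound FTP on the WAN side and shows whether scan
# traffic ever reaches the router.
#
# Assumptions: WAN_IF is the WAN interface (eth0 is a placeholder; on
# Asuswrt-Merlin use "nvram get wan0_ifname"); IPTABLES is the iptables binary.
WAN_IF="${WAN_IF:-eth0}"
IPTABLES="${IPTABLES:-iptables}"

# block_inbound_tcp PORT
# firewall-start runs every time the firewall is rebuilt, so test with -C
# first; otherwise each run adds another copy of the rule. "-I INPUT 1" puts
# the rule ahead of everything else, which -A does not.
block_inbound_tcp() {
    port="$1"
    if $IPTABLES -C INPUT -i "$WAN_IF" -p tcp --dport "$port" -j DROP 2>/dev/null; then
        return 0   # already in place
    fi
    $IPTABLES -I INPUT 1 -i "$WAN_IF" -p tcp --dport "$port" -j DROP
}

# show_ftp_rule_hits
# Print the port 20/21 INPUT rules with their packet counters. Run the external
# port scan, then run this again: if the counters stay at 0 while the scan still
# reports 21 open, the SYN never reached the router, and the "open" port belongs
# to something upstream (the ISP radio in this thread).
show_ftp_rule_hits() {
    $IPTABLES -L INPUT -v -n --line-numbers | grep -E 'dpt:2[01]([^0-9]|$)'
}

# Apply only where it makes sense: as root on a box that has iptables.
if [ "$(id -u)" -eq 0 ] && command -v "$IPTABLES" >/dev/null 2>&1; then
    block_inbound_tcp 20
    block_inbound_tcp 21
    show_ftp_rule_hits
fi
```

Two points the poster's every-chain attempt obscures: an OUTPUT rule with `--dport 21` only affects connections the router itself originates toward port 21, and a FORWARD rule only matters for traffic a DNAT has already redirected to a LAN host, so neither can change what an inbound scan of the router sees. The INPUT counter is the quick way to separate "the router dropped it" from "it never arrived".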
 

ColinTaylor

Part of the Furniture
I think it's a false positive coming from my ISP's rural wireless radio equipment, like Colin suggested.
If you can use an external (i.e. not from your LAN) connection, e.g. mobile device, you could try connecting to that port and seeing what the banner page shows. If it's your router it should say "Asus". If it's not it'll say something different, e.g.:
Code:
# telnet www.xxx.yyy.zzz 21
220 (vsFTPd 3.0.3)
^C
 

Daxx123

Occasional Visitor
If you can use an external (i.e. not from your LAN) connection, e.g. mobile device, you could try connecting to that port and seeing what the banner page shows. If it's your router it should say "Asus". If it's not it'll say something different, e.g.:
Code:
# telnet www.xxx.yyy.zzz 21
220 (vsFTPd 3.0.3)
^C
Telnet to the ISP radio IP address on port 21 finds a host, opens a black screen, then immediately disconnects me and closes the screen.
 

ColinTaylor

Part of the Furniture
Telnet to the ISP radio IP address on port 21 finds a host, opens a black screen, then immediately disconnects me and closes the screen.
OK, it's not your router then.
 

Daxx123

Occasional Visitor
Thanks everyone, I appreciate all the help in tracing down this FTP open port mystery.

Problem solved.
 

Tech Junky

Very Senior Member
WTH is an ISP device doing with an open port?

These days even for management a port scan shouldn't be able to see that if they use proper management techniques.
 
