port 1024 closed or open not stealth

[JS_racer]

latest merlin and version 3 of the fork are showing my 1024 port as closed or open, but not stealth.
previous versions of merlin were shown as stealth. nothing i am aware of has changed on my end. only use samba local, no outside access granted i don't think.

is a fresh factory restore and setup recommend ?? (last one was at the end of the sk5 versions)

any tips, ideas, suggestions would be great. Thanks!!

(also not seeing the command screen thing any more, say for backing up or restoring dhcp stuff)

 

[L&LD]

The command screen, I can't remember the name too, has been removed because of possible security issues.

I did not have a problem with ports not being in stealth mode with this firmware, even though I am now using the latest RMerlin 376.47. I had used it on RT-AC66U, RT-AC56U, RT-AC86U and RT-N66U routers.

I would recommend a reset to factory defaults and manually setting up any required settings. It seems like something is carrying over from previous firmware and nvram remnants.

 

[JS_racer]

ok, sounds like a plan. Thank you

is it flash, reset to defaults, then power cycle, input stuff again, reboot ?? or am i missing some steps here ??

 

[L&LD]

When I do a full and proper reset to defaults for a customer or when I want to be sure that firmware is truly and properly at default values:


1) Reboot the router. Wait at least 5 minutes for all startup processes to finish.

2) Create a backup of the current config and name it descriptively including the firmware version it should be used with, the router mode and the date of the backup too.

3) Save copies of any custom files created in JFFS folder (if used).

4) Save a copy of the actual firmware itself and put all of this in a single RAR (zipped) file. With WinRAR, I also add a recovery record and also test the new rar file.


With the preventative steps out of the way... let's continue


5) Unplug all USB devices from router.

6) Unplug all LAN network cables from router (unless using one to connect to the controlling computer, of course). Do not unplug the WAN cable.

7) Reboot the router.

8) Reboot the router. Wait at least 5 minutes for all startup processes to finish.

9) Flash the new firmware. Verify it is for the router you're flashing.

10) After the router has rebooted with the new firmware, do the minimum necessary to access the internet. Do not configure anything else.

11) Reboot the router. Wait at least 5 minutes for all startup processes to finish.

12) Go to the gui and do a reset to factory defaults. If it asks for a reboot when it's done, I will physically pull the power from the device. If the router reboots on it's own, I will physically pull the power two minutes after it has rebooted.

13) I will leave it without power attached, along with also turning off the ISP modem (and any other switches, AP's, NAS', printers and any other network devices, for at least 10 minutes and up to 30 minutes or more at this point.

14) Power up the ISP's modem. Wait 2-5 minutes depending on the ISP service provided.

15) Power up the router. Wait at least 5 minutes for all startup processes to finish.

16) Create new ssid's (easier than forgetting the old ssid's on all devices) for both bands.

17) Configure router with your custom requirements.

18) But: Don't change defaults for most settings, yet.

19) Reboot the router. Wait at least 5 minutes for all startup processes to finish.

20) Create a backup of the current config and name it descriptively including the firmware version it should be used with, the router mode and the date of the backup too.

21) Save copies of any custom files created in JFFS folder (if used).

22) Save a copy of the actual firmware itself and put all of this in a single RAR (zipped) file. With WinRAR, I also add a recovery record and also test the new rar file.

23) When you're ready to test these settings, do a hard reboot of the router.



With all of the above steps completed, you are ready to try tweaking the default settings to see what works best for you. I recommend at least a reboot via the gui or a hard reboot after you've made the changes you want to test.

You can now quickly go back to either your original firmware configuration or your new default firmware's configuration to quickly test and compare settings.



The above may sound like a lot, but doing it is actually easier than reading or typing it out.

 

[JS_racer]

Amazing response, thanks so much for the time and effort to type that out. Saved it to a text for use today and in the future.

Strange, showing stealth not changing anything on my part. Well I did unplug my usb hard drive, but only using local access I would think should have no impact on my green results.
Have not done the restart and reload process yet. Could be something on my win7 box reaching out, I see dhcp something in the log, of course I cleared it after a reboot, now no entrees listed.

Suppose the complete reset can't hurt, just a little time to complete.

Hard drive reconnected, still stealth. Win7 box has been idle for a few hours, checking from my tablet, strange

 

[john9527]

Port 1024 is used by a lot of trojans/malware....see http://www.speedguide.net/port.php?port=1024

Have you run a virus scan lately?

 

[JS_racer]

Yes, but I'll run some more. Kaspersky latest anti-virus software, up to date.

 

[john9527]

OK...had to ask on the virus scan.....

Two other thoughts.....

Do a double check for any port forwards direct from nvram and make sure there isn't something wrong there.

nvram get vts_rulelist

Lastly, maybe your ISP node is responding to the port scan (like some VPN providers do). You may want to check for doc/forums on your particular ISP.

 

[fisherman]

When I do a full and proper reset to defaults for a customer or when I want to be sure that firmware is truly and properly at default values:


1) Reboot the router....

Please clarify: when you say "reboot the router" you mean simply the Reboot button in the browser?

And what do you mean by "Hard reboot"?

 

[L&LD]

Yes, reboot via the webgui.

A hard boot is pulling the power from the router while it is running. See step 12 in post #4.

 

[fisherman]

Yes, reboot via the webgui.

A hard boot is pulling the power from the router while it is running. See step 12 in post #4.

Thanks L&LD, that's what I suspected but I wanted to be sure.

 

[L&LD]

Thank you for pointing it out - I thought I had stated that in the original post.

 

[JS_racer]

hmm, router reboot shows stealth on 1024 for a few days, then back to closed.
no clue how to track this down. dang.

still need to follow the great guide posted in this thread, for a clean install to see if that corrects the issue.

 

[john9527]

Next time the port shows up as other than stealth....ssh/telnet to the router and see what the following command shows (if anything)...

iptables -t nat -S | grep 1024

 

[JS_racer]

ok after a day or 2, back to closed. enabled telnet on the admin page, back to stealth after the little reboot it did enabling the feature.
at least i have telnet on the computer and enabled on the router now, for next time.

just to check things i tried iptables -t nat -S | grep 1024 in putty, unknown iptables v1.3.8: Unknown arg `-S' was returned

 

[john9527]

just to check things i tried iptables -t nat -S | grep 1024 in putty, unknown iptables v1.3.8: Unknown arg `-S' was returned

I double checked and the version of iptables used by the N66U doesn't include the -S arg....Sorry. Please try

iptables -t nat -L -v | grep 1024

 

[JS_racer]

I double checked and the version of iptables used by the N66U doesn't include the -S arg....Sorry. Please try

iptables -t nat -L -v | grep 1024

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.10.03 05:10:59 =~=~=~=~=~=~=~=~=~=~=~=
RT-N66R login: ***
Password:


ASUSWRT-Merlin RT-N66U_3.0.0.4 Sun Sep 7 09:19:35 UTC 2014
jas@RT-N66R:/tmp/home/root# iptables -t nat -L -v | grep 1024
jas@RT-N66R:/tmp/home/root#


port is stealth at this time, that could be why the response?? or lack of. (should be closed in another 24hrs. super strange.
thanks very much for the time and effort here, much appreciated.

 

[john9527]

What that command is checking is if there is a port forward being sneaked in somewhere. So no response is a good thing. If it stays no response when the port changes state, at least we can cross that possibility off the list.