RT-AC68U on 380.69 - Port 443 is showing open and too stupid to determine why

Not true. Port 443 is opened on the server side only. The outgoing port from the client will be an ephemeral port.

It is true, on the client side, if only for an ephemeral amount of time. I’ll agree that 443 is open only when browser communications take place then the port closes. However if you are having a shields up performed while your browser is communicating with GRC securely the possibility of a false positive exists.




 
I'm afraid you are misunderstanding how HTTPS works. The client PC opens an ephemeral port locally (say 50000) that connects to the remote server's port 443. Two-way communication takes place between these two ports. At no point in this process is port 443 opened on the client PC.
 
I can't see anything on the router side that would account for an open port. I'm back to thinking that they have the port open at the modem for support/diagnostics. Is there a tech support line you can ask?
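The client/server port behaviour described in the reply above, reproduced on loopback as an added example (not code from the thread). The listener on a kernel-assigned port is a stand-in for a remote server's port 443, and the function name is hypothetical.

```python
import socket

def demo_ephemeral_port():
    """Open one client/server TCP connection on loopback and probe the client's port."""
    # Stand-in for the remote HTTPS server: a listener on a kernel-assigned port
    # (assumption: the real port 443 is not used because binding it needs root).
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    server_port = server.getsockname()[1]

    # The "browser": connect() makes the kernel pick an ephemeral source port.
    client = socket.create_connection(("127.0.0.1", server_port))
    conn, peer = server.accept()
    client_port = client.getsockname()[1]

    # A scanner: try to open a NEW connection to the client's source port.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))   # distinct source port, rules out TCP self-connect
    probe.settimeout(2)
    try:
        probe.connect(("127.0.0.1", client_port))
        probe_result = "open"
    except ConnectionRefusedError:
        probe_result = "closed"    # nothing is listening there, so the kernel sends RST
    finally:
        for s in (probe, conn, client, server):
            s.close()

    return {"server_port": server_port, "client_port": client_port,
            "server_saw_peer_port": peer[1], "probe_of_client_port": probe_result}

if __name__ == "__main__":
    print(demo_ephemeral_port())
```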
 

Thank you for your explanation. I did have a misunderstanding and appreciate your demeanor in pointing that out. Too many times people are “slammed” for misunderstandings.


 
A few more bits of information.

I have tried rebooting the router several times.

I had an OpenVPN running some years back, but it is uninstalled (I turned off that machine and rebooted the router to be sure).

I am on a satellite link via Australia's NBN Sky Muster, so there is an NBN modem and my Asus router in the link.

The Asus router GUI reports the WAN port as the same as ShieldsUp (114.129.137.157)

Also tried to ping this address from outside; ICMP on the WAN port was off, and 100% packet loss. Turned this on and I get results, turn off again and 100% packet loss. So I think the Asus router WAN port is 114.129.137.157.

I also used Fing for port scan from an outside network and it also reports 443 open, so we have contradictory results from ShieldsUp (open), Spiceworks (closed) and Fing (Open).

Unless anyone comes up with a better option I think I should factory reset and start again. Thanks again for the help.

The results of the iptables -t nat -S are below.
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DNSFILTER
-N LOCALSRV
-N PCREDIRECT
-N PUPNP
-N VSERVER
-N VUPNP
-A PREROUTING -d 114.129.137.157/32 -j VSERVER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s 114.129.137.157/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.31.13.0/24 -d 10.31.13.0/24 -o br0 -j MASQUERADE
-A VSERVER -j VUPNP
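
The nat-table output posted above, walked chain by chain, as an added example that is not part of the thread: it follows jumps from PREROUTING and lists any DNAT/REDIRECT rule that could match a given port. It inspects only the nat table, so it says nothing about listening services or filter rules; `WITH_FORWARD` and the LAN address 10.31.13.50 are constructed for contrast.

```python
import shlex

# PREROUTING-side lines of the `iptables -t nat -S` output posted above.
POSTED_NAT = """\
-N DNSFILTER
-N LOCALSRV
-N PCREDIRECT
-N PUPNP
-N VSERVER
-N VUPNP
-A PREROUTING -d 114.129.137.157/32 -j VSERVER
-A VSERVER -j VUPNP
"""
# Constructed for contrast: what a forward of 443 to a LAN host would look like.
WITH_FORWARD = POSTED_NAT + (
    "-A VUPNP -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.31.13.50:443\n")

def parse(dump):
    """Map each chain name to its list of rules (each rule a token list)."""
    chains = {"PREROUTING": []}
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["-N"]:
            chains.setdefault(tok[1], [])
        elif tok[:1] == ["-A"]:
            chains.setdefault(tok[1], []).append(tok[2:])
    return chains

def covers(spec, port):
    """True if a --dport/--dports value (N, LO:HI or a comma list) includes port."""
    ranges = (p.partition(":") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def redirects(dump, port, chain="PREROUTING", chains=None):
    """Follow jumps from PREROUTING; return DNAT/REDIRECT rules that can match port."""
    chains = chains or parse(dump)
    hits = []
    for rule in chains[chain]:
        opts = dict(zip(rule, rule[1:]))        # option -> the token after it
        spec = opts.get("--dport") or opts.get("--dports")
        if spec and not covers(spec, port):
            continue                            # rule only applies to other ports
        target = opts.get("-j")
        if target in chains:                    # jump to a user-defined chain
            hits += redirects(dump, port, target, chains)
        elif target in ("DNAT", "REDIRECT"):
            hits.append((chain, " ".join(rule)))
    return hits
```

`redirects(POSTED_NAT, 443)` returns an empty list because VUPNP, the only chain reachable from PREROUTING, has no rules in the posted output.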

Let’s DOS this IP!!!!!!! ;p

I don’t see any port open in any table
If there is any, you should see
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT

Just want to be sure your modem is not a router with its own firewall.

Previously the last test, was the port open? Same firmware version or older version during the test?

Could it be a firmware upgrade issue? Did you do a factory reset after flashing the firmware?

I tested various port scan sites on 443
ShieldsUp - stealth
Mxtoolbox - Filtered (recommended to use)
Spiceworks - closed

I tried opening my VPN server in tcp 443,
All show open.

So I assume the site port scan is valid and accurate.


I would suggest a factory reset first, and before setting up stuff, do the test first.
If the factory reset doesn't work, flash the firmware again followed by a factory reset.
 
Most of the tests have been on the same current firmware. When I first found the issue I was on the previous one but did an upgrade immediately. I did not do a factory reset.
Yes, I agree with DonnyJohnny - I will reset and retest as he suggests. Will take a day or so as I can't go offline just yet.
Thanks again to all
 
OK, now I am really confused...
I have done as DonnyJohnny suggests above, and have restored to factory default (note this is the version on the admin menu, not the hold-down-the-power-key thing). 443 still open.
So I updated the firmware again and restored to factory settings - no different.
To be clear, the test was run as soon as possible after the restores, before I changed anything but the admin password, which it forces me to do before the WAN is available. At that time everything in the house was switched off bar the machine doing the router admin and the ShieldsUp test. Fing from my mobile phone on 3G only confirmed the port is open.

Going down the modem-in-front-of-the-router option, I did a tracert google.com. I think this shows there is no IP-addressable device in front of the router (due to the satellite latency).

1 <1 ms <1 ms <1 ms RT-AC68U-CDD0.lelal.lan [10.31.13.254]
2 1906 ms 639 ms 638 ms 114.129.128.1
3 609 ms 639 ms 678 ms 180.181.0.130
4 641 ms 718 ms 719 ms 103.206.236.98
5 692 ms 709 ms 720 ms 108.170.247.81
6 712 ms 719 ms 1919 ms 74.125.37.201
7 632 ms 638 ms 639 ms syd15s03-in-f14.1e100.net [172.217.25.142]

Trace complete.

I am coming to the conclusion that there is a problem somewhere in the firmware.

Should my next test be to load up the standard Asuswrt firmware rather than the Merlin version?
Or are there any other options I should try?
I assume the hold down the power key is just an extreme version of going back to the standard Asus firmware?
Thanks again
Al
 
My gut feeling is that there's nothing wrong with the router/firmware and that what you are seeing is some upstream device that is peculiar to your satellite service.

You can easily check whether something on the router is listening on port 443 by going to Network Tools > Netstat and selecting Netstat/Display listening server sockets/No resolve. Look down the local address column for any entries that end in ":443".
 
Connect to it with a browser and see what comes up. That will tell you what it's from.
 
Deadeye and gents: Steve Gibson made Shields Up and his other tools are available as a free, secure service for anyone to use. Unlike the countless hackers who are always scanning the web and your system, you'll never have to worry that Steve would inspect or mine your data, or look at your ports. Some of the dates on his entries go back a good while. There are many other good port scanners, one we used recently is http://www.advanced-port-scanner.com/

I used Spin Rite to recover a client's drive one Sunday in the 90s; on that one day it covered my operating expenses for a month. The client didn't have time to ship the drive to a data recovery service. I recovered all of their files, transferred them to another drive, as well as installed the OS on another drive, assuring me of all their business for life. With the referrals, it was the kind of work that never stops paying. Haven't yet found a tool that does exactly what Spin Rite can do, or as well, as long as you can just let it run. It's a selective tool for a particular problem. If Steve could update it to use the RAM capacity of the board it's attached to, that would be a speed enhancement that would be worth the cost of the upgrade. (At least we don't have to work with rope memory.) There are some incredibly fast forensic programs as well as good freeware tools for recovering and restoring deleted/lost partitions and drives, which Spin Rite doesn't do. Cheers.
 
@RMerlin
I built lsof with the firmware by changing obj-n to obj-y in the Makefile.
It seems fine and makes it easy to confirm which port depends on which service.
Does this have any potential conflict with the firmware?
 

Shouldn't cause any problem, no.
 
Hi all,

I have tried ColinTaylor's suggestion and run netstat on the router with no sign of 443 open, so I suspect he is correct and something upstream is doing this. I will take the router over to a neighbour who has ADSL in a while, but they are away at the moment, so it will be a week or more till I report that.

Thanks again for all your help.
Al
 
