WAN open ports 2601 & 2602

[azarug]

Hi,

Just installed AsusWrt-Merlin v386.7_2 in my old RT-AC68U.

When i do a nmap port scan to my public ip address i get two open ports:

Discovered open port 2601/tcp on xxx.xxx.xxx.xxx
Discovered open port 2602/tcp on xxx.xxx.xxx.xxx

Seems this two ports shouldnt be accesible from the internet.

I have no experience with merlin firmware and i would appreciate any help to fix this issue.

Thanks in advance for any help.

p.s. is there a option to filter all ports in the wan side unless there is a port forward (i have 2 open ports for my nas)? In the LAN side i dont mind all ports are open, its just me, but im concerned about having open ports in the internet.

 

[ColinTaylor]

The router doesn't use those ports. Are you initiating the port scan from inside your LAN or from the internet? It could be a false positive.

You can check the currently active port forwarding rules at System Log - Port Forwarding. You can see what ports the router itself is listening on with

netstat -nltup

p.s. is there a option to filter all ports in the wan side unless there is a port forward (i have 2 open ports for my nas)?

This is the default behaviour of the router's firewall.

 

[azarug]

Hi,

Thanks for thge quick reply.

I run nmap from outside my network (internet).

As suggested i used the netstat tool from the router itself and got this result:
(erased some entries to hide ip and specific ports i forward)

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:2601 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2602 0.0.0.0:* LISTEN
tcp 0 0 :::2601 :::* LISTEN
tcp 0 0 :::2602 :::* LISTEN

Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 8960 /var/run/amas_lib_socket
unix 2 [ ACC ] STREAM LISTENING 7450 /var/run/zserv.api
unix 2 [ ACC ] STREAM LISTENING 1607 /var/run/lldpd.socket
unix 2 [ ACC ] STREAM LISTENING 8012 /var/run/conndiag_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 367 /tmp/ps_sock
unix 2 [ ACC ] STREAM LISTENING 7072 /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 1189 /var/run/protect_srv_socket
unix 2 [ ACC ] STREAM LISTENING 123316 /var/run/rast_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 7381 /var/run/wlcnt_socket
unix 2 [ ACC ] STREAM LISTENING 983 @/sys/entropy/haveged
unix 2 [ ACC ] STREAM LISTENING 1248 /var/run/nt_center_socket
unix 2 [ ACC ] STREAM LISTENING 995 /var/run/netool_socket
unix 2 [ ACC ] STREAM LISTENING 123367 /var/run/rast_internal_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 1266 /var/run/nt_actMail_socket
unix 2 [ ACC ] STREAM LISTENING 9463 /var/run/cfgmnt_ipc_socket

This is after a fresh install just adding some port forward. Firmware downloaded from oficial webpage.

The ports seem to have something to do with "zserv.api" .. Just googled it (zebra server?).

Seems its a daemon that should be filtered from the WAN but not from the LAN ... Ill check whats in the firewall menu

Any suggestion appreciated.

 

[ColinTaylor]

Thanks. It would be more informative if you were to SSH into the router and run netstat -nltup. That will show you the processes associated with the ports.

Are you using IPv6?

 

[ColinTaylor]

EDIT: Are you using IPTV? It looks like some of those profiles (Moviestar?) might enable Quagga (zebra and ripd).

 

[azarug]

THANKS!

Movistar is my isp and saw it in the list and just used that option; i need a VLAN ID for my PPPOE internet and that just worked (internet - vid:6 prio:1).

After using a manual profile those ports wont show anymore. I actually dont use iptv, but seems to be the place to setup vlanid for my internet.

Allso no IPv6.

Thanks for pointing me in the correct direction.