Webadmin accessible on port 80 from WAN!

jamesbeeston

Last night I installed AsusWRT v378.55 on my Asus RT-N66U and restored defaults after installing the firmware and then reconfigured it using screenshots I'd made of my old standard Asus config.

I have set Enable Web Access from WAN to NO in the Administration page of the web UI. This does indeed prevent it from being accessible on the remote configuration port of 8080; however, very worryingly, I can still access it from the WAN on port 80! I cannot understand this. I don't know if somehow it's just me or a bug in the release.

Here's a cut and paste of the netstat while SSH'd into the router where you can clearly see port 80 is listening.

admin@RT-N66U-A548:/tmp/home/root# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5473            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3394            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:1990        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:139         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9998            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:53          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:35735           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:445         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3838            0.0.0.0:*               LISTEN


Please can someone else test this with this firmware release and let me know if they see the same behaviour, and can anyone help figure out why on earth the web GUI is accessible on port 80 when remote administration is turned off?

Thanks in advance for any help offered.
 
Webui is definitely NOT accessible from the WAN unless you enable it, or you disable the firewall. Make sure you actually test it while outside your network - testing it from inside would totally bypass the firewall by looping within your LAN.
 
My firewall is disabled and the more reading I'm doing the more I'm thinking I need that enabled - your comment implies that disabling the firewall is utterly ridiculous and prior to now I had no idea how serious the consequences could be. I didn't realise that access to the webadmin was available from the internet if the firewall was turned off even if the remote administration was turned off. Definitely testing externally from my connection at work.

So it seems that no one should be disabling that firewall in the settings?

Are there any other recommendations you can suggest to thoroughly wipe and reset the router back to defaults if the process I followed last night is not thorough (your latest firmware applied then reset to defaults within the web gui then re-run through the out of the box setup wizard)? I'm fairly certain my router was compromised when running one of the official ASUS firmware versions so I want to be absolutely sure I've got rid of anything related to that.
 
James, have a read of Merlin's advice on restoring to factory default (and check that's what you did last night) and how to do it. That clears all your settings back to the baseline:

http://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/

I think I'm right in saying that in this restored, basic state you are quite safe in that those settings don't leave you dangerously exposed, then it's up to you to ensure any changes you make to those basic settings only enhance your security, or, put another way, if you make any changes that reduce security, you are doing so knowingly and are aware of the risks (far easier said than done!). Just come back with any questions on specific settings.

I suppose if you feel the router's been compromised you could re-flash with 378.55, but I'm sure that is essentially identical to a restore to factory default, but you might get a warmer feeling of everything having been wiped.
 
I had read that earlier this afternoon and I believe I've cleaned it sufficiently by flashing THEN restoring defaults and as restore defaults through the web-gui seems to be one valid option to wipe the config it seemed that I'd carried out a valid reset process. However, I thought I read another article somewhere where someone did a restore defaults and it didn't clear a setting they'd changed but I don't recall where I saw that now and it potentially was with old firmware. It just made me a bit nervous as to how definite the flash then restore defaults would be in removing any compromised settings.

I don't recall whether the firewall was on or off in the default newly flashed image. However, the text at the top of the firewall administration page says "Enable the firewall to protect your local area network against attacks from hackers. The firewall filters the incoming and outgoing packets based on the filter rules." which sort of implies protecting the LAN and not the router itself. I'm sorry if I appear a bit picky but I'm just rather surprised that with the firewall off, the admin pages of the router are published to the WAN even with the remote administration setting turned off. If this is by design then it would seem wise to add a warning to this effect at the top of the firewall page, e.g. "Note: Turning off the firewall will make services such as the web administration page accessible from the internet even if remote administration is turned off". I'm sure there could be a better way of doing things here (only bind the web service to the router's LAN interface and on configuration of the remote administration set up an iptables forward rule to that service).

In the meantime, I will enable the firewall and ensure that the admin page is no longer accessible.
 
So it seems that no one should be disabling that firewall in the settings?

Correct. At least nobody who uses that router to front their Internet. Disabling the firewall should only be for people with very specialized setups (for example where they use the router to route an internal subnet, without NAT involved, within an existing LAN).
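
A way to read the netstat listing from the first post with this thread's conclusion in mind, as an added example that is not part of any post: it sorts TCP listeners by bind address, so the ones bound to 0.0.0.0 (every interface, WAN included, and therefore dependent on the firewall) stand out from those bound only to the LAN address or loopback. The function names are hypothetical, and the sample input is a constructed excerpt shortened from the listing above.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `netstat -an` output by bind address.

# Constructed sample, shortened from the listing in the first post.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.1:1990 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN
EOF
}

# classify_listeners LAN_IP
# Reads `netstat -an` text on stdin and prints "SCOPE PORT" for each TCP listener.
classify_listeners() {
    awk -v lan="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]                      # last field, so ":::80" also works
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::")      scope = "ALL"
            else if (host ~ /^127\./ || host == "::1")  scope = "LOOPBACK"
            else if (host == lan)                       scope = "LAN"
            else                                        scope = "OTHER"
            print scope, port
        }'
}

# wildcard_ports LAN_IP
# Ports bound to every interface: only the firewall keeps these off the WAN side.
wildcard_ports() {
    classify_listeners "$1" | awk '$1 == "ALL" { print $2 }' | sort -n
}

# Demonstration on the constructed sample.
sample_netstat | classify_listeners 192.168.0.1
```

On the router itself the same functions would take live input, for example `netstat -an | wildcard_ports 192.168.0.1`.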
 
