What's up with all the open ports?

raptorjesus

Hi, I'm using AC68U_378.54_2.trx. I did a port scan from the WAN, which showed NetBIOS ports and tcp/554 not dropping packets; this seems to be something that my ISP does. However, it also led me to scan from the LAN, and wtf?

Anyone know what all these open ports are for?

Also, I was going to make my own (stricter, simpler) iptables ruleset. However, the number of interfaces on the AC68U together with the complexity of the default firewall rules (lots of custom chains etc.) made me wish for something to start with. Are any examples of from-scratch iptables rulesets for the AC68U available?

Code:
wizard@RT-AC68U:/tmp# netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:39616           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5473            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3394            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:139            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:53             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:445            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3838            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     738094 /var/nmbd/unexpected
unix  2      [ ACC ]     STREAM     LISTENING       1139 /var/run/avahi-daemon/socket
 
Proprietary Broadcom stuff and a few expected ports, like HTTP, SMB(?), SSH, DNS, and probably a few others I do not recognize.

I do not understand why so many accept these proprietary ports being open (towards the LAN), but only a small minority (TinFoil Hat Club) shares my concerns.

You can compile your own firmware and/or kill unneeded services.
 
Editing source to tighten security and forking my own firmware is, I think, beyond my capabilities, unfortunately. If you changed your setup to meet these concerns, do you mind sharing? I think these concerns are not tin-foil-hat paranoia, it's just sensible security-oriented thinking.
 
I agree.

I tried a few things like editing the target.mak, auto-killing services, and a couple of other hacky, amateur things. Ultimately, I just stayed with Merlin's build or John's fork because I felt it was safer to use a more popular, proven firmware instead of ignorantly hacking my own.

Though, partly for security purposes, I did replace my Asus router (which is now AP only) with pfSense. I prefer to have my internet gateway router run minimal services (No AiCloud, NAS, FTP, BitTorrent, etc) and zero proprietary services.
 
That's obviously awesome if you have the hardware to spare.

I'm thinking a custom iptables ruleset would be a "second best" solution, however the multitude of network interfaces and custom chains somewhat confuses me. You guys think something like this would work?

1. /jffs/scripts/firewall-start that flushes all chains (nat, mangle and filter) and iptables-restore < /jffs/myrules

2. write rules for br0 as internal iface, eth0 as external iface, simply ignore vlan1-2, eth1-2?

3. simply ignore/remove all custom chains such as FUPNP, PControls, logaccept, logdrop, VUPNP, VSERVER, PCREDIRECT, LOCALSRV, DNSFILTER?

4. set up strict rules, maybe even limit the router's OUTPUT -> LAN to http/https, dhcp, dns, ssh communication
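A concrete version of steps 1 to 4, added here as an example and not something posted in the thread. It assumes br0 as the LAN bridge, eth0 as the WAN interface and 10.0.0.0/24 as the LAN subnet (the 10.0.0.1 in the netstat listing above); all three are assumptions to adjust, and /jffs/myrules plus the `apply` argument are this script's own conventions. It emits one iptables-restore file covering the mangle, nat and filter tables, so loading it replaces the firmware's rules and custom chains in those tables in a single step instead of flushing them one by one:

```shell
#!/bin/sh
# Added example (not from the thread): a from-scratch ruleset for an RT-AC68U
# in router mode, loaded in one shot with iptables-restore.
# Assumptions (hypothetical, adjust to your box): LAN bridge br0, WAN eth0,
# LAN subnet 10.0.0.0/24, and the router only has to serve DHCP, DNS,
# HTTP(S) and SSH to the LAN.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
RULES_FILE="${RULES_FILE:-/jffs/myrules}"

# Emit the complete ruleset in iptables-restore format. Every table listed
# here is flushed by iptables-restore before the lines below are loaded, so
# the firmware's custom chains (VSERVER, logdrop, PControls, ...) disappear.
gen_rules() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Router-bound traffic: loopback, replies to what the router started, then
# only the services the LAN should see. Everything else (SMB on 139/445,
# the daemons on 3394/5473/18017/39616, lpd, ...) hits the DROP policy.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 53 -j ACCEPT
-A INPUT -i ${LAN_IF} -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i ${WAN_IF} -p udp --sport 67 --dport 68 -j ACCEPT
# Forwarding: LAN out to the WAN plus return traffic, nothing inbound.
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# Router-originated traffic: anything towards the WAN (upstream DNS, NTP,
# DHCP client), but towards the LAN only DHCP/DNS answers, replies to
# accepted connections and ICMP (step 4 of the plan).
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ${WAN_IF} -j ACCEPT
-A OUTPUT -o ${LAN_IF} -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o ${LAN_IF} -p udp --sport 53 -j ACCEPT
-A OUTPUT -o ${LAN_IF} -p icmp -j ACCEPT
COMMIT
EOF
}

# Write the ruleset and load it. iptables-restore commits a table only if
# the whole table parses, so a typo leaves the old rules in place rather
# than a half-loaded firewall.
apply_rules() {
    gen_rules > "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

# "apply" loads the rules (this script's own convention); with no argument
# the ruleset is only printed so it can be reviewed first.
case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Save it as, for instance, /jffs/myfirewall.sh and have both /jffs/scripts/firewall-start and /jffs/scripts/nat-start run `sh /jffs/myfirewall.sh apply`, since the firmware rewrites its nat rules on WAN events. Run it without arguments first to read the ruleset, and keep a console open the first time it is loaded: with a DROP policy on OUTPUT, anything the router itself needs that is not listed (an IPv6 path, a service on a port outside the multiport list) stops working until a rule is added. After loading, rescan from the LAN; any port other than 22, 53, 80 and 443 that still shows open is a listener the filter is not seeing, which is worth knowing in its own right.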
 
I would try to help but I have zero experience with iptables.
 
I just did what I described above: /jffs/firewall-start and /jffs/nat-start that flush all existing rules, replacing them with strict rulesets. However, nmap still reports 445/tcp open when scanned from the LAN. This is true even when -A INPUT -p tcp --dport 445 -j DROP is inserted at the top of the INPUT chain. This is simply confusing.
 
Just disable Samba + Master Browser support, that will close all the SMB ports (139+445).
 
Fascinating thread, but I can't pretend to fully understand the discussion. I'd not heard of pfSense, but that has not been without its problems (multiple vulnerabilities discovered in March 2015. But then, since last year, no-one now equates open source with near-perfect security.)

Nevertheless, and I know there can, anyway, be no definitive answer to this, I wish I could evaluate the risks. Am I correct in thinking that open ports, LAN-side, are a risk only if, firstly, the hacker has access to the LAN, and, secondly, there is an exploitable vulnerability in the server listening on that port? Similarly, open ports WAN-side are a risk if there's a vulnerability in the server listening on that open port? But I realise that, until publication, a vulnerability is one of those "unknown unknowns" eg as with pfsense earlier this year. And I also subscribe to the philosophy: ".... I prefer to have my internet gateway router run minimal services (No AiCloud, NAS, FTP, BitTorrent, etc) and zero proprietary services."
 
Thanks for your reply, RMerlin, and thank you for your vast improvement of the standard Asus firmware.

It indeed works as you described; what baffles me is how a specific rule at the top of the INPUT chain to drop packets heading to a specific port does not seem to do that. Is there something in the network code of the firmware that circumvents netfilter/iptables?

Also, just out of curiosity, is there any documentation you can point me to of the services listening to non-standard ports on the device?
 
For some reason, I've had the same issue specifically with port 445 back when I was working on a different bug where port 445 was actually exposed to the WAN. I've never been able to fully figure out why dropping port 445 in the INPUT chain wouldn't work back then.

Search the forums, that discussion came up quite regularly. Most of these ports are for the printer sharing (instructions have been posted on how to manually disable the service), UPNP, and internal Broadcom services (such as the acsd daemon).
 
You can find out which binaries keep ports open with lsof. In my case:

Code:
admin@RTN66U:/tmp/home/root# lsof -i | grep LISTEN
wanduck  254  admin  4u  IPv4  1256  0t0  TCP *:18017 (LISTEN)
telnetd  261  admin  3u  IPv6  1263  0t0  TCP *:telnet (LISTEN)
dnsmasq  279 nobody  7u  IPv4  1477  0t0  TCP router.asus.com:domain (LISTEN)
dnsmasq  279 nobody  9u  IPv4  1479  0t0  TCP localhost.localdomain:domain (LISTEN)
httpd  280  admin  4u  IPv4  1491  0t0  TCP *:www (LISTEN)
ots  291  admin  4u  IPv4  1528  0t0  TCP *:9998 (LISTEN)
u2ec  423  admin  7u  IPv4  2114  0t0  TCP *:3394 (LISTEN)
u2ec  423  admin  9u  IPv4  2117  0t0  TCP *:5473 (LISTEN)
lpd  424  admin  3u  IPv4  1941  0t0  TCP *:Printer (LISTEN)
lpd  424  admin  4u  IPv4  1942  0t0  TCP *:laserjet (LISTEN)
lpd  424  admin  5u  IPv4  1943  0t0  TCP *:3838 (LISTEN)
u2ec  517  admin  7u  IPv4  2114  0t0  TCP *:3394 (LISTEN)
u2ec  517  admin  9u  IPv4  2117  0t0  TCP *:5473 (LISTEN)
u2ec  518  admin  7u  IPv4  2114  0t0  TCP *:3394 (LISTEN)
u2ec  518  admin  9u  IPv4  2117  0t0  TCP *:5473 (LISTEN)
pptpd  12047  admin  6u  IPv4 1885473  0t0  TCP *:1723 (LISTEN)
  • wanduck - shows a redirect message when no internet connection is available,
  • telnetd - self-explanatory,
  • dnsmasq - DHCP server and DNS server,
  • httpd - web UI and firmware logic,
  • ots - (?) something related to access point,
  • u2ec - USB2IP Elpida solution, used for printers,
  • lpd - printer spooler,
  • pptpd - self-explanatory.
Code:
admin@RTN66U:/tmp/home/root# lsof -iUDP
COMMAND  PID  USER  FD  TYPE  DEVICE SIZE/OFF NODE NAME
syslogd  167  admin  5u  IPv4  774  0t0  UDP *:50831
wanduck  254  admin  5u  IPv4  1257  0t0  UDP *:18018
eapd  268  admin  6u  IPv4  1359  0t0  UDP *:38000
eapd  268  admin  7u  IPv4  1360  0t0  UDP *:42000
eapd  268  admin  8u  IPv4  1369  0t0  UDP *:43000
nas  274  admin  3u  IPv4  1383  0t0  UDP localhost.localdomain:38032
acsd  276  admin  4u  IPv4  1384  0t0  UDP localhost.localdomain:42032
dnsmasq  279 nobody  4u  IPv4  1473  0t0  UDP *:bootps
dnsmasq  279 nobody  6u  IPv4  1476  0t0  UDP router.asus.com:domain
dnsmasq  279 nobody  8u  IPv4  1478  0t0  UDP localhost.localdomain:domain
infosvr  283  admin  4u  IPv4  1531  0t0  UDP *:9999
networkma  284  admin  19u  IPv4  6772  0t0  UDP *:45305
udhcpc  320  admin  5u  IPv4 4169236  0t0  UDP *:bootpc
u2ec  423  admin  8u  IPv4  2116  0t0  UDP *:5474
u2ec  517  admin  8u  IPv4  2116  0t0  UDP *:5474
u2ec  518  admin  8u  IPv4  2116  0t0  UDP *:5474
vpnclient 12040  admin  5u  IPv4 4192015  0t0  UDP *:56901
  • syslogd - self-explanatory,
  • wanduck - see above,
  • eapd - Broadcom EAP dispatcher (wireless-related stuff),
  • nas - Broadcom Network Authentication Service (wireless-related stuff),
  • acsd - Broadcom Wireless Channel Service (wireless-related stuff),
  • infosvr - Asus daemon used with some Asus tools,
  • networkma - for Windows Network Map,
  • udhcpc - DHCP client,
  • u2ec - see above,
  • vpnclient - self-explanatory.
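The lsof listing above needs Entware; on a stock box without it, the same port-to-process mapping can be done from /proc alone, which is what the following added example does (written for this page, not code from the thread or the firmware). /proc/net/tcp lists every socket with its state and inode, and /proc/PID/fd holds a `socket:[inode]` link for each socket a process owns, so matching the two gives the owner of every listener. The /proc/net/tcp sample inside the script is constructed for the demonstration, not captured from a router:

```shell
#!/bin/sh
# Added example (not from the thread): map listening TCP sockets to the
# process holding them using only /proc, for a router where lsof is not
# installed and the busybox netstat has no -p. Plain POSIX sh, so it runs
# on the firmware's busybox ash as well as on a desktop shell.

# Constructed sample of /proc/net/tcp (not captured from a real router):
# 127.0.0.1:53 and 10.0.0.1:445 listening (state 0A), plus one
# established connection (state 01) that must be ignored.
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1477 1 0000000000000000 100 0 0 10 0
   1: 0100000A:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2203 1 0000000000000000 100 0 0 10 0
   2: 0100000A:1F90 0200000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 20 4 30 10 -1'

# Turn the kernel's little-endian hex IPv4 ("0100000A") into dotted form:
# the first byte printed is the last octet.
hex_to_ip() {
    h=$1
    o4=${h%??????}
    r=${h#??}; o3=${r%????}
    r=${r#??}; o2=${r%??}
    o1=${r#??}
    printf '%d.%d.%d.%d' "$((0x$o1))" "$((0x$o2))" "$((0x$o3))" "$((0x$o4))"
}

# Read /proc/net/tcp on stdin and print "ip:port inode" for every socket in
# state 0A (LISTEN). The inode is the key that links it to a process.
listeners_from_proc_tcp() {
    while read -r sl laddr rem st rest; do
        [ "$st" = "0A" ] || continue
        set -- $rest               # tx:rx tr:when retrnsmt uid timeout inode ...
        inode=$6
        ip=$(hex_to_ip "${laddr%%:*}")
        port=$((0x${laddr##*:}))
        printf '%s:%s %s\n' "$ip" "$port" "$inode"
    done
}

# Find the process whose fd table contains socket:[inode]; print "pid name".
# Needs root to read other users' fd tables.
owner_of_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        return 0
    done
    return 1
}

# On a Linux box report the live listeners; elsewhere just run the parser
# over the constructed sample.
if [ -r /proc/net/tcp ]; then
    listeners_from_proc_tcp < /proc/net/tcp | while read -r sock inode; do
        printf '%-24s %s\n' "$sock" "$(owner_of_inode "$inode" || echo '? (not visible)')"
    done
else
    printf '%s\n' "$SAMPLE_PROC_TCP" | listeners_from_proc_tcp
fi
```

Run it as root on the router to get one line per listener with the owning PID and command name; /proc/net/tcp6 has the same layout for the `:::22` style IPv6 listeners, with a 32-hex-digit address in place of the 8-digit one, so only hex_to_ip would need extending to cover those.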
 
I do wonder the merits of having services like samba and media server turned on by default.

From a security perspective they should be off and needing manually turning on.
 
After installing Entware, this will do the trick:

Code:
opkg install lsof

Thank you. Ever since I started to learn from this superb forum some 9 months ago, I'd wondered how long it would be before I ended up installing Entware. Looks like the day's finally arrived (or it would if I had a usb drive plugged in) . Nine months ago, out of fear, I would have dismissed it, but thanks to the knowledge I've gained from the forum since then, I now have no trepidation at all.

Sincere thanks.
 