
RT-AC68U on 380.69 - Port 443 is showing open and too stupid to determine why

BushAl

New Around Here
Hi all,
On a routine check of the router (every 6 months or so) I noticed 443 was not stealthed but open.
I think I have checked all the normal things as below but nothing seems to help. Any tips or things to try very gratefully accepted.

Port trigger, port forwarding, DMZ and NAT pass-through all disabled
AiCloud 2.0 has cloud disk, smart access and smart sync all off. In desperation I moved the AiCloud web access port to 9998. No change.
Enable UPnP is no
Enable SSH is lan only
Enable Web Access from WAN is no

I must have missed something as I have turned off every machine in the local network and retried from two different machines.

Thanks in advance
Al
 
Did you mention you turned off the AiCloud service?
By the way, what firmware version are you using?

Maybe you want to show the iptables -S output.
Should show something there.
 
Thanks for your comments, so far nothing obvious to my untutored eye.
The firmware is showing 380.69, which I think is the latest version.
I also used ShieldsUp for the scan.
AiCloud 2.0 has cloud disk, smart access and smart sync all off. I pressed the Uninstall button a few times, but it doesn't seem to do anything obvious.
I will append the iptables -S below. No sign of any port 443, but they seem to show a port forward or similar (NSFW?). However I have confirmed they are off in the GUI.
Is there an easy way I can reset the iptables to the default position?
Failing that, is the easiest way to reset to factory defaults, load the latest firmware and start again?
Thanks again for any help.

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N FUPNP
-N INPUT_ICMP
-N NSFW
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N logaccept
-N logdrop
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A NSFW -i br0 -o eth0 -p ipv6-auth -j DROP
-A NSFW -i br0 -o eth0 -p ipv6-crypt -j DROP
-A NSFW -i br0 -o eth0 -p udp -m udp --dport 4500 -j DROP
-A NSFW -i br0 -o eth0 -p udp -m udp --dport 500 -j DROP
-A NSFW -i br0 -o eth0 -p udp -m udp --dport 1701 -j DROP
-A NSFW -i br0 -o eth0 -p gre -j DROP
-A NSFW -i br0 -o eth0 -p tcp -m tcp --dport 1723 -j DROP
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
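As an added illustration (not code from the thread or from the router firmware), the following Python walks the filter-table INPUT chain from the iptables -S output above for an unsolicited SYN to port 443 arriving on the WAN interface (eth0). It shows the packet falling through the empty PTCSRVWAN chain to the final -j DROP, so the router's own INPUT rules are not what answers on 443; the rule subset and the sample packets are constructed, and the matcher only understands -i, -p, --dport and --state.

```python
import shlex
# Constructed subset of the filter-table "iptables -S" output quoted earlier in the thread.
IPTABLES_S = """
-P INPUT ACCEPT
-N PTCSRVWAN
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
"""

def parse(dump):  # -> (policies, chains) from "iptables -S" text
    policies, chains = {}, {}
    for tok in map(shlex.split, dump.strip().splitlines()):
        chains.setdefault(tok[1], [])
        if tok[0] == "-P": policies[tok[1]] = tok[2]
        elif tok[0] == "-A": chains[tok[1]].append(tok[2:])
    return policies, chains

def rule_matches(rule, pkt):
    """Evaluate the match options before -j; "-m <module>" itself adds no constraint."""
    opts, negate = iter(rule[:rule.index("-j")]), False
    for opt in opts:
        if opt == "!":
            negate = True
            continue
        val = next(opts)
        ok = {"-i": pkt["iface"] == val, "-p": pkt["proto"] == val, "--dport": pkt.get("dport") == val,
              "--state": pkt["state"] in val.split(",")}.get(opt, True)
        if ok == negate:  # plain mismatch, or a negated ("!") match
            return False
        negate = False
    return True

def walk(policies, chains, chain, pkt):
    """Walk a chain in order; return ACCEPT/DROP, else the chain's policy (None for user chains)."""
    for rule in chains[chain]:
        if "-j" not in rule or not rule_matches(rule, pkt):
            continue
        target = rule[rule.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return policies.get(chain) if target == "RETURN" else target
        verdict = walk(policies, chains, target, pkt) if target in chains else None
        if verdict:  # a user chain gave a final verdict; LOG or an empty chain falls through
            return verdict
    return policies.get(chain)

# Constructed packets: an unsolicited SYN to port 443 arriving on the WAN (eth0) and on the LAN (br0).
WAN_SYN = {"iface": "eth0", "proto": "tcp", "dport": "443", "state": "NEW"}
LAN_SYN = {"iface": "br0", "proto": "tcp", "dport": "443", "state": "NEW"}
```

Running walk(*parse(IPTABLES_S), "INPUT", WAN_SYN) returns DROP while the LAN packet returns ACCEPT, which is why the later replies look at the modem in front of the router and at the scan source rather than at these rules.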
 
Can you try a different method to contact grc.com? So if you're currently doing the scan using your smart phone and 3G, try and use a public wifi instead, and vice versa (with 3G turned off).
 
Can you try a different method to contact grc.com? So if you're currently doing the scan using your smart phone and 3G, try and use a public wifi instead, and vice versa (with 3G turned off).
Question... he is testing his router IP, why switch IP and test another IP not related to the router?

Regarding resetting the firewall to default.
If you don't have any customised firewall scripts in /jffs/firewall-start, whenever you reboot or restart the firewall service the firewall is loaded with defaults.

Have you tried testing the port scan after a reboot of the router? If you have tested it and the result is the same (port open), then I think the next step is a factory reset.
If a factory reset still doesn't work, reflash the firmware and do a factory reset.
 
Port forwards are set in the NAT table, so dump that to double check.

Also, have you replaced your modem since your last test? Maybe your modem is the one that is actually exposed?
 
My bad..
iptables -t nat -S
 
Question... he is testing his router IP, why switch IP and test another IP not related to the router?
....

When I've done an external scan of my public IP, I've had the occasional anomalous result (false positive open port) depending on the networks used. Someone once gave an explanation but I can't remember what it was.
 
Still don't see the logic.
I live behind door A, but I give you the door B address. You keep knocking at door B; I wouldn't know because I am behind door A.

Door B opens the door, looks at you and asks who you are looking for. You say you are looking for the person behind door A. He gives you the blur look. Hahaha
 
Check that the WAN IP address reported in the router's GUI matches that on the GRC testing site. You might be behind some sort of NAT.
 
Still don't see the logic.
I live behind door A, but I give you the door B address. You keep knocking at door B; I wouldn't know because I am behind door A.

Door B opens the door, looks at you and asks who you are looking for. You say you are looking for the person behind door A. He gives you the blur look. Hahaha

Sorry; of course you’re right. He used Shieldsup, and I’d forgotten I’d been using the port scanner in my Network Toolbox app directed at my external IP address. Lovely analogy!
 
I have a feeling John may be right... maybe the firewall is at the modem/router and not the router itself. Modem/router should be set to bridge mode. I am not sure...
 
I wouldn't recommend waiting six months to run a routine check, have been using this for years: https://www.grc.com/x/ne.dll?bh0bkyd2
Cheers.

I'm appreciative of Steve's work in education and providing tools to help end users with common Windows problems. I used his products, including SpinRite, when I started my IT career back in the late 90s. Sadly, his tools don't appear to have been updated recently, and while they may provide information I'd look to validate those results by using other tools as well. I have spent untold hours trying to get to the bottom of an issue that frankly didn't exist because I didn't verify his test results. There are other places that also do port scanning/pentesting which are more comprehensive IMO.

BTW 443 will be open if a VPN is running. With so many people working from home via their computer, they don't realize that the company's software includes a VPN product to protect customers' data.



Sent from my iPhone using Tapatalk
 
BTW 443 will be open if a VPN is running. With so many people working from home via their computer, they don't realize that the company's software includes a VPN product to protect customers' data.
That's a good point. His first iptables output showed he wasn't running a VPN client on the router, but these results could also be obtained if he is running a VPN on one of his PCs (I think that would show up in the nat table as well)
 
Thanks a heap for all these replies, though I am struggling to keep up with them!

ShieldsUp doesn't seem to allow the selection of an IP address, so I used the Spiceworks scan with the same address and it reports 443 closed.

Still chasing up some of the others (is the IP address reported maybe somewhere else in the chain?).

Thanks again
Al
 
A few more bits of information.

I have tried rebooting the router several times.

I had an OpenVPN running some years back, but it is uninstalled (I turned off that machine and rebooted the router to be sure).

I am on a satellite link via Australia's NBN Sky Muster, so there is an NBN modem and my Asus router in the link.

The Asus router GUI reports the WAN port as the same as ShieldsUp (114.129.137.157).

Also tried to ping this address from outside. ICMP on the WAN port was off, and 100% packet loss. Turned this on and I get results, turn it off again and 100% packet loss. So I think the Asus router WAN port is 114.129.137.157.

I also used Fing for a port scan from an outside network and it also reports 443 open, so we have contradictory results from ShieldsUp (open), Spiceworks (closed) and Fing (open).

Unless anyone comes up with a better option I think I should factory reset and start again. Thanks again for the help.

The results of the iptables -t nat -S are below.
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DNSFILTER
-N LOCALSRV
-N PCREDIRECT
-N PUPNP
-N VSERVER
-N VUPNP
-A PREROUTING -d 114.129.137.157/32 -j VSERVER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s 114.129.137.157/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.31.13.0/24 -d 10.31.13.0/24 -o br0 -j MASQUERADE
-A VSERVER -j VUPNP
 
Something else that I didn’t see covered. Any website you visit that is using https will open port 443. If you are running a tool locally and have your browser pointed to a secure site, 443 will be open. Hence Gibson’s site will always report 443 open since he is using https.


Sent from my iPhone using Tapatalk
 
Something else that I didn’t see covered. Any website you visit that is using https will open port 443. If you are running a tool locally and have your browser pointed to a secure site, 443 will be open. Hence Gibson’s site will always report 443 open since he is using https.
Not true. Port 443 is open on the server side only. The outgoing port from the client will be an ephemeral port.
 