Solved Bug Open TCP Ports 5152 / 7788 / 18017 [User Error]

[howarethingsgoing]

Hi,

It appears that there's a bug and envrams and cfg_server are listening and bound on 0.0.0.0 instead of just on localhost.localdomain. This makes them publicly accessible outside of your network.

xyz@RT-AX58U-5FE8:/tmp/home/root# netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5152            0.0.0.0:*               LISTEN      274/envrams
tcp        0      0 0.0.0.0:7788            0.0.0.0:*               LISTEN      1337/cfg_server

As a temporary fix, I've added a port forward to an unopened port on a system. Is there a better fix currently available?

I'm on version 386.1_2 on a RT-AX58U.

 

[howarethingsgoing]

I've updated to 386.2_4, and now have a 3rd open port:

tcp        0      0 0.0.0.0:5152            0.0.0.0:*               LISTEN      274/envrams
tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN      1025/wanduck
tcp        0      0 0.0.0.0:7788            0.0.0.0:*               LISTEN      1861/cfg_server

 

[dave14305]

The firewall won't allow the internet to reach those ports. By adding a forward rule, you've probably made it worse.

 

[howarethingsgoing]

I'd feel more comfortable if they weren't listening globally at all.

Also, how do you know the firewall won't allow traffic there? I'm not seeing any code or iptable rules about those 3 ports. And connecting with netcat to my public IP does work.

 

[eibgrad]

Listening on a port, and having a port open to the WAN, are NOT the same thing. Many processes commonly listen on *all* ports, but are typically blocked from the WAN by the firewall unless you explicitly open them.

 

[dave14305]

Also, how do you know the firewall won't allow traffic there? I'm not seeing any code or iptable rules about those 3 ports

The final DROP rule will deny any traffic that isn't explicitly allowed.

And connecting with netcat to my public IP does work.

Is that test from the internet or within your LAN?

 

[howarethingsgoing]

From the internet hitting my WAN IP address.

I've blocked the traffic with iptables, like so:

iptables -I INPUT -p tcp -i br0 --destination-port 5152 -j REJECT
iptables -I INPUT -p tcp -i br0 --destination-port 7788 -j REJECT
iptables -I INPUT -p tcp -i br0 --destination-port 18017 -j REJECT

Previously this worked:

nc home.xyz 5152

Now it no longer does, and nmap on my home WAN ip shows no open ports as I desired.

Edit: iptables isn't being persistent and seems to disappear fairly rapidly, without rebooting.

 

[howarethingsgoing]

The final DROP rule will deny any traffic that isn't explicitly allowed.

I think you may be right, and I see the final DROP rule. I'm unsure why I was able to open a connection to all these ports with netcat against my WAN ip though.

 

[eibgrad]

I think you may be right, and I see the final DROP rule. I'm unsure why I was able to open a connection to all these ports with netcat against my WAN ip though.

You said from the internet, but did you really mean by referencing your WAN ip from inside the LAN (i.e., NAT loopback)?

NAT loopback never reaches the internet. It simply dereferences the WAN ip back to a local ip. The routing remains completely within the LAN at all times.

 

[dave14305]

You can also try a site like https://canyouseeme.org/

 

[howarethingsgoing]

You said from the internet, but did you really mean by referencing your WAN ip from inside the LAN (i.e., NAT loopback)?

Thanks, checked from outside the LAN and I see the ports as filtered correctly now.

Derp.

 

[tomaskcz]

Hello all,

just comment - it is a fair point, that listening on '*' is always a bad practice as user can disable firewall by mistake or sm. else can happen and you have unnecessary exposure to the internet. These kind of services have no business listenning on WAN.

BTW I googled this question because I was curious about periodic broadcast traffic in my LAN network from router to port 7788, which I learnt is likely cfg_server for AiMesh.