Port 445 (Shields Up)


Soap

Occasional Visitor
I am running the latest Merlin build on an AC68R and when I ran Shields Up I noticed that port 445 shows open. I am checking through the config pages and I don't see anything enabled that would cause this. Can someone help point me in the right direction please? Thank you.
 
You may have a trojan in your system; a trojan known as Lioten has been sighted using that port. You will find more info on port 445 from GRC (the same website that hosts the Shields Up! test you used) at
https://www.grc.com/port_445.htm
 
Yea, I saw that mentioned on the website but I am not finding that on my system. I had checked Shields UP before I switched out my old router for this one and everything was good previously. As soon as I stood up the new router and ran it I got the port 445 hit.
 
I would recommend that you also be running an antivirus along with an anti-malware program in the back that helps to reduce the security risks your computer may have from viruses, trojans, worms, etc. Currently I'm using a combination of Malwarebytes' Anti-Malware and Panda Cloud Antivirus Pro (which has a firewall built into it as well). I recommend that you should try installing both and running a full computer scan with each of them if you haven't tried them yet.
 
Let me do some more digging and I will report back. The reason why I question this being something on my systems is because I passed the ShieldsUP! test right before I swapped in the new Asus router. As soon as I re-tested it failed on port 445. This is why I am digging through the router. How do I just block this port on the router?
 
I don't see how it can be any of my computers in the house. I have powered them all down and pulled out a freshly loaded Windows 8.1 laptop and did a scan and I still get that same port as showing open. Again this was not the case until I swapped my old router out for the new asus.
 
Yea, I guess I need to do the obvious and just swap this one out. I do still have my old router (Netgear WDR7000v3) but I installed dd-wrt on it and put it in another part of the house, connected as a repeater bridge. I did already turn that router off to make sure my issue wasn't that device.
 
As far as I know AICloud uses port 445. If you have that enabled, try switching it off and scan again.
 
As far as I know AICloud uses port 445. If you have that enabled, try switching it off and scan again.

It uses 443 (for https access).
 
So if I flash the current stock firmware and probe the port it shows 'closed' but not stealth. If I re-apply the latest Merlin build it shows 'open' again.
 
Asus has been doing some stuff regarding SMB on the AC56 and AC68U in recent versions to resolve performance issues caused by connection tracking overhead. In their latest code they changed the firewall rules a bit, however those new rules broke disk sharing on the LAN when I tested them, so I haven't implemented them yet. I still need to revisit these rules and find a better way to implement them, I just haven't had the time yet.

This is only specific to the AC56 and AC68.
 
Asus has been doing some stuff regarding SMB on the AC56 and AC68U in recent versions to resolve performance issues caused by connection tracking overhead. In their latest code they changed the firewall rules a bit, however those new rules broke disk sharing on the LAN when I tested them, so I haven't implemented them yet. I still need to revisit these rules and find a better way to implement them, I just haven't had the time yet.

This is only specific to the AC56 and AC68.
IMHO, you need not account for yourself, Merlin. You provide a product free of charge and spend about a bazillion hours each week doing it. I am very appreciative of both your product and the effort you put forth in production.
 
I had left the rules as they are because Samba itself is configured to only listen to LAN. Looks like the name resolution service (nmbd) however doesn't follow that configuration entry and will still listen to any interfaces on the router.

Best solution at this point is to create a firewall-start script, with the following rules:

Code:
#!/bin/sh
# Remove the stock rules that accept NetBIOS/SMB (UDP and TCP 137-139, 445)
# on every interface, which is what exposes the ports on the WAN side.
iptables -t filter -D INPUT -p udp --dport 137:139 -j ACCEPT
iptables -t filter -D INPUT -p udp --dport 445 -j ACCEPT
iptables -t filter -D INPUT -p tcp --dport 137:139 -j ACCEPT
iptables -t filter -D INPUT -p tcp --dport 445 -j ACCEPT

# Re-add the same rules bound to the LAN bridge (br0) only, so the ports
# stay reachable from the LAN but are no longer accepted from the WAN.
iptables -t filter -I INPUT -i br0 -p udp --dport 137:139 -j ACCEPT
iptables -t filter -I INPUT -i br0 -p udp --dport 445 -j ACCEPT
iptables -t filter -I INPUT -i br0 -p tcp --dport 137:139 -j ACCEPT
iptables -t filter -I INPUT -i br0 -p tcp --dport 445 -j ACCEPT

This will at least modify the INPUT chain to reflect what Asus is using in their more recent firmwares, however you might be unable to access network shares through a VPN tunnel.
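A way to verify the effect of a firewall-start script like the one above is to look for INPUT ACCEPT rules on the SMB/NetBIOS ports that are not bound to an interface with -i, since those also match on the WAN. This is an added example, not code from the thread or from Asuswrt-Merlin; it runs over a constructed `iptables -S INPUT` listing (plain --dport rules only; it assumes no multiport matches are in use) and can be fed real output on the router instead.

```shell
# Constructed sample of `iptables -S INPUT` output, not captured from a
# real router: the first two SMB rules accept on any interface, the next
# two are restricted to the LAN bridge br0 as the firewall-start script does.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -i lo -j ACCEPT'

# Read iptables -S style rules on stdin and print every INPUT ACCEPT rule
# whose --dport (single port or lo:hi range) overlaps 137-139 or 445 and
# that carries no -i interface restriction.
find_unbound_smb_accepts() {
    awk '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            bound = 0; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") bound = 1
                if ($i == "--dport") port = $(i + 1)
            }
            if (port == "" || bound) next
            n = split(port, r, ":")
            lo = r[1] + 0; hi = (n > 1) ? r[2] + 0 : lo
            if ((lo <= 139 && hi >= 137) || (lo <= 445 && hi >= 445)) print
        }'
}

# Return 0 when the given rule listing has no unbound SMB ACCEPT rule,
# 1 otherwise; handy as a pass/fail check after firewall-start runs.
check_rules() {
    hits=$(printf '%s\n' "$1" | find_unbound_smb_accepts | wc -l | tr -d ' ')
    [ "$hits" -eq 0 ]
}

# On the router itself use: iptables -S INPUT | find_unbound_smb_accepts
printf '%s\n' "$SAMPLE_RULES" | find_unbound_smb_accepts
```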
 