Unknown Port - System Logs

[Secret Squirrel Mission]

System logs are showing port forward is open with port 123 I never open ports on my network because I’m home most of the time.

I checked the port forward section and it’s disabled so there isn’t anything for me to disable. There is an open connection using that port under the connections list 64.113.44.54 (sbbsnet.net?) At a loss any help would be greatly appreciated!

 

[skeal]

System logs are showing port forward is open with port 123 I never open ports on my network because I’m home most of the time.

I checked the port forward section and it’s disabled so there isn’t anything for me to disable. There is an open connection using that port under the connections list 64.113.44.54 (sbbsnet.net?) At a loss any help would be greatly appreciated!

Thats NTP Time protocol, do you have NTP server enabled?

 

[Secret Squirrel Mission]

Thank you! Yes, I’m running NTP Merlin, is there a reason it needs to be open though or can I close it?

 

[skeal]

Thank you! Yes, I’m running NTP Merlin, is there a reason it needs to be open though or can I close it?

NTP Merlin likely requires it, but it shouldn't be necessary.

 

[dave14305]

It's like DNSFilter for NTP. It's not open to the world like an external port forward.

 

[Secret Squirrel Mission]

Blocked the port through network services filter so we will see if that holds. I was making life difficult and looking for a CLI way to block the port

 

[dave14305]

Must not be NTP then because I could connect to my Plex Server outside of my network. Also, in the connections tab on system log shows a connection from one of my security cameras going from the camera to the Destination IP of my router on port 123. Not trying to be overly paranoid just cautious.

Any help in how to close this port would be greatly appreciated!

You change the setting through ntpmerlin. Option 2 in the main menu of the script.

2.    Toggle redirect of all NTP traffic

You can see the rules if you run

iptables -t nat -S

You don't want to block outbound 123 from your network, otherwise how will your router sync time?

 

[dave14305]

Maybe @Jack Yaz can amend his script to only redirect traffic from the LAN interface.

iptables -t nat -A PREROUTING -i "$(nvram get lan_ifname)" -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i "$(nvram get lan_ifname)" -p tcp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"

Edit: It doesn't do any good for hiding the redirect in the GUI. The key is to avoid DNAT and perhaps use REDIRECT like Merlin does for his built-in NTPD server.
https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/firewall.c#L1697

 

[skeal]

You could use the built in NTP Server and NTP intercept.

 

[Secret Squirrel Mission]

It's like DNSFilter for NTP. It's not open to the world like an external port forward.

Makes sense now each device is using port 123 to communicate with the gateway to sync time [emoji2357]

I think the external IP from the original post just threw me because I’ve been hacked before. Guess it’s time to buckle down and learn more about networks and network monitoring. Just picked up a copy of The Practice of Network Security Monitoring from No Starch.