UPnP: Actual security risks of allowing ports below 1024.


reerden

Regular Contributor
I have a few applications that need to forward ports below 1024 through UPnP. I would like to know if there are any actual security risks involved with allowing that? Does it really matter if a computer is compromised what ports it can open and not?
 
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Ports are ports. There's nothing magical except some are used for certain functions, 80 and 443 being two obvious examples. An open and forwarded port is a vulnerability, especially if UPnP controls the door. Assume a program that asks for an open port, which UPnP agrees to. That program turns out to be a security mess that a hacker trainee could breach. You lose.

Any time you have an open and forwarded / listening port, you need to know about it and accept the risk, mitigating it as best you can. Sometimes it's just keeping the software behind the open port updated, such as OpenVPN server if a vulnerability is discovered. Some ports are PROBABLY ok if open, such as those normally associated with a Slingbox. I never see attacks on those ports. I'm guessing the Linux heritage of the Slingbox and the lack of anything valuable to steal makes them low on the hacker hit-list. If port 22 is open and you have no certificate covering SSH access, you are facing uncertainty.

I have no hacker skills. This makes me even more cautious about risks, since they are all 100 foot tall bogeymen to me. I'm even more concerned about the risks yet to be discovered than the ones reported today and in the past.

PS I'm writing a new article about things that seemed like a good idea but weren't. This reply will end up as a bullet point in it. Thanks for asking the question.
 
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Ports are ports. There's nothing magical except some are used for certain functions, 80 and 443 being two obvious examples. An open and forwarded port is a vulnerability, especially if UPnP controls the door. Assume a program that asks for an open port, which UPnP agrees to. That program turns out to be a security mess that a hacker trainee could breach. You lose.

Any time you have an open and forwarded / listening port, you need to know about it and accept the risk, mitigating it as best you can. Sometimes it's just keeping the software behind the open port updated, such as OpenVPN server if a vulnerability is discovered. Some ports are PROBABLY ok if open, such as those normally associated with a Slingbox. I never see attacks on those ports. I'm guessing the Linux heritage of the Slingbox and the lack of anything valuable to steal makes them low on the hacker hit-list. If port 22 is open and you have no certificate covering SSH access, you are facing uncertainty.

I have no hacker skills. This makes me even more cautious about risks, since they are all 100 foot tall bogeymen to me. I'm even more concerned about the risks yet to be discovered than the ones reported today and in the past.

PS I'm writing a new article about things that seemed like a good idea but weren't. This reply will end up as a bullet point in it. Thanks for asking the question.

But that's kind of the point why I'm asking this. I see no reason why a program that uses a port above 1024 can not have more vulnerabilities than a program that uses a port below 1024.

My problem is that I have several game consoles that list several ports below 1024 for port forwarding. I need to use UPnP as they auto negotiate alternative ports when one console is already using them, so manual port forwarding is not an option.

I saw many posts about forwarding ports below 1024 and most people never questioned the security impact when setting the internal minimal port to 1. I have used this setting for quite a while, but I was wondering if there were security implications.
 
My problem is that I have several game consoles that list several ports below 1024 for port forwarding. I need to use UPnP as they auto negotiate alternative ports when one console is already using them, so manual port forwarding is not an option.

Have a look at System Log > Port Forwarding whilst using your consoles to see what ports are actually being used.

Most of the information on the web about port forwarding for consoles is entirely incorrect. For example, many sites tell you to "forward" ports 53 and 80 which is obviously nonsense. What they should be saying is don't block outgoing traffic on port 53 and 80 (which you won't be doing unless you're connected to a corporate LAN).
 
I guess you are removing one line of defence. If you don't have a good firewall on your PCs/servers and/or misconfigure basic services, that setting can protect you. Provided you are sure you know everything that is going to open ports and you trust them then you are fine.
 
Have a look at System Log > Port Forwarding whilst using your consoles to see what ports are actually being used.

Well that doesn't work. I've tested this in the past and when the default port is in use by the other console, the second console chooses a random port that can change all the time.

Even if it doesn't, it still throws up an error message when UPnP isn't functioning and rejects incoming connections, regardless if the port is forwarded or not. So UPnP is always a must unless the default port can be used.

Most of the information on the web about port forwarding for consoles is entirely incorrect. For example, many sites tell you to "forward" ports 53 and 80 which is obviously nonsense. What they should be saying is don't block outgoing traffic on port 53 and 80 (which you won't be doing unless you're connected to a corporate LAN).

They list it on the official help page for the Xbox: http://support.xbox.com/en-us/xbox-one/networking/network-ports-used-xbox-live

Xbox Live requires the following ports to be open:

  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)
  • Port 500 (UDP)
  • Port 3544 (UDP)
  • Port 4500 (UDP)

How can I know for sure what port is incoming and outgoing if this list is incorrect? I've also noticed that some games tend to use different ports than others.
 
Those must be outgoing. They are asking that you allow packets destined to those external ports to leave your network.

No sane person would require a gamer to have those ports listening for incoming packets.


Edit: For UPNPd to get access to the gateway's privileged ports UPNPd would have to be run as root, which is batshit crazy. (or not)
 
Well that doesn't work. I've tested this in the past and when the default port is in use by the other console, the second console chooses a random port that can change all the time.

Even if it doesn't, it still throws up an error message when UPnP isn't functioning and rejects incoming connections, regardless if the port is forwarded or not. So UPnP is always a must unless the default port can be used.

They list it on the official help page for the Xbox: http://support.xbox.com/en-us/xbox-one/networking/network-ports-used-xbox-live

How can I know for sure what port is incoming and outgoing if this list is incorrect? I've also noticed that some games tend to use different ports than others.

That page is confusing...

The only part that seems to clarify is "You may have to make a configuration change to your firewall or network hardware, such as a router, for your Xbox One console to communicate with Xbox Live."

Their ports need to be open for you to connect to them (and you need to allow those packets out).

They do not need to connect to you.

Er, a TCP connection starts with a handshake. They keep their hands open, not you.
 
Those must be outgoing. They are asking that you allow packets destined to those external ports to leave your network.

No sane person would require a gamer to have those ports listening for incoming packets.

Edit: For UPNPd to get access to the gateway's privileged ports UPNPd would have to be run as root, which is batshit crazy. (or not)

Seems to be the case. I looked at their actual help forum and one of their community guys posted that only 3074 needs to be forwarded. So I put the setting back to 1024 for internal allowed ports.

That page is confusing...

The only part that seems to clarify is "You may have to make a configuration change to your firewall or network hardware, such as a router, for your Xbox One console to communicate with Xbox Live."

Their ports need to be open for you to connect to them (and you need to allow those packets out).

They do not need to connect to you.

Er, a TCP connection starts with a handshake. They keep their hands open, not you.

It seems that they list it like that because if any of those ports is taken or blocked, forwarding it causes it to become accessible to the console. So this makes it easier for their support desk to solve issues. After some more searching, it seems only 3074 needs to be forwarded, so I have put UPnP back to 1024-65535 for internal ports.
 
Well that doesn't work. I've tested this in the past and when the default port is in use by the other console, the second console chooses a random port that can change all the time.

Even if it doesn't, it still throws up an error message when UPnP isn't functioning and rejects incoming connections, regardless if the port is forwarded or not. So UPnP is always a must unless the default port can be used.
That's exactly my point. With UPnP enabled you can see what ports are being used and it won't be 53 or 80!

Yeah, I know. Whoever wrote that should be fired.

On one hand it says "Xbox Live requires the following ports to be open". In your case all outgoing ports are open by default. So it's not a problem.

But they also say "This configuration change is sometimes called opening ports or port forwarding", which is two different things! Really, whoever wrote that doesn't have a clue.

At least on the PlayStation FAQ they correctly refer to it as "open ports" and not "port forwarding".

The bottom line: Just enable UPnP for >= 1024.
 
Edit: For UPNPd to get access to the gateway's privileged ports UPNPd would have to be run as root, which is batshit crazy. (or not)
Er, we're talking about the ASUS router aren't we? In which case just about everything runs as the root user (albeit renamed to admin). :)
 
Er, we're talking about the ASUS router aren't we? In which case just about everything runs as the root user (albeit renamed to admin). :)

Yeah... I dunno about AsusWRT.

I was just logically considering how miniupnpd would need to be setup in a standard unix system for priv port axs.
 
I have a few applications that need to forward ports below 1024 through UPnP. I would like to know if there are any actual security risks involved with allowing that? Does it really matter if a computer is compromised what ports it can open and not?

Remember, uPNP is going to open a port for only the client that requests that port, and for the duration that the client application is running, after the application quits, the port should eventually close as part of the upnp daemon on the router/AP.

The challenge then is twofold:

1) how secure is the application? This is the key question, and that would be whether port forwarding manually or using uPNP - uPNP might actually be more secure than a manual port forward, as port forwards are always open until one goes into the Router and disables them (which most people don't).

2) how secure is the upnp daemon on the router, since most router/AP's run all tasks as a privileged user - typically Admin or Root - there have been problems in the past with various embedded Linux uPNP daemons.

But properly implemented, there is low risk...
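As an added illustration of the two points above and of the "just enable UPnP for >= 1024" advice earlier in the thread (this is my own example code, not anything posted here or shipped in the router firmware): the rule lines follow the `allow`/`deny` syntax of miniupnpd's config file as I know it, the configs, LAN addresses, console requests and lease table are constructed, the mapping of the router's "internal port range" setting onto those rules is my assumption, and treating a request that matches no rule as permitted is my reading of miniupnpd's default (hence the catch-all `deny` last). Running it shows why the 1024-65535 setting refuses a console's request to map port 88 while still granting 3074, and, for point 1, that a mapping with lifetime 0 never expires and so carries the same exposure as a manual port forward.

```python
"""Check UPnP port-mapping requests against miniupnpd-style allow/deny rules
and report which leases are still live. Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    ext_lo: int                      # external (WAN) port range
    ext_hi: int
    network: ipaddress.IPv4Network   # internal client addresses the rule covers
    int_lo: int                      # internal (LAN) port range
    int_hi: int


def _port_range(text: str) -> tuple:
    """Parse '1024-65535' or a single port such as '3074' into (lo, hi)."""
    lo_s, _, hi_s = text.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo, hi


def parse_rules(config_text: str) -> list:
    """Read 'allow|deny <ext-ports> <cidr> <int-ports>' lines; anything else is ignored."""
    rules = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            continue
        ext_lo, ext_hi = _port_range(parts[1])
        net = ipaddress.ip_network(parts[2], strict=False)
        int_lo, int_hi = _port_range(parts[3])
        rules.append(Rule(parts[0], ext_lo, ext_hi, net, int_lo, int_hi))
    return rules


def is_permitted(rules: list, ext_port: int, int_addr: str, int_port: int) -> bool:
    """First matching rule decides. No match is treated as permitted (assumption
    about miniupnpd's default), which is why the configs below end in a deny-all."""
    addr = ipaddress.ip_address(int_addr)
    for r in rules:
        if (r.ext_lo <= ext_port <= r.ext_hi and addr in r.network
                and r.int_lo <= int_port <= r.int_hi):
            return r.action == "allow"
    return True


def evaluate_requests(rules: list, requests: list) -> dict:
    """Map each (ext_port, int_addr, int_port, description) request to allowed/denied."""
    return {desc: is_permitted(rules, e, a, i) for e, a, i, desc in requests}


def live_mappings(mappings: list, now: int) -> list:
    """Keep mappings whose lease has not run out. lifetime 0 means permanent,
    i.e. it stays open exactly like a manual forward until someone removes it."""
    return [m for m in mappings
            if m["lifetime"] == 0 or m["created"] + m["lifetime"] > now]


# Constructed: what I assume the router's "internal ports 1024-65535" setting amounts to.
CONFIG_MIN_1024 = """
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""
# Constructed: the "internal minimum port 1" setting discussed in the thread.
CONFIG_MIN_1 = """
allow 1-65535 192.168.1.0/24 1-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

# Constructed requests modelled on the console port list quoted in the thread.
CONSOLE_REQUESTS = [
    (3074, "192.168.1.20", 3074, "Xbox Live 3074"),
    (88, "192.168.1.20", 88, "Xbox Live 88"),
    (500, "192.168.1.20", 500, "Xbox Live 500"),
    (3074, "10.0.0.5", 3074, "off-LAN address"),
]

# Constructed lease table; created/lifetime are seconds.
SAMPLE_MAPPINGS = [
    {"desc": "console A", "created": 1000, "lifetime": 3600},
    {"desc": "console B", "created": 1000, "lifetime": 60},
    {"desc": "old manual forward", "created": 0, "lifetime": 0},
]

if __name__ == "__main__":
    for name, cfg in (("min 1024", CONFIG_MIN_1024), ("min 1", CONFIG_MIN_1)):
        print(name, evaluate_requests(parse_rules(cfg), CONSOLE_REQUESTS))
    print([m["desc"] for m in live_mappings(SAMPLE_MAPPINGS, now=2000)])
```

With the 1024-65535 rules only the 3074 request (and nothing from outside the LAN range) is granted; with the minimum set to 1 every console request on the LAN goes through, which is the extra exposure the thread is weighing. Rule order matters: a request is judged by the first line it matches, so the allow line must come before the deny-all.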
 
But that's kind of the point why I'm asking this. I see no reason why a program that uses a port above 1024 can not have more vulnerabilities than a program that uses a port below 1024.

My problem is that I have several game consoles that list several ports below 1024 for port forwarding. I need to use UPnP as they auto negotiate alternative ports when one console is already using them, so manual port forwarding is not an option.

I saw many posts about forwarding ports below 1024 and most people never questioned the security impact when setting the internal minimal port to 1. I have used this setting for quite a while, but I was wondering if there were security implications.
Being blunt ... UPnP on a router that allows anyone to get inside your network is universally considered to be a security threat to the person who uses it. The only people who disagree are those who hack for profit (i.e. those who will happily steal from you and laugh about it) and those who don't know any better.

Oh, you say, these are only people who will play games with my kids and keep them off my back ... even maybe the mfgr said it was OK.

Hackers of the world thank you and wish more were as enlightened as you.
 
Being even more blunt... the internet is a security threat.

Run.
 
But that's kind of the point why I'm asking this. I see no reason why a program that uses a port above 1024 can not have more vulnerabilities than a program that uses a port below 1024.

My problem is that I have several game consoles that list several ports below 1024 for port forwarding. I need to use UPnP as they auto negotiate alternative ports when one console is already using them, so manual port forwarding is not an option.

I saw many posts about forwarding ports below 1024 and most people never questioned the security impact when setting the internal minimal port to 1. I have used this setting for quite a while, but I was wondering if there were security implications.
If you don't believe me or think I'm just blowing smoke because I'm not as smart as some anonymous page you probably misunderstood, Google UPnP and security risk. Some things are a matter of opinion. Some things aren't. Look it up and figure it out for yourself.
</blunt>
 
Being blunt ... UPnP on a router that allows anyone to get inside your network is universally considered to be a security threat to the person who uses it. The only people who disagree are those who hack for profit (i.e. those who will happily steal from you and laugh about it) and those who don't know any better.

Oh, you say, these are only people who will play games with my kids and keep them off my back ... even maybe the mfgr said it was OK.

Hackers of the world thank you and wish more were as enlightened as you.

Well, keep in mind that most SOHO Router/AP's have defense in depth, along with the client computers behind the gateway...

1) NAT - by its nature, it's secure due to non-routable IPs behind the NAT

2) SPI Firewall on the router/AP - even though the port is open, traffic from the WAN is prohibited unless the client sends something, and this is on a per-packet basis

3) Client Firewalls - Windows XP and later all have OS level firewalls (which should be left enabled) and OSX has the same (which should be turned on) - so even if a blackhat were to gain access to the XBone or PS4, they're not going to get much further in OP's use case...

So, yes, always a risk to open ports, but knowing what is open, and how things work is more important...
 
For UPNPd to get access to the gateway's privileged ports UPNPd would have to be run as root, which is batshit crazy. (or not)

There's a lot of bat-shirt insanity in current Firmware builds on common Router/AP's - the key fact that everything runs as a privileged user is one, and even then, there is no privilege separation between the HTTP user vs. the Samba user vs. OpenVPN or uPNPd - design issue, and one that isn't easy to fix overall...
 
There's a lot of bat-shirt insanity in current Firmware builds on common Router/AP's - the key fact that everything runs as a privileged user is one, and even then, there is no privilege separation between the HTTP user vs. the Samba user vs. OpenVPN or uPNPd - design issue, and one that isn't easy to fix overall...

Makes me all giddy for the even poorer security practices of the Internet of Things.
 
