Anyone know how to close TCP ports?

Discussions for BiPAC 8800 series: 8800NL, 8800NLR2, 8800AXL, 8800AXLR2
gatekeeper
Posts: 167
Joined: Sat May 26, 2012 4:45 pm

Anyone know how to close TCP ports?

Post by gatekeeper »

I recently did a scan on my WAN IP address, looking for open TCP ports and was surprised to find the following:-

port:22 ssh
port: 23 telnet
port:80 http
port: 139 netbios-ssn
port: 445 microsoft-ds

I recognise port 80 as being valid but I'm not so sure about the others, particularly telnet. I thought telnet was a longstanding security risk. So, does anyone know how to close some of these ports? Although the 8800's user manual shows a section where Telnet, Java, etc. can be enabled/disabled, in practice there appears to be no such group of settings, at least not in the 8800NL Mk1 running under f/w 2.32d.dh65.
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: Anyone know how to close TCP ports?

Post by billion_fan »

gatekeeper wrote:I recently did a scan on my WAN IP address, looking for open TCP ports and was surprised to find the following:-

port:22 ssh
port: 23 telnet
port:80 http
port: 139 netbios-ssn
port: 445 microsoft-ds

I recognise port 80 as being valid but I'm not so sure about the others, particularly telnet. I thought telnet was a longstanding security risk. So, does anyone know how to close some of these ports? Although the 8800's user manual shows a section where Telnet, Java, etc. can be enabled/disabled, in practice there appears to be no such group of settings, at least not in the 8800NL Mk1 running under f/w 2.32d.dh65.
Make sure the Firewall is enabled for the WAN interface; if it is not, these ports will show as open. ('Configuration >> WAN >> WAN Service', then edit your current WAN connection; screenshot example attached.)

If I remember correctly it should be the PTM interface, as you are now on VDSL.

If you are using a program internally to scan these ports (via NAT loopback), they will show as open; externally they will be closed (using an external scanner).

I normally use Shields Up to check for external open ports
gatekeeper
Posts: 167
Joined: Sat May 26, 2012 4:45 pm

Re: Anyone know how to close TCP ports?

Post by gatekeeper »

Yes, I've had that Firewall setting ticked. Thanks for pointing out its significance.

Yup, to see the status of those TCP ports, I'm using a Port Scan utility built into Apple OSX. So, yes an 'internal program'.

Haven't used Shields Up for donkey's years. Nowadays, I wonder whether, like with so many so-called security websites, using my IP address at that site could prove more of a security risk than the scan itself. Must admit I've become somewhat paranoid about security in recent years.
gatekeeper
Posts: 167
Joined: Sat May 26, 2012 4:45 pm

Re: Anyone know how to close TCP ports?

Post by gatekeeper »

billion_fan wrote:
If you are using a program internally to scan these ports (via nat loop back), they will show as open, externally they will be closed (using an external scanner)

I normally use Shields Up to check for external open ports
Billion_fan, I've been pursuing this matter on other forums too and have been getting all sorts of contradictory views. But concentrating for the moment on what you've said, is it really possible to get a meaningful internal port scan result when the IP being scanned is the router's external address? I ask because you've mentioned something called NAT loopback and I've no idea what that is. It's been suggested in some quarters that what the Mac computer might be doing when scanning the WAN IP address is initiating a port scan on the router from a legitimate, dedicated server on the Internet somewhere, in which case it would be a genuine external scan.

Regarding Shields Up, I've been advised not to bother using it, as apparently its Ports Scan facility is these days well out-of-date and the result can't be relied upon.

On the other forums I've merely succeeded, it seems, in getting a lot of very speculative explanations for the result I got. I suppose this is what so often happens when you ask tech questions on the Web; you always need to take the answers with a pinch of salt. My view is that nobody appears to know quite how Apple's Port Scan works at the detailed level, leaving me certainly none the wiser as to whether those particular ports are truly seen from the Internet side as open. If they are open, then I think you'll agree that the very least likely result from that is that myriad scanners on the Internet would continuously probe the WAN IP address looking for any sort of vulnerability or way in.
gatekeeper
Posts: 167
Joined: Sat May 26, 2012 4:45 pm

Re: Anyone know how to close TCP ports?

Post by gatekeeper »

I've even had one suggestion on one of those other forums that a possible reason for me seeing what I'm seeing is that my router isn't in the DMZ. Well, what do you make of that? The so-called experts seem to be grasping at straws. Doesn't seem to make any sense to me. My own understanding of DMZ is that a DMZ is a sort of subnet or perimeter network that can be logically organised to sit between the router and any LAN connected behind the router. It occupies a kind of buffer zone. However, it's used only in specialised (usually commercial) circumstances, and to get it to operate you'd need to set up a DMZ host. Again, from what little I know about the DMZ zone setting, that particular one in most SOHO routers is usually (and safely) left in its default state, i.e. no DMZ is chosen. Am I right?

Demilitarised zoning aside, one thing I've been researching is "fullcone NAT". Would I be correct in saying that enabling fullcone NAT can seriously compromise a LAN and the devices on it? From what I've read on the Web, fullcone NAT allows all incoming connections, completely bypassing normal NAT. Since it's a setting on the 8800 that sits beside the one for 'firewall' (see your earlier screenshot), it could easily get set by mistake.
gatekeeper
Posts: 167
Joined: Sat May 26, 2012 4:45 pm

Re: Anyone know how to close TCP ports?

Post by gatekeeper »

Billion_fan,

I'm pleased to report that you were absolutely right in saying that, when scanning internally, the ports will invariably show as open but that if you actually do a proper external scan (and provided you've not wrongly configured the 8800, especially in respect of Remote Access settings) the ports will properly present as being closed. What I did in the end was to get my ISP to run an external scanner on my WAN IP. This gave the result that there were no visible open ports.

I'm glad I've finally got that one sorted, as I was genuinely wondering about the integrity of the router.

Although I hasten to add that other internally-based scanners are almost certainly going to give the self same misleading results, Billion users with Apple Macs that have Port Scan as a built-in network utility should refrain from using it to test for vulnerabilities on the WAN (Internet) side of the router. Instead, if you can, get your ISP to perform the scan, or run a scan from a website offering that sort of service.
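The thread's conclusion, that the same "open" result means something different depending on where the scan was run from, is easy to get wrong when reading a scan log. Below is an added example (not from the thread or from Billion) that parses the scan lines quoted above and labels each port according to whether the scanner sat on the LAN (so the WAN IP was reached via NAT loopback) or on the Internet; the IP addresses are constructed placeholders.

```python
"""Interpret a TCP scan of a SOHO router's WAN address by scan vantage.

Added example, not the forum's or vendor's code. A scanner with an RFC 1918
address that targets the public WAN IP is behind the router, so the probe
hairpins through NAT loopback and reports LAN-side listeners, not what the
Internet sees. Only an external scan answers the thread's question.
"""
import ipaddress
import re

# Constructed input: the scan lines quoted in the thread (spacing varies).
SCAN_OUTPUT = """\
port:22 ssh
port: 23 telnet
port:80 http
port: 139 netbios-ssn
port: 445 microsoft-ds
"""

# General facts about these services on a home router's WAN side.
LAN_ONLY_NOTES = {
    22: "ssh: router management; keep remote access off unless needed",
    23: "telnet: cleartext credentials; must not be Internet-reachable",
    80: "http: web admin UI; remote access should be disabled",
    139: "netbios-ssn: Windows file sharing, LAN-only",
    445: "microsoft-ds: SMB, LAN-only",
}
LINE_RE = re.compile(r"^port:\s*(\d+)\s+(\S+)$")


def parse_scan(text: str) -> dict:
    """Return {port: service} from 'port: N name' lines; ignore the rest."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def scan_vantage(scanner_ip: str, target_ip: str) -> str:
    """'internal (NAT loopback)' if a LAN host scans a public target."""
    src, dst = ipaddress.ip_address(scanner_ip), ipaddress.ip_address(target_ip)
    if src.is_private and dst.is_global:
        return "internal (NAT loopback)"
    if src.is_global and dst.is_global:
        return "external"
    return "unknown"


def assess(scan_text: str, scanner_ip: str, wan_ip: str) -> list:
    """One finding per port, worded for the vantage the scan was run from."""
    vantage = scan_vantage(scanner_ip, wan_ip)
    out = []
    for port, svc in sorted(parse_scan(scan_text).items()):
        note = LAN_ONLY_NOTES.get(port, f"{svc}: review")
        if vantage == "external":
            out.append(f"{port}/tcp OPEN FROM INTERNET - {note}")
        else:
            out.append(f"{port}/tcp open via {vantage}; confirm externally - {note}")
    return out


if __name__ == "__main__":
    for line in assess(SCAN_OUTPUT, "192.168.1.20", "81.100.200.10"):
        print(line)
```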