
How much should you worry about open ports?

You should definitely be closing 21, 23, 53 and 80. 21, 23 and 80 are insecure and shit and should be closed even if you have a reason to open them. Telnet is one of the least secure applications the internet has ever produced.

Which device in your network is internet-facing? Is it the router or the firewall? If you need to connect to whichever one is the internet-facing device remotely, then you might still want 22 and 443 open, but I wouldn't recommend it. It's safer to VPN onto your network and connect to them from inside.

Do you have any logging on this device? Because if you have ports 22 and 443 open, they will constantly be hit by hackers doing port scans and password cracks.

I assume that result is the modem or the router (I use a separate one of each).

The only ports open on the firewall are 22 SSL and 53 DNS which with my limited knowledge seems about right?
 
> Is this externally against your home router? You deffo need 53, 80 and 443, you most definitely do not need nor want 23 but so long as you don't have anything listening on that port it's not a problem. You probably don't want 21 either and we're having an agree to disagree moment about 22.
You don't want any of these open. Why would a home network respond to DNS?
 
> I assume that result is the modem or the router (I use a separate one of each).
>
> The only ports open on the firewall are 22 SSL and 53 DNS which with my limited knowledge seems about right?
Only if you use the firewall as your DNS server and only if you need to ssh to the firewall. These should never be open to the rest of the internet.
 
> You don't want any of these open. Why would a home network respond to DNS?
If you're getting responses back via TCP they should go to the original source port. If the server is returning them via UDP they come back to 53.
 
> If you're getting responses back via TCP they should go to the original source port. If the server is returning them via UDP they come back to 53.
The original source port from your PC won't be 53 though. It will be something over 1024. The destination port will be 53. The response will come back to the source port but it's only opened briefly so the transaction can occur and is only opened in the first place because of the initial request from inside the network. It will never respond to an unsolicited request to that port unless you have a decent hack going on.

You would only open port 53 if you were a DNS server, which I can bet a decent wedge Sam isn't doing.
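The stateful behaviour described in this post, as an added example that is not from the thread: a small Python model of a firewall's connection table, where an outbound lookup to a resolver opens a brief reply slot keyed on the laptop's ephemeral source port, and anything unsolicited aimed at port 53 is dropped. The names (StatefulFilter, Packet, FLOW_TIMEOUT), the 30-second window and the inside addresses are constructed assumptions; 9.9.9.9 stands in for Quad9's resolver.

```python
from dataclasses import dataclass

FLOW_TIMEOUT = 30.0  # assumed: seconds the reply slot stays open after a UDP query


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class StatefulFilter:
    """Connection-table model: inbound UDP passes only if it answers a recent outbound query."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port, proto) -> time the slot closes
        self.flows: dict[tuple, float] = {}

    def outbound(self, pkt: Packet, now: float) -> None:
        # The client's OS picked pkt.src_port (an ephemeral port above 1024); 53 is only the destination.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        self.flows[key] = now + FLOW_TIMEOUT

    def inbound(self, pkt: Packet, now: float) -> bool:
        # Mirror the tuple: a reply must come from the resolver's port 53 back to the ephemeral port.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        expiry = self.flows.get(key)
        if expiry is None or now > expiry:
            self.flows.pop(key, None)  # unsolicited, or the window has closed: drop it
            return False
        return True


def scenario() -> dict[str, bool]:
    """One lookup to Quad9 (9.9.9.9) plus two packets nobody inside asked for."""
    fw = StatefulFilter()
    laptop, resolver = "192.168.1.10", "9.9.9.9"          # constructed inside address, Quad9 resolver
    query = Packet(laptop, 54321, resolver, 53)             # ephemeral source port, destination 53
    reply = Packet(resolver, 53, laptop, 54321)             # answer comes back to the source port
    stray = Packet("203.0.113.5", 40000, laptop, 53)        # scan-style packet aimed at port 53
    fw.outbound(query, now=0.0)
    return {
        "reply_in_window": fw.inbound(reply, now=0.2),                  # True
        "stray_to_53": fw.inbound(stray, now=0.3),                      # False: never requested
        "reply_after_window": fw.inbound(reply, now=FLOW_TIMEOUT + 1),  # False: slot closed
    }
```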
 
I have the firewall configured to only use DNS over HTTPS via Quad9.

I have the option to add Google, Cloudflare, or OpenDNS but apparently Quad9 is the safest. I have no idea if that's correct.
 
> The original source port from your PC won't be 53 though. It will be something over 1024. The destination port will be 53. The response will come back to the source port but it's only opened briefly so the transaction can occur and is only opened in the first place because of the initial request from inside the network. It will never respond to an unsolicited request to that port unless you have a decent hack going on.
>
> You would only open port 53 if you were a DNS server, which I can bet a decent wedge Sam isn't doing.

See my post above about DNS.

I rarely use a laptop (odd occasions when my phone won't do). I use the network mostly for my phone, two music streamers and my smart TV.

The biggest security risk is of course my laptop when it is used, Windows being as vulnerable as it is.
 
> Should I close port 22 then? It's supposed to be a secure protocol.
I would. Last time I had an SSH server sat on the internet, it was getting hammered by connection requests from China. Yeah, it's secure, but that doesn't mean it's not hackable. Also, having SSH and HTTPS open on the internet can give hackers quite a bit of information on the type of device that is responding, making it easy for someone to fire up Metasploit and see if there are any hacks they can use against the server.
 
> The original source port from your PC won't be 53 though. It will be something over 1024. The destination port will be 53. The response will come back to the source port but it's only opened briefly so the transaction can occur and is only opened in the first place because of the initial request from inside the network. It will never respond to an unsolicited request to that port unless you have a decent hack going on.
>
> You would only open port 53 if you were a DNS server, which I can bet a decent wedge Sam isn't doing.
We're having another agree to disagree moment here. DNS was originally written to use UDP and started migrating to TCP about 10 years ago with the introduction of a larger packet size.
UDP packets are/were returned to port 53 whereas TCP packets are returned to the source port specified in the header.
Checking on the 2 devices I currently have running on my home network, 1 x Windows 10 and 1 x RHEL 7.9, neither of them has a listener on port 53, so any DNS UDP packets would end up getting lost, but that's not a risk.
I personally would leave 53 open even though on my current setup (which does vary) it wouldn't respond to external connections.
> Should I close port 22 then? It's supposed to be a secure protocol.
I would say no, souljacker is clearly a vote for yes. It will probably do no harm if you do, if you find odd things that now don't work you could try opening it again and see if they do (so long as you don't forget you have done this).
 
> See my post above about DNS.
>
> I rarely use a laptop (odd occasions when my phone won't do). I use the network mostly for my phone, two music streamers and my smart TV.
>
> The biggest security risk is of course my laptop when it is used, Windows being as vulnerable as it is.
Does your DNS entry on the laptop point to the firewall? If so yes, it should be open but ONLY to the inside network, never to the outside world.
 
Anyhoo, I am guessing I should just leave it as it is. The router has a lot of fully activated security options as it is, and coupled with a physical firewall it's a decent setup, and at the end of the day nothing will stop law enforcement or a determined and clued up enough hacker from causing some havoc or other.
 
> Does your DNS entry on the laptop point to the firewall? If so yes, it should be open but ONLY to the inside network, never to the outside world.

I'll check the DNS service next time I use the laptop but I suspect the firewall will force the network configuration not vice versa.
 
> We're having another agree to disagree moment here. DNS was originally written to use UDP and started migrating to TCP about 10 years ago with the introduction of a larger packet size.
> UDP packets are/were returned to port 53 whereas TCP packets are returned to the source port specified in the header.
> Checking on the 2 devices I currently have running on my home network, 1 x Windows 10 and 1 x RHEL 7.9, neither of them has a listener on port 53, so any DNS UDP packets would end up getting lost, but that's not a risk.
> I personally would leave 53 open even though on my current setup (which does vary) it wouldn't respond to external connections.
That's not right. When a device requests a DNS record, it doesn't need port 53 open. A PC doesn't need port 53 open to do DNS and a router shouldn't have it open either. There is only one reason that you would have DNS open to the internet and that's if you were a DNS server.
 
> I'll check the DNS service next time I use the laptop but I suspect the firewall will force the network configuration not vice versa.
True. It could be doing your DHCP too.

I'm intrigued though. Why do you have a router and a firewall? Most home routers are perfectly capable of handling the firewall's job these days. What firewall is it?
 
> True. It could be doing your DHCP too.
>
> I'm intrigued though. Why do you have a router and a firewall? Most home routers are perfectly capable of handling the firewall's job these days. What firewall is it?

Just for extra security. I've got a Firewalla Blue Plus which, coupled with an app, can show real time network info and has some other features the router doesn't.
 
> Just for extra security. I've got a Firewalla Blue Plus which, coupled with an app, can show real time network info and has some other features the router doesn't.
If you had bought the gold or purple one, you wouldn't need your home router.

It has got a VPN server inside. What I do with my router is run a VPN server then block all other ports. That way, if you really need to see what is inside, you VPN in and connect as if you were local.
 
As said, unless you're running services you need to access from the web, you shouldn't really have any open (listening) ports.

Go here:
www.whatsmyip.org

And check what your public IP address is. That's what should be scanned.

You can also scan it here.

If you're using wifi at home and your smart phone is on wifi, then your public address is that of your router, which should have an integrated firewall in most cases, and which should be on and blocking inbound connection attempts by default.
 
> Should I close port 22 then? It's supposed to be a secure protocol.
22 is one of the few ports I do have open. But that's because I want inbound ssh access to my machine, and because I am reasonably confident that the software listening on that port (sshd) is a) reasonably secure, and b) regularly updated.

I'd be much more wary of having a webserver sitting on an open port 80 (not that I imagine you do), or some of those Microsoft/NetBIOS type things running.
 
> If you had bought the gold or purple one, you wouldn't need your home router.
>
> It has got a VPN server inside. What I do with my router is run a VPN server then block all other ports. That way, if you really need to see what is inside, you VPN in and connect as if you were local.

Aye, I thought about getting the Gold one but had invested £160 on a mid spec router before I heard about them. I'll settle with what I have for now.
 
I used to have 22 open on a VPS. It not unsurprisingly got hammered. I locked it down to key access only and also had fail2ban running as well. But change the bantime if you do use the latter, it's only set to 5 minutes by default. Don't get locked out yourself though. ;)

VPN is probably a better idea as said though.
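The hammering described in this post and in the earlier reply about an SSH server being hit with connection requests, as an added example that is not part of the thread or of fail2ban itself: a Python sketch of the counting fail2ban does over sshd's log, written so the effect of the findtime and bantime windows is visible. The log lines, thresholds and addresses are constructed; MAXRETRY, FINDTIME and BANTIME only mirror the meaning of the tool's maxretry, findtime and bantime settings and are not its defaults.

```python
import re
from collections import defaultdict

# Assumed thresholds with the meaning of fail2ban's maxretry, findtime and bantime
# (not the tool's defaults; the post above says the stock bantime is short).
MAXRETRY = 5        # failures inside FINDTIME that trigger a ban
FINDTIME = 600.0    # seconds over which failures are counted
BANTIME = 86400.0   # seconds a banned source stays blocked

# Constructed sshd lines; timestamps are plain seconds to keep the example short.
SAMPLE_LOG = """\
1000 sshd[811]: Failed password for root from 198.51.100.7 port 50122 ssh2
1010 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
1020 sshd[812]: Failed password for root from 198.51.100.7 port 50140 ssh2
1025 sshd[812]: Accepted publickey for sam from 192.168.1.10 port 41234 ssh2
1030 sshd[813]: Failed password for root from 198.51.100.7 port 50150 ssh2
1040 sshd[813]: Failed password for root from 198.51.100.7 port 50160 ssh2
1050 sshd[814]: Failed password for root from 198.51.100.7 port 50170 ssh2
1055 sshd[815]: Failed password for root from 203.0.113.9 port 33333 ssh2
5000 sshd[816]: Failed password for root from 203.0.113.9 port 33334 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port \d+"
)


def scan_log(log: str) -> dict[str, float]:
    """Return {source_ip: ban_expiry} for every source that tripped MAXRETRY inside FINDTIME."""
    recent: dict[str, list[float]] = defaultdict(list)
    bans: dict[str, float] = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # key-based logins and unrelated lines never count against anyone
        ts, ip = float(m["ts"]), m["ip"]
        if ts < bans.get(ip, 0.0):
            continue  # already banned: the firewall rule would be dropping these
        # Keep only failures still inside the sliding window, then add this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= FINDTIME] + [ts]
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = ts + BANTIME  # fifth failure inside the window: ban until ts + BANTIME
            recent[ip] = []
    return bans
```

The second source never trips the limit because its two failures are more than FINDTIME apart, which is why the window size matters as much as the retry count.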
 
The OP has asked me to delete this thread, although it seems unfair on people who have given up their time to contribute useful information, and I don't like deleting other people's content.

However, unless they change their mind, I will delete this thread in a day or two, so I'm giving people fair warning.
 
Internet hasn't seemed quite right lately. Lots of disconnections where it doesn't normally, but that could be anything. However, scanning for open ports on the firewall is showing 80 and 443 being open on the outside when there didn't use to be any.

It says to block them you need to do it upon receiving an alarm, but it hasn't come up as an alarm, so I am assuming that the firewall doesn't consider it a risk or thinks that the router wants them open.

My head hurts lol
 