Netgate Discussion Forum

    Open Ports (53, 80, 123, 443)

General pfSense Questions
23 Posts 6 Posters 1.0k Views
stephenw10 Netgate Administrator

      Those ports are commonly blocked by the provider. No-one should ever allow incoming connections on them!

johnpoz LAYER 8 Global Moderator @stephenw10

        Closed Ports: 2 (Ports: 135, 445)

        Pfsense sure isn't going to do anything on those ports, at least not what they are normally used for.. So yeah those are prob blocked by something in front of pfsense. But you would think they should show just that stupid term stealth vs closed.

But yeah the ISP will block some ports even in a modem - there was recently a post about that, you can sometimes view what ports are blocked via an SNMP query.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

Skiny

          @Skiny said in Open Ports (53, 80, 123, 443):

          NTP Mode 6 vulnerability.

          Thanks for all the replies.

          Why would Shodan show those 4 ports as being open? And my ISP warning of an NTP Mode 6 vulnerability (which I assume was related to port 123)?

stephenw10 Netgate Administrator

            As I said above if you don't have a static IP it's probably just an old report.

Skiny

              @stephenw10 said in Open Ports (53, 80, 123, 443):

              have a static IP it's probably just an o

              My ISP keeps sending the warnings regarding NTP though, so must be an on-going issue?

johnpoz LAYER 8 Global Moderator @Skiny

                @Skiny what are the rules on your wan? Do you have any rules in floating.. Again out of the box there is no unsolicited inbound traffic allowed.. Yes pfsense can run ntp, and yes it can listen on wan.. But if you did not create a rule to allow it.. Then it would not be open to the internet.

                I just tried simple ntpdate to all the ips you have used to talk to the forum with, and don't get any answer..

Skiny

                  Other than the 2 default rules, I have one for OpenVPN, using the standard port. Otherwise there's nothing bar 2 old disabled rules.

                  Nothing in floating.

                  My current IP ends .128

                  Normally I wouldn't suspect anything, except for regular ISP warnings, and then what I saw on Shodan.

johnpoz LAYER 8 Global Moderator @Skiny

@Skiny yeah I tested the one that ends in .128, no response to sending an ntp query on port 123 udp

Even sniffed while doing so to see if maybe it was sending something back that wasn't viable to sync ntp with.. no responses at all

Skiny

                      @johnpoz said in Open Ports (53, 80, 123, 443):

                      something back that wasn't

                      It's very strange, I can't think of any explanation for it.

stephenw10 Netgate Administrator

                        Is it a static IP address? Do you have more than one IP?

johnpoz LAYER 8 Global Moderator @Skiny

@Skiny as you can see from the IPs you have talked to the forum with, there have been changes..

Also the mode 6 issues were many years ago.. even back then the default ntp config in pfsense mitigated them - while depending on the scanner it might not account for that in how it tested. So even if your ntp server was open at some point..

These ISPs mess up all the time, and sometimes the right hand doesn't know what the left is doing. So the guy that had the IP before might have had an open ntp server?

                          What I can tell you is currently none of the ips you have used to talk to forums with answer ntp at all..

                          Here is another thing you can do, as a sanity check - is your ntp server listening on your wan even?

                          Go into ntp and select only the interface(s) you want it to listen on - notice mine isn't set to listen on wan.

                          ntp.jpg

Here I limited this to only IPv4, because I didn't want to have to hide my GUA IPv6 address, but it doesn't listen on the wan interface IPv6 either.. And you can see ntp isn't even listening on my public wan IP

                          123.jpg

I mean you could contact your ISP about it - saying hey look I am not running ntp at all, let alone open to mode 6.. Why do you keep sending me this email.. But that would most likely be an exercise in futility..

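The sanity check johnpoz describes above (is ntpd actually bound to the WAN address, or only to the interfaces selected in the NTP settings?) can be automated from the same listening-socket view his 123.jpg screenshot shows. The script below is an added example, not code from this thread, from pfSense or from Netgate; it assumes the FreeBSD `sockstat -l` column layout (USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS), the embedded sockstat output is constructed rather than captured from a real box, and the WAN address 203.0.113.45 is a documentation placeholder.

```python
"""Report ntpd sockets that would accept NTP packets arriving on a WAN address.

Added example (not from the thread or from pfSense). Parses FreeBSD/pfSense
`sockstat -l` output; falls back to constructed sample text when sockstat
is not present on the machine running it.
"""
import subprocess
import sys

# Constructed sample: ntpd limited to localhost plus the LAN address, the
# configuration the thread recommends.  Not captured from a real system.
SAMPLE_LAN_ONLY = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       41187 20 udp4   127.0.0.1:123         *:*
root     ntpd       41187 21 udp4   192.168.1.1:123       *:*
root     ntpd       41187 22 udp6   ::1:123               *:*
unbound  unbound    39102 5  udp4   192.168.1.1:53        *:*
root     sshd       28761 4  tcp4   192.168.1.1:22        *:*
"""

# Constructed sample: ntpd bound to the wildcard address, i.e. every address
# on the box including WAN.  Also not captured from a real system.
SAMPLE_WILDCARD = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       41187 20 udp4   *:123                 *:*
root     ntpd       41187 21 udp6   *:123                 *:*
"""


def parse_sockstat(text):
    """Return (command, proto, local_addr, local_port) per listening socket."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":   # skip header and short lines
            continue
        command, proto, local = parts[1], parts[4], parts[5]
        # IPv6 literals contain ':' themselves, so split on the last one only.
        addr, _, port = local.rpartition(":")
        rows.append((command, proto, addr, port))
    return rows


def ntp_wan_exposure(text, wan_addrs):
    """List the ntpd sockets reachable via one of wan_addrs.

    A socket bound to '*' is bound to every local address, WAN included, so it
    counts as exposed even though no WAN address appears on its sockstat line.
    """
    wan = set(wan_addrs)
    exposed = []
    for command, proto, addr, port in parse_sockstat(text):
        if command != "ntpd" or port != "123":
            continue
        if addr == "*" or addr in wan:
            exposed.append(f"{proto} {addr}:{port}")
    return exposed


def main(argv):
    # Usage: python ntp_listen_check.py <wan-address> [<wan-address> ...]
    wan_addrs = argv[1:] or ["203.0.113.45"]   # placeholder WAN address
    try:
        text = subprocess.run(["sockstat", "-l"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("sockstat not available here; checking the constructed sample")
        text = SAMPLE_LAN_ONLY
    exposed = ntp_wan_exposure(text, wan_addrs)
    if exposed:
        print("ntpd is bound on a WAN-reachable address:", ", ".join(exposed))
        return 1
    print("ntpd is not bound on any WAN address")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only answers the listener half of the question johnpoz raises. The other half is the firewall: as he says earlier in the thread, with no WAN rule allowing UDP 123 the daemon is unreachable from the internet even if it were bound there, so a clean result from this script plus an empty WAN/floating rule set is what "not open" looks like on pfSense.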
stephenw10 Netgate Administrator @johnpoz

                            @johnpoz said in Open Ports (53, 80, 123, 443):

                            So the guy that had the IP before might have had an open ntp server?

                            Yup that would be my bet.

                            @johnpoz said in Open Ports (53, 80, 123, 443):

                            ..that would most likely be an exercise in futility..

As, unfortunately, would that! 😉

Gertjan @Skiny

                              @Skiny said in Open Ports (53, 80, 123, 443):

                              In front of it there's just the cable modem.

                              So you're good for a test.
                              Remove pfSense.
                              Connect a PC to the modem, and set up the connection.
                              Do the same test again.

                              Surprise ......

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

Skiny

                                Apologies for my late reply!

                                The IP does change from time to time, but usually over a long period (a few months). I've received such notices from the ISP for many months too, though I'm not sure if it was the same or not when they first started emailing me.

                                That said, I never thought someone else having the IP before could have caused it. It's the only plausible explanation that I've come across and could well explain it.

                                I did think to contact my ISP, but they're totally useless at the best of times. Will be switching to another provider within a couple of weeks, so will see if it continues after that.

Also, just a thank you to everyone who offered help 🙂

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.