Port 22, 1723 and 110 show open? I have no open ports…

Velcro

I ran a scan with https://www.grc.com as well as http://www.whatsmyip.org/port-scanner/server/

It sates I have the following ports open: 110, 1723 and 22?

I have no open ports on my WAN or VPN interface. I am not allowing access to these ports on any of my internal interfaces either…

Is there a way to prevent this? Is this a concern...if so how can I prevent this?

I humbly thank any body for thoughts...

V

dotdash

If you see the ports open on your WAN IP, and there are no rules on the WAN interfaces, it is probably the device in front of your firewall.

Velcro

Thanks Dotdash…

Makes sense...my poor little modem :-[

Are there any tests I can do to confirm this? Is this a concern?

Thanks again...really appreciate the thoughts.

NogBadTheBad

@V3lcr0:

It sates I have the following ports open: 110, 1723 and 22?

Odd, are you using a router infront of your pfsense box ?

TCP 110 = POP3 why would any type of network device use POP3!

TCP 1723 = PPTP

TCP 22 = SSH/SFTP

Velcro

Yes I am using a Arris Surfboard modem…

I am not using Pop3 for anything that I know off...I have my network pretty tight only allowing 53, 80 and 443...no open ports on WAN or VPN?? Not using TCP port 1723 or port 22...

What would cause this? Is this just me or do others see this with thier Arris Cable modem?


NogBadTheBad

@V3lcr0:

What would cause this?

Not sure about the POP3 but SSH :-

https://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/

https://www.kb.cert.org/vuls/id/419568

Velcro

Scary! Seems like a bunch of Arris modem flaws in the market…

I haven't found my modem on any recent lists(including the links you sent). Called Arris tech support and apparently this has more to do with my cable company...off course my cable company said "...if you had one of our modems we could show you how to close them..."

What a racket...

Gertjan

@V3lcr0:

….
What a racket...

Well, think about it like this : clients pay them so they know about every device they propose to you.
If you should pay them so they support every device on planet earth, then it would become very $$$.

So, up to you to use a device that can be controlled entirely. Btw, normally, 'modems' are pretty dumb devices and have nothing to do with 'ports' or what so ever.

Note : even when your device is 'connectable' from the outside, that doesn't mean some one can enter the nest door : pfSense.AT most, some one could play around with your connection and settings …

chpalmer

http://badmodems.com

And now the CVE that affects the Atom which is used by the Intel Puma chipset found in many Arris and other modems..

https://www.dslreports.com/forum/r31713918-

If your modem has a Puma 5/6/7 chipset you probably want to find a Broadcom modem to replace it with.  For now..

Velcro

I did some more digging into these open ports and was hoping to get some help as to what might be causing this…my ports when scanned remain open. I added a floating rule(created an alias with ports 110, 1723 and 22)  to see if any traffic was actually  moving thru these ports. I was hoping for some help on interpreting this(see screen shot).

When I click on the "States" from tis rule I don't see anything?
Could Linux updates be causing this?
The states read "0/519 KiB" is this something in my network(data is on the right of "/"? If so why would my ports, when scanned with https://www.grc.com as well as http://www.whatsmyip.org/port-scanner/server/ be open and remain open?
Any better port scanners the community might recomend that are better?
Other trouble shooting tips?

Any thoughts or good next steps would be greatly appreciated!

V


Derelict

Just run a packet capture on tcp port 110 on WAN and run another shields up test.

If you do not see the traffic on the WAN port, shields up is seeing a response from something upstream.