Nmap reports access to admin access port

chrisjx · Sep 1, 2013, 6:14 PM

I'm trying to clear extra open ports from my pfsense setup.

I have cable on my wan, and dsl on wan2. I have a few IP addresses associated with wan2.

I set up a unique port to access the web admin pages, port 83.

The problem, I think, is that when I scan any of the wan2 associated IP/domain names with nmap it always reports that port as open. Nmap reports:
Discovered open port 83/tcp on xx.xx.xx.xx

Accessing the webGUI from any of the WAN2 domain names results in this error:

Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.

I thought it was only available internally on the LAN interface. I can't seem to find where that port is defined as open on the WAN2 interface.

Thanks for any advice,
Chris.

–
2.0.3-RELEASE (i386)
built on Fri Apr 12 10:22:21 EDT 2013
FreeBSD 8.1-RELEASE-p13

You are on the latest version.

BTW, I have the same problem with nmap detecting port 53. Nmap reports:
Discovered open port 53/tcp on xx.xx.xx.xx

chrisjx · Sep 1, 2013, 6:19 PM

Perhaps my post is too long winded…

How do I shut down ports 83 (my webgui admin port) and 53 (dnsmasq) from WAN2 nmap reports.

Thanks,
Chris.

phil.davis · Sep 2, 2013, 5:43 PM

By default, everything will be blocked on WAN2. What firewall rules do you have on WAN2?

chrisjx · Sep 2, 2013, 6:43 PM

I have 17 firewall rules on WAN2, none of them reference ports 83 (my web admin port) or 53 (dnsmasq?). I used System: Advanced: Admin Access page to enter the custom port number for the webConfigurator.

I just don't see the reference to ports 83 or 53 on WAN2 so I am suspecting some checkbox that sets these behind the scenes.

I do see the Anti-Lockout Rule on the LAN interface for port 83. There is also a Default allow LAN to any rule. Those are the only ones on the LAN.

Thanks for any tips,
Chris.

PS: is there a listing or file I can open to see my real config?

doktornotor · Sep 2, 2013, 6:47 PM

Perhaps you should just stop "testing" WAN rules from within LAN, as the "Potential DNS Rebind attack detected" suggests you have done?

chrisjx · Sep 2, 2013, 7:22 PM

hmm. doktornotor, are you suggesting that I'm getting these extra open port reports from nmap because my laptop, from which I am running nmap, is on the LAN interface?

I'll try again from my work office tomorrow.

Thanks,
Chris.

chrisjx · Sep 2, 2013, 7:33 PM

Here's the nmap report (from a laptop connected to the LAN interface), most personal info altered…

$ nmap -v -T4 -A -v mydomain.net

Starting Nmap 6.00 ( http://nmap.org ) at 2013-09-02 12:13 PDT
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Initiating Ping Scan at 12:13
Scanning mydomain.net (999.999.999.999) [2 ports]
Completed Ping Scan at 12:13, 1.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:13
Completed Parallel DNS resolution of 1 host. at 12:13, 0.02s elapsed
Initiating Connect Scan at 12:13
Scanning mydomain.net (999.999.999.999) [1000 ports]
Discovered open port 3389/tcp on 999.999.999.999
Discovered open port 80/tcp on 999.999.999.999
Discovered open port 53/tcp on 999.999.999.999
Discovered open port 22/tcp on 999.999.999.999
Discovered open port 83/tcp on 999.999.999.999
Completed Connect Scan at 12:13, 4.72s elapsed (1000 total ports)
Initiating Service scan at 12:13
Scanning 5 services on mydomain.net (999.999.999.999)
Completed Service scan at 12:13, 24.89s elapsed (5 services on 1 host)
NSE: Script scanning 999.999.999.999.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:13
Completed NSE at 12:13, 2.21s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for mydomain.net (999.999.999.999)
Host is up (0.00053s latency).
rDNS record for 999.999.999.999: dslxxx1.sfo4.dsl.speakeasy.net
Scanned at 2013-09-02 12:13:07 PDT for 33s
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh?
53/tcp open domain dnsmasq 2.65
| dns-nsid:
|_ bind.version: dnsmasq-2.65
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-methods: GET HEAD POST OPTIONS
|http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|/
|_http-favicon: Unknown favicon MD5: xxx
3389/tcp open ms-wbt-server xrdp
83/tcp open ssl/http lighttpd 1.4.32
| ssl-cert: Subject: commonName=www.mydomain.net/organizationName=My Domain/stateOrProvinceName=Texas/countryName=US/emailAddress=chris@mydomain.net/localityName=Dallas
| Issuer: commonName=internal-ca/organizationName=My Domain/stateOrProvinceName=Texas/countryName=US/emailAddress=chris@mydomain.net/localityName=Dallas
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2013-09-01 06:47:02
| Not valid after: 2023-08-30 06:47:02
| MD5: xxx
| SHA-1: xxx
| –---BEGIN CERTIFICATE-----
| xxx
|-----END CERTIFICATE-----
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Unknown favicon MD5: xxx
|_http-title: 501

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.49 seconds

ptt · Sep 2, 2013, 11:07 PM

You should test your WAN Firewall Rules "From Outside", when you are connected to the LAN of the pfSense, you can use something like the "Nmap Online Scanner" to test your Rules ;)

http://nmap.online-domain-tools.com/

doktornotor · Sep 3, 2013, 12:31 AM

What ptt said above. You cannot meaningfully test WAN from LAN. (Best case, it will get NAT-reflected back to LAN.)