Nmap reports access to admin access port



  • I'm trying to clear extra open ports from my pfsense setup.

    I have cable on my wan, and  dsl on wan2.  I have a few  IP addresses associated with wan2.

    I set up a unique port to access the web admin pages, port 83.

    The problem, I think, is that when I scan any of the wan2 associated IP/domain names with nmap it always reports that port as open.  Nmap reports:
    Discovered open port 83/tcp on xx.xx.xx.xx

    Accessing the webGUI from any of the WAN2 domain names results in this error:

    Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
    Try accessing the router by IP address instead of by hostname.

    I thought it was only available internally on the LAN interface.  I can't seem to find where that port is defined as open on the WAN2 interface.

    Thanks for any advice,
    Chris.


    2.0.3-RELEASE (i386)
    built on Fri Apr 12 10:22:21 EDT 2013
    FreeBSD 8.1-RELEASE-p13

    You are on the latest version.

    BTW, I have the same problem with nmap detecting port 53.  Nmap reports:
    Discovered open port 53/tcp on xx.xx.xx.xx



  • Perhaps my post is too long winded…

    How do I shut down ports 83 (my webgui admin port) and 53 (dnsmasq) from WAN2 nmap reports.

    Thanks,
    Chris.



  • By default, everything will be blocked on WAN2. What firewall rules do you have on WAN2?



  • I have 17 firewall rules on WAN2, none of them reference ports 83 (my web admin port) or 53 (dnsmasq?).  I used System: Advanced: Admin Access page to enter the custom port number for the webConfigurator.

    I just don't see the reference to ports 83 or 53 on WAN2 so I am suspecting some checkbox that sets these behind the scenes.

    I do see the Anti-Lockout Rule on the LAN interface for port 83.  There is also a Default allow LAN to any rule.  Those are the only ones on the LAN.

    Thanks for any tips,
    Chris.

    PS: is there a listing or file I can open to see my real config?


  • Banned

    Perhaps you should just stop "testing" WAN rules from within LAN, as the "Potential DNS Rebind attack detected" suggests you have done?



  • hmm.  doktornotor, are you suggesting that I'm getting these extra open port reports from nmap because my laptop, from which I am running nmap, is on the LAN interface?

    I'll try again from my work office tomorrow.

    Thanks,
    Chris.



  • Here's the nmap report (from a laptop connected to the LAN interface), most personal info altered…

    $ nmap -v -T4 -A -v mydomain.net

    Starting Nmap 6.00 ( http://nmap.org ) at 2013-09-02 12:13 PDT
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 2) scan.
    NSE: Starting runlevel 2 (of 2) scan.
    Initiating Ping Scan at 12:13
    Scanning mydomain.net (999.999.999.999) [2 ports]
    Completed Ping Scan at 12:13, 1.20s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 12:13
    Completed Parallel DNS resolution of 1 host. at 12:13, 0.02s elapsed
    Initiating Connect Scan at 12:13
    Scanning mydomain.net (999.999.999.999) [1000 ports]
    Discovered open port 3389/tcp on 999.999.999.999
    Discovered open port 80/tcp on 999.999.999.999
    Discovered open port 53/tcp on 999.999.999.999
    Discovered open port 22/tcp on 999.999.999.999
    Discovered open port 83/tcp on 999.999.999.999
    Completed Connect Scan at 12:13, 4.72s elapsed (1000 total ports)
    Initiating Service scan at 12:13
    Scanning 5 services on mydomain.net (999.999.999.999)
    Completed Service scan at 12:13, 24.89s elapsed (5 services on 1 host)
    NSE: Script scanning 999.999.999.999.
    NSE: Starting runlevel 1 (of 2) scan.
    Initiating NSE at 12:13
    Completed NSE at 12:13, 2.21s elapsed
    NSE: Starting runlevel 2 (of 2) scan.
    Nmap scan report for mydomain.net (999.999.999.999)
    Host is up (0.00053s latency).
    rDNS record for 999.999.999.999: dslxxx1.sfo4.dsl.speakeasy.net
    Scanned at 2013-09-02 12:13:07 PDT for 33s
    Not shown: 995 filtered ports
    PORT    STATE SERVICE      VERSION
    22/tcp  open  ssh?
    53/tcp  open  domain        dnsmasq 2.65
    | dns-nsid:
    |_  bind.version: dnsmasq-2.65
    80/tcp  open  http          Apache httpd 2.2.22 ((Ubuntu))
    |_http-methods: GET HEAD POST OPTIONS
    |http-title: Site doesn't have a title (text/html).
    | http-robots.txt: 1 disallowed entry
    |
    /
    |_http-favicon: Unknown favicon MD5: xxx
    3389/tcp open  ms-wbt-server xrdp
    83/tcp open  ssl/http      lighttpd 1.4.32
    | ssl-cert: Subject: commonName=www.mydomain.net/organizationName=My Domain/stateOrProvinceName=Texas/countryName=US/emailAddress=chris@mydomain.net/localityName=Dallas
    | Issuer: commonName=internal-ca/organizationName=My Domain/stateOrProvinceName=Texas/countryName=US/emailAddress=chris@mydomain.net/localityName=Dallas
    | Public Key type: rsa
    | Public Key bits: 2048
    | Not valid before: 2013-09-01 06:47:02
    | Not valid after:  2023-08-30 06:47:02
    | MD5:  xxx
    | SHA-1: xxx
    | –---BEGIN CERTIFICATE-----
    | xxx
    |-----END CERTIFICATE-----
    |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
    |_http-favicon: Unknown favicon MD5: xxx
    |_http-title: 501

    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 2) scan.
    NSE: Starting runlevel 2 (of 2) scan.
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 33.49 seconds


  • Rebel Alliance

    You should test your WAN Firewall Rules "From Outside", when you are connected to the LAN of the pfSense, you can use something like the "Nmap Online Scanner" to test your Rules  ;)

    http://nmap.online-domain-tools.com/


  • Banned

    What ptt said above. You cannot meaningfully test WAN from LAN. (Best case, it will get NAT-reflected back to LAN.)


Log in to reply