[CLUE-Tech] How secure is a Linksys BEFSR41 with these ports open
David Anselmi
anselmi at americanisp.net
Sun Aug 18 20:31:29 MDT 2002
bof wrote:
> Hello,
>
> I was seeking a firewall/NAT router for my DSL connection and bought a
> Linksys BEFSR41. This post is to see if anyone else could check or
> comment on my experiences with it.
>
> Following its instructions to set up blocking WAN requests (according to
> their User's Guide, this would deny ping requests to hide the network
> ports (their words)), I then checked how well it was hidden by running
> nmap against its IP address.
>
> Here's what I found (the IP address is not shown for privacy and no
> longer belongs to me anyway, since it was a DHCP allocation):
[ports 80/tcp and 53, 67, 69, 161, 520, and 5050/udp open, all else snipped...]
I would say that things are not as they should (could?) be. But you
need to be specific about what you are seeing.
First, ping has nothing to do with ports. Ping uses the ICMP protocol
(which is a sibling of TCP and UDP). Since TCP and UDP are where ports
are defined, there are no ports for ICMP, and it is incorrect to say you
are pinging a particular port.
Second, you should be scanning from outside your LAN (that is, from the
Internet side of your firewall--as Grant said). If those ports are
open, what is listening on them? Is it the router/firewall? Is it a
machine behind the firewall?
Your firewall should not be listening for any connections from outside
because that allows it to be abused. For example, the Cisco 67x DSL
router has a web interface that the Internet can see (by default). One
attack is password guessing to get in and reconfigure it. Even worse
though are attacks that exploit bugs in the web server code. Code Red
happened to exploit one of those bugs (by accident, I think). So when
Code Red was wrecking IIS servers, it was also locking up Cisco DSL
routers. Don't let anyone outside talk to your border router/firewall
if you can help it.
Your firewall should not be passing inbound packets to machines behind
it unless they are related to traffic originated inside (part of an
outbound TCP connection or a response to an outbound UDP packet). The
only exception is when you are running a server that is publicly accessible.
Dave
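The border policy Dave describes (the router itself answers nothing from the WAN side, and only the return half of flows opened from inside is forwarded) written out as an nftables ruleset. This is an added example, not code from the original thread or from Linksys; the interface names eth0 (WAN) and eth1 (LAN) and the 192.168.1.0/24 LAN subnet are assumptions, and a consumer router like the BEFSR41 would not load it as-is.

```nftables
#!/usr/sbin/nft -f
# Hypothetical layout: eth0 faces the Internet, eth1 faces the LAN (192.168.1.0/24).
flush ruleset

table inet border {
    chain input {
        # Traffic addressed to the router itself. Default: drop.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop

        # Replies to lookups the router started (DHCP lease, DNS) come back
        # as established/related; ICMP errors for those flows arrive as
        # "related" too, so path MTU discovery keeps working without any
        # port being "open" for ICMP.
        ct state established,related accept

        # Management (web UI 80/tcp, SNMP 161/udp, TFTP 69/udp, RIP 520/udp)
        # is reachable from the LAN side only.
        iifname "eth1" accept

        # Everything unsolicited from the WAN, echo-request included, hits
        # the drop policy: the Internet never gets to talk to the router.
    }

    chain forward {
        # Traffic crossing the router between LAN and WAN. Default: drop.
        type filter hook forward priority 0; policy drop;

        ct state invalid drop

        # Outbound from the LAN is allowed and creates a conntrack entry...
        iifname "eth1" oifname "eth0" accept

        # ...so only packets belonging to those flows (the rest of an outbound
        # TCP connection, or the reply to an outbound UDP datagram) are passed
        # back in. Unsolicited inbound packets are dropped by policy.
        iifname "eth0" oifname "eth1" ct state established,related accept

        # The only exception would be a deliberately published server, which
        # needs an explicit DNAT rule plus a matching accept here (not shown).
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Rewrite LAN sources to the WAN address on the way out.
        oifname "eth0" masquerade
    }
}
```

Load with `nft -f` and then, as the post recommends, scan the WAN address from a host outside the LAN: no TCP or UDP port should report open or filtered-but-answering, and echo requests should go unanswered.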