[CLUE-Tech] How secure is a Linksys BEFSR41 with these ports open

bof bof at pcisys.net
Thu Aug 22 10:41:05 MDT 2002


David Anselmi wrote:

> [ports 80/tcp and 53, 67, 69, 161, 520, and 5050/udp open, all else 
> snipped...]
>
> I would say that things are not as they should (could?) be. 

Here's what should have been after I enabled it, according to the Linksys 
User's Guide, p. 55:

    Blocking WAN Requests

    By enabling the Blocking WAN request feature, you can prevent your
    network from being "pinged", or detected, by other Internet users.
    The Block WAN Request feature also reinforces your network security
    by hiding your network ports.

<snip>

> Second, you should be scanning from outside your LAN (that is, from 
> the Internet side of your firewall--as Grant said).  If those ports 
> are open, what is listening on them?  Is it the router/firewall?  Is 
> it a machine behind the firewall?
>
I was running nmap from a system outside the Linksys router (it was 
acting as my firewall) against the external IP address of the Linksys 
--- just as someone seeking to crack it would. I wanted to see what was 
open on the firewall. The results were the ports that I listed.

> Your firewall should not be listening for any connections from outside 
> because that allows it to be abused. <snip>  Don't let anyone outside 
> talk to your border router/firewall if you can help it. 

I concur --- which is what prompted the experiment to begin with. The 
results were not what I expected, so I thought I would publish them to 
see if anyone else with a Linksys like mine could replicate them.

> Your firewall should not be passing inbound packets to machines behind 
> it unless they are related to traffic originated inside (part of an 
> outbound TCP connection or a response to an outbound UDP packet).  


This was my understanding of what a stateful packet inspection firewall 
does. Linksys says that their router uses SPI.
 

> The only exception is when you are running a server that is publicly 
> accessible.

But I am not running any servers, and the firewall still shows open 
access points (or ports, as I call them) in spite of what the User's 
Guide says.

I don't like this, as I think it is a potential weakness and may be 
asking for trouble.

So I don't know if this is a design flaw, or if I just had a faulty 
machine. As I did for Grant, I'll offer to run nmap against this router 
for anyone who owns one if they want to see what happens and we can see 
what is open: contact me privately to set this up.


BOF
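
An added example, not part of the original post and not Linksys code: a minimal Python model of the stateful rule quoted in the thread (inbound traffic passes only as a reply to an outbound flow or to a deliberately published service), checked against the ports reported open. All addresses are constructed documentation-range values, the class and function names are hypothetical, and TCP state tracking and flow timeouts are left out.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.1"     # constructed: router's external address
SCANNER = "198.51.100.7"   # constructed: outside host doing the audit
# Ports the post reports as open on the WAN side.
REPORTED = [("tcp", 80), ("udp", 53), ("udp", 67), ("udp", 69),
            ("udp", 161), ("udp", 520), ("udp", 5050)]

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving via WAN (post-NAT), "in" = arriving on WAN
    proto: str      # "tcp" or "udp"
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)

@dataclass
class StatefulFilter:
    # (proto, port) pairs for services intentionally exposed to the Internet
    published: set = field(default_factory=set)
    flows: set = field(default_factory=set)

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            # Record the flow so that only its reply is let back in.
            self.flows.add((p.proto, p.src, p.dst))
            return "ACCEPT"
        # A reply has the recorded endpoints swapped: same protocol,
        # same remote ip:port, same local ip:port.
        if (p.proto, p.dst, p.src) in self.flows:
            return "ACCEPT"
        if (p.proto, p.dst[1]) in self.published:
            return "ACCEPT"
        return "DROP"  # unsolicited: neither related nor published

def unsolicited_accepts(fw: StatefulFilter) -> list:
    """Probe each reported port from outside; return the ones that get through."""
    return [(proto, port) for proto, port in REPORTED
            if fw.handle(Packet("in", proto, (SCANNER, 40000),
                                (WAN_IP, port))) == "ACCEPT"]

if __name__ == "__main__":
    fw = StatefulFilter()  # no servers published, as in the post
    fw.handle(Packet("out", "udp", (WAN_IP, 33000), ("192.0.2.53", 53)))
    print("unsolicited ports accepted:", unsolicited_accepts(fw))
```

With nothing published, a filter that follows the quoted rule accepts none of the seven probes, which is the result the poster expected from the external scan.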



