[CLUE-Tech] How secure is a Linksys BEFSR41 with these ports open
bof
bof at pcisys.net
Thu Aug 22 10:41:05 MDT 2002
David Anselmi wrote:
> [ports 80/tcp and 53, 67, 69, 161, 520, and 5050/udp open, all else
> snipped...]
>
> I would say that things are not as they should (could?) be.
Here's what should have been after I enable it, according to the Linksys
User's Guide, p. 55:

Blocking WAN Requests

By enabling the Blocking WAN request feature, you can prevent your
network from being "pinged", or detected, by other Internet users.
The Block WAN Request feature also reinforces your network security
by hiding your network ports.
<snip>
> Second, you should be scanning from outside your LAN (that is, from
> the Internet side of your firewall--as Grant said). If those ports
> are open, what is listening on them? Is it the router/firewall? Is
> it a machine behind the firewall?
>
I was running nmap from a system outside the Linksys router (it was
acting as my firewall) against the external IP address of the Linksys
--- just as someone seeking to crack it would. I wanted to see what was
open on the firewall. The results were the ports that I listed.
> Your firewall should not be listening for any connections from outside
> because that allows it to be abused. <snip> Don't let anyone outside
> talk to your border router/firewall if you can help it.
I concur --- which is what prompted the experiment to begin with. The
results were not what I expected, so I thought I would publish them to
see if anyone else with a Linksys like mine could replicate them.
> Your firewall should not be passing inbound packets to machines behind
> it unless they are related to traffic originated inside (part of an
> outbound TCP connection or a response to an outbound UDP packet).
This was my understanding of what a stateful packet inspection firewall
does. Linksys says that their router uses SPI.
> The only exception is when you are running a server that is publicly
> accessible.
But I am not running any servers, and the firewall still shows open
access points (or ports, as I call them) in spite of what the User's
Guide says.
I don't like this, as I think it is a potential weakness and may be
asking for trouble.
So I don't know if this is a design flaw, or if I just had a faulty
machine. As I did for Grant, I'll offer to run nmap against this router
for anyone who owns one if they want to see what happens and we can see
what is open: contact me privately to set this up.
BOF
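
An added example, not part of the original post: one way to check a WAN-side scan against the "nothing should answer from outside" policy discussed above, separating ports that actually replied from UDP ports that current nmap marks `open|filtered` because no reply came back. The address, port states and service names in the sample are constructed, and the names `parse_ports`, `audit` and `ALLOWED` are hypothetical.

```python
import re

# Constructed sample of nmap grepable (-oG) output for a WAN-side scan.
# Port numbers are the ones listed in the post; the address, states and
# service names are made up for illustration.
SAMPLE = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, "
    "53/open|filtered/udp//domain///, 67/open|filtered/udp//dhcps///, "
    "69/open|filtered/udp//tftp///, 161/open/udp//snmp///, "
    "520/open|filtered/udp//route///, 5050/open|filtered/udp/////, "
    "23/closed/tcp//telnet///\n"
)

# Policy from the thread: nothing on the border router answers from outside.
# Add entries such as (443, "tcp") only for a deliberately public server.
ALLOWED = frozenset()

def parse_ports(grepable):
    """Yield (host, port, proto, state) for every port entry in -oG output."""
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # status lines and comments carry no port list
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue  # skip malformed entries
            yield host, int(fields[0]), fields[2], fields[1]

def audit(grepable, allowed=ALLOWED):
    """Split exposed ports into confirmed listeners and unanswered probes."""
    confirmed, unconfirmed = [], []
    for _host, port, proto, state in parse_ports(grepable):
        if (port, proto) in allowed:
            continue
        if state == "open":
            confirmed.append((port, proto))
        elif state == "open|filtered":
            # No reply at all: a listener and a silent drop look the same.
            unconfirmed.append((port, proto))
    return sorted(confirmed), sorted(unconfirmed)

if __name__ == "__main__":
    confirmed, unconfirmed = audit(SAMPLE)
    print("answered from WAN:", confirmed)
    print("no reply (listener or silent drop):", unconfirmed)
```

Ports in the second list need a protocol-specific probe or a packet capture on the router's LAN side before they can be counted as listening services.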