Help closing Open Ports

John Adams
Level 1

Hello,

I've an 887va (used for providing internet via ADSL at a remote site).

From the inside 192.168.0.x network we allow all users out on all ports (unrestricted).

I've a requirement to allow SSH, HTTPs, SNMP and PING from 2 remote external IPs to the assigned WAN IP of my Router.

I own the 2 remote IPs - they are at a different office so I can remotely manage/monitor the ADSL Router at the remote site.

I've tested from my remote offices and I can ssh, https, snmp and ping successfully. (Config below, where xx.xx.xx.xx & yy.yy.yy.yy are my external IPs.)

I've tested from home (an IP not in the allowed ACL) and I correctly can't ssh or https, but I can snmp and ping, which is worrying me.

I've therefore got confusing results. I've done an NMAP scan from a completely different IP on the internet to the WAN IP of my Cisco Router and I can see some ports show as open which I need to address, so I'm hoping someone can offer some help.

Ports that show as open from the NMAP scan:

53 - tcp/udp - open/filtered.
1720 - tcp - filtered
1863 - tcp - open
5190 - tcp - open

123 - udp - open
161 - udp - open

I understand port 53 is because my Router is providing DNS for my local 192.168.0.1 network - but I don't want it exposed to the internet and need that to be closed (but obviously still work so my clients can do lookups).

I don't know what 1720, 1863 or 5190 are - I understand they may be voip? I don't use voip so would like to know how to close these.

161 is because I allow snmp, but I thought my config restricted it to certain IPs - I could do with some help on that one as that's a bad security issue for me.

123 is because I'm set to receive ntp - I want to sync the time but I don't want anyone to be able to come in on port 123, and could do with that closing.

I very much look forward to your help.

Thank you.

Show run of applicable settings:

!
ntp server 1.uk.pool.ntp.org
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 10 permit xx.xx.xx.xx  (an external IP I own)
access-list 10 permit yy.yy.yy.yy  (an external IP I own)
access-list 10 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
snmp-server community nagios-SVR RO 10
!
ip dhcp pool myDHCPpool
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1
!
no ip http server
ip http access-class 10
ip http secure-server
!
ip dns server
!
ip domain name xxxxx.com
ip name-server 8.8.8.8
!
line vty 0 4
 access-class 10 in
 password 7 xxxxxxxxxx
 login authentication local_auth
 transport input ssh

14 Replies

John Blakley
VIP Alumni

John,

Nmap is a great tool, but sometimes it can misreport. Try scanning from the same source using "-sT" for a full scan. I'm assuming that you used a syn scan "-sS" (although I'm just guessing ). The syn scan will try to get a connection open, and if it receives a syn/ack, it will drop the connection and assume that the port is open. With the -sT flag, it will go through the complete process. I've done audits where it would show a port open, but when you do a full connect it would show closed.

Now, to answer the other question about how to close them. The only thing that you'd be able to do would be to protect your router with an acl, zbf, or cbac. You can also see if you have the control-plane command on the router and do "show control-plane host open-ports". This will bring up a netstat window on the router that will show you what ports are listening.

You can also do "show tcp brief all" and it will show you similar results. You should have an acl on your wan interface denying everything except what you're wanting in. If not, the router would be wide open to the world.

HTH,
John

*** Please rate all useful posts ***

John

If you are not busy, could you send me an e-mail, as I need to pick your brains on something (BGP related) (nothing to do with the private message about IOS).

No problem if you can't.

jms.123@hotmail.co.uk

Jon

Thank you John Blakley.

I have just run a new scan with the full connects (-sT).

It showed tcp/udp 53, udp 123 and udp 161 as open.

I can even telnet to tcp 53 from my home.

Perhaps tcp 1720, 1863 and 5190 are false positives, as I can't telnet to them and they did not show up in my latest scan.

I will maybe look again at them.

For now I need to make sure 53, 123 and 161 get closed - any ideas?

Thanks.

Collin Clark
VIP Alumni

You can deploy Control Plane Protection and specifically set those to drop (if they are indeed open).

https://supportforums.cisco.com/people/Collin_Clark/blog/2013/11/08/control-plane-protection-cppr

Thank you Collin I will take a look. I'm having some trouble viewing your link - it says:

'It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake.'

Sorry, they pulled the plug on the blog posts and must have restricted the views as well. Please see attached.

Thanks - it looks like that's something I could look at.

For now I'd like to understand why these ports are open and how to restrict them rather than close them off like that.

I'm also interested to know why my ACL for SNMP is not correctly working and allowing everyone in, yet for SSH and HTTPS the same ACL restricts and allows correctly.

Thanks.

The ACL for SNMP allows the two external IP's and 192.168.0.0 /24. What other subnets are able to access via SNMP?

1720 is netmeeting and H.323

1863 is Control Streaming Channel

5190 is also Control Stream and possibly chat

A full post of your config would help see if there is something in there that is open vs false positive. Also as John mentioned, post the result of show control-plane host open-ports to see what exactly is open.

Full config is as follows.

!
! Last configuration change at 17:31:15 GMT Wed Jan 8 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxxx
 certificate self-signed 01
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        quit
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool myDHCPpool
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1
!
!
!
ip domain name xxxxxxx.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn xxxxxxxxxxxxxx
!
!
username admin privilege 15 secret xxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 description Uplink to Switch
 switchport access vlan 50
 no ip address
!
interface FastEthernet1
 switchport access vlan 50
 no ip address
 shutdown
!
interface FastEthernet2
 switchport access vlan 50
 no ip address
 shutdown
!
interface FastEthernet3
 switchport access vlan 50
 no ip address
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan50
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname user@xxxxxxxxx.com
 ppp chap password 7 xxxxxxxx
 no cdp enable
!
ip forward-protocol nd
no ip http server
ip http access-class 10
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 10 permit xx.xx.xx.xx  (External IP)
access-list 10 permit yy.yy.yy.yy  (External IP)
access-list 10 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
snmp-server community nagios-RVR RO 10
snmp-server location xxx
snmp-server contact xxxx
!
!
!
!
line con 0
 login authentication local_auth
 no modem enable
line aux 0
 login authentication local_auth
line vty 0 4
 access-class 10 in
 password 7 xxxxxxxxxxxxx
 login authentication local_auth
 transport input ssh
!
ntp server 1.uk.pool.ntp.org
!
end

John,

SNMP (161) is open because you have it enabled on the router, and 123 is used for NTP which is also running with your "ntp server" line. I don't see an acl on the dialer interface. To close everything, you could configure cbac on the device if it supports it.

See if you have the command "ip inspect". If so, try this config and then try your scan again:

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
!
access-list 100 deny ip any any
!
interface Dialer0
 ip access-group 100 in
 ip inspect FW out

After you put this in, make sure all of your other stuff works like phones etc. This isn't meant to fix the issue, but this will enable an inspection policy on the router and a pseudo firewall. Run nmap against the device again after putting this in.

HTH,
John

*** Please rate all useful posts ***

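As an added example (not code from this thread, from Cisco, or from the poster), the script below reads an abridged copy of the posted running-config and lists which management services the router is listening on and which ACL, if any, limits their sources. It assumes the WAN interface is Dialer0, as in the posted config; the embedded config is a constructed abridgement of the one above.

```python
import itertools, re

# Constructed abridgement of the running-config posted in this thread (xx/yy are the poster's placeholders).
SAMPLE_CONFIG = """\
interface Dialer0
 ip nat outside
ip http access-class 10
ip http secure-server
ip dns server
access-list 10 permit xx.xx.xx.xx
access-list 10 permit yy.yy.yy.yy
snmp-server community nagios-RVR RO 10
line vty 0 4
 access-class 10 in
 transport input ssh
ntp server 1.uk.pool.ntp.org
"""

def block(config, header):
    """Indented sub-commands that follow the exact top-level line `header` ([] if absent)."""
    lines = config.splitlines()
    if header not in lines:
        return []
    body = itertools.takewhile(lambda l: l.startswith(" "), lines[lines.index(header) + 1:])
    return [l.strip() for l in body]

def audit(config, wan="interface Dialer0"):
    """Map each listening management service to the ACL that limits its sources (None = any source)."""
    f, m = {}, re.search(r"^snmp-server community \S+ R[OW](?: (\S+))?$", config, re.M)
    if m:
        f["snmp/161"] = m.group(1)  # the socket is open either way; the ACL only decides who gets answered
    if re.search(r"^ip http secure-server$", config, re.M):
        m = re.search(r"^ip http access-class (\S+)$", config, re.M)
        f["https/443"] = m.group(1) if m else None
    vty = block(config, "line vty 0 4")
    if any(l in ("transport input ssh", "transport input all") for l in vty):
        f["ssh/22"] = next((l.split()[1] for l in vty if l.startswith("access-class ")), None)
    if re.search(r"^ip dns server$", config, re.M):
        f["dns/53"] = None  # IOS offers no service ACL here; only an interface ACL or ZBF limits it
    if re.search(r"^ntp server ", config, re.M):
        m = re.search(r"^ntp access-group (?:peer|serve|serve-only|query-only) (\S+)", config, re.M)
        f["ntp/123"] = m.group(1) if m else None
    acls = [l.split()[2] for l in block(config, wan) if l.startswith("ip access-group ") and l.endswith(" in")]
    f["wan_inbound_acl"] = acls[0] if acls else None
    return f

def open_to_any_source(findings):
    """Services with no source ACL of their own (an inbound WAN ACL, if present, could still filter them)."""
    return sorted(k for k, v in findings.items() if k != "wan_inbound_acl" and v is None)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG), open_to_any_source(audit(SAMPLE_CONFIG)))
```

On the posted config this reports DNS and NTP as listening with no source ACL at all and no inbound ACL on Dialer0, which matches the scan results above.
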
Would that config still allow everyone every port outbound and ssh/https/snmp access inbound from the external IPs I want to have access?

I think I've just understood what you're saying. I'm confused by why my SNMP port shows - it shows because it is open; the ACL just restricts who can access it. I'd not understood that part.


I guess to be secure I need a firewall instead. My box supports the newer ZBF so I can use that but I've no idea how to achieve what I wish to achieve.

Looking at a different thread, someone replied to me and I think they said this might work - though I don't really understand it.

ip access-list extended Outside-Mgmt-acl
 permit tcp host x.x.x.x any eq 443
 permit tcp host x.x.x.x any eq 22
 permit tcp host y.y.y.y any eq 443
 permit tcp host y.y.y.y any eq 22
 permit udp host x.x.x.x any eq 161
 permit udp host y.y.y.y any eq 161
 permit icmp host x.x.x.x any echo
 permit icmp host y.y.y.y any echo
!
zone security Inside
zone security Outside
!
interface Vlan50
 zone-member security Inside
interface Dialer0
 zone-member security Outside
!
class-map type inspect match-any Inside-Outside-class
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any Outside-Mgmt-class
 match access-group name Outside-Mgmt-acl
!
policy-map type inspect Inside-Outside-policy
 class type inspect Inside-Outside-class
  inspect
 class class-default
  drop
policy-map type inspect Outside-Mgmt-policy
 class type inspect Outside-Mgmt-class
  inspect
 class class-default
  drop
!
zone-pair security Inside-Outside source Inside destination Outside
 service-policy type inspect Inside-Outside-policy
zone-pair security Outside-self source Outside destination self
 service-policy type inspect Outside-Mgmt-policy

Would that work -

The goals are to allow everything outbound, allow only ssh, https, ping and snmp inbound from 2 external IPs that I own. Everything else coming from the internet to my WAN address should be denied and nmap should report no open ports. I also don't want to slow my router down hence trying to do it with ACLs.

Do I still need the standard ACL statements for my ssh and http server, or are they no longer required?

Will my NTP/DNS fail with this config as those ports show as open?

Thanks.

John,

I tested this this morning and it seems like it would work fine. I don't have access to test nmap against it, but I was able to test locking down from the outside a single host and verifying that another host wouldn't be able to pass traffic if it wasn't a part of the acl. The trick with zbfw is that you need a defined pair in order to pass traffic. Currently, you have a zone-pair listed as Inside-Outside and Outside-self. If you host a web server for public access, you'll need another "Outside-Inside" zone pair that defines Outside source and Inside as a destination.

You won't need acls on the public interface if you're going to go this route, but it would be another layer of protection that you could use to do a catch all.

HTH,
John

*** Please rate all useful posts ***

John Blakley - thank you very much.

Can you clarify - did you test your original suggestion or did you test the commands that I typed out with the zone pairs? I think you mean the commands I typed out with the zone pairs, but it's good for me to double check.

Can you comment on any performance impact that I might see with having the firewall turned 'on and inspecting'?

Also would DNS and NTP still function - is there a requirement to have a rule back in for these?

Thank you.

John,

Technically, the config looks correct for outbound traffic. I don't have a way of testing your scenario with real equipment, so I did everything through gns. As far as performance, anything 'extra' that's added to the router outside of routing would cause a slight impact. I'm not sure how noticeable it would be, but if you don't have a ton of users and you're not pushing the bandwidth limitations of your router, you shouldn't notice much of a difference if any. From your config, ntp *may* work, but you may need to create another zone from self to Outside and permit ntp out. DNS queries would come from the inside to outside interface since your workstations would be doing the request. If you want to do lookups from the router, as in pinging google.com and have a name server configured in the router, you would possibly need to add dns to that zone as well. Again, I don't have a way of testing this though, and it may work fine without adding the extra zone.

Testing, I can telnet to port 80 from a router that has zbfw configured and I don't have a zone from self to Outside, so I think your current config will work fine without additional configuration.

HTH,
John

*** Please rate all useful posts ***