dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
21
share rss forum feed

lanwarrior

join:2007-08-09
Los Angeles, CA
reply to Mangix

Re: 2Wire 3801HGV - ports open (even when I didn't open it)

Yes, the IP address is correct. I tried it twice:

1). Through »www.whatismyip.com/
2). Using Dynamic DNS

I did not port forwards or put anything on DMZ.

I went to Settings --> Firewall --> Advanced Configuration --> "Stealth Mode" and verified this was ALREADY checked.

The ports are open, according to NMAP:

Discovered open port 80/tcp
Discovered open port 25/tcp
Discovered open port 110/tcp
Discovered open port 21/tcp
Discovered open port 443/tcp
Discovered open port 8080/tcp
Discovered open port 143/tcp
Discovered open port 3479/tcp

For testing, I unplug EVERYTHING from the 3801HGV and connect only the ASUS router. This ASUS router has been configured to block EVERYTHING. Then I configure the WAN IP address for the ASUS router and test it again as follow:

I. ASUS router uses private IP address from 2WIRE DHCP (192.168.1.xxx)
Run NMAP again (I was connected to the office via VPN, so all traffic are routed through there). The SAME IP addresses above are shown.

II. ASUS router uses public IP address from 2WIRE
From 2WIRE, go to Settings --> LAN --> IP Address allocation and for the ASUS router selected "Public (Select WAN IP mapping). The ASUS WAN port now have the public IP address (99.xxx.xxx.xxx). Run NMAP again, SAME IP addresses are shown.

Any other test I should do to ensure the ports were NOT open on the 2Wire router? I am not a security expert, so other than NMAP port scanning from another network (not while connected to the U-Verse network), I am not sure what other test I can do.

However, if my testing is correct, it seems that the 2WIRE router is opening up all the above ports to the Internet.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC

1 edit
said by lanwarrior:

However, if my testing is correct, it seems that the 2WIRE router is opening up all the above ports to the Internet.

Port 3479 shows up in an Internet search as registered by AT&T for their U-verse modems.

Nice! Pace bought 2Wire, and my ISP issued me a Pace 4111N-030 residential gateway. Guess which port is open!
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:02:57

Results from scan of ports: 3470-3490

1 Ports Open
0 Ports Closed
20 Ports Stealth
---------------------
21 Ports Tested

NO PORTS were found to be CLOSED.

The port found to be OPEN was: 3479

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

I don't have AT&T service; it is Sonic.net, LLC "Fusion" service. The GRC Shields Up! graphic lists port 3479 as, "2Wire RPC".

Port 3479 is NOT listed as listening when I run 'netstat -an' at a command prompt. So you can see my Pace 4111N modem from the Internet, though I have no clue how secure it is; but you can't reach the equipment on the LAN.

I expect it is used for remote configuration of the modem. Without access to the lowest OS layer in the RG, I see no way to "stealth" this port.

FWIW, none of your other enumerated 2Wire open ports tested open on my Pace. Below 1030, and 1720, 5000:
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:16:00

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Port 8080:
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:16:53

Results from scan of ports: 8070-8090

0 Ports Open
0 Ports Closed
21 Ports Stealth
---------------------
21 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Maybe AT&T is doing something with proxies, or maybe there are multiple issues with your hardware.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

lanwarrior

join:2007-08-09
Los Angeles, CA
Try to run the test using nmap or any other open source tool. Make sure you use SYN TCP scan.