Router has port 443 open and accepting connections even when www service is stopped

I have scanned my router from an external network with nmap and discovered that port 443 is open.
I have no forwarding (dstnat) rules for port 443 and have disabled everything in IP->Services except winbox on the default port 8291.
Still have port 443 open and accepting connections. Checked with curl:

  1. Can I get a list of ports opened by system processes on RouterOS (guess no)?
  2. What could this be if there are no dstnat rules for port 443?
  3. How to check that the router was not compromised by some malware (it has a long and random password)?
    [screenshot: image (72).png]
    [screenshot: mikrotik-services.png]

Could it be that you have any ISP’s device “in front” of your router (eg. media converter) and it takes port 443 over?

That’s unlikely. I’ve asked my ISP about this, they say they don’t do anything like this.

Also, when we scan or connect with curl we see these requests in Tools->Packet Sniffer as rx packets.

  1. So try to open that 443 port and see what is talking to you.
  2. What is your router configuration? Are you sure that 443 is not allowed to talk?
  3. Are you sure it is the router answering, and not some device to which the traffic is somehow forwarded?
  4. Block 443 explicitly in the input filter and raw chains and watch the effect.

Try something like:

/export terse show-sensitive verbose file=flash/custom.rsc

And then download that through webfig or scp and finally search the file for “443”.
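One way to automate the "search the file for 443" step, as an added example that is not code from this thread or from MikroTik: instead of a plain text search, the script below walks a RouterOS `/export` dump, tracks the menu path each `set`/`add` line belongs to, joins the backslash continuation lines a non-terse export produces, and reports every entry whose `port=`, `dst-port=` or `to-ports=` attribute covers the port you ask about, together with whether that entry is enabled. The `SAMPLE_EXPORT` is constructed for the demonstration; the attribute names are the ones that appear in RouterOS exports, while the function and class names are this example's own.

```python
"""Find every RouterOS export entry bound to or forwarding a given TCP port.

Added example for the thread above, not part of the original post. It goes
beyond a plain grep for "443" by keeping the menu path and the enabled/disabled
state of each matching line, so an enabled listener (such as an SSTP server on
port 443) stands out from a disabled one (such as www-ssl with disabled=yes).
"""
import re
from dataclasses import dataclass

# Constructed sample export, not a real router's configuration.
SAMPLE_EXPORT = r"""
# jul/01/2024 12:00:00 by RouterOS 7.15.2  (constructed sample)
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none \
    default-profile=default-encryption enabled=yes keepalive-timeout=60 \
    port=443 tls-version=any verify-client-certificate=no
/ip service
set www-ssl address="" certificate=none disabled=yes port=443
set api-ssl address="" certificate=none disabled=yes port=8729
set winbox address="" disabled=no port=8291
/ip firewall nat
add action=dst-nat chain=dstnat comment="camera https" dst-port=22443 protocol=tcp \
    to-addresses=192.0.2.10 to-ports=443
"""

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
# Attributes that name a TCP port a service listens on or NAT forwards to.
PORT_KEYS = ("port", "dst-port", "to-ports")


@dataclass
class Finding:
    path: str      # menu path, e.g. "/interface sstp-server server"
    verb: str      # "set" or "add"
    key: str       # attribute that carried the port
    enabled: bool  # False only if enabled=no or disabled=yes is present
    line: str      # the joined export line


def join_continuations(text):
    """Join lines that a non-terse export wraps with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_kv(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_enabled(attrs):
    return not (attrs.get("enabled") == "no" or attrs.get("disabled") == "yes")


def port_matches(value, port):
    """True if a port value such as "443", "80,443" or "22440-22450" covers port."""
    for item in value.split(","):
        lo, _, hi = item.partition("-")
        if not lo.isdigit():
            continue
        if hi:
            if hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def find_port_bindings(export_text, port):
    path, findings = "", []
    for line in join_continuations(export_text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("/"):      # menu path header
            path = stripped
            continue
        verb, _, rest = stripped.partition(" ")
        attrs = parse_kv(rest)
        for key in PORT_KEYS:
            if key in attrs and port_matches(attrs[key], port):
                findings.append(Finding(path, verb, key, is_enabled(attrs), stripped))
                break
    return findings


def summarize(findings):
    """Human-readable report lines, enabled entries first."""
    ordered = sorted(findings, key=lambda f: not f.enabled)
    return [f"{'ENABLED ' if f.enabled else 'disabled'}  {f.path}  {f.verb} ... {f.key}"
            for f in ordered]


if __name__ == "__main__":
    for row in summarize(find_port_bindings(SAMPLE_EXPORT, 443)):
        print(row)
```

Run it against a real dump by replacing `SAMPLE_EXPORT` with the contents of the exported file. An entry reported as ENABLED under a path such as `/interface sstp-server server` is the kind of listener that explains an open port the IP->Services list does not show; the NAT entries tell you which forwarded ports reach internal hosts on the same port.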

  1. When we try curl we get no meaningful answer due to a TLS handshake failure. When we do curl http://:443, we get no answer at all (“Empty reply from server”).

  2. The router has many configuration changes, should we send a dump of it? Kind of dangerous, there will be secrets for VPNs etc.

  3. We’ve checked the forwarding rules, we only have forwarding for several explicit external IPs and incoming ports like 22443:
    [screenshot: mikrotik-forwarding.png]

  4. If we block it explicitly in the firewall, nmap stops showing it as open and connections with curl are rejected.

Thanks, that gave us some info about the SSTP server:

/interface sstp-server server set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default-encryption enabled=yes keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no

But in winbox the SSTP server shows as disabled:
[screenshot: mikrotik-sstp.png]

My bad, I checked it on another winbox.

SSTP was enabled. I’ve disabled it and nmap stopped showing the port as open; curl also started refusing connections.

Thank you guys!

But you got “enabled=yes” for that SSTP server according to the CLI config, and I would trust that more than winbox.

You could try to enable www-ssl, set it to a different port like 8443 or such, log in using https://:8443 (or whatever port you select) and see what webfig tells you about this setting in the GUI.

Another thing to test is to (if possible) reboot the device and see if winbox fixes its display of whether this feature is enabled or not, or connect from another management client.

Before you do, it would be interesting if you could set this feature to “enabled=no” and then do a new port scan to see if 443/TCP disappears from the results.

The default for sstp-server on a CRS326 running 7.15.2 stable is (as reference):

/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no

Bonus: another hint was that your port scan detected TLS 1.3, while the built-in webfig, when run as www-ssl or api-ssl, only seems to support up to TLS 1.2 as of writing. That is, there is some other service being run.

Glad that it got resolved :)