David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Port securing

Wed Jul 06, 2022 9:38 am

Hello,
I have a router that is connected to the internet using a 4G modem.
I made all connections to the router and to the device behind it allowed only from the VPN network.
I have started to check my router using nmap to see "what can go wrong".

When I scan the VPN address I get this:
Not shown: 65525 closed ports
PORT      STATE    SERVICE        VERSION
21/tcp    open     ftp
22/tcp    open     ssh            OpenSSH 7.9p1 Raspbian 10+deb10u2+rpt1 (protocol 2.0)
2000/tcp  open     bandwidth-test MikroTik bandwidth-test server
5900/tcp  open     vnc            RealVNC Enterprise 5.3 or later (protocol 5.0)
8291/tcp  open     unknown
8728/tcp  open     routeros-api   MikroTik RouterOS API
64872/tcp filtered unknown
64873/tcp filtered unknown
64874/tcp filtered unknown
64875/tcp filtered unknown


I saw my bandwidth server was open, so I closed it. Then I ran the scan from the ISP address and got this:
PORT     STATE    SERVICE    VERSION
21/tcp   open     tcpwrapped
25/tcp   filtered smtp
2222/tcp open     tcpwrapped
1. Is this OK?
2. How can it be that I didn't get port 25 from my VPN, but I got it from my ISP?


Thanks,
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port securing

Wed Jul 06, 2022 10:59 am

1.,2.,3: while scanning using nmap, run /tool sniffer quick on the router itself, to see whether the packets towards ports 21, 25, 2222 indeed reach your Mikrotik.

If they do, which I suppose to be the case for ports 21 and 2222, your firewall rules are not good enough, as they allow the TCP connections to reach the router, but the TCP sessions get ignored at application level (see what tcpwrapped means at https://security.stackexchange.com/a/71281). It probably means that your firewall doesn't block incoming TCP connections to these ports, but you have configured allowed networks under /ip service. This is less secure than blocking access to these ports for other than desired addresses using the firewall, as there could theoretically be some vulnerability in the FTP and/or ssh application.

As for port 25 - either you want it to get through to your SMTP server and you've configured the firewall accordingly, and then the rules you've added only allow incoming traffic to that port from the WAN interface, not from the VPN one, or you did not allow it in your firewall at all, and then it may be some activity of your ISP to prevent spam. In the latter case, you should not see incoming traffic at port 25 while doing the nmap scan, because it would be equipment of the ISP responding at that port on behalf of your router.
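Putting the advice above into a concrete ruleset, as an added example that is not part of the thread and not the poster's configuration. It assumes the VPN subnet is 10.99.0.0/24, the 4G/WAN interface is named lte1, and the VPN is WireGuard listening on UDP 13231; all three are assumptions to replace with your own values. The input chain only handles traffic addressed to the router itself; the /tool sniffer and rule counters at the end are the check that the firewall, not the application, is now refusing the probes.

```routeros
# Added example, not from the thread. Assumed values: VPN subnet 10.99.0.0/24,
# WAN interface lte1, WireGuard on UDP 13231. Adjust before importing.

# 1. Keep the /ip service restriction as a second layer (this is what the poster already did).
/ip service
set ftp address=10.99.0.0/24
set ssh address=10.99.0.0/24
set api address=10.99.0.0/24
set winbox address=10.99.0.0/24

# 2. Define the trusted subnet once, in an address list.
/ip firewall address-list
add list=mgmt-allowed address=10.99.0.0/24 comment="VPN clients allowed to manage the router"

# 3. Input chain: first match wins, so order matters.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="established/related"
add chain=input action=drop connection-state=invalid comment="invalid"
# The VPN tunnel itself must stay reachable from the WAN, or nobody can get in at all.
add chain=input action=accept protocol=udp dst-port=13231 in-interface=lte1 comment="VPN handshake from WAN"
# Management ports (ftp, ssh, winbox, api, api-ssl) only from the VPN subnet.
# Decapsulated VPN traffic arrives on the VPN interface, not lte1, so it is not hit by the drop below.
add chain=input action=accept protocol=tcp dst-port=21,22,8291,8728,8729 src-address-list=mgmt-allowed comment="management from VPN only"
# Everything else arriving on the WAN and addressed to the router is dropped:
# the SYN never reaches ftpd/sshd, so nmap reports "filtered" instead of "tcpwrapped".
add chain=input action=drop in-interface=lte1 comment="drop other WAN input"

# 4. Verify: repeat the nmap scan from the ISP side while sniffing on the WAN interface.
# Only inbound SYNs with no reply should be visible for these ports.
/tool sniffer quick interface=lte1 port=21,22,2222
# Hit counters show which rule handled the probes.
/ip firewall filter print stats
```

One caveat: if port 2222 on the WAN side is a dst-nat forward to the device behind the router, that traffic passes through the forward chain, not input, so it needs its own src-address-list=mgmt-allowed rule in chain=forward (followed by a drop for the rest) to get the same treatment.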
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: Port securing

Wed Jul 06, 2022 11:41 am

About port 25 (SMTP): I'm not using it, I guess this is something from my ISP.

I didn't add any fw rules (I just changed the allowed networks in the ip-service), so you say it's better to also add incoming rules according to the ip-service?
After adding these rules, is there anything else I can or need to do?

My logic is that if you are in the VPN network, then you should be able to enter the router.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port securing

Wed Jul 06, 2022 12:30 pm

I have no crystal ball, so I don't know what your starting point was. There are firewall rules in the factory default configuration that fit the typical home user, but they are only provided on SOHO routers; for larger models the assumption is that people buying them know something about networking and will set up a firewall to their own liking before even connecting the device to the internet for the first time, so the firewall is empty in the factory default configuration for these routers.

Also your logic makes sense (unless we talk about large VPNs where each VPN client can be in a different trust group so not all users are allowed to access the router itself), but here you have to modify the rules to implement your logic. This is not Apple where the designers know better than you what you want, so they do everything automatically but you cannot customize anything. Here, nothing is automatic and you have to customize everything.
