netdoomer Posted February 21, 2016
hi there i figured out, my netduma keeps UPnP active, even with UPnP disabled in the settings. so basically all devices with active UPnP in my network are visible on the internet. this could be a potential security issue. can anybody else confirm that UPnP is active with the settings on disabled? (maybe do a portscan in enabled/disabled mode?) thanks
major masingil Posted February 21, 2016
Doomer, are you using any port forwarding rules, at the same time as your UPnP? You're probably not, but I had to ask.
Scrizzy Posted February 21, 2016
Not sure exactly what you mean by "visible on the internet". Some applications clearly need some ports to be open in order to function properly. The router wouldn't be very useful if it did not facilitate this. But if you want to turn upnp off, did you just go to settings/Misc. and untick "enable Upnp forwarding"? Because that just facilitates communication if you have another router in front of the Duma. You need to go to Settings/Upnp and untick "enable" and hit "apply". That should clear your existing port reservations. Do the same in your other router if there is another connected in your chain. Leave both disabled and reboot everything and that should leave your ports blocked if that is what you are trying to accomplish. Also, make sure nothing is in the DMZ of your other router if you have one, as that will also leave all your ports open.
netdoomer (Author) Posted February 21, 2016
nope, no rules in there.
major masingil Posted February 21, 2016
And you're seeing the same ports open with UPnP On vs. when it's Off on your port scans?
netdoomer (Author) Posted February 21, 2016
> Not sure exactly what you mean by "visible on the internet". Some applications clearly need some ports to be open in order to function properly. The router wouldn't be very useful if it did not facilitate this. But if you want to turn upnp off, did you just go to settings Misc. and untick Upnp forwarding? Because that just facilitates communication if you have another router in front of the Duma. You need to go to Settings/Upnp and untick enable. That should clear your existing port reservations. Do the same in your other router if there is another connected in your chain. Leave both disabled and reboot everything and that should leave your ports blocked if that is what you are trying to accomplish. Also, make sure nothing is in the DMZ of your other router if you have one, as that will also leave all your ports open

thanks for your input. i'm pretty sure i haven't misconfigured the router. there are no rules nor port forwardings. however, what i mean: if i run a portscan over my WAN IP i see port 8080, 443 and others that are open. in my UPnP settings the checkbox for UPnP is disabled, but i see on the list what devices are still using UPnP. however, i can activate and deactivate UPnP - no difference. UPnP is always on. yes i know some services need UPnP in order to run but i would like to have the option to deactivate it. however, easy sample: QNAP nas is reachable on port 8080 over my WAN IP even if UPnP is deactivated in netduma. while writing this it just hit me, maybe browser / cache / cookies problem. i'll investigate and let everybody know but if there's somebody now who can check if disabling and enabling UPnP makes a difference in Portscans
netdoomer (Author) Posted February 21, 2016
> And you're seeing the same ports open with UPnP On vs. when it's Off on your port scans?

yes
major masingil Posted February 21, 2016
All I can think of is what Scrizzy was saying... some ports are always open to facilitate. For example, I have Directv that comes with an external device that allows "on demand" capabilities. The ports for the on-demand connection are always open. When I start up the XB additional ports are opened to allow that communication. I'm sure you've thought of that. I'm just saying
netdoomer (Author) Posted February 21, 2016
yes, i'm aware of that. it's just, when you disable UPnP it should cut the services so they are not able to connect from outside. let me put an example: Synology NAS or QNAP NAS with UPnP active. Netduma also active UPnP. then you can connect from outside to Port 80 or 8080 or 443 and have access to your Webinterface. if you deactivate it, there should be no access - at least that's how it works with other routers. i've been trying this back and forward with different devices and there is no difference when enabled or disabled. so that's the issue. and i personally think this could be a potential security issue. let's say you have weak password for your NAS or whatever is behind the duma and accessible from WAN. Could be used for a hack attempt. but i'll wait and see what the guys will say maybe tomorrow if they read this
netdoomer (Author) Posted February 21, 2016
just to make it complete

UPnP disabled:

    Starting Nmap 6.00 ( http://nmap.org ) at 2016-02-21 18:18 EET
    Initiating Ping Scan at 18:18
    Scanning MY_WAN_IP [4 ports]
    Completed Ping Scan at 18:18, 0.07s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 18:18
    Scanning MY_HOSTNAME (MY_WAN_IP) [100 ports]
    Discovered open port 443/tcp on MY_WAN_IP
    Discovered open port 80/tcp on MY_WAN_IP
    Discovered open port 8080/tcp on MY_WAN_IP
    Completed SYN Stealth Scan at 18:18, 1.26s elapsed (100 total ports)
    [+] Nmap scan report for MY_HOSTNAME (MY_WAN_IP)
    Host is up (0.035s latency).
    Not shown: 79 closed ports
    PORT      STATE    SERVICE
    26/tcp    filtered rsftp
    80/tcp    open     http
    106/tcp   filtered pop3pw
    135/tcp   filtered msrpc
    139/tcp   filtered netbios-ssn
    144/tcp   filtered news
    179/tcp   filtered bgp
    389/tcp   filtered ldap
    443/tcp   open     https
    445/tcp   filtered microsoft-ds
    514/tcp   filtered shell
    873/tcp   filtered rsync
    1755/tcp  filtered wms
    1900/tcp  filtered upnp
    2001/tcp  filtered dc
    2121/tcp  filtered ccproxy-ftp
    6646/tcp  filtered unknown
    8080/tcp  open     http-proxy
    8443/tcp  filtered https-alt
    9100/tcp  filtered jetdirect
    49154/tcp filtered unknown
    Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
    Raw packets sent: 148 (6.488KB) | Rcvd: 197 (11.217KB)

as in this case, my QNAP is reachable from the Internet for everybody (webinterface) with UPnP disabled
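The enabled/disabled comparison asked for in this thread can be made repeatable by diffing the port tables of two saved scans of your own WAN address. This is an added example, not part of any post here; the function names and both sample scans are constructed, and the extra port 6881 in the "enabled" sample is hypothetical.

```python
import re

# One row of nmap's port table, e.g. "8080/tcp open http-proxy".
PORT_ROW = re.compile(r"^[ \t]*(\d+)/(tcp|udp)[ \t]+(\S+)[ \t]+(\S+)", re.M)

def open_ports(nmap_text):
    """Map (port, proto) -> service for rows whose state is exactly 'open'."""
    return {(int(port), proto): service
            for port, proto, state, service in PORT_ROW.findall(nmap_text)
            if state == "open"}

def compare_scans(enabled_text, disabled_text):
    """Diff open ports: scan taken with UPnP enabled vs. scan with it disabled."""
    on, off = open_ports(enabled_text), open_ports(disabled_text)
    return {
        "closed_by_disabling": sorted(on.keys() - off.keys()),
        "still_open": sorted(on.keys() & off.keys()),
        "only_when_disabled": sorted(off.keys() - on.keys()),
    }

# Constructed sample: a few port rows in the format of the scan posted above.
SCAN_UPNP_DISABLED = """\
PORT      STATE    SERVICE
80/tcp    open     http
443/tcp   open     https
1900/tcp  filtered upnp
8080/tcp  open     http-proxy
"""

# Constructed sample: hypothetical scan of the same host with UPnP enabled.
SCAN_UPNP_ENABLED = """\
PORT      STATE    SERVICE
80/tcp    open     http
443/tcp   open     https
1900/tcp  filtered upnp
6881/tcp  open     bittorrent-tracker
8080/tcp  open     http-proxy
"""

if __name__ == "__main__":
    result = compare_scans(SCAN_UPNP_ENABLED, SCAN_UPNP_DISABLED)
    for label, ports in result.items():
        print(label, [f"{port}/{proto}" for port, proto in ports])
```

Ports reported under `still_open` are not governed by the UPnP toggle, which leaves the causes raised in the replies to check: port forwarding rules, a DMZ entry, or mappings created before UPnP was disabled.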
Scrizzy Posted February 21, 2016
> All I can think of is what Scrizzy was saying... some ports are always open to facilitate. For example, I have Directv that comes with an external device that allows "on demand" capabilities. The ports for the on-demand connection are always open. When I start up the XB additional ports are opened to allow that communication. I'm sure you've thought of that. I'm just saying

As major is saying, could be an ISP level issue. I'm assuming you have an ISP provided modem/router in front of the Duma? ISPs sometimes open, block, or reserve certain ports for various services (remote administration, etc.) through their supplied equipment/software. In fact, I believe 443 is one of the common ones actually. My Fios modem always reserves a few ports, even at factory default, and I have the same direct tv equipment as Major that does the same automatically as well. That said, there are workarounds through your software firewall. You could simply block those ports, reassign them to dormant IPs thereby essentially occupying/blocking them, or simply set rules to dump or reject all traffic over the specific ports. But I'm curious to hear the admins' response to your query
Zennon Posted February 21, 2016
Tick stealth mode in misc settings and re-run the test.
netdoomer (Author) Posted February 21, 2016
> As major is saying, could be an ISP level issue. I'm assuming you have an ISP provided modem/router in front of the Duma? ISPs sometimes open, block, or reserve certain ports for various services (remote administration, etc.) through their supplied equipment/software. In fact, I believe 443 is one of the common ones actually. My Fios modem always reserves a few ports, even at factory default, and I have the same direct tv equipment as Major that does the same automatically as well. That said, there are workarounds through your software firewall. You could simply block those ports, reassign them to dormant IPs thereby essentially occupying/blocking them, or simply set rules to dump or reject all traffic over the specific ports. But I'm curious to hear the admins' response to your query

Nah not an ISP issue, these are clearly internal devices that i have connected. For now i took the duma offline, will check back tomorrow

> Tick stealth mode in misc settings and re-run the test.

Ok will try that. What's the stealth mode for in the settings?
Netduma Crossy (Netduma Staff) Posted February 21, 2016
Is it possible that the ports have already been opened via UPnP before you've disabled it? Maybe try rebooting after you've disabled UPnP.
netdoomer (Author) Posted February 21, 2016
> Is it possible that the ports have already been opened via UPnP before you've disabled it? Maybe try rebooting after you've disabled UPnP.

Could be, but not sure. I'm pretty sure i rebooted several times and it is still active. I'll have a look tomorrow. Will keep you informed
Netduma Crossy (Netduma Staff) Posted February 21, 2016
> Could be, but not sure. I'm pretty sure i rebooted several times and it is still active. I'll have a look tomorrow. Will keep you informed

Ok. Make sure when you reboot you do it from Settings >> Miscellaneous.
netdoomer (Author) Posted February 22, 2016
Hey Crossy, nothing changed, everything the same. UPnP is disabled but it is still active. rebooted multiple times. strange. is that something you guys want to look into by remote?
Netduma Crossy (Netduma Staff) Posted February 22, 2016
> Hey Crossy, nothing changed, everything the same. UPnP is disabled but it is still active. rebooted multiple times. strange. is that something you guys want to look into by remote?

I think Fraser or Iain would have to comment on that as Iain is the only person with remote access
Netduma Fraser (Administrators) Posted February 23, 2016
I'll pass this on to Iain to have a look at when he is available.
RADDY1993 Posted February 23, 2016
Is the Netduma your main router?
netdoomer (Author) Posted February 23, 2016
yes. and for some reasons, it keeps and keeps UPnP open. tried everything. @Netduma guys: hard or soft reset? what do you guys recommend?
Netduma Fraser (Administrators) Posted February 24, 2016
> yes. and for some reasons, it keeps and keeps UPnP open. tried everything. @Netduma guys: hard or soft reset? what do you guys recommend?

I'd always recommend reset from misc settings. I've passed it on to Iain so he can have a look at it, most likely Friday when he has some time
netdoomer (Author) Posted February 24, 2016
i'll give it a try Fraser. Unfortunately i don't have the duma always on as this UPnP issue shows some of my devices online
Netduma Fraser (Administrators) Posted February 25, 2016
Okay that makes sense, can you post here http://forum.netduma.com/forum/66-request-1-on-1/ after reading the pinned thread so we can make sure it's on when we can take a look
Netduma Fraser (Administrators) Posted March 25, 2016
Sorry for the delay on this. Couldn't access your router today. Can you make sure the R1 is in the DMZ and remote support is enabled? If it's already in the DMZ, remove any UPnP/port forwarding on the hub. If that's already done, take it out of the DMZ and port forward 1024 - 60,000 TCP to the R1 and we'll try accessing again next week
Archived
This topic is now archived and is closed to further replies.