Carbonite

Are open ports a risk?

iamgigglz

Confession time: All ports are open to all traffic on my home router (Unifi USG). I don't know how much of a risk that actually is - should I be doing something about it?

My first idea was to block everything and then open ports where necessary. The problem is I have so much going on through my router: games, Unifi Controller, Sonarr, Plex, iOS updates, smart home stuff, Netflix through a VPN, iCloud/Gdrive syncing with a NAS...the list goes on.

How the heck do I build a comprehensive list of ports to open? Is there a better way to tackle this?
 
> Confession time: All ports are open to all traffic on my home router (Unifi USG). I don't know how much of a risk that actually is - should I be doing something about it?
>
> My first idea was to block everything and then open ports where necessary. The problem is I have so much going on through my router: games, Unifi Controller, Sonarr, Plex, iOS updates, smart home stuff, Netflix through a VPN, iCloud/Gdrive syncing with a NAS...the list goes on.
>
> How the heck do I build a comprehensive list of ports to open? Is there a better way to tackle this?

You'd be surprised how many unsolicited access attempts you get when you do that. I had an FTP server and RDP access on default ports. Some days I would get hundreds of brute force attempts to log in. Just make sure you set it up correctly. Guys are constantly port scanning IP ranges trying to find ways to load ransomware and backdoors on your machines.

CP out.
 
Not something I'm using afaik. Access to my media is handled through Plex, which in turn accesses my NAS via a mapped network drive.
 
UPnP lets your services request ports to be open, and they get opened dynamically as needed. It's not as secure as blocking everything and opening manually as needed, but it's a lot better than just having everything open DMZ style.
 
> You'd be surprised how many unsolicited access attempts you get when you do that. I had an FTP server and RDP access on default ports. Some days I would get hundreds of brute force attempts to log in. Just make sure you set it up correctly. Guys are constantly port scanning IP ranges trying to find ways to load ransomware and backdoors on your machines.
>
> CP out.
This! ^

If you make sure your passwords are set up properly, then you SHOULD be okay for the average bot passing by. There is obviously a risk, as you are aware. If you have sensitive data, then this is a big no-no.

UPnP is a good alternative; it would help with repeated brute force attempts from the same IPs. (Or am I thinking of a different tech? Been quite a while since I learnt this stuff...)

You could also google your router/other hardware, to check if there are any known exploits that have not been fixed with firmware or software issues.
 
> UPnP lets your services request ports to be open, and they get opened dynamically as needed. It's not as secure as blocking everything and opening manually as needed, but it's a lot better than just having everything open DMZ style.

I remember reading about the security horrors associated with UPnP, specifically ways in which malware can use it to redirect local traffic requests to outside IPs.
That, and I don't have fond memories of trying to get UPnP working properly.
 
> This! ^
>
> If you make sure your passwords are set up properly, then you SHOULD be okay for the average bot passing by. There is obviously a risk, as you are aware. If you have sensitive data, then this is a big no-no.
>
> UPnP is a good alternative; it would help with repeated brute force attempts from the same IPs. (Or am I thinking of a different tech? Been quite a while since I learnt this stuff...)
>
> You could also google your router/other hardware, to check if there are any known exploits that have not been fixed with firmware or software issues.

Another UPnP suggestion. I'm just nervous about rolling out a new way of accessing media on my network. My current Plex setup works really well...I guess because everything is open...

I'm pretty trusting of Ubiquiti hardware. My router gets patches fairly frequently so I have to assume it's secure at that level.
 
What do you mean by all your ports are open? Typically your router does NAT, routing all your internal traffic out to the internet over your one shared IP address. If someone wants to connect to something inside your network from outside then you'll need that port to be forwarded to the relevant device. If there's no forward your router would just drop the traffic because its own port wouldn't have anything listening on it.
 
> Another UPnP suggestion. I'm just nervous about rolling out a new way of accessing media on my network. My current Plex setup works really well...I guess because everything is open...
>
> I'm pretty trusting of Ubiquiti hardware. My router gets patches fairly frequently so I have to assume it's secure at that level.
Are you maybe thinking of DLNA?
 
> What do you mean by all your ports are open? Typically your router does NAT, routing all your internal traffic out to the internet over your one shared IP address. If someone wants to connect to something inside your network from outside then you'll need that port to be forwarded to the relevant device. If there's no forward your router would just drop the traffic because its own port wouldn't have anything listening on it.

So this is closer to the original question. My knowledge of port forwarding etc is basically zero so I don't understand the risks (if any) of my current setup.

Let's put it this way: Starting from my router's default configuration, is there a port-based change I can make that will appreciably improve my security? Are there specific settings I should be checking? Stuff that really should/should not be enabled?

> Are you maybe thinking of DLNA?

There's a lot of this around the interwebs
 
> What do you mean by all your ports are open? Typically your router does NAT, routing all your internal traffic out to the internet over your one shared IP address. If someone wants to connect to something inside your network from outside then you'll need that port to be forwarded to the relevant device. If there's no forward your router would just drop the traffic because its own port wouldn't have anything listening on it.

^^^
This...

The only time you need to worry about what ports you have open is if they're default ports forwarding to an insecure device with bad security.
 
> The only time you need to worry about what ports you have open is if they're default ports forwarding to an insecure device with bad security.

Open ports = forwarded ports?

I've got one set of forwarded ports for Plex and another set for Ubiquiti STUN server, but that's it.
 
> Open ports = forwarded ports?
>
> I've got one set of forwarded ports for Plex and another set for Ubiquiti STUN server, but that's it.
Forwarded ports give devices connecting on those ports access to your devices on your local network. So within your context, yes. When you forward a port, you are opening it to the world.

Whatever traffic comes through that port, though, will still require authentication to access the device it is forwarded to. So make sure the device/computer is set up properly, such as firewalls/password protection.

Again, the level of effort you are willing to put into this all relies on how sensitive your data is.

edit: as an example, for most servers port 22 is open for SSH. Anyone with the IP/address can attempt to connect to the server through port 22, but to access the server you will need the right authentication.
 
Ok so in terms of traffic coming in, it doesn't seem like I have anything to worry about.

My last concern is this:

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: cdn-101.statdynamic.com
IP Address: 173.255.255.22 (not my IP)
Port: [55190]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

This is one of many. They pop up every few seconds, each with a different port, when I'm on TPB...I know I know.
I started off blocking traffic on the specific ports mentioned but I inevitably started blocking ports that are used for other stuff. Norton and Malwarebytes report nothing dodgy, so what am I looking at?
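An added example (not from the thread, and not from Malwarebytes, Norton or any vendor tool) that parses entries in the shape pasted above and groups them by destination. The sample text is constructed to match that layout, reusing the domain and IP from the post plus made-up documentation-range values; the function names are my own. Its check assumes the bracketed port is the browser's local source port, which would explain why it changes on every entry:

```python
"""Parse blocked-website entries in the quoted layout and summarise per destination.

Constructed illustration for this thread. The log text below is made up to
match the pasted entries; the port-is-ephemeral interpretation is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: same field layout as the post, three entries.
SAMPLE_LOG = r"""-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: cdn-101.statdynamic.com
IP Address: 173.255.255.22 (not my IP)
Port: [55190]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: cdn-101.statdynamic.com
IP Address: 173.255.255.22
Port: [55207]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: ads.example.net
IP Address: 192.0.2.44
Port: [55231]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
"""

FIELD = re.compile(r"^(Category|Domain|IP Address|Port|Type|File):\s*(.*)$")


def parse_blocks(text: str) -> list:
    """One dict per '-Website Data-' section; Port becomes an int, IP drops trailing notes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-Blocked Website Details-":
            current = None          # header of the next entry; fields come after -Website Data-
            continue
        if line == "-Website Data-":
            current = {}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Port":
            value = int(value.strip("[]"))
        elif key == "IP Address":
            value = value.split()[0]  # drop annotations such as "(not my IP)"
        current[key] = value
    return entries


def summarise(entries: list) -> dict:
    """Group by (domain, ip): how often, which ports, which process, which direction."""
    out = defaultdict(lambda: {"count": 0, "ports": set(), "files": set(), "types": set()})
    for e in entries:
        d = out[(e.get("Domain"), e.get("IP Address"))]
        d["count"] += 1
        d["ports"].add(e.get("Port"))
        d["files"].add(e.get("File"))
        d["types"].add(e.get("Type"))
    return dict(out)


def ports_look_ephemeral(summary: dict) -> bool:
    """True when repeat hits on one destination never reuse a port (assumed: the
    port is the client's local source port, so a rule keyed on it never matches twice)."""
    repeats = [d for d in summary.values() if d["count"] > 1]
    return bool(repeats) and all(len(d["ports"]) == d["count"] for d in repeats)


def outbound_destinations(summary: dict) -> list:
    """Domains the machine tried to reach: the field a DNS or outbound block can act on."""
    return sorted(domain for (domain, _ip), d in summary.items() if "Outbound" in d["types"])


if __name__ == "__main__":
    s = summarise(parse_blocks(SAMPLE_LOG))
    print(ports_look_ephemeral(s), outbound_destinations(s))
```

When every repeat hit on a destination shows a fresh port, a firewall rule keyed on that port can never match the next connection (which is the "kept blocking ports used for other stuff" effect described above); the stable, actionable field is the domain or IP, and the File field tells you which process on the PC is making the requests.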
 
the fact you're using Symantec is a bigger concern :ROFLMAO:
 
The USG will allow established connections inbound on your WAN connection by default. No need to open ports for Unifi controller, Plex and so on, as you're creating the established connection and receiving back on that; everything else is blocked. Best to disable UPnP as you don't want rogue applications dynamically opening ports. Clear your WAN IN rules to just the default, and only open the ports specifically for what you need external access to (e.g. you're hosting a game server: open that port only). If you want to take a step further, create a drop all rule, and specifically open ports for web, ssl etc. You can also enable IPS if you're worried about dodgy traffic on open ports.

Mine are on default (I don't need external access), and Unifi is able to connect remotely without a problem.
 
> The USG will allow established connections inbound on your WAN connection by default. No need to open ports for Unifi controller, Plex and so on, as you're creating the established connection and receiving back on that; everything else is blocked. Best to disable UPnP as you don't want rogue applications dynamically opening ports. Clear your WAN IN rules to just the default, and only open the ports specifically for what you need external access to (e.g. you're hosting a game server: open that port only). If you want to take a step further, create a drop all rule, and specifically open ports for web, ssl etc. You can also enable IPS if you're worried about dodgy traffic on open ports.

Nice, thanks very much. I set up the port forwarding for Plex and STUN as part of earlier troubleshooting that turned out to be my ISP's fault. I'll switch them off and see how it goes.
The idea of drop all then open where needed occurred to me but identifying all the ports I need to open is a mountain to climb.
 
Why have a USG at all if all it does is stand at the door and wave everything in?

You want a Default DENY ALL in place (which should be the default unless you overrode it) and then allow ports as required.

You should only ever need a handful of ports for things that need to get access from the OUTSIDE > IN...which may even be nothing at all.

Anything on the INSIDE > OUT will open ports as required, which is the reason you can DENY ALL from the WAN.
 
> Nice, thanks very much. I set up the port forwarding for Plex and STUN as part of earlier troubleshooting that turned out to be my ISP's fault. I'll switch them off and see how it goes.
> The idea of drop all then open where needed occurred to me but identifying all the ports I need to open is a mountain to climb.

See, Plex is a good example.

Because it's on the inside of your network it will open 32400 from the inside out. There shouldn't be a need to actually forward the port at all unless you specifically want to access it remotely through the normal browser interface directly at your WAN IP instead of using Plex.tv website or the Plex app on some external device.
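An added toy model, constructed for this thread (not Ubiquiti, EdgeOS or Plex code), of the behaviour the last few posts describe: a stateful gateway whose WAN-in policy is default drop, accepts replies to flows a LAN host started, accepts only explicitly forwarded ports, and drops everything else. It assumes port-preserving NAT so a LAN host's source port is also the port its reply arrives on, uses documentation-range addresses, and the class and function names are my own:

```python
"""Toy model of a stateful NAT gateway with a default-drop WAN-in policy.

Constructed illustration only. One connection-tracking table, one explicit
port-forward table, no real packets. Port-preserving NAT is assumed so that a
LAN host's source port equals the WAN-side port its reply comes back on.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Gateway:
    wan_ip: str
    # (proto, wan_port) -> (lan_ip, lan_port): the only things reachable unsolicited from outside
    forwards: dict = field(default_factory=dict)
    # flows a LAN host initiated: (proto, lan_ip, lan_port, remote_ip, remote_port)
    conntrack: set = field(default_factory=set)

    def lan_to_wan(self, pkt: Packet) -> str:
        """Inside -> out is always allowed; remember the flow so its replies count as established."""
        self.conntrack.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "out"

    def wan_to_lan(self, pkt: Packet) -> tuple:
        """WAN-in policy: accept established, accept explicit forwards, drop the rest."""
        # Rule 10: a reply to a flow a LAN host started (matched per flow, not per port)
        for proto, lan_ip, lan_port, remote_ip, remote_port in self.conntrack:
            if (proto, remote_ip, remote_port, lan_port) == (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port):
                return ("accept-established", lan_ip, lan_port)
        # Rule 20: an explicit port forward, i.e. a port you deliberately "opened"
        target = self.forwards.get((pkt.proto, pkt.dst_port))
        if target is not None:
            return ("accept-forward",) + target
        # default-action drop: unsolicited traffic with nowhere to go
        return ("drop", None, None)

    def exposed_ports(self) -> list:
        """What a scan from outside can actually reach: exactly the forwarded ports."""
        return sorted(self.forwards)


def demo() -> tuple:
    gw = Gateway(wan_ip="198.51.100.7")
    # A hypothetical Plex host opens a connection outwards; no forward is needed for the reply
    gw.lan_to_wan(Packet("192.168.1.20", 41000, "203.0.113.10", 443))
    reply = gw.wan_to_lan(Packet("203.0.113.10", 443, gw.wan_ip, 41000))
    # A stranger aiming at that same WAN port is not part of the flow, so it is dropped
    stranger = gw.wan_to_lan(Packet("192.0.2.99", 443, gw.wan_ip, 41000))
    # An unsolicited probe of 32400 with no forward in place
    probe = Packet("192.0.2.99", 55555, gw.wan_ip, 32400)
    before = gw.wan_to_lan(probe)
    # Forward 32400 to the Plex host: now the same probe reaches the LAN
    gw.forwards[("tcp", 32400)] = ("192.168.1.20", 32400)
    after = gw.wan_to_lan(probe)
    return reply[0], stranger[0], before[0], after[0], gw.exposed_ports()


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the reply to the host's own outbound connection accepted as established, a stranger aimed at that same WAN port dropped (state is per flow, not per port), an unsolicited probe of 32400 dropped until a forward exists, and exposed_ports() listing nothing but the forwards you added, which is the whole list of "open ports" this thread is asking about.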
 
> Why have a USG at all if all it does is stand at the door and wave everything in?
Right?

> You want a Default DENY ALL in place (which should be the default unless you overrode it) and then allow ports as required.
I've had this USG for quite a while but I'm pretty sure that wasn't the default. Meh, could have been 🤷‍♂️

> You should only ever need a handful of ports for things that need to get access from the OUTSIDE > IN...which may even be nothing at all.
Don't know why I didn't click about outside > in vs inside > out until now. You're right, there isn't much needing incoming access.

> Anything on the INSIDE > OUT will open ports as required, which is the reason you can DENY ALL from the WAN.
[image: gru-light-bulb-1-6104.png]

> See, Plex is a good example.
> Because it's on the inside of your network it will open 32400 from the inside out. There shouldn't be a need to actually forward the port at all unless you specifically want to access it remotely through the normal browser interface directly at your WAN IP instead of using Plex.tv website or the Plex app on some external device.

I do access the Plex web interface (not plex.tv) directly from LAN devices but not from WAN so...yeah.
 
He he he, everyone has to learn that stuff at some point, which is why it's normally default Deny ALL, but I haven't used the USG myself so it may be different since it's an enterprise device and assumes an expert will set it up.

But yeah all open ports is basically like putting your PC on a LAN...except the entire Internet can connect to it.
 
Does the USG support port knocking?

This will resolve security concerns around open ports, but as it's been said, if you're not accessing any device/app externally then don't open any ports.
 
Perhaps look at setting up a pfSense box for pure firewalling? You only need an i3 + 4GB RAM for basic stuff. If it's for a small home network, you might even get away with some IPS & IDS on it.

Q: are ports bi-directional at the same time? I forget the actual term right now, but basically, if an app opens a port from the inside -> out, can a request come out -> in on the same port, at the same time?
 
I use a Mikrotik on my end, close everything and open up ports for what I need to, like games and RDP etc.

Changing from the default port is also good. E.g. instead of using 3389 for RDP, use 3400 or whatever.

 
> Perhaps look at setting up a pfSense box for pure firewalling? You only need an i3 + 4GB RAM for basic stuff. If it's for a small home network, you might even get away with some IPS & IDS on it.

Seems way overkill for me - what would that R2000+ investment do for me that my USG can't do?

> Q: are ports bi-directional at the same time? I forget the actual term right now, but basically, if an app opens a port from the inside -> out, can a request come out -> in on the same port, at the same time?

Good question.
 
> Seems way overkill for me - what would that R2000+ investment do for me that my USG can't do?
>
> Good question.
@DannyBoyOPC - I was reading how MT left some things open by default & how people got pwn'ed / it's bad practise on MT's end. I'm looking at changing my home config, and instead of having modem->router (MT)->pfSense, having modem->pfSense->router (MT).

@iamgigglz, sorry, I'm so used to having handfuls of i3s / i5s and boards at my disposal that I forgot that for many it's something they still need to acquire. I can't give you a concrete answer unfortunately, but I'd go out on a limb and say that the USG is built from the ground up as a router with some firewall stuff added on, while pfSense is built from the ground up as a firewall that can also do routing. One advantage would be less CPU overhead for the USG. If you're in CT, I can lend you an i3 system to play with.

vid I found -
 