Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10713
Views
0
Helpful
5
Replies

WRVS4400N V2 - Questions / Issues

DominikAu
Level 1
Level 1

‎03-28-2010 04:24 AM

Hi Guys :)

I've done a portscan and discovered that there are at least three ports open, where i don't think that they shouldn't.

  • 8118 -> Privoxy, but delivers the WRVS admin page. So the web-content filtering on the WRVS is done by privoxy, but someone forgot to close this port?
  • 30443 -> Delivers a secure WRVS admin page, but there is a different certificate (the initial one?) used than for the 443 and 60443 (IPsec config pages) ports.
  • 32764 -> This one annoys me most. It returns just a string, ScMM, and closes the connection afterwards.


This ports are just on the LAN side open, so this shouldn't be a security issue.

UPNP, Remote administration, SNMP, SIP Application Gateway Layer, ... are disabled

Angryziber IP Scanner reaches also port 21, on LAN and WAN page, but its not serving FTP request.


Further i discovered a VPN problem when you set the WAN MTU to manual (for example 1472), vpn connections work as expected.

i weren't able to access web pages (via ipsec - qvpn) which were too large and found logs like

klips_error:ipsec_xmit_send: ip_send() failed, err=
klips_error:ipsec_xmit_send: ip_send() failed, err=1



sending pkt_too_big (len[1500] pmtu[1472]) to self


Since i've changed mtu back to auto it works like a charm.

So, for what purpose are this three ports?

Edit:

i also get occassionaly logs where the router tells me that he "

eth0: received packet with  own address as source address".

interface is up to now eth0 and eth2, but that doesn't help much ;), so is there a chance, that in a upcoming
firmware this log message is extended and includes also the mac addresses of the involved devices, so i woudn't have to
guess which device on which port of the router is misbehaving?

Edit2:

the router is also complaining about old IPS signatures, is there already a date when we can expect updated ones?

cheers,

Dominik

Labels:
0 Helpful
5 Replies 5

DominikAu
Level 1
Level 1

‎04-14-2010 10:23 AM

would be great if a cisco guy could give me a hint why this ports are open and when we could expect a more recent ips signature file.

cheers

0 Helpful

nsa000001
Level 1
Level 1
In response to DominikAu

‎01-03-2014 05:12 PM

no worries about that, we work on it.

0 Helpful

ciscodrossy
Level 1
Level 1
In response to nsa000001

‎01-14-2014 08:08 AM

Hi Ed, how is the weather with you in ....eeeeeehhhh....

0 Helpful

Tom Watts
VIP Alumni
VIP Alumni
In response to ciscodrossy

‎01-14-2014 08:17 AM

Hi, this product has open security bulliten and it's being addressed.

I don't know if you can open this link..

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Undocumented%20Test%20Interface%20in%20Cisco%20Small%20Business%20Devices&vs_k...

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful

ciscodrossy
Level 1
Level 1
In response to Tom Watts

‎01-14-2014 08:27 AM

try this link

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

Whooooow, only 4 years for a reply!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents