Why are ports 21, 554 and 7070 open on my router?

Ken Wold
Level 1

I have a 100 MB ethernet link to AT&T with my Cisco router. I have applied a few ACLs to my interface that connects to AT&T (fa 0/0). Here are my ACLs:

!
interface FastEthernet0/0
ip address < omited =) >
ip access-group 110 in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address < omited =) >
duplex auto
speed auto
!
ip default-gateway < omited =) >
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 < omited =) >
!        
!
no ip http server
no ip http secure-server
!
access-list 110 remark DenyPingsFromInternet
access-list 110 deny   icmp any host < omited =) >
access-list 110 deny   icmp any host < omited =) >
access-list 110 deny   icmp any host < omited =) >
access-list 110 remark Deny special-use address sources. Refer to RFC 3330 for additional special use addresses.
access-list 110 deny   ip host 0.0.0.0 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 remark Deny private address space
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   tcp any eq ftp host < omited =) >
access-list 110 deny   tcp any eq ftp host < omited =) >
access-list 110 deny   tcp any eq ftp host < omited =) >
access-list 110 deny   tcp any eq 554 host < omited =) >
access-list 110 deny   tcp any eq 554 host < omited =) >
access-list 110 deny   tcp any eq 554 host < omited =) >
access-list 110 permit ip any any

As you can see from the ACL above I am denying icmp, ftp and port 554.

However, when I run an NMAP scan on the ip address of int fa 0/0, I get the following:

nadmin@nadmin-laptop:~$ sudo nmap -v < omited =) >

Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-24 10:36 PDT
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 10:36
Scanning < omited =) > [4 ports]
Completed Ping Scan at 10:36, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:36
Completed Parallel DNS resolution of 1 host. at 10:36, 0.09s elapsed
Initiating SYN Stealth Scan at 10:36
Scanning < omited =) > [1000 ports]
Discovered open port 21/tcp on < omited =) >
Discovered open port 554/tcp on < omited =) >
Discovered open port 7070/tcp on < omited =) >
Completed SYN Stealth Scan at 10:36, 3.80s elapsed (1000 total ports)
Host < omited =) > is up (0.027s latency).
Interesting ports on < omited =) >
Not shown: 994 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
7070/tcp open     realserver

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
           Raw packets sent: 1024 (45.032KB) | Rcvd: 998 (39.948KB)

I don't understand a couple of things:

1. Why does my router have ports 21, 135, 139, 445, 554 and 7070 open?

2. Why does my router respond to ports 21 and 554 when I implicitly deny them with an ACL?

Also, is there a way to hide a router from pings completely? I denied icmp to my interfaces, but when I try to ping I get a message saying the icmp echo request was filtered, vs just getting a dest unreachable (which would be more desirable):

PING < omited =) > (< omited =) >) 56(84) bytes of data.
From < omited =) >icmp_seq=2 Packet filtered

Thanks much!

10 Replies

Jon Marshall
Hall of Fame

Ken

access-list 110 deny   tcp any eq ftp host < omited =) >
access-list 110 deny   tcp any eq ftp host < omited =) >
access-list 110 deny   tcp any eq ftp host < omited =) >
access-list 110 deny   tcp any eq 554 host < omited =) >
access-list 110 deny   tcp any eq 554 host < omited =) >
access-list 110 deny   tcp any eq 554 host < omited =) >

This ACL is wrong. It says, for example using the first line, deny any packets from any host with a source port of 21 and a destination port (which will be a random port) to the host IP. But NMAP is not doing that. NMAP is sending a packet with a destination port of 21, not a source port, so it should read -

access-list 110 deny tcp any host x.x.x.x eq 21

etc..

However, that doesn't actually answer the question as to why NMAP reports them open. Unfortunately you have blanked out so much it's difficult to say any more. Why are there 3 host addresses per port? Are you testing against other IPs? Do you have any static NAT translations on your router?

Can you post a "sh tcp brief all" from your router.

135, 139 & 445 are not open they are filtered which means nmap can't tell if it is open or closed because something is blocking the scan.

Hide router from pings - under your interface add this -

int fa0/0

no ip unreachables

Jon
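An added example (not code from the thread or from Cisco) that models the two ACE forms Jon compares: a port test placed before the destination applies to the packet's source port, so the original entry never matches an inbound SYN to tcp/21, while the corrected entry does. The router and scanner addresses are constructed stand-ins.

```python
# Minimal first-match evaluator for the two Cisco extended-ACL forms
# discussed above (added illustration, not the router's own logic):
#   "deny tcp any eq ftp host R"  -> port test on the SOURCE port
#   "deny tcp any host R eq 21"   -> port test on the DESTINATION port
from dataclasses import dataclass
from typing import Optional

ROUTER = "198.51.100.1"    # constructed stand-in for the fa0/0 address
SCANNER = "203.0.113.9"    # constructed stand-in for the nmap host

@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    src_port: Optional[int] = None    # "any eq N": match only if source port == N
    dst_host: Optional[str] = None    # "host R": match only this destination; None = any
    dst_port: Optional[int] = None    # "host R eq N": match only if destination port == N
    hits: int = 0                     # mirrors the counter shown by "sh access-list"

    def matches(self, src_ip, src_port, dst_ip, dst_port):
        if self.dst_host is not None and self.dst_host != dst_ip:
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True

def evaluate(acl, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins, implicit deny at the end; bumps the hit counter."""
    for ace in acl:
        if ace.matches(src_ip, src_port, dst_ip, dst_port):
            ace.hits += 1
            return ace.action
    return "deny"

# Ken's original entry: "access-list 110 deny tcp any eq ftp host R"
original_acl = [Ace("deny", src_port=21, dst_host=ROUTER), Ace("permit")]
# Jon's corrected entry: "access-list 110 deny tcp any host R eq 21"
corrected_acl = [Ace("deny", dst_host=ROUTER, dst_port=21), Ace("permit")]

def scan_syn_result(acl):
    """An nmap SYN from an ephemeral source port to tcp/21 on the router interface."""
    return evaluate(acl, SCANNER, 40123, ROUTER, 21)

def deny_hits(acl):
    """Hit count on the deny entry, the number to check in 'sh access-list 110'."""
    return acl[0].hits

if __name__ == "__main__":
    print("original entry :", scan_syn_result(original_acl), "| deny hits:", deny_hits(original_acl))
    print("corrected entry:", scan_syn_result(corrected_acl), "| deny hits:", deny_hits(corrected_acl))
```

With the corrected form the deny entry accumulates hits on each scan, which is the check Jon asks for later in the thread.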

Jon,

Thanks for the feedback. Corrected my ACL (thanks for catching that). I was doing some testing and trying to guard both interfaces for some port scans and pings. Hence the multiple hosts in my ACL. I have an ASA5520 behind this router and the ASA is performing NAT for me.

I used the no ip unreachables command and that did the trick for ping. However, even after correcting my ACL, ports 21 and 554 still show open for some reason. Here is a bigger look at my config, along with the show tcp brief all command:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c3745
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone PST -8
ip cef
!
!
!
!
ip domain name X.com
ip name-server X.X.X.X
ip name-server X.X.X.X
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address X.X.X.X 255.255.255.252
ip access-group 110 in
no ip unreachables
duplex auto
speed auto
!
interface FastEthernet0/1
ip address X.X.X.X 255.255.255.0
no ip unreachables
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
!
no ip http server
no ip http secure-server
!
access-list 110 remark DenyPingsFromInternet
access-list 110 deny   icmp any host X.X.X.X
access-list 110 deny   icmp any host X.X.X.X
access-list 110 deny   icmp any host X.X.X.X
access-list 110 remark Deny special-use address sources. Refer to RFC 3330 for additional special use addresses.
access-list 110 deny   ip host 0.0.0.0 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 remark Deny private address space
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   tcp any host X.X.X.X eq 21
access-list 110 deny   tcp any host X.X.X.X eq 21
access-list 110 deny   tcp any host X.X.X.X eq 554
access-list 110 deny   tcp any host X.X.X.X eq 554
access-list 110 deny   tcp any host X.X.X.X eq 7070
access-list 110 deny   tcp any host X.X.X.X eq 7070
access-list 110 permit ip any any
!
snmp-server community X RW
snmp-server location X
snmp-server contact X
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bstun
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dlsw
snmp-server enable traps dsp card-status
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps stun
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps director server-up server-down
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rf
snmp-server enable traps voice poor-qov
snmp-server enable traps voice fallback
snmp-server enable traps dnis
snmp-server host X.X.X.X version 2c X
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
login local
speed 115200
line aux 0
line vty 0 4
logging synchronous
login local
transport input none
line vty 5 15
login
transport input none
!
ntp logging
ntp source FastEthernet0/1
ntp master
!
end

c3745#show tcp brief all
I am not getting any output from this command.

Ken

Just to confirm, you are running the NMAP from outside the fa0/0 interface ?

Could you post the new NMAP results and also can you post -

sh access-list 110

so I can see the hits, if any, on the ACL entries.

Jon

Yes, I am running nmap to my fa 0/0 interface.

Here are the results:

nmap -v 12.90.36.222

Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-24 13:27 PDT
Initiating Ping Scan at 13:27
Scanning X.X.X.X [2 ports]
Completed Ping Scan at 13:27, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:27
Completed Parallel DNS resolution of 1 host. at 13:27, 0.00s elapsed
Initiating Connect Scan at 13:27
Scanning X.X.X.X [1000 ports]
Discovered open port 21/tcp on X.X.X.X
Discovered open port 554/tcp on X.X.X.X
Discovered open port 7070/tcp on X.X.X.X
Completed Connect Scan at 13:28, 4.05s elapsed (1000 total ports)
Nmap scan report for X.X.X.X
Host is up (0.028s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
7070/tcp open     realserver

Read data files from: /opt/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.14 seconds

Extended IP access list 110
    10 deny icmp any host X.X.X.X (5 matches)
    20 deny icmp any host Y.Y.Y.Y (4 matches)
    30 deny icmp any host Z.Z.Z.Z (5 matches)
    40 deny ip host 0.0.0.0 any
    50 deny ip 127.0.0.0 0.255.255.255 any
    60 deny ip 192.0.2.0 0.0.0.255 any
    70 deny ip 10.0.0.0 0.255.255.255 any
    80 deny ip 172.16.0.0 0.15.255.255 any
    90 deny tcp any host X.X.X.X eq ftp
    100 deny tcp any host Y.Y.Y.Y eq ftp
    110 deny tcp any host X.X.X.X eq 554
    120 deny tcp any host Y.Y.Y.Y eq 554
    130 deny tcp any host X.X.X.X eq 7070
    140 deny tcp any host Y.Y.Y.Y eq 7070
    150 permit ip any any (11238 matches)

Strange, eh?

Yes, very strange, especially as you are getting no hits.

Sorry for the silly question, but just to clarify -

1) The NMAP is running on a device that will hit the outside interface of the router first, i.e. it doesn't get to the outside interface via another router interface?

2) I can't see the IPs as you are blanking them; there definitely isn't a typo with the nmap?

Can you try something else - can you telnet, but telnet on port 21, to the outside interface of your router from the outside and see if you get a hit in acl 110?

Jon

Jon,

The topology for nmap would look like this:

Linux NMAP<-----> Comcast <----->Internet <------->AT&T <--------> 3745 FA 0/0  ---- 3745 FA 0/1 <----------> ASA 5520 <------>My protected Network

The NMAP machine scans my 3745's FA 0/0 interface.

No, no typo in NMAP. I have run the test multiple times.

I tried to telnet to port 21 on my FA 0/0 interface and sure enough, I hit something. I got no feedback or output:

HarleyAir:~ kwold$ telnet X.X.X.X 21
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
^[[A

Sure enough, I can see the hit counter increase for the port 21 ACL. It will do the same thing for ports 554 and 7070. When I telnet using any of these port numbers, I get a response like this:

HarleyAir:~ kwold$ telnet X.X.X.X 554
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.

! The term just hangs at this point.

If I try and use any other port number for telnet to FA 0/0, then the connection is denied immediately:

HarleyAir:~ kwold$ telnet X.X.X.X 500
Trying X.X.X.X...
telnet: connect to address 1X.X.X.X: Connection refused
telnet: Unable to connect to remote host

Not that it probably matters, but here is the version of IOS I am running:

Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)

BTW, thanks for taking the time on a Sunday to respond to my posts.

Okay, I'm confused.

Just to confirm again, the config you posted last was the full config for the router ?

I am away for the next couple of days, but I have a spare router, so if I get a chance I'll try and emulate what you are seeing.

Jon

Yep, that is the full config. No NAT. =(

qweabab11
Level 1

kennethwold wrote:
[quotes the original post above in full]

I have the same problem.

noisey_uk
Level 1

Something may be intercepting along the traffic path. I just nmapped a router to ensure it was secure from the outside and was surprised to see TCP554 and TCP7070 open. I'm going through a BT HomeHub at this location and have read elsewhere that this intercepts these ports (no idea why). I can telnet to both ports. However, when I attempt to connect via my mobile phone network (i.e. not via the BT HomeHub), the connections to TCP554 and TCP7070 are refused as expected. Weird.
