notta, posted December 28, 2016 (edited):

So, I've had an Apple Router for some time now and it has always met my needs. Well the WIFI has been flaky as of late so I went out and purchased a Linksys 1900ACS router. I installed the new Linksys router. I then went to GRC.com and ran the port scans to see how it looked and it reported everything Stealth except for an open port 80. So I checked on my mobile phone, with WIFI disabled and not yet configured for the new network, and sure enough when I put in my WAN IP I get my security camera login page. I went thoroughly through the software and nothing was in there (remote administration) that I could see that would need port 80.

I called Linksys and said WTF? After going off to the manager multiple times the woman told me that Port 80 is open by default and I need it for web traffic. At this point I was getting ###### and said I need it, but not for inbound I don't. She proceeded to go back to her manager and finally ended it with there was nothing they could do and that port 80 is open by design. WTF????

Am I missing something here guys? No other router I have ever owned has come back with an open port 80 on GRC. When I wanted to view my cameras in the past I had to set up port forwarding on my router. Looks like I will need to finish my pfSense box. I am blown away right now. I must be missing something because I don't see any posts about this and I know other people would surely have complained about this.

Squirrelington, posted December 28, 2016:

Is it possible your camera system uses UPnP or NAT-PMP and requests a port forward for itself?

Ravensky, posted December 28, 2016:

Is port triggering on? How does it know what IP to forward port 80 to on your internal network unless port triggering is on or you have set up port forwarding? Turn off port triggering and try that first.

2 minutes ago, Squirrelington said:
> Is it possible your camera system uses UPnP or NAT-PMP and requests a port forward for itself?

Turn off UPNP also...

notta (Author), posted December 28, 2016:

So I tried some of your suggestions. UPNP was enabled on a few of the cameras so I disabled that feature and disabled the feature on the router, but the same issue. I then rebooted the router and now I couldn't connect. I reran the GRC scan and all the ports are now closed (Stealth). That UPNP is a security nightmare IMO. Thanks for the help guys.

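Added example, not part of any post in this thread: one way to review what UPnP has opened on your own router is to read its port-mapping table and flag entries like the camera's port 80. The field names follow the UPnP IGD WANIPConnection:1 `GetGenericPortMappingEntry` response; the sample responses, addresses and the watch list of ports are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: SOAP bodies shaped like WANIPConnection:1
# GetGenericPortMappingEntryResponse messages. All addresses are made up.
def _entry(port, proto, client, iport, desc, lease, remote=""):
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_RESPONSES = [
    _entry(80, "TCP", "192.168.1.50", 80, "IPCam web", 0),
    _entry(3074, "UDP", "192.168.1.20", 3074, "Game console", 3600),
]

WATCH_PORTS = {21, 22, 23, 80, 443, 554, 8080}  # assumed watch list

def parse_mapping(soap_xml):
    """Return the New* fields of one mapping entry as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.split("}")[-1]  # drop the XML namespace, if any
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def audit(responses, watch=WATCH_PORTS):
    """Return (mapping, reasons) for each enabled mapping worth reviewing."""
    findings = []
    for m in map(parse_mapping, responses):
        if m.get("Enabled") != "1":
            continue
        reasons = []
        if int(m["ExternalPort"]) in watch:
            reasons.append("web/management port reachable from the WAN")
        if m["LeaseDuration"] == "0":
            reasons.append("static mapping with no lease expiry")
        if reasons:
            findings.append((m, reasons))
    return findings

if __name__ == "__main__":
    for m, why in audit(SAMPLE_RESPONSES):
        print(m["ExternalPort"], m["Protocol"], "->", m["InternalClient"], why)
```

An empty mapping table after UPnP is disabled and the router rebooted matches the all-Stealth GRC result described above.
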
+Warwagon (MVC), posted December 28, 2016:

3 minutes ago, notta said:
> That UPNP is a security nightmare IMO. Thanks for the help guys.

Yep, always has been

+BudMan (MVC), posted December 28, 2016:

"purchased a Linksys 1900ACS"

You're saying that they have UPnP enabled by default? Or you had enabled it? Years ago after all the ###### storm of ###### being opened I thought all the makers changed to default of UPnP disabled out of the box??

http://www.linksys.com/us/support-article?articleNum=135071

> QUICK TIP: By default, the UPnP is already enabled on the router.

Wow that is a BAD idea!!!

As to your support you got - what do you expect to be honest? I agree with them 80 is needed for the internet to work.. So off their script they were reading yes 80 outbound would be open by default

+Warwagon (MVC), posted December 28, 2016:

1 hour ago, BudMan said:
> Years ago after all the ###### storm of ###### being opened
> Wow that is a BAD idea!!!

Well on the other end, they would be getting a lot more support calls on why their stuff isn't working and how to configure it on their router. The only people who gave a ###### about them being opened in the first place were people who gave a ######, which compared to the average user were very few.

Joe User, posted December 28, 2016:

For the average Joe Windows (8 or 10) User, UPnP should be on and all network settings should be at default. It's not high security, but it's passable. The $100 router will fall back to the Windows firewall and the user will be able to use their programs and play their games with minimal disruption. When you get into power user setups, THEN you need to start disabling stuff.

+BudMan (MVC), posted December 28, 2016:

Um NO, and NO!!! It's NO security -- if devices/applications/software can just open unsolicited ports without any say from the user/admin of the network.. Then what you get is millions of IoT devices in botnets DDoS companies

His security camera opened up its web page to the public internet.. What do you think makes up vast part of the ever growing IoT botnets??

If user X wants to access something from the public internet, they should understand the implications of that before they allow it.. If that is something as basic as knowing what UPnP does before they click enable it's a start!!!

BinaryData, posted December 28, 2016:

16 hours ago, Joe User said:
> For the average Joe Windows (8 or 10) User, UPnP should be on and all network settings should be at default. It's not high security, but it's passable. The $100 router will fall back to the Windows firewall and the user will be able to use their programs and play their games with minimal disruption. When you get into power user setups, THEN you need to start disabling stuff.

Nope. Never. Notta. UPNP shouldn't EVER be enabled by Default. I believe I have it set up for a single VLAN, and that's for my XBOX360/One. That was the FIRST thing BudMan told me when I got my RV320, "DO NOT ENABLE UPNP AT ALL".

Also, you bought a Linksys, which isn't owned by Cisco anymore. So enjoy the craptastic support, and just an FYI, their WebUI BLOWS. It's owned by Belkin, which ripped out all of the Cisco Firmware and put theirs on it. After going through several routers, I simply upgraded to a Business Class router. If I suggest ANY SOHO router, it'll be TP-Link.

Eric (Veteran), posted December 28, 2016:

I don't understand why UPnP works outside of a LAN at all. I can't think of a safe use for it as WAN.

notta (Author), posted December 28, 2016:

I purchased the Linksys router because my Apple router was dropping wireless. For some reason I was happy with Apple because I feel they actually care about security. I then just went to BB and purchased a new router to get my wireless back up and running again. I am not happy with this router at all from everything I have seen. What do you recommend?

Also, I have another question. The other day I set up a pfSense box on a Dell 3020 SFF. Uses about 20 watts of electricity so that's not too bad. My goal is to get that set up and use the wireless as an access point so buying another router is not necessary I guess. I have been searching for a quad port Intel NIC on eBay, but everything I see suggests that the cards are fake. How in the hell do you purchase genuine Intel NIC cards?

+BudMan (MVC), posted December 28, 2016:

1 hour ago, Eric said:
> I don't understand why UPnP works outside of a LAN at all

In what scenario would it be used on a LAN?? It is really designed for port forwarding, not just normal firewall rules. You don't normally NAT LAN to LAN, so would have zero use for port forwarding.

+BudMan (MVC), posted December 28, 2016:

Why would you be looking on eBay? Amazon, Newegg, Monoprice.. Would all be before I would buy ###### off eBay..

+InsaneNutter (MVC), posted December 28, 2016 (edited):

1 hour ago, notta said:
> I have been searching for a quad port Intel NIC on Ebay, but everything I see suggests that the cards are fake. How and the hell do you purchase genuine Intel NIC cards?

The majority are fake on eBay, purchase from a reputable computer hardware supplier. If you're in the UK, Scan carry various Intel NICs which work fine on ESXi or pfSense. I purchased this Intel E1G44ET2 Quad Port NIC which is working great on ESXi 6, running a pfSense VM.

Eric (Veteran), posted December 29, 2016:

2 hours ago, BudMan said:
> In what scenario would it be used on a lan?? It is really designed for port forwarding, not just normal firewall rules. You don't normally nat lan to lan, so would have zero use for port forwarding.

I normally think of UPnP as looking for and addressing personal LAN devices. I know it's cobbled-together junk but that's what I think it should've been for.

Joe User, posted December 29, 2016 (edited):

16 hours ago, BudMan said:
> Um NO, and NO!!! It's NO security -- if devices/applications/software can just open unsolicited ports without any say from the user/admin of the network.. Then what you get is millions of IoT devices in botnets DDoS companies
> His security camera opened up its web page to the public internet.. What do you think makes up vast part of the ever growing IoT botnets??
> If user X wants to access something from the public internet, they should understand the implications of that before they allow it.. If that is something as basic as knowing what UPnP does before they click enable it's a start!!!

First off, I don't think the camera (or anything else) should just be randomly opening up ports without telling anyone. However, I do think that the OS and devices need the ability to open up ports without a visit to a firewall page. There are times when it's needed and Windows does a decent job by giving you a firewall warning for incoming connections.

To solve the botnet issue, stop buying poorly designed hardware and ask your local AG to start suing the worst offenders. In this case it sounds like the camera had a UPnP on/off option. Without knowing the setup I can't say if it was designed well or not, for all I know someone clicked 'open this port' during setup without paying attention. That's not UPnP's fault, that's the end user not reading what's on the screen.

Joe User, posted December 29, 2016:

7 hours ago, BinaryData said:
> Nope. Never. Notta. UPNP shouldn't EVER be enabled by Default.

Why not? Give me a real technical reason.

sc302 (Veteran), posted December 29, 2016:

38 minutes ago, Joe User said:
> Why not? Give me a real technical reason.

Some random thing gets loaded on your computer without your knowledge...aka malware, Trojan, or a virus...it opens a random port allowing an attack to come through giving full access to your computer. UPnP is not secure and can leave you open to further attack. If your first line of defense is your firewall, what happens when it is taken completely out of the picture without your approval or knowledge?

adrynalyne, posted December 29, 2016:

37 minutes ago, Joe User said:
> Why not? Give me a real technical reason.

Security isn't a technical reason????!!

+BudMan (MVC), posted December 29, 2016:

7 hours ago, Joe User said:
> I do think that the OS and devices need the ability to open up ports without a visit to a firewall page.

For what reason? I can see no reason that a device/application should ever be allowed to open up a port in a firewall - ever!! If X port is needed, then it can be requested - but needs to be authed by some method, or explicitly set up by the admin/user..

Sure it makes it easy for grandma to host games on her xbox.. But it is not secure that is for damn sure..

Joe User, posted December 29, 2016:

10 hours ago, sc302 said:
> Some random thing gets loaded on your computer without your knowledge...aka malware, Trojan, or a virus...it opens a random port allowing an attack to come through giving full access to your computer. Upnp is not secure and can leave you open to further attack. If your first line of defense is your firewall what happens when it is taken completely out of the picture without your approval or knowledge?

Some random malware, trojan or virus gets loaded on my computer without my knowledge and it's game over anyway. Open inbound ports or not, if the computer is running whatever it wants, it can be controlled remotely. That's really not a good example.

+Warwagon (MVC), posted December 29, 2016:

3 hours ago, BudMan said:
> Sure it makes it easy for grandma to host games on her xbox..

Which is why UPNP will never be disabled by default. The router manufacturers do not want a flood of calls to their support department wondering why they can't host games on their xbox.

Joe User, posted December 29, 2016 (edited):

10 hours ago, adrynalyne said:
> Security isn't a technical reason????!!

Needless complexity isn't security.

3 hours ago, BudMan said:
> For what reason? I can see no reason that a device/application should ever be allowed to open up a port in a firewall - ever!! If X port is needed, then it can be requested - but needs to be authed by some method, or explicitly setup by the admin/user.. Sure it makes it easy for grandma to host games on her xbox.. But it is not secure that is for damn sure..

In Windows you do get a warning to allow things through the firewall. So in that sense it's authorized, granted, it's not the best solution. UPnP opens up a port to a device that requests the port, usually for NAT traversal. It's not randomly opening up ports to the entire network.

Here's a question to everyone, what hardware firewall do you use on your smartphone when it's on the cellular network?

+Warwagon (MVC), posted December 29, 2016:

Just now, Joe User said:
> UPnP opens up a port to a device that requests the port, usually for NAT traversal. It's not randomly opening up ports to the entire network.

That's if it's playing nice. Malware could request a whole bunch of port