Linksys Router Port 80. Are you kidding me?

[notta]

So, I've had an Apple Router for some time now and has always met my needs. Well the WIFI has been flaky as of late so I went out and purchased a Linksys 1900ACS router. I installed the new Linksys router. I then went to GRC.com and ran the port scans to see how it looked and it reported everything Stealth except for an open port 80. So I checked on my mobile phone, with WIFI disabled and not yet configured for the new network, and sure enough when I put in my WAN IP I get my security camera login page. I went thoroughly through the software and nothing was in there (remote administration) that I could see that would need port 80. I called Linksys and said WTF? After going off to the manager multiple times the woman told me that Port 80 is open by default and I need it for web traffic. At this point I was getting ###### and said I need it but not for inbound I don't. She proceeded to go back to her manager and finally ended it with there was nothing they could do and that port 80 is open by design. WTF???? Am I missing something here guys? No other router I have ever owned has come back with an open port 80 on GRC. When I wanted to view my cameras in the past I had to setup port forwarding on my router. Looks like I will need to finish my PFSense box. I am blown away right now. I must be missing something because I don't see any posts about this and I know other people would surely have complained about this.

[Squirrelington]

Is it possible your camera system uses UPnP or NAT-PMP and requests a port forward for itself?

[Ravensky]

is port triggering on?  How does it know what ip to forward port 80 to on your internal network unless port triggering is on or you have setup port forwarding?  turn off port triggering and try that first.

2 minutes ago, Squirrelington said:

Is it possible your camera system uses UPnP or NAT-PMP and requests a port forward for itself?

turn off UPNP also...

[notta]

So I tried some of your suggestions. UPNP was enabled on a few of the cameras so I disabled that feature and disabled the feature on the router but the same issue. I then rebooted the router and now I couldn't connect. I reran the GRC scan and all the ports are now closed (Stealth). That UPNP is a security nightmare IMO. Thanks for the help guys.

[+Warwagon MVC]

3 minutes ago, notta said:

 That UPNP is a security nightmare IMO. Thanks for the help guys.

 

Yep, always has been

[+BudMan MVC]

"purchased a Linksys 1900ACS"

 

Your saying that they have UPnP enabled by default?  Or you had enabled it?  Years ago after all the ###### storm of ###### being opened I thought all the makers changed to default of UPnP disabled out of the box??

 

http://www.linksys.com/us/support-article?articleNum=135071

QUICK TIP:  By default, the UPnP is already enabled on the router.

 

Wow that is a BAD idea!!!

 

As to your support you got - what do you expect to be honest?   I agree with them 80 is needed for the internet to work.. So off there script they were reading yes 80 outbound would be open by default

[+Warwagon MVC]

1 hour ago, BudMan said:

 Years ago after all the ###### storm of ###### being opened

Wow that is a BAD idea!!!

 

 

 

 

Well on the other send, they would be getting a lot more support calls on why their stuff isn't working and how to configure it on their router.

 

The only people who gave a ###### about them being opened in the first place were people who gave a ######, which compared to the average user where very few.

[Joe User]

For the average Joe Windows (8 or 10) User, UPnP should be on and all network settings should be at default.

 

It's not high security, but it's passable. The $100 router will fall back to the Windows firewall and the user will be able to use their programs and play their games with minimal disruption.

 

When you get into power user setups, THEN you need to start disabling stuff.

 

[+BudMan MVC]

Un NO, and NO!!!  its NO security -- if devices/applications/software can just open unsolicited ports without any say from the user/admin of the network.. Then what you get is millions of iot devices in botnets ddos companies

 

He security camera opened up its web page to the public internet.. What doe you think makes up vast part of the every growing iot botnets??

 

If user X wants to access something from the public internet, they should understand the implications of that before they allow it..  If that is something as basic as knowing what UPnP does before they click enable its a start!!!

[BinaryData]

16 hours ago, Joe User said:

For the average Joe Windows (8 or 10) User, UPnP should be on and all network settings should be at default.

 

It's not high security, but it's passable. The $100 router will fall back to the Windows firewall and the user will be able to use their programs and play their games with minimal disruption.

 

When you get into power user setups, THEN you need to start disabling stuff.

 

Nope. Never. Notta. UPNP shouldn't EVER be enabled by Default. I believe I have it setup for a single VLAN, and that's for my XBOX360/One. That was the FIRST thing BudMan told me when I got my RV320, "DO NOT ENABLE UPNP AT ALL". 

 

Also, you bought a Linksys, which isn't owned by Cisco anymore. So enjoy the craptastic support, and just an fyi, their WebUI BLOWS. It's owned by Belkin, which ripped out all of the Cisco Firmware and put theirs on it. After going through several routers, I simply upgraded to a Business Class router. If I suggest ANY SOHO router, it'll be TP-Link.

[Eric Veteran]

I don't understand why UPnP works outside of a LAN at all. I can't think of a safe use for it as WAN.

[notta]

I purchased the Linksys router because my Apple router was dropping wireless. For some reason I was happy with Apple because I feel they actually care about security. I then just went to BB and purchased a new router to get my wireless back up and running again. I am not happy with this router at all from everything I have seen. What do you recommend?

 

Also, I have another question. The other day I setup a PFSense box on a Dell 3020 SFF. Uses about 20 watts of electricity so that's not too bad. My goal is to get that setup and use the wireless as an access point so buying another router is not necessary I guess I have been searching for a quad port Intel NIC on Ebay, but everything I see suggests that the cards are fake. How and the hell do you purchase genuine Intel NIC cards?

[+BudMan MVC]

1 hour ago, Eric said:

I don't understand why UPnP works outside of a LAN at all

In what scenario would it be used on a lan??  It is really designed for port forwarding, not just normal firewall rules.  You don't normally nat lan to lan, so would have zero use for port forwarding.

[+BudMan MVC]

Why would you be looking on ebay?  Amazon, Newegg, Monoprice.. Would all be before I would buy ###### off ebay..

 

 

[+InsaneNutter MVC]

1 hour ago, notta said:

I have been searching for a quad port Intel NIC on Ebay, but everything I see suggests that the cards are fake. How and the hell do you purchase genuine Intel NIC cards?

The majority are fake on Ebay, purchase from a reputable computer hardware supplier. If your in the UK Scan carry various Intel NIC's which work fine on ESXi or Pfsense.

 

I purchased this Intel E1G44ET2 Quad Port NIC which is working great on ESXI 6, running a pfSense VM.

[Eric Veteran]

2 hours ago, BudMan said:

In what scenario would it be used on a lan??  It is really designed for port forwarding, not just normal firewall rules.  You don't normally nat lan to lan, so would have zero use for port forwarding.

I normally think of UPnP as looking for and addressing personal LAN devices. I know it's cobbled-together junk but that's what I think it should've been for.

[Joe User]

16 hours ago, BudMan said:

Un NO, and NO!!!  its NO security -- if devices/applications/software can just open unsolicited ports without any say from the user/admin of the network.. Then what you get is millions of iot devices in botnets ddos companies

 

He security camera opened up its web page to the public internet.. What doe you think makes up vast part of the every growing iot botnets??

 

If user X wants to access something from the public internet, they should understand the implications of that before they allow it..  If that is something as basic as knowing what UPnP does before they click enable its a start!!!

First off, I don't think the camera (or anything else) should just be randomly opening up ports without telling anyone.  However, I do think that the OS and devices need the ability to open up ports without a visit to a firewall page.  There are times when it's needed and Windows does a decent job by giving you a firewall warning for incoming connections.

 

To solve the botnet issue, stop buying poorly designed hardware and ask your local AG to start suing the worst offenders. In this case it sounds like the camera had a UPnP on/off option. Without knowing the setup I can't say if it was designed well or not, for all I know someone clicked 'open this port' during setup without paying attention. That's not UPnP's fault, that's the end user not reading what's on the screen.

[Joe User]

7 hours ago, BinaryData said:

Nope. Never. Notta. UPNP shouldn't EVER be enabled by Default.

 

 

Why not? Give me a real technical reason.

[sc302 Veteran]

38 minutes ago, Joe User said:

 

 

Why not? Give me a real technical reason.

Some random thing gets loaded on your computer without your knowledge...aka malware, Trojan,  or a virus...it opens a random port allowing an attack to come through giving full access to your computer.  Upnp is not secure and can leave you open to further attack.  If your first line of defense is your firewall what happens when it is taken completely out of the picture without your approval or knowledge?

[adrynalyne]

37 minutes ago, Joe User said:

 

 

Why not? Give me a real technical reason.

Security isn't a technical reason????!!

[+BudMan MVC]

7 hours ago, Joe User said:

I do think that the OS and devices need the ability to open up ports without a visit to a firewall page.

For what reason?  I can see no reason that a device/application should ever be allowed to open up a port in a firewall - ever!!  If X port is needed, then it can be requested - but needs to be authed by some method, or explicitly setup by the admin/user..

 

Sure it makes it easy for grandma to host games on her xbox..  But it is not secure that is for damn sure..

[Joe User]

10 hours ago, sc302 said:

Some random thing gets loaded on your computer without your knowledge...aka malware, Trojan,  or a virus...it opens a random port allowing an attack to come through giving full access to your computer.  Upnp is not secure and can leave you open to further attack.  If your first line of defense is your firewall what happens when it is taken completely out of the picture without your approval or knowledge?

Some random malware, trojan or virus gets loaded on my computer without my knowledge and it's game over anyway. Open inbound ports or not, if the computer is running whatever it wants, it can be controlled remotely.

 

That's really not a good example. 

[+Warwagon MVC]

3 hours ago, BudMan said:

Sure it makes it easy for grandma to host games on her xbox.. 

 

 

2

Which is why it UPNP will never be disabled by default. The router manufacturers do not want a flood of calls to their support department wondering why they can't host games on their xbox.

[Joe User]

10 hours ago, adrynalyne said:

Security isn't a technical reason????!!

Needless complexity isn't security.

 

3 hours ago, BudMan said:

For what reason?  I can see no reason that a device/application should ever be allowed to open up a port in a firewall - ever!!  If X port is needed, then it can be requested - but needs to be authed by some method, or explicitly setup by the admin/user..

 

Sure it makes it easy for grandma to host games on her xbox..  But it is not secure that is for damn sure..

In Windows you do get a warning to allow things through the firewall. So in that sense it's authorized, granted, it's not the best solution.

 

UPnP opens up a port to a device that requests the port, usually for NAT traversal. It's not randomly opening up ports to the entire network.

 

Here's a question to everyone, what hardware firewall do you use on your smartphone when it's on the cellular network? 

[+Warwagon MVC]

Just now, Joe User said:

UPnP opens up a port to a device that requests the port, usually for NAT traversal. It's not randomly opening up ports to the entire network.

 

That's if it's playing nice. Malware could request a whole bunch of port