Leaving port 443 open on a router

What serious risks are involved in leaving port 443 open on my home dsl router, just to enable router's remote web interface?

- LAN behind the router are basically home pcs with no risky/valuable data.
- No port forwording
- Computers stand behind NAT

 

do you need remote access enabled on the router? To do what, as there might be safer approaches

 

Administrate wlan access on the fly, enable /disable access

 

No computer on the LAN "always on", so no opportunity to plan a VPN approach....

 

I guess all you can do is update the firmware to the latest and hope there are no vulnerabilities in the way remote access is implemented (which probably there are not)

 

I did, but I was told that router's firmwares, mostly linux based, are highly exposed to vulnerabilities

 

Hi,
I have exactly the same problem. I noticed after doing a scan with GRC shields up that Port 443 is wide open on the Router presumably for Admin purposes (every other port is closed or stealthed).
I have double checked the Router's settings (Gigaset SE572) and remote administration is switched off, firewall is on (the routers firewall setting is either on or off no other configuration available).
Having extensively Googled the problem I did come across one chap who said he solved the problem by forwarding port 443 to a non-existent IP address, effectively closing the port, but I hadn't even heard of Port Forwarding until yesterday ! ( I have since seen the port forwarding page in the router).
I don't like having this port open like it is but feel there is little I can do about it. Given I have remote admin switched off should I be overly worried about it ?
Thanks

(Win 7 64 bit PC with win firewall blocking all incoming connections.)

 

The OP wanted to remotely administer his router and chose to open port 443 on the Internet side.

Where the user has full control over the router and it supports custom firewall rules they could look into creating blocking rules to reduce access to that port 443. Blocking based on source IP Address range for example. Hopefully they will know what they are doing and won't inadvertently lock them self out [on the LAN side too, if it allows that].

It sounds like you, ghodgson, do not need/want remote admin capability. Question is, do you own this device or is it ISP provided? If the device is ISP provided then they are going to want to, and may guarantee in some obvious or non-obvious way, that they can remotely administer it. It may be running custom firmware. ISP tech support people, and possibly automated systems, may expect unfettered access and a trick like that mentioned could theoretically present some kind of problem. Even though it is meant to eliminate another. ISP specific forums would probably be the best place to discuss such ISP specific issues.

Assuming this is an ISP provided device...

You might try a reboot just for fun, especially if you changed the remote administration setting from enabled to disabled and haven't subsequently rebooted.

I would suggest you or someone else try to remotely access your router on port 443 to see how things behave. Use whatismyipaddress.com or some other site to confirm your public IP Address. Lets pretend it is X.X.X.X. Then, from *outside* of your home network... from another customer's connection and possibly also from a non-customer's connection... try to load [noparse]https://X.X.X.X/[/noparse] via browser. If you know the full name/path to admin pages you could also try those. Do you actually get a login page? Can you login via a well-known/default username and password? Can you login via an admin username and password you set up? Note: The ISP might have its own "secret" username/password. The answers to those questions (which you might not want to share with us) will help you assess the seriousness of the situation.

 

There should be no risk at all, and if you really want to be sure, just enable the inbuilt firewall on the local pc's.

 

Hi Guys,
TheWindBringeth

Thanks for your input. It is a router given as a 'freeby' from the ISP and obviously the firmware is theirs. First thing I did was change the password to one more secure. I think you are quite right about the port forwarding I mentioned, I wouldn't want to go doing something I am not familiar with and end up with no internet connectivity. I will check the ISP's website to see if anyone else has mentioned the open port 443.

wat0114

Thanks for your reply and reassurance. My PC's software firewall is enabled to block all incoming connections.

Gordon

(Win 7 64 bit PC with win firewall blocking all incoming connections.)

 

The absoluteness of that concerns me and I'd like to provide some food for thought. If not for the OPs then at least others who may come across this thread.

Generally speaking, stealthed (unresponse to probes) is better than closed is better than open is better than open with a vanilla login server listening on the port. If a router is going to be kept open to remote connections/login/management, restricting what machines can establish connections is better than not restricting that. Tolerating a closed port rather than stealthed port is one thing. Tolerating an open port with a vanilla login server listening and allowing login attempts is another. Especially where it is open to the world.

What usernames/passwords are valid? How strong are they? Who knows them? Do you really know? What if any lockout policies are in place to impede automated attempts to try usernames/passwords? Is logging enabled? Is someone routinely checking the logs? Are there alerts to forcefully make someone aware of activity of interest?

If someone manages to login to your router there are a number of bad things they could do. Depending on the router and the exact firmware it is running, things like:

- Flash new firmware with various nasty features
- Change DNS server settings and redirect your traffic
- Grab your admin username/password (which should be unique to the router but many people still insist on using the same ones for different purposes)
- Grab your wireless keys (which again, should be unique) and use them to access your WiFi for legal and/or illegal purposes.
- Change those to lock you out
- Enable the guest account and/or generally open your WiFi to others
- Disable separation features
- If one has a device with cloud features <gulp>, possibly gain access to a cloud account and whatever it stores or enables
- Modify NAT/firewall features to explore your internal network and devices (which may not be just computers) for weaknesses. Possibly exploiting something that is found.
- Enable UPnP
- Enable logs to capture information about your Internet activity
- Restore some more obvious settings and/or reset logs in order to hide their tracks

So although there is temptation to put faith in the idea that "no one will guess my username/password or have some other that I don't know of and which will work", I would say it is wise to keep remote administration features as closed off as possible. The potential consequences of being wrong are just too severe.

 

Thanks again for your input.
I did contact my ISP about this, who has not yet responded ( no surprise there) however, there has been a development. While milling through the routers various settings I came across a quite hidden setting, separate from the firewall. This was 'Attack detection' which was set to it's default 'medium' level. I changed this to 'high' to see what would happen and then went back to a couple of online port scanners and now happily all my ports are stealthed including 443.
Problem solved.

Thanks again,
Gordon

 

@Wind,

opening port 443 on the router for legitimate administrative purposes, in this case, does not exactly create a gaping security hole to say the least.

 

I've had servers open to remote login for ages. I wouldn't do that without additional layers of notification/protection and more knowledgeable than I friends in the datacenter, but that should tell you where I stand. Like I said, the previous reply was food for thought.

Regarding the bumping up of that attack detection setting, I'm unfamiliar with how that actually works but were it me I'd want to try to answer that. Could it be "masking" the openness of 443 by blocking source IP Addresses after they've probed N other ports? While some potential threats target multiple ports, others just hit the specific one they are interested in.

 

Hi,
As well as checking all service ports, I have checked 443 on it's own which showed it to be stealthed.

Thanks