LinuxQuestions.org


lattimro 12-11-2022 07:37 PM

SR516ac
 
1 Attachment(s)
Hi Folks,

I have a Smart SR516ac modem-router, software version: 2.6.2.7. When I nmap my public IP there are some ports open besides the ones I manually open.
Code:

PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

I read the manual but I can't find how to close these ports. Also I contacted the ISP provider technician and they said that issue is beyond their support.
There are some settings in Management/Access Control/Services that are disabled for the WAN (which is OK) and enabled and greyed out for the LAN (also OK). I cannot find any other settings. Nevertheless the ports are still open and I have no control over them. I am thinking maybe some of you have this model and can share the experience.

michaelk 12-12-2022 04:39 AM

If you are running a scan from inside your LAN then even though you're using your public IP address it may not be actually looping back. Try testing from outside your LAN or using grc.com via shields up.

lattimro 12-12-2022 09:50 AM

Quote:

Originally Posted by michaelk (Post 6397399)
If you are running a scan from inside your LAN then even though you're using your public IP address it may not be actually looping back. Try testing from outside your LAN or using grc.com via shields up.

Thank you michaelk, I was testing from outside too and got the same results. In fact the question was for those who are familiar with this model and know where the settings are for closing listening ports.

michaelk 12-12-2022 11:39 AM

I understand but with no replies thought I would pop in with a suggestion. If I believe the attached screenshot all services on the unit are disabled from the WAN side. So theoretically they should not be detected from the outside. The only information I found related to your model was maybe port forwarding is called port triggering. Are you forwarding anything?

Ports 139 and 445 are used by Windows SMB/CIFS (aka samba). Many ISPs block SMB/CIFS traffic by default nowadays.
Is the router configured for sharing?

The outside ssh port is 2222 but since nmap only automatically scans for the first 1000 or so it isn't going to be shown in the list nor is it enabled but 22 is shown. Do you have port forwarding configured for 22? Have you tried logging in to see what happens?

Port 53 is DNS and while it typically is open on the LAN side it should not be on the WAN. It isn't something you would necessarily forward either.

tftp is UDP based but would assume the nmap command ran only checked TCP.
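An added example, not part of the thread: a small Python audit that parses an nmap port table like the one in the first post and sorts the open ports into intended forwards and unexpected exposure, using the port-by-port reasoning in the post above. The function names, the labels in `CONCERNS`, the embedded scan text and the assumption that 22/tcp is the only intended forward are constructed for illustration.

```python
import re

# Constructed sample: nmap normal-format rows shaped like the first post's table.
SAMPLE_SCAN = """\
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds
"""

# Reviewer labels per port (wording chosen for this example).
CONCERNS = {
    21: "cleartext login (FTP)", 23: "cleartext login (telnet)",
    53: "DNS, normally LAN-side only",
    80: "web interface (HTTP)", 443: "web interface (HTTPS)",
    139: "SMB/CIFS sharing", 445: "SMB/CIFS sharing",
}
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(scan_text):
    """Yield (port, proto, state, service) for each row of the port table."""
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def audit(scan_text, intended):
    """Compare scan rows with `intended`, a set of (port, proto) forwards."""
    seen = {(p, pr): (st, svc) for p, pr, st, svc in parse_ports(scan_text)}
    report = {"intended": [], "unexpected": [], "unconfirmed": []}
    for (port, proto), (state, svc) in sorted(seen.items()):
        if state == "open" and (port, proto) in intended:
            report["intended"].append(port)
        elif state == "open":
            report["unexpected"].append((port, svc, CONCERNS.get(port, "unreviewed")))
        elif state == "open|filtered":  # nmap could not confirm (typical for UDP)
            report["unconfirmed"].append(port)
    # Intended forwards missing from the output: closed, or outside the scanned range.
    report["not_seen"] = sorted(p for p, pr in intended if (p, pr) not in seen)
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SCAN, {(22, "tcp")}).items():
        print(key, value)
```

Feed it output from a scan run from outside the LAN. A default nmap scan covers only the 1000 most common TCP ports, so an entry in `not_seen` may simply mean the port was never scanned.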

lattimro 12-12-2022 12:49 PM

Quote:

Originally Posted by michaelk (Post 6397461)
I understand but with no replies thought I would pop in with a suggestion. If I believe the attached screenshot all services on the unit are disabled from the WAN side. So theoretically they should not be detected from the outside. The only information I found related to your model was maybe port forwarding is called port triggering. Are you forwarding anything?

Yes, as per screenshot it looks like the WAN side ports are disabled. Here's where newbies like me get confused :).
Yes, port triggering or even "virtual servers".
Yes, I am only forwarding p:22.

Quote:

Ports 139 and 445 are used by Windows SMB/CIFS (aka samba). Many ISPs block SMB/CIFS traffic by default nowadays.
Is the router configured for sharing?

I do not know, AFAIK I don't think so.

Quote:

The outside ssh port is 2222 but since nmap only automatically scans for the first 1000 or so it isn't going to be shown in the list nor is it enabled but 22 is shown. Do you have port forwarding configured for 22? Have you tried logging in to see what happens?

I can ssh, if this is what you've asked me.

Quote:

Port 53 is DNS and while it typically is open on the LAN side it should not be on the WAN. It isn't something you would necessarily forward either.

tftp is UDP based but would assume the nmap command ran only checked TCP.

Thanks!

michaelk 12-12-2022 03:21 PM

When you login via ssh you're connecting to your server and not the router?
I believe your router has a USB port? I am guessing if you do not know if it is configured then nothing is connected.

If you try to access the router via a web browser from outside the LAN what happens?

lattimro 12-12-2022 03:54 PM

Quote:

Originally Posted by michaelk (Post 6397483)
When you login via ssh you're connecting to your server and not the router?

Yes

Quote:

I believe your router has a USB port?

Yes

Quote:

I am guessing if you do not know if it is configured then nothing is connected.

On those open ports it looks like it connects to the router. From there only ssh is forwarded to my ssh server. These (open) ports, I believe, the ISP left them open on the WAN side (the thing is I do not see where in the router's settings these open ports are) of the router for 'troubleshooting'.

Quote:

If you try to access the router via a web browser from outside the LAN what happens?

I get the login prompt but when I enter my credentials (the ones I use for local access) it fails.


Thanks!

michaelk 12-12-2022 04:39 PM

Quote:

I am guessing if you do not know if it is configured then nothing is connected.

Sorry for the confusion, I was asking about USB ports.

I would expect the page posted in your 1st post to be the setting and not enabled would not be accessible from the outside. It is a bit strange. Just out of curiosity have you tried connecting using ftp or telnet to see what happens?

lattimro 12-12-2022 07:49 PM

Quote:

Originally Posted by michaelk (Post 6397492)
Sorry for the confusion, I was asking about USB ports.

I would expect the page posted in your 1st post to be the setting and not enabled would not be accessible from the outside. It is a bit strange. Just out of curiosity have you tried connecting using ftp or telnet to see what happens?

It is strange and confusing enough; if it were not, I would not have asked for help :).
Yes, I connected to ftp and telnet and got into the router. From there I am not familiar with router commands but I remember I can get modelname, swversion etc.

Thanks!

michaelk 12-12-2022 08:09 PM

From outside your LAN?

You should disable telnet and ftp from the LAN.

lattimro 12-12-2022 08:28 PM

Quote:

Originally Posted by michaelk (Post 6397528)
From outside your LAN?

You should disable telnet and ftp from the LAN.

Yes, from WAN.

If you mean telnet/ftp services, they are disabled on Ubuntu.

michaelk 12-12-2022 09:10 PM

Quote:

Yes, I connected to ftp and telnet and got into the router.
From outside your LAN?
Yes, from WAN.

Both ftp and telnet are not encrypted and passwords are sent in plain text. That is not a good thing.

lattimro 12-12-2022 09:16 PM

Quote:

Originally Posted by michaelk (Post 6397547)
Both ftp and telnet are not encrypted and passwords are sent in plain text. That is not a good thing.

That's why I wanted to close these ports. We are on square one :)

michaelk 12-12-2022 09:25 PM

Disable them from the LAN side and as shown in your attached screenshot and see if you can still connect.

lattimro 12-12-2022 09:36 PM

Quote:

Originally Posted by michaelk (Post 6397549)
Disable them from the LAN side and as shown in your attached screenshot and see if you can still connect.

I would have done that in the first place (just for testing...) but I can't: they are greyed out ...


All times are GMT -5.