Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

mariol66
Aspirant

Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

I am running a PCI Compliance vulnerability check on my network, and I am being flagged for having port 23 Telnet open. I have read that this is closed by default so I'm not sure why it is appearing. I have created inbound and outbound rules to always block Telnet. Just as a fail-safe, I created a custom service choosing port 23, as well as the built in service for Telnet on the router. I also have turned off remote management via Telnet on the router. Port scanners and the PCI Scanner are showing I still have it open. What else can I do?

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 1 of 15
train_wreck
Luminary

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

If the PCI scan is reporting telnet listening on the LOCAL LAN interface..... nothing you can do. None of the FVS devices allow you to completely disable telnet on the LAN, only on WAN. (it is honestly insane that I am even using the word "telnet" right now, in 2017..... SSH has been around for over 20 years......)

Message 2 of 15
mariol66
Aspirant

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

Thanks for the response! This is the exact response I got from the PCI Scanner:

For additional information please scroll down. We have denied this dispute based upon manual investigation of this finding. Manual investigation appears to show plaintext logins are possible on this system:

$ telnet 50.xxx.xxx.221 23
Trying 50.xxx.xxx.221...
Connected to 50.xxx.xxx.221.
Escape character is '^]'.

(none) login: Anonymous
Password:

Message 3 of 15
train_wreck
Luminary

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

But you were running the scanner on a computer behind the router, correct? Connected to the LAN ports...

Message 4 of 15
mariol66
Aspirant

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

The scanner is run by a company outside our local network. I even run tests from port scanning sites, all telling me Telnet is open as well. 

Message 5 of 15
mariol66
Aspirant

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

The scans are being run from outside the LAN. Showing Port 23 open

Message 6 of 15
JohnC_V
NETGEAR Moderator

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

Hi mariol66,

Welcome to the community!

Would you mind sending me your WAN IP and the configuration file of the firewall via PM? You may also try upgrading the firmware to the latest version first and see if that helps.

Regards,

Message 7 of 15
mariol66
Aspirant

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

Sent you a PM.

Message 8 of 15
Retired_Member
Not applicable

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

Hi mariol66,

Welcome to the Netgear Community. I think port 23 is disabled by default from outside the LAN, unless you force it on via the Web GUI. Can you check whether you enabled it manually?

Message 9 of 15
mariol66
Aspirant

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

Hi,

I don't have it opened up through the firewall. I also disabled management via telnet, but it is still showing as open from an outside LAN scan. I added it to the ALWAYS BLOCK section of the firewall as well, but that didn't do anything.

Message 10 of 15
JohnC_V
NETGEAR Moderator

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

Hi mariol66,

I checked port 23 on your network and it shows as online/reachable. For now, you may change the default password of your firewall to avoid a security risk. Then please try to log in to the firewall via console. We may need to disable telnet from the CLI of the firewall. In case it is not possible to access it via the CLI, please save/back up a configuration file and then reset the firewall to factory default, as telnet management is disabled by default.

Here is the CLI manual from the SRX5308, but it has the same configuration as the device that you have (page 188).

Regards,

Message 11 of 15
mariol66
Aspirant

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

I've never used the CLI interface of a Netgear router prior. What commands do I need to run, and what Windows utility do I need to use to achieve this?

Message 12 of 15
JohnC_V
NETGEAR Moderator

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

@mariol66,

You may need a serial cable in order to do this. You may turn on telnet on your Windows PC, or you may download the PuTTY application. Please try resetting the firewall to factory default first, and let's see if port 23 is still open right after that.

In PuTTY, select Telnet, then input the IP address of the firewall. Just log in using your credentials for the admin user and please follow the instructions in the CLI manual (page 188).

Regards, 

Message 13 of 15
mariol66
Aspirant

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

Hi,

I entered the commands as shown in the manual, but when I enable_ipv4 N and enable_ipv6 N and save and exit, the port still appears open. And I can log right back in from Terminal.

Message 14 of 15
JohnC_V
NETGEAR Moderator

Re: Netgear Prosafe FVS336Gv3 Leaving Telnet port 23 open

@mariol66,

May I know where the firewall is connected? Is it connected directly to a modem or to a modem/router? I suggest you remove the firewall from the network just to isolate the case, then check if port 23 is still open. I suspect there is another router on your network that is causing this issue; if not, try resetting the router to factory default.

Regards,

Message 15 of 15
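
An added example (not from any poster in this thread): one way to carry out the isolation step suggested in the last reply is to probe port 23 on each address you own, for instance the WAN IP and the firewall's LAN IP, and compare the login banners to see which device is answering. The function names and the sample capture are assumptions made for this sketch; the `(none) login:` prompt is the one shown in the scanner output quoted earlier in the thread.

```python
import socket

IAC, SE, SB = 255, 240, 250        # Telnet command bytes (RFC 854)
NEGOTIATE = (251, 252, 253, 254)   # WILL, WONT, DO, DONT

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only the text banner remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd == IAC:                      # escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                     # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in NEGOTIATE:              # command plus one option byte
            i += 3
        else:                               # any other two-byte command
            i += 2
    return bytes(out)

def probe_telnet(host: str, port: int = 23, timeout: float = 3.0):
    """Return (state, banner); state is 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                raw = s.recv(1024)
            except OSError:                 # connected, but nothing was sent
                raw = b""
    except ConnectionRefusedError:          # host answered with a reset
        return "closed", ""
    except OSError:                         # timeout or no route to host
        return "filtered", ""
    text = strip_telnet_negotiation(raw).decode("ascii", "replace")
    return "open", text.strip()

# Constructed capture: negotiation bytes followed by the prompt from the thread.
SAMPLE = b"\xff\xfd\x18\xff\xfb\x01\r\n(none) login: "

if __name__ == "__main__":
    print(repr(strip_telnet_negotiation(SAMPLE).decode().strip()))
    # On your own equipment, compare probe_telnet("<WAN IP>") with
    # probe_telnet("<firewall LAN IP>") (placeholders, fill in your own).
```

An empty banner on an open port does not by itself point to a different device, since some Telnet servers wait for the client's negotiation reply before printing a prompt.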