This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
An nmap scan (WAN side) on my R7000 router indicates that there are two ports open on my R7000 router: 80/tcp (http) and 1720/tcp (h323q931). My method to perform a WAN side scan on the router is to access the Internet through a hotspot on my smartphone to place myself on a separate network and run nmap against the public IP address for my router's network (nmap -Pn (public IP address)).
To make matters more interesting, a GRC ShieldsUP scan indicates all ports are closed. UPnP is not enabled (i.e. the box us UNchecked) and I have not enabled port forwarding for any ports. I have rebooted the router and run the scan from separate Windows and MAC computers (connected to the separate network created through my phone's hotspot) with the same results every time i.e. 80 and 1720 are open.
And to add even more to the confusion, the router's logs to not record any attempts to scan the ports i.e. the logs category "Known DoS attacks and Port Scans" shows nothing for either the nmap or GRC scans.
Relevant particulars:
Nighthawk R7000 AC1900 Router
Firmware: V1.0.7.6_1.1.99
I would greatly appreciate any help and insight into whether there is a security vulnerability here i.e. the ports are exposed and open to exploit, or if something else is going on that leads nmap to designate these ports as open. Also, any information on why the logs are not recording these scan attempts would also be appreciated.
I think I have the problem solved (or at least narrowed down substantially), and neither the router (or modem) are the cause of the open ports discovered with nmap. Looks like it has something to do with ISP (Comcast) i.e. I think I am hitting my ISP first, which is showing open ports for 80 and 1720.
I first disconnected every device from the network, rebooted ther router, and then hit my public IP address with nmap (WAN side, from an outside network). Still open ports, so not any of the devices. Then I powered down the router, waited 10 minutes, and tried again. Still open ports, so not the router. And then I powered down the modem, waited 10 mins, tried again, and still got the open ports on my public IP address! I'm not sure how it that all works, but apparantly I am hitting my ISP first with nmap (or something of that nature).
Thanks for all of your efforts to help me trouble shoot! --maap.
Not sure but under ADVANCED, SETUP, WAN SETUP there is a checkbox that might need to be checked to have the router log those events...
============
Respond To Ping On Internet Port
If you want the Router to respond to a 'Ping' from the Internet, click this check box. This can be used as a diagnostic tool. Again, like the DMZ server, this can be a security problem. You shouldn't check this box unless you have a specific reason to do so.
=============
The 2 ports you mentioned could normally be opened, or at least able to receive a ping? 80 is for web servers or you hosting a web site on your PC. The other is for MS Netmeeting it seems. Possible your f/w might allow those in, check its list of allowed ports? Also 1720 is also used by VIOP it seems. If you have that service from your ISP, then that is why you see that more than likely.
I decided to run GNC Shields up too, same router, same F/W, and I have VIOP as well.
Results for me:
================
GRC Port Authority Report created on UTC: 2017-01-07 at 15:35:10
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000
0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
================
As you can see, they are CLOSED for me? Could they be OPEN on your MODEM? Those results are for the COMMON PORTS test.
Did the ALL SERVICE PORTS too:
===========
GRC Port Authority Report created on UTC: 2017-01-07 at 15:41:26
Results from scan of ports: 0-1055
0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
I am receiving the same exact response from GRC ShieldsUP, and I have the same on the WAN setup page i.e. only Disable IGMP Proxying is checked. I don't have any ports set up for forwarding and am not running a web server or anything unusual.
Given the ShieldsUP response, I am relatively confident that my network is secure, although I am keen to get to the bottom of this. I ran several more intense nmap scans to try and grab the banner, but the most I could get are "http?" for port 80 and "h323q931?" for port 1720. I also could not get any info with telnet on these ports. This suggests to me that there may not actually be a service responsible for opening these ports in the traditional sense. As you suggest, I wonder if nmap's report on ports 80 and 1720 is related somehow to the cable model (Motorola SB6141). I looked at the modem gui, and could not find any information in the configuation though regarding opening/closing ports.
Welcome any additional thoughs, theories, or ideas. Thanks! -maap
I think I have the problem solved (or at least narrowed down substantially), and neither the router (or modem) are the cause of the open ports discovered with nmap. Looks like it has something to do with ISP (Comcast) i.e. I think I am hitting my ISP first, which is showing open ports for 80 and 1720.
I first disconnected every device from the network, rebooted ther router, and then hit my public IP address with nmap (WAN side, from an outside network). Still open ports, so not any of the devices. Then I powered down the router, waited 10 minutes, and tried again. Still open ports, so not the router. And then I powered down the modem, waited 10 mins, tried again, and still got the open ports on my public IP address! I'm not sure how it that all works, but apparantly I am hitting my ISP first with nmap (or something of that nature).
Thanks for all of your efforts to help me trouble shoot! --maap.
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
