A few open ports

Hey all -

New user here, just deployed XG on a Zotac CI323.  So far, I am very impressed.

I just deployed the XG into my network here.  To do a little checking, I ran an nmap scan from my MacBook while connected to my phone's hotspot so I'd be coming from outside in to my public IP address on the WAN side.

I seem to have 3 ports open.

21/tcp - FTP

80/tcp - HTTP

1720/tcp - h323q931

Can anyone out here in the forums help me understand why these are open?  My default network rule at the bottom of the stack is Source= Any Zone/Any Host, Destination Any Zone/Any Host, Any Service, Drop and Log

Thanks in advance!

Jesse



  • Hi Jesse,

    Try this: SSH to the XG and go to option 4, Device console.

    For H323, execute the command : console> system system_modules H323 unload

    For HTTP: Navigate to System > Administration > Device Access and see if HTTP is ticked. Uncheck device access on the WAN zone, but note that it will then refuse any connection on port 80.

    Try these steps and update us.

    Thanks

  • Sachin -

    For the first one, that command doesn't appear to be valid?  After poking around some, I finally found the proper syntax: system -> system_modules

    Sophos Firmware Version SFOS 15.01.0 MR-3

    console> cyberoam system_modules H323 unload
    % Error: Unknown Parameter 'cyberoam'
    console> system system_modules show
    pptp    loaded      
    h323    loaded      
    tftp    loaded      
    irc    loaded      
    sip    loaded      

    console> system system_modules h323 unload
    console> system system_modules show
    pptp    loaded      
    tftp    loaded      
    irc    loaded      
    sip    loaded      
    h323    not loaded

    console>

    Should I also unload the IRC module?  Is this something related to the Internet Relay Chat?  How about the TFTP module?  Is that why port 21 is open, even though I don't seem to be able to do anything with it as I've tested a bit externally?

    I do have an IP phone that I have yet to turn back on and enable.  I presume that SIP module is a SIP helper?  Presuming so, will it help with both SIP ports 5060 and 5061?  I saw there was a default service for SIP port 5060.  I duplicated it and created a similar one for SIP line two port 5061.  The device I have (Cisco ATA) has two lines enabled from two different service providers.

    For the second item, HTTP is not enabled in any of the zones.

    I think I'm going to modify my default network rule from drop to accept.  I think that will make my life a bit easier on allowing my LAN traffic outbound.

    Unloading that H323 helper should close that port I presume? 


    Thanks for all the help!

    Jesse

  • Bumping this thread again.


    After unloading the H323 module that seems to have closed the open TCP port 1720.


    However, port 80 and 21 (TCP) are still open on the firewall.

    I'll ask the question again - WHY are these ports open?  Why does a firewall product, in any shape or form, virtual or physical, have these ports open when there is not the first policy to allow them to be open and there is nothing on my LAN that would require them to be open?

    Poking around both ports externally, they seem to be "open but no body is home".  They don't seem to be responsive in any way.

    Is there someone else running XG on either a physical unit or the home package (I'm running mine on a Zotac ZBOX) that can confirm same on their setup?

    A simple nmap scan is all I've done, and boom, port 21 and 80 wide open.  Regardless, even if these open ports don't respond in any way, they are open and therefore going to get banged on by every 12-year-old Russian wannabe hacker sitting in his mom's garage.

    Thanks in advance for any feedback.

    Jesse
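
An added example, not code from the thread or from Sophos, that checks the "open but nobody's home" observation above. nmap marks a TCP port "open" as soon as the SYN is answered with a SYN/ACK; that says nothing about whether anything behind the socket will ever talk. The probe below completes the handshake, optionally sends a minimal client request, and waits for bytes, so it separates a port where a service greets or answers from one that accepts and then sits silent. The loopback listeners, the ports and the per-port payloads are constructed here so the script runs offline; they are assumptions, not anything from the XG itself.

```python
"""Connect-and-listen probe: distinguishes 'open, service answers' from
'open, nobody home'. Added example, not from the original thread.

The listener helpers exist only so the example runs offline against
constructed local sockets; host names, ports and payloads are assumptions.
"""
import socket
import threading

# Per-port client probes (assumption). FTP (21) and H.323 call signalling
# (1720) expect the server to speak first or need a real protocol message,
# so send nothing; an HTTP server should answer a HEAD request.
PROBES = {
    21: b"",
    80: b"HEAD / HTTP/1.0\r\n\r\n",
    1720: b"",
}


def probe_port(host, port, timeout=3.0, payload=None):
    """Return (state, data) where state is one of:
       'closed'       - connection refused (RST): nothing listening or rejected
       'filtered'     - no answer at all within the timeout (dropped)
       'open-silent'  - handshake completed, then silence or an immediate close
       'open-banner'  - handshake completed and the peer sent data
    """
    if payload is None:
        payload = PROBES.get(port, b"")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("closed", b"")
    except OSError:  # includes the connect timeout
        return ("filtered", b"")
    with sock:
        sock.settimeout(timeout)
        try:
            if payload:
                sock.sendall(payload)
            data = sock.recv(1024)
        except (socket.timeout, ConnectionResetError, BrokenPipeError):
            return ("open-silent", b"")
        if not data:
            return ("open-silent", b"")  # accepted, then closed without a word
        return ("open-banner", data)


def scan(host, ports, timeout=3.0):
    """Probe each port and return {port: (state, first_bytes)}."""
    return {p: probe_port(host, p, timeout) for p in ports}


# --- constructed loopback listeners so the example runs offline ------------

def _serve_once(srv, banner):
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(5.0)
        if banner:
            conn.sendall(banner)
        try:
            conn.recv(1024)  # linger until the client gives up or closes
        except OSError:
            pass
    srv.close()


def start_listener(banner=b""):
    """Bind a loopback socket on a free port and serve one connection.
    With an empty banner it mimics a port that accepts and then stays quiet."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_once, args=(srv, banner), daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Pick a loopback port nothing is listening on, so connect() is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    targets = {
        "ftp-like (greets first)": start_listener(b"220 ftp ready\r\n"),
        "silent (accepts, never speaks)": start_listener(b""),
        "nothing listening": free_port(),
    }
    for label, port in targets.items():
        state, data = probe_port("127.0.0.1", port, timeout=1.0)
        print(f"{label:32s} port {port:5d} -> {state} {data[:20]!r}")
```

Run it from outside the WAN, as the scan above was, with `scan("<your public IP>", [21, 80, 1720])`. An `open-silent` result confirms only that the handshake completes; something is still accepting the connection, and the firewall's own logs (as reported later in the thread) are the other half of the check. The script does not say what that listener is.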

  • Hi Jesse

    Was this resolved? I have the exact same issue, with ports 21, 25, 80, 110, 143, 465, 993 and 995 open. I have no WAN to LAN rule to open these. I have tried creating one and implicitly denying them, but still no joy. Under device access I only have user portal ticked for WAN. Even though these show as open with nmap, I can see it denies the connection within the logs. I also wonder why these show as open, though, as it will give someone a reason to put the network under strain if he sees these open.

    Regards
    MJ

  • Hey MJ -

    No, it was never fully resolved.  I did unload one of the helper modules like I had posted in a previous reply to this thread, and that closed that port, but the other two I have never been able to get closed.  That said, the ports don't appear to be listening or doing anything; they are just open.  Lights on, but nobody's home.

    There is a new version of code available, and I've not upgraded yet to see how that impacts anything.

    I do agree, I wish these ports were not even open.  All it does is give an attack surface for some hacker somewhere to bang on.

    You have far more ports open than I did/do.  Strange.

    Let me know if you figure anything else out.

    Thanks,

    Jesse

  • Hi


    I have this problem too...

    My Open Ports are:

    21 - FTP

    5060 - SIP