Question about open ports from WAN/LAN

After a good year using the Omnia I am quite happy with it!
So thanks for making this awesome piece of open hardware possible!
Got some questions about a portscan anyway:
I did an nmap from WAN and found port 9 open? What is this for?
An nmap from LAN discovered of course some 53/80/443 ports
but as well these ones:

2525/tcp open ms-v-worlds
9080/tcp open glrpc

What are they for?
Thanks for clarification.

Port 2525 is for HaaS (SSH Honeypot).

So why should HaaS open a honeypot on LAN and not on WAN?

About port 9: I remembered that like 10 years ago I wanted to configure WOW (Wake up On WAN), which used port 9.

What purpose it is being used for on the Turris Omnia…no idea.

Maybe because of WOL?

EDIT:

Maybe even when Turris itself doesn’t react to WOL packets it needs to be open to broadcast/forward them?

WOL (Wake up On LAN) is local, no need to have this port being forwarded locally. WOW (Wake up On WAN) (internet) I would say only if one wants to turn on their devices at home/office from somewhere else through the internet. However, if one wants that, they could configure it by themselves, no need for it to be configured by default, as the majority, I guess, don’t use such a functionality over the internet.

Maybe even when Turris itself doesn’t react to WOL packets it needs to be open to broadcast/forward them?

It COULD BE that the Turris team has built this configuration in to turn on the device to push updates to it. As the Omnia itself is just a Linux machine and, if I am not mistaken, it can be turned off using the “shutdown now” command.

OP should clarify, but he is mentioning the LAN side.

No, he said

I did an nmap from WAN and found port 9 open?

So this is on the Internet side.

Oops, I did it again. :man_facepalming:

But the reasons are maybe the same: if it was closed and you were away there would be no way to power it on, so I take it as some kind of backup. Question is how secure it is.

Well, there are 2 ways of the Omnia being turned off. Either take out the plug…no port forwarding will help the Omnia to be turned on :joy:

or

what I mentioned before: using the “shutdown now” command in SSH/terminal will turn off the Omnia, but because it is connected to the internet and to a power supply it could be turned on.

Question is how secure it is.

Well, so far as I know it can ONLY be used, or I ASSUME is being used, for WOW (Wake up On WAN) and for no other reason to infiltrate the system like SSH (port 22).

BUT, if somebody knows that port 9 is open (WOW), that could give the indication that the owner is maybe using remote desktop or SSH or an FTP server, HTTP server…or whatever. So the evil-doer could take an interest in doing further research to infiltrate your system. If no other ports are open, they will give up OR…fall into the honeypot, as they might think SSH is open, if the honeypot is enabled that is.

Just to clarify: if I want a port open on the WAN side, for whatever reason, I would love to do it by myself. Especially on open source products.
There is no rule in my rule-set that opened that port on my Omnia and that’s why I got curious!
The HaaS is listening on port 22 and there are so many attacks already on that port that I can’t see a reason to put another one as bait, especially on the WAN side.
And how do the other ones (2525 and 9080) make sense on the LAN side?

Well, sometimes if we look at Internet Service Providers (ISPs) for example, they have a functionality to allow employees of the ISP company to access your router to be able to troubleshoot when you have called them about a problem. Logically it means that a certain port MUST be open for employees of the ISP to connect to your router, even though if you look at the list of ports that have been forwarded none is visible. But I guess if one would connect through telnet this could be visible. The web interface of the router of the ISP is made to show you exactly that which is of benefit for the ISP (in the sense of limits), although some ports are open but you cannot see them in the list of open ports unless through a portscan.

There is no rule in my rule-set that opened that port on my Omnia and that’s why I got curious!

So this could be similar as to why you also could not see any rule-set for that port. But I could be wrong.

The HaaS is listening on port 22 and there are so many attacks already on that port that I can’t see a reason to put another one as bait, especially on the WAN side.

If you have not enabled SSH through WAN, I would advise you to just disable HaaS, as it functions as bait to take away attention from the REAL SSH port. If you have SSH open (through another port of course), HaaS should be kept on port 22, as hackers but also admins often use port 22 by default for SSH. Just like how the majority of webservers use port 80 for HTTP and port 443 for HTTPS.

In the past a classmate of mine mentioned he made a script that was switching his SSH port constantly. I asked him to pass me the script, but sadly we found no time to go ahead with it.

How do the other ones (2525 and 9080) make sense on the LAN side?

On the LAN side all I can think of is, sometimes certain ports even on LAN are blocked.

On the other side I do somehow agree with you, as these days being somewhat paranoid is a healthy thing, with whole governments being able to look through our stuff without our knowledge.

But I bought a Turris Omnia because I wanted to get away from ISP restrictions and such security flaws that come with them! Especially unknown open ports on the WAN side…

SSH is only accessible with pubkey authentication from LAN, and my Turris Omnia sits behind a DMZ and I just route port 22 and VPN to it through…

I don’t understand your comment about ports 2525 and 9080. They are not blocked…they are open from the LAN side… skippy clarified already that port 2525 is for HaaS. (What service is emulated on this port anyway, and should I route it to WAN?)
What sense does it make to have a honeypot port open on the LAN side and closed on the WAN side?

If the Turris guys are opening ports after I activated the data collection and honeypotting for them/me, a brief description of what exactly runs on which port would be the least to expect.

But I bought a Turris Omnia because I wanted to get away from ISP restrictions and such security flaws that come with them! Especially unknown open ports on the WAN side…

I was using the ISP as an example that MAYBE CZ.NIC is using the same sort of method to push updates to the Omnia. I am not sure, CZ.NIC has to clarify this.

Why not use a different port for VPN? Try to use as much as possible ports that are uncommon for certain applications that are often used. For example, for FTP port 21 is used, but instead use another port that is not well known.

This I am also not sure about. Just wait and see for more clarification from CZ.NIC.

Expected? It rather would be “nice” to have, or forgotten to put in. Anyway, I do agree with all the points you have made and wonder what the real reason is for some of these things. Just wait and see until somebody from the Turris team responds.

I just thought about UPnP. Maybe that is causing some opening of ports. Although even that would be listed, which it isn’t.


Good point though, but it’s turned off…so, we wait for further responses :smiley:

HaaS (SSH Honeypot) forwards incoming connections on WAN port 22 to LAN port 2525.
This forwarding is based on iptables, so it is visible in LuCI not in Network -> Firewall, but in Status -> Firewall (http://<turris_LAN_IP>/cgi-bin/luci/admin/status/iptables) - search for “haas” in “zone_wan_prerouting”.
That is the reason why HaaS is listening on the LAN port only.
And on LAN port 2525 a python proxy is running, which forwards requests to NIC.CZ (haas.nic.cz).

You can find some details in /etc/init.d/haas_proxy.

It seems that LAN port 9080 is used by Foris:
root@turris:~# netstat -nltep|grep 9080
tcp 0 0 0.0.0.0:9080 0.0.0.0:* LISTEN 4257/python

root@turris:~# ps -w|grep 4257
4257 root 11244 S python /usr/bin/foris-ws -a ubus --host 0.0.0.0 --port 9080 ubus --path /var/run/ubus.sock

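The explanation above is the whole point of the thread: a listener that only binds the LAN address can still be reachable from the WAN through a DNAT rule in `zone_wan_prerouting`, so a port scan from either side alone gives an incomplete picture. The script below is an added example (not code from this thread or from the Turris project) that correlates `netstat -nltep` listeners with `iptables -t nat -S` DNAT rules to answer, for every local listener, whether a WAN port lands on it. The chain name `zone_wan_prerouting` is taken from the post above; the `"haas"` rule comment, the `192.168.1.x` addresses, the PIDs and the daemons other than `python` on 9080/2525 are constructed sample data, not captured from a real router.

```python
"""Correlate local TCP listeners with iptables DNAT rules (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -nltep` output, modelled on the thread's
# 9080/foris-ws line; the remaining rows are invented for illustration.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:9080            0.0.0.0:*               LISTEN      0          12345      4257/python
tcp        0      0 192.168.1.1:2525        0.0.0.0:*               LISTEN      0          12346      4300/python
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          12347      2001/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          12348      2100/lighttpd
"""

# Constructed sample of `iptables -t nat -S` output. zone_wan_prerouting is the
# chain named in the thread; the "haas" comment and addresses are hypothetical.
NAT_SAMPLE = """\
-P PREROUTING ACCEPT
-A PREROUTING -j zone_wan_prerouting
-A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "haas" -j DNAT --to-destination 192.168.1.1:2525
-A zone_wan_prerouting -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.50:443
-A zone_lan_prerouting -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.1:80
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]
    program: str


@dataclass(frozen=True)
class DnatRule:
    chain: str
    wan_port: int
    to_addr: str
    to_port: int


DNAT_RE = re.compile(r"^-A (\S+) .*--dport (\d+) .*-j DNAT --to-destination ([0-9.]+):(\d+)")


def parse_netstat(text: str) -> List[Listener]:
    """Parse the LISTEN rows of `netstat -nltep`; banner/header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp") or "LISTEN" not in parts:
            continue
        addr, _, port = parts[3].rpartition(":")          # "0.0.0.0:9080" -> addr, port
        pid_str, _, program = parts[-1].partition("/")    # "4257/python" or "-"
        pid = int(pid_str) if pid_str.isdigit() else None
        listeners.append(Listener(parts[0], addr, int(port), pid, program or "?"))
    return listeners


def parse_dnat(text: str) -> List[DnatRule]:
    """Extract DNAT rules from `iptables -t nat -S` (rules without --dport are ignored)."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            chain, dport, to_addr, to_port = m.groups()
            rules.append(DnatRule(chain, int(dport), to_addr, int(to_port)))
    return rules


def _reaches(listener: Listener, rule: DnatRule) -> bool:
    # A DNAT target hits a listener bound to the exact address or to a wildcard.
    return listener.port == rule.to_port and listener.addr in ("0.0.0.0", "::", rule.to_addr)


def wan_exposure(listeners, rules, wan_chains=("zone_wan_prerouting",)) -> List[Tuple[int, Listener]]:
    """Return (wan_port, listener) pairs for listeners reachable via a WAN-side DNAT rule."""
    return [(r.wan_port, l) for r in rules if r.chain in wan_chains
            for l in listeners if _reaches(l, r)]


def audit(netstat_text: str, nat_text: str, wan_chains=("zone_wan_prerouting",)) -> Dict:
    """Per local port: bind address, program and the WAN port that reaches it (None = LAN only).
    Also lists WAN forwards that land on no local listener (e.g. another LAN host)."""
    listeners, rules = parse_netstat(netstat_text), parse_dnat(nat_text)
    exposed = {l.port: wan for wan, l in wan_exposure(listeners, rules, wan_chains)}
    report = {l.port: {"addr": l.addr, "program": l.program, "wan_port": exposed.get(l.port)}
              for l in listeners}  # keyed by port: one listener per port assumed
    elsewhere = [(r.wan_port, r.to_addr, r.to_port) for r in rules
                 if r.chain in wan_chains and not any(_reaches(l, r) for l in listeners)]
    return {"listeners": report, "forwards_elsewhere": elsewhere}


if __name__ == "__main__":
    result = audit(NETSTAT_SAMPLE, NAT_SAMPLE)
    for port, info in sorted(result["listeners"].items()):
        reach = f"reachable from WAN port {info['wan_port']}" if info["wan_port"] else "LAN only (no WAN DNAT)"
        print(f"{port:>5} {info['program']:<10} {info['addr']:<15} {reach}")
    for wan_port, addr, port in result["forwards_elsewhere"]:
        print(f"WAN port {wan_port} is forwarded to {addr}:{port} (not a listener on this host)")
```

On a real router the two sample strings would be replaced by the output of `netstat -nltep` and `iptables -t nat -S` (for example via `subprocess.run`), and the result shows that 2525 is WAN-reachable through port 22 while 9080 and 80 are not, even though 80 also has a DNAT rule in the LAN chain. Checking the nat table is what a port scan from one side cannot do.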