[TriLUG] open ports on Uverse 2wire gateway -- revisited

Alan Porter porter at trilug.org
Mon Feb 3 23:44:15 EST 2014


Hi JC,

> 49152 and 61001 are the problem ports. I realize that this may be
> ports used by Uverse, but Security Metrics say that a vulnerability
> exists on 61001.

OK, your internet modem has two open ports, and you suspect that
these are ports used by your provider to get into their modem for
support.  But you don't like that because Security Metrics reports
that as a potential security vulnerability?

I would not put much stock in Security Metrics's assessment.

For example, let's say I am writing a new server program for a company
that makes, say, internet-enabled ovens.  I need a port to listen to.  It
does not really matter which port I choose, but it would be wise to avoid
well-known ports like 80 or 443.  So instead, I choose 12345.  I can
remember that.  It's the same as the combination on my luggage.
Honestly, it does not matter which port I choose.  My server will answer
requests made to that port, and it will (if I am any good) do some sort
of handshaking and authentication before just talking to anybody.

So Security Metrics keeps a list of known bad programs.  One time in 1994
some kid wrote a virus/bot that listened for instructions on port 12345.
So Security Metrics will point that out as a potential vulnerability.  I
know it's not... I wrote that oven program that listens on port 12345.

That does not mean that port 12345 is bad.  It means that *IF* you have
an unknown process listening on that port, and you want a list of all known
programs in the past that have used that port, SM will tell you about that
one bad program in 1994 to try to help you identify what it might be.  They
don't know anything about internet ovens.

In your case, you pretty much know that 49152 and 61001 are AT&T ports.
So you can ignore anything that Security Metrics has to say about them.

Does that make sense?

If you were to insist on these ports being changed, then you're really
asking AT&T to change their entire support infrastructure because of that
hacker kid from the '90s.  You're asking the internet to permanently
retire that port number in honor of that hacker kid.

Now I am not so sure that AT&T *needs* to listen on two ports.  But if
they do, and they guarantee that it's their maintenance system and it
is secure, then I would not question it any further.  It is likely that
their maintenance program only accepts connections from known subnets
or from holders of a known certificate.


> I suspect that security metrics would pass the account if the two open
> ports were patched to cover the vulnerabilities that Security Metrics
> see.

There is no such thing as "patching the ports".  There is a program
listening on those ports.  Either it is a real AT&T program that speaks
AT&T language, or it is a virus/bot from that kid in 1994 (or whatever).
The fact that these two programs listen on the same port number is just
a coincidence.  If AT&T chose port 12345, that would not make your
router an oven, would it?

You don't patch a port.


I hope this helps you set your expectations better.


Personally, I would do what others on this thread have suggested and
treat the cable coming from the Uverse box as a "hostile network", insert
a firewall in between it and my home network, and concentrate on the
in-home network that I control.  If you needed a suggestion for a firewall,
I would recommend a cheapie WRT54G running Tomato, ddwrt or openwrt.


Alan
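Added example, not from Alan's post and not AT&T's gateway software: a listener on an arbitrary high port that, as the post speculates of the vendor's maintenance service, talks only to peers from known subnets and drops everyone else without a banner. The port, the subnets and the banner are constructed placeholders, and the loopback probe exists only so the behaviour can be exercised offline.

```python
"""Constructed demo: the port number is not the security control; the
listener's own peer check (here, a subnet allowlist) is."""
import ipaddress
import socket
import socketserver
import threading

MAINTENANCE_PORT = 49152                    # arbitrary high port, placeholder
ALLOWED_SUBNETS = ["192.0.2.0/24", "2001:db8::/32"]   # constructed "known subnets"


def peer_is_allowed(peer_ip, allowed=ALLOWED_SUBNETS):
    """True only if peer_ip falls inside one of the allowed CIDR blocks."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:                      # garbage address: never allowed
        return False
    # A v4 client hitting a dual-stack socket shows up as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowed)


class MaintenanceHandler(socketserver.StreamRequestHandler):
    def handle(self):
        if not peer_is_allowed(self.client_address[0], self.server.allowed):
            return                          # silent drop: strangers get no banner
        self.wfile.write(b"MAINT-HELLO\n")  # a real service would authenticate next


class MaintenanceServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, bind, allowed):
        super().__init__(bind, MaintenanceHandler)
        self.allowed = allowed


def probe(allowed, timeout=2.0):
    """Run the listener on a loopback port and return what one client reads."""
    server = MaintenanceServer(("127.0.0.1", 0), allowed)   # port 0: OS picks one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address, timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(64)               # b"" means the server closed on us
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(probe(["127.0.0.0/8"]), probe(ALLOWED_SUBNETS))
```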
