13 thoughts on - OT: Closing A Port On Home Router

• inbound ports that aren’t forwarded are closed by default on most any/all NAT routers, unless the router itself is listening to said port.

• Isn’t there any sort of portforwarding thing? Such as forward port 2222 (I
  wouldn’t use that one, it’s too common, but as an example) to 192.168.1.5, and then have 192.168.1.5 listen on port 2222? Then have a firewall rule to allow access on that port and edit /etc/ssh/sshd_config to listen on
  2222 instead of 22.

  Looking at http://nextgendigitalhome.com/1829/home-network/scalable-gateway/the-asus-rt-n16-router-firmware-part-4-advanced-wan-settings/
  it seems as if it would allow this and it’s described in the section WAN
  Virtual Server/Port Fowarding.

• I’d suggest that you test it, but that does seem reasonable.

  Note that there is nothing special about port 9. There is a “discard”
  service that you can run on that port to consume data and discard it, but it’s normally not running. In the normal state, with no service listening on port 9, it’s just the same as any other port that isn’t listening.

• yes, there is port forwarding, of course. I’m forwarding a different port to 22 on my desktop, and want to close 22 on the router so it won’t also allow access to 22 on my desktop.

  I know,… “security through obscurity is no security at all”. But I
  figure it doesn’t hurt to try.

  It is as I said above, I don’t want to have to write firewall rules for it because then I need to go to the trouble to make sure my custom rule(s) get reloaded at every reboot.

  Ah, i’ve never seen that resource, thanks! I’ll go peruse it and see what I find.

  thanks!

• If you have not set up forwarding for port 22 on the router, it is already closed. You do not need to do anything.

  If you want to verify this, just try to connect to port 22 from outside your network and see what happens.

• Actually, connecting to port 22 works fine, or did until my last hacking session on the router. Which is why I wanted to make it inaccessible.

  My current “solution” is to forward 22 on the WAN side of the router to
  9 on the LAN side of the router. since 9 on the LAN side has no services attached, the incoming connection fails. which is what I wanted.

• if you’re forwarding WAN port 2222, I do not understand what your router is doing with port 22, unless the router itself is also running a sshd

• well, not 2222, but another port I won’t identify here, and it is forwarded to 22 on my linux box. The idea was to put SSH on an unusual port. but I couldn’t figure out how to close port 22, which was open by default on the router, apparently. I still don’t see any way in its UI to do it, and didn’t especially want to have to write a custom firewall rule. So I just forwarded WAN/22 to port 9 on the LAN side of the router.

• Could an ‘idea’ also be to close permanently port 22 and configure SSH
  to use a completely different port ?

  Inviting hackers by having a functioning, in one way or another, port 22
  is asking for trouble.

• Paul, thanks for the comment. what you suggest is what my original post was asking about.

  Now, the externally visible port is not 22. my original post was asking for advice on tweaking the router to close 22, since I could find no method for that in the router’s UI. not wanting to have to write iptables rules for the router, I found another method that effectively shuts off port 22. 22 IS NOT OPEN to the world any more.

• Hi Fred,

  That is great. When I started on Linux that was one of the very first things I did. Every machine, including servers, has port 22 replaced by a unique alternative port. Port 22 is also blocked in IPtables.

  There is an army of dangerous nutters attempting to break-in to everything. They often mask their attacks using compromised Windoze computers all around the world.

• man sshd_config; this option is perhaps your solution “ListenAddress.”
  So explicitly mention your LAN port(s).

  
  ListenAddress
  Specifies the local addresses sshd(8) should listen on. The following forms may be used:

  ListenAddress host|IPv4_addr|IPv6_addr
  ListenAddress host|IPv4_addr:port
  ListenAddress [host|IPv6_addr]:port

  If port is not specified, sshd will listen on the address and all prior Port options specified. The
  default is to listen on all local addresses. Multiple ListenAddress options are permitted. Addition-
  ally, any Port options must precede this option for non-port qualified addresses.
  

  HTH
  — Arun Khan

• Changing the port that sshd listens on solves nothing from a security perspective. The only people that this action deflects are the script-kiddies. Who are admittedly numerous and who can be dangerous but usually are just low-talent opportunists.

  Moving the port by itself still opens a functioning connection to the internet on a service that is inherently susceptible to brute force and rainbow attacks. The ‘dangerous’ people on the Internet will find this port in a heartbeat and they are far more worrisome than the script-kiddies. Since you absolutely must build a defence against these opponents anyway then you might as well leave the service on the default port to avoid screwing up legitimate users expectations.

  I grant that dealing with an excessive logfile volume can be a consideration. However, this issue is often best dealt with through scripting your own analysis and reporting programs or employing someone else’s. And is often solved with an aggressive set of firewall rules. In fact, the volume of entries should be a good indication of how well your defence is serving you. As you tighten the access rules and dynamically block persistent abusers then the volumes should drop and stay fairly low.

  Moving the port by itself is like rearranging the deck chairs on a sinking ship. It does not address the fundamental issue. Plus assignment to a non-standard port adds to maintenance and support load since it must be separately accounted for each time it is referenced.