    Ubiquiti Edgerouter Leaves Open Ports

    IT Discussion
    • alexntg
      alexntg last edited by alexntg

      I originally posted over here: http://community.spiceworks.com/topic/518864-ubiquiti-edgerouter-external-management however it's been nothing but crickets.

      Pasted: Due to its low cost and glowing praises in the community, I put in a Ubiquiti Edgerouter at a small client site. It seems that the management interface (web and SSH) was available externally. The only external inbound rules are to allow stateful and drop all.

      While I was able to force the management interface to listen on the internal interface only via the "set service gui listen address" command, a port scan reveals that the ports are still open. How do I close all external ports?

      Update: Rebooting the device after the config closed up some of the ports. Remaining open on the external interface are:

      21
      554
      22
      7070
      843

      How do I get these ports closed?

      • JaredBusch
        JaredBusch last edited by JaredBusch

        Do you have a firewall rule for the WAN_IN and WAN_LOCAL? Post on the Ubiquiti forums. There will be the best responses. http://community.ubnt.com

        Also, how are you doing your security test, by the way?

        • alexntg
          alexntg @JaredBusch last edited by

          @JaredBusch said:

          Do you have a firewall rule for the WAN_IN and WAN_LOCAL? Post on the Ubiquiti forums. There will be the best responses. http://community.ubnt.com

          Also, how are you doing your security test, by the way?

          In this device's case, it's Internet_In:

          name Internet_In {
              default-action drop
              description "Inbound traffic to firewall from outside"
              enable-default-log
              rule 1 {
                  action accept
                  description "Stateful traffic"
                  log disable
                  protocol all
                  state {
                      established enable
                      invalid disable
                      new disable
                      related enable
                  }
              }
              rule 2 {
                  action drop
                  log disable
                  protocol all
                  state {
                      established disable
                      invalid enable
                      new disable
                      related disable
                  }
              }
          }

          I don't see anything local. A third-party PCI assessment picked it up first, and I'm not privy to their methods. I'm using Nmap.

          • JaredBusch
            JaredBusch @alexntg last edited by JaredBusch

            @alexntg
            The WAN_LOCAL handles traffic from the internet to the router itself.

            name WAN_LOCAL {
                default-action drop
                description "WAN to Router"
                rule 1 {
                    action accept
                    state {
                        established enable
                        related enable
                    }
                }
                rule 2 {
                    action drop
                    log enable
                    state {
                        invalid enable
                    }
                }
                rule 5 {
                    action accept
                    description "ICMP 50/m"
                    limit {
                        burst 1
                        rate 50/minute
                    }
                    log enable
                    protocol icmp
                }
                rule 6 {
                    action accept
                    description "Accept VPN"
                    ipsec {
                        match-ipsec
                    }
                    log disable
                    protocol all
                    source {
                        address 10.202.253.0/24
                    }
                    state {
                        established enable
                        invalid disable
                        new enable
                        related enable
                    }
                }
                rule 7 {
                    action accept
                    description "Allow OpenVPN"
                    destination {
                        address 12.XXX.239.42/32
                        port 1193-1194
                    }
                    log disable
                    protocol udp
                    state {
                        established enable
                        invalid disable
                        new enable
                        related enable
                    }
                }
            }
            
            • JaredBusch
              JaredBusch last edited by JaredBusch

              @alexntg
              And it is applied on the interface like so:

              ethernet eth2 {
                  address 12.XXX.239.42/29
                  address 12.XXX.239.43/29
                  address 12.XXX.239.44/29
                  description WAN
                  duplex auto
                  firewall {
                      in {
                          name WAN_IN
                      }
                      local {
                          name WAN_LOCAL
                      }
                  }
                  speed auto
                  traffic-policy {
                      out VoIP
                  }
              }
              
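The fix in this thread is a WAN_LOCAL ruleset with default-action drop attached to the WAN interface's local hook. The following Python model is added here and is not code from the thread or from Ubiquiti: it evaluates packets against a ruleset modelled on the WAN_LOCAL posted above in the order EdgeOS uses (lowest rule number first, a state block matching only the states it enables, default-action when nothing matches) and lists which of the original poster's open ports would still accept a new TCP connection from the Internet. The IP addresses are documentation addresses, the ICMP rate limit is not modelled, and the rule-6 IPsec match is left out.

```python
import ipaddress

# Constructed stand-in for the WAN_LOCAL ruleset posted above, as Python data.
# Rules are tried lowest number first; a rule with a "state" set matches only
# those connection states. 203.0.113.42 is a documentation address, not the thread's.
WAN_LOCAL = {
    "default-action": "drop",
    "rules": {
        1: {"action": "accept", "state": {"established", "related"}},
        2: {"action": "drop", "state": {"invalid"}},
        5: {"action": "accept", "protocol": "icmp"},  # ICMP rate limit not modelled
        7: {"action": "accept", "protocol": "udp",
            "destination": {"address": "203.0.113.42/32", "port": "1193-1194"},
            "state": {"new", "established", "related"}},
    },
}

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def port_in_range(port, spec):
    lo, _, hi = spec.partition("-")          # "22" or "1193-1194"
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    """True when every criterion the rule specifies matches the packet."""
    if rule.get("protocol", "all") not in ("all", pkt["proto"]):
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    for side, key in (("source", "src"), ("destination", "dst")):
        crit = rule.get(side, {})
        if "address" in crit and not in_net(pkt[key], crit["address"]):
            return False
        if "port" in crit and not port_in_range(pkt.get(key + "port", -1), crit["port"]):
            return False
    return True

def evaluate(ruleset, pkt):
    """Action taken on pkt: first matching rule wins, otherwise default-action."""
    for num in sorted(ruleset["rules"]):
        if rule_matches(ruleset["rules"][num], pkt):
            return ruleset["rules"][num]["action"]
    return ruleset["default-action"]

def exposed_tcp_ports(ruleset, ports, wan_ip="203.0.113.42", src="198.51.100.7"):
    """Ports that would accept a NEW TCP connection from an arbitrary Internet host."""
    return [p for p in ports if evaluate(ruleset, {
        "proto": "tcp", "state": "new", "src": src, "dst": wan_ip, "dstport": p,
    }) == "accept"]
```

Running `exposed_tcp_ports` against a ruleset whose default-action is accept (equivalent to having no local ruleset on the WAN interface) reports every one of the ports the original poster saw open; against the modelled WAN_LOCAL it reports none.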
              • alexntg
                alexntg last edited by

                I'll give it a go this weekend when I have hands-on with the device, just in case something should go wrong.

                • StrongBad
                  StrongBad last edited by

                  Definitely looking to see a follow up on this one.

                  • alexntg
                    alexntg @StrongBad last edited by

                    @StrongBad said:

                    Definitely looking to see a follow up on this one.

                    It's not the weekend yet.

                    • JaredBusch
                      JaredBusch @alexntg last edited by

                      @alexntg said:

                      @StrongBad said:

                      Definitely looking to see a follow up on this one.

                      It's not the weekend yet.

                      Did you ever apply the correct firewall rules to the unit?

                      • alexntg
                        alexntg last edited by

                        It got backburnered, but I just worked on it this morning. It worked like a charm!

                        • JaredBusch
                          JaredBusch @alexntg last edited by

                          @alexntg said:

                          It got backburnered, but I just worked on it this morning. It worked like a charm!

                          Good to hear. This line of equipment is just really really hard to beat for the price and feature set. It still has a way to go to be really user friendly, but it is a solid piece of gear in my opinion.

                          • scottalanmiller
                            scottalanmiller last edited by

                            We are about to put one in at home.

                            • alexntg
                              alexntg last edited by

                              For home use, check out the Sophos UTM Home Edition. It's a full-featured UTM for home.

                              • alexntg
                                alexntg @JaredBusch last edited by

                                @JaredBusch said:

                                @alexntg said:

                                It got backburnered, but I just worked on it this morning. It worked like a charm!

                                Good to hear. This line of equipment is just really really hard to beat for the price and feature set. It still has a way to go to be really user friendly, but it is a solid piece of gear in my opinion.

                                I picked it up for a small 15-person company that has minimal requirements other than PCI (they process card payments online). While they're tiny, there was a gap between the home-edition devices and business-class devices in regard to filtering outbound traffic. Ubiquiti seems to fill that niche.

                                • scottalanmiller
                                  scottalanmiller @alexntg last edited by

                                  @alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.

                                  • alexntg
                                    alexntg @scottalanmiller last edited by

                                    @scottalanmiller said:

                                    @alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.

                                    The pricing for the home edition is publicly posted:
                                    http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

                                    As far as "business" pricing, most of the major equipment vendors operate that way (Cisco, Palo Alto, Sonicwall). They're all either "Contact Sales" or "Find a Reseller". It's a traditional channel business model. Would I like to see a flat price? Certainly, but it doesn't happen.

                                    • alexntg
                                      alexntg @scottalanmiller last edited by alexntg

                                      @scottalanmiller said:

                                      @alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.

                                      There's no comparison in feature set. Aside from niche uses, the Ubiquiti is missing most of the features of a modern business-grade network security appliance. You're getting more than 600% of the features.

                                      • JaredBusch
                                        JaredBusch @alexntg last edited by

                                        @alexntg said:

                                        There's no comparison in feature set. Aside from niche uses, the Ubiquiti is missing most of the features of a modern business-grade network security appliance. You're getting more than 600% of the features.

                                        The EdgeMax Router line is not a Network Security Appliance. It is a router. Do not mix up the device's purpose.

                                        • scottalanmiller
                                          scottalanmiller @alexntg last edited by

                                          @alexntg said:

                                          @scottalanmiller said:

                                          @alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.

                                          The pricing for the home edition is publicly posted:
                                          http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

                                          As far as "business" pricing, most of the major equipment vendors operate that way (Cisco, Palo Alto, Sonicwall). They're all either "Contact Sales" or "Find a Reseller". It's a traditional channel business model. Would I like to see a flat price? Certainly, but it doesn't happen.

                                          It's free for software, but not the appliance. VyOS is free too.
