Ubiquiti Edgerouter Leaves Open Ports
-
I originally posted over here: http://community.spiceworks.com/topic/518864-ubiquiti-edgerouter-external-management however it's been nothing but crickets.
Pasted: Due to its low cost and glowing praises in the community, I put in a Ubiquiti Edgerouter at a small client site. It seems that the management interface (web and SSH) was available externally. The only external inbound rules are to allow stateful and drop all.
While I was able to force the management interface to listen on the internal interface only via the "set service gui listen address" command, a port scan reveals that the ports are still open. How do I close all external ports?
Update: Rebooting the device after the config closed up some of the ports. Remaining open on the external interface are:
21
554
22
7070
843
How do I get these ports closed?
-
Do you have a firewall rule for the WAN_IN and WAN_LOCAL? Post on the Ubiquiti forums. There will be the best responses. http://community.ubnt.com
Also how are you doing your security test by the way?
-
@JaredBusch said:
Do you have a firewall rule for the WAN_IN and WAN_LOCAL? Post on the Ubiquiti forums. There will be the best responses. http://community.ubnt.com
Also how are you doing your security test by the way?
In this device's case, it's Internet_In:
name Internet_In {
    default-action drop
    description "Inbound traffic to firewall from outside"
    enable-default-log
    rule 1 {
        action accept
        description "Stateful traffic"
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
    rule 2 {
        action drop
        log disable
        protocol all
        state {
            established disable
            invalid enable
            new disable
            related disable
        }
    }
}
I don't see anything local. A third-party PCI assessment picked it up first, and I'm not privy to their methods. I'm using Nmap.
-
@alexntg
The WAN_LOCAL handles traffic from the internet to the router itself.
name WAN_LOCAL {
    default-action drop
    description "WAN to Router"
    rule 1 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        log enable
        state {
            invalid enable
        }
    }
    rule 5 {
        action accept
        description "ICMP 50/m"
        limit {
            burst 1
            rate 50/minute
        }
        log enable
        protocol icmp
    }
    rule 6 {
        action accept
        description "Accept VPN"
        ipsec {
            match-ipsec
        }
        log disable
        protocol all
        source {
            address 10.202.253.0/24
        }
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
    rule 7 {
        action accept
        description "Allow OpenVPN"
        destination {
            address 12.XXX.239.42/32
            port 1193-1194
        }
        log disable
        protocol udp
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }
}
-
@alexntg
And it is applied on the interface like so:
ethernet eth2 {
    address 12.XXX.239.42/29
    address 12.XXX.239.43/29
    address 12.XXX.239.44/29
    description WAN
    duplex auto
    firewall {
        in {
            name WAN_IN
        }
        local {
            name WAN_LOCAL
        }
    }
    speed auto
    traffic-policy {
        out VoIP
    }
}
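As an added example (not from the thread or from Ubiquiti), here is a small Python check that parses this brace-style EdgeOS config and reports a WAN-facing interface that has no ruleset bound to its local hook, which is the gap that left the router's own services (SSH, GUI) reachable from outside. It assumes WAN interfaces can be recognised by "WAN" in their description, and the two configs inside it are constructed to mirror the thread.

```python
import shlex

def parse_edgeos(text):
    """Parse EdgeOS brace-style config into nested dicts (own parser, not a Ubiquiti tool)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            tokens = shlex.split(line.rstrip("{"))  # 'name WAN_LOCAL {' -> ['name', 'WAN_LOCAL']
            parent = stack[-1] if len(tokens) == 1 else stack[-1].setdefault(tokens[0], {})
            parent[tokens[-1]] = node = {}
            stack.append(node)
        elif line:
            key, *val = shlex.split(line)  # quoted descriptions stay one token
            stack[-1][key] = val[0] if val else True  # valueless keys like enable-default-log
    return root

def audit_wan(cfg):
    """Report WAN-facing interfaces (assumed: description contains 'WAN') with no ruleset on
    the 'in' or 'local' hook, or a ruleset that does not drop by default."""
    rulesets = cfg.get("firewall", {}).get("name", {})
    findings = []
    for ifname, iface in cfg.get("interfaces", {}).get("ethernet", {}).items():
        if "WAN" not in str(iface.get("description", "")).upper():
            continue
        for hook in ("in", "local"):  # 'in' = forwarded traffic, 'local' = traffic to the router
            name = iface.get("firewall", {}).get(hook, {}).get("name")
            if name is None:
                findings.append(f"{ifname}: nothing bound to firewall '{hook}' hook")
            elif rulesets.get(name, {}).get("default-action") != "drop":
                findings.append(f"{ifname}: {name} on '{hook}' does not default to drop")
    return findings

# Constructed config mirroring the thread: WAN_LOCAL exists, but only Internet_In is bound ('in' hook).
CFG_OPEN = "\n".join([
    "firewall {", "  name Internet_In {", "    default-action drop", "  }",
    "  name WAN_LOCAL {", "    default-action drop", "  }", "}",
    "interfaces {", "  ethernet eth2 {", "    description WAN", "    firewall {",
    "      in {", "        name Internet_In", "      }", "    }", "  }", "}"])
# Constructed fix: bind WAN_LOCAL to the interface's 'local' hook, which governs traffic to the router.
CFG_FIXED = CFG_OPEN.replace("      in {", "      local {\n        name WAN_LOCAL\n      }\n      in {")

if __name__ == "__main__":
    print(audit_wan(parse_edgeos(CFG_OPEN)))   # ["eth2: nothing bound to firewall 'local' hook"]
    print(audit_wan(parse_edgeos(CFG_FIXED)))  # []
```

Feed it the output of `show configuration` from the device to check a real unit; the parser handles quoted descriptions and valueless keys such as enable-default-log.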
-
I'll give it a go this weekend when I have hands-on with the device, just in case something should go wrong.
-
Definitely looking to see a follow up on this one.
-
@alexntg said:
@StrongBad said:
Definitely looking to see a follow up on this one.
It's not the weekend yet.
Did you ever apply the correct firewall rules to the unit?
-
It got backburnered, but I just worked on it this morning. It worked like a charm!
-
@alexntg said:
It got backburnered, but I just worked on it this morning. It worked like a charm!
Good to hear. This line of equipment is just really really hard to beat for the price and feature set. It still has a way to go to be really user friendly, but it is a solid piece of gear in my opinion.
-
We are about to put one in at home.
-
For home use, check out the Sophos UTM Home Edition. It's a full-featured UTM for home.
-
@JaredBusch said:
@alexntg said:
It got backburnered, but I just worked on it this morning. It worked like a charm!
Good to hear. This line of equipment is just really really hard to beat for the price and feature set. It still has a way to go to be really user friendly, but it is a solid piece of gear in my opinion.
I picked it up for a small 15-person company that has minimal requirements other than PCI (they process card payments online). While they're tiny, there was a gap between the home-edition devices and business-class devices in regard to filtering outbound traffic. Ubiquiti seems to fill that niche.
-
@alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.
-
@scottalanmiller said:
@alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.
The pricing for the home edition is publicly posted:
http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
As far as "business" pricing, most of the major equipment vendors operate that way (Cisco, Palo Alto, Sonicwall). They're all either "Contact Sales" or "Find a Reseller". It's a traditional channel business model. Would I like to see a flat price? Certainly, but it doesn't happen.
-
@scottalanmiller said:
@alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.
There's no comparison in feature set. Aside for niche uses, the Ubiquiti is missing most of the features of a modern business-grade network security appliance. You're getting more than 600% of the features.
-
@alexntg said:
There's no comparison in feature set. Aside for niche uses, the Ubiquiti is missing most of the features of a modern business-grade network security appliance. You're getting more than 600% of the features.
The EdgeMax Router line is not a Network Security Appliance. It is a router. Do not mix up the device's purpose.
-
@alexntg said:
@scottalanmiller said:
@alexntg I much prefer using stuff that is more applicable for business. Sophos pulls that "no prices" stuff. From what I can see it is about 600% the price of the Ubiquiti.
The pricing for the home edition is publicly posted:
http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
As far as "business" pricing, most of the major equipment vendors operate that way (Cisco, Palo Alto, Sonicwall). They're all either "Contact Sales" or "Find a Reseller". It's a traditional channel business model. Would I like to see a flat price? Certainly, but it doesn't happen.
It's free for software, but not the appliance. VyOS is free too.