Ive just done a common ports scan on ShieldsUP! at www.grc.com and its returned port 443 is wide open, how do I close this port to the internet?
May I assume that between your PureOS installation (a laptop?) and “the Internet” there is a router?
In that case, you scanned the ports of your router.
Likely, your router can serve webpages on this port. Either your own web page, or a configuration interface. You can easily test that by surfing to the public IP of your router.
Then, check whether your router allows you to disable the remote configuration, so that you can only configure it from within your local network.
Its a desktop PC, yes im behind a router and port 443 is closed on Win10 on the same PC. All the other ports are either in STEALTH mode ie does not respond or they respond as closed but port 443 is open. Can you help me close it?
Your query is a bit unusual, so let’s try to elaborate a bit what it is you’re after. 443 usually isn’t a problem as it’s used for secure web traffic (HTTPS). If you are behind a router (as most are, since modems usually route), the router probably has that open and answers knock on that door and can either forward it directly (default) or via port forwarding send it to any other port. I’m not sure, but inability to have that secure traffic reach your web browser via 443 isn’t automatically re-routed and you’d need to set up an alternative. Or face that you wouldn’t browse, since many sites use HTTPS (an alternative, if you have your desktop for other things only).
And just to be clear, a closed port needs to be clarified as well: the port is closed, when an app/service is not listening to it. Disabling a port on the other hand is usually done at firewall (with various filters of what kind of traffic and to which direction). If it’s not answering anything to packets, it’s directing things to /dev/null (“the void”, deny traffic as there is no reply, it’s the so called “stealth mode”- marketing speak for W users).
So, please provide more info and perhaps rephrase what your looking for. It may be relevant to understand why you’d want to cease secure HTTPS. For straight up firewall commands to set up dropping incoming to a port, search for ufw (or its graphical user interface gufw) and how to set up rules.
Some previous PureOs firewall threads:
Limiting Internet access in an app-by-app basis on PureOS?,
How to setup GUFW firewall?,
How do I get ufw firewall to enable by default?.
You log in on the router.
You look for either port forwarding or remote management.
(If your router has attached storage then it is also possible, as @Caliga suggests, that you are serving content web pages on that port. That would be bad since you apparently didn’t know you are doing it - until now.)
It is not usually a good idea to have remote management enabled at all, on any port, unless you need it and you know what you are doing. If both of those apply then move it to a random port in the appropriate range.
If it’s port forwarding somewhere then you need to understand where it is port forwarding to (i.e. to what device or computer on your local network) and why. You would delete or disable the port forwarding rule if it is not needed.
It has been a while since I used grc but the three cases here are that a TCP connect is
- accepted
- rejected
- ignored
The difference between the second and third case is the difference between a response that is a rejection and a no response of any kind (packet dropped by firewall).
I don’t remember how grc is using those terms.
1 Like
Are you certain there’s a router between the modem and the computer? Switching the OS on the computer should not change the results of an external scan.
One scenario where this might happen would be if you are running a webserver and upnp is enabled on the router and the desktop is sending upnp requests to open port 443 on the firewall. If the latter scenario is the case disabling upnp on the router should resolve the issue you’re describing.
For their context “stealthed” is “ignored/dropped”
1 Like
I take it means dropped, but that’s “stealth” in marketing speak. But either way, as far as I understood the intention, the need may be (for some reason not yet explained) to do this to the desktop pc. If this was about shutting down router remote connection (from internet side), the yes, that too is important to do, but it’s not the same as killing 443 on router. 443 is the default to use with HTTPS in normal internet browsing. And local connection to management is via https/https often to that from the local net side. Remote (depending on how that is defined, ssh or … telnet (probably not anymore though)) is usually 21 or 22.
Alternatively, what router is in use?
1 Like
Hi guys, thanks for the replies.
I have upnp disabled on the router, nothing is connected to the routers USB. No web management is running because that’s bad! I’m MCDST and still fix computers occasionally so I know my way around. Although I’m not a network expert I know the basics.
On my android the same scan returns a passed result but if I turn one of my vpns on it returns a failed because of such ports as 443 being left open.
If windows is returning a pass and all I do is restart into pureos and I get different results is 443 is open then that is the issue, pureos. Or am I wrong somehow?
Router is Draytek Vigor 2860n.
Plot thickens, doesn’t clear. I can’t say much to the Windows side and the vpns are an additional thing (depending how they are set up and how they behave, I wouldn’t count them out as affecting this either).
First, let’s see if we have the whole thing right here. Your setup is such that you have…
- a router that is directly connected to the net (ADSL, cable or similar) and no additional modem or such in front of that
- you only have one desktop computer connected to the router via ethernet cable
- you also have a wifi network on the router that you use with your phone (expecting that it’s the same network that the desktop is and not separated somehow)
Then the assumptions, the scan:
- What do you use as a scanner? (phone app, w program, linux command, website?)
- Where did it scan from? From outside the network or inside?
- Can you provide the data (copypaste or screengrab image or both)? Remember to check for personal details and edit those.
- Is this annoying 443 seen only on linux side but is it in normal use or only when vpn is active or both? Is there difference? You may need to sketch a matrix to paper to make sure you’ve checked every scenario combination to be sure.
This is because I’m still not definite where your seeing the open 443 and if this is normal behavior that should be as is. If the problem is with desktop, keeping that phone to see everything, from a separate perspective if you will, is good, as it doesn’t change while you test the other combinations.
There is a short cut also. If this is something only when in your desktop’s linux, and you think it’s the culprit, use gufw to drop (deny, make “stealth”) anything to 443 and see what happens. Install it if you don’t have it yet. If this is on the router, the same should be easy enough to do in the management tools. Should be easy enough to do and undo.
Here then: https://www.draytek.co.uk/support/guides/kb-forwarding-tcp443 ?
Rather than following the suggestion in that guide, I would recommend a) first preference option, disable SSL VPN if you don’t need it, or b) second option, move the SSL VPN to a higher-numbered (>1024) random port if you do need it.
“grc” https://www.grc.com
Outside.
Here’s what a scan looks like.
and illustrates why right after Purism finishes shipping the Librem 5, they should start developing a router. 
1 Like
Ok, this clears up several things. We are talking about the router specifically and what that shows to outside. That link should have plenty of info for now.
Ay, an open HW router would be nice, but already there is the option of Openfirmware towards a better alternative at home.
1 Like
I’d buy that.
1 Like
The two related models listed there look to be, on the one hand, quite limited for my purposes but, on the other hand, include WiFi, which I don’t want on a router (although I recognise that many people will).
My router is too mature to run openwrt. Update: might have got that wrong.
Anyway, router is definitely due for an upgrade so if I had a “pure” option …
Umm, so can someone help me close this port?
Well, since apparently your problem seems to be with the router and its firewall settings, instead of PureOS, and none here seems to use that device, you’ll get better help from the manufacturer’s site or from the device manual (for “older firmware” - remember to update that too, while you’re at it), I would guess.
That doesn’t change anything, I’m not using remote management and I’m not using a VPN service. Its clearly an issue with pureOS.
Would it be the same if i were to close a port in debian?