Port 443 open, how to close?

sudo ss -tunap

Displays all the open ports on the machine and the processes that use them.
Flags are:
-t show tcp
-u show udp
-n no dns resolve
-a show all ports both listening and non-listening (edit: use -l only for listening instead)
-p show the process that opened the port (requires sudo/root access)

3 Likes

OK, please confirm whether your ISP supports only IPv4 or is dual stack (IPv4 and IPv6).

Then same question for the router itself.

Maybe grc doesn’t even support IPv6, I don’t know, but it’s one thing to check off.

Perhaps your router has other ideas.

The point is: As the scan from my computer shows, ports 139 and 445 are open on the router despite my preference. There is no attached storage. I most definitely don’t want to offer any Windows shares to the internet but my router has other ideas.

So were you to move the router’s VPN from port 443 to, say, port 45164 and were that to cause grc to show that port 443 is no longer open then that is evidence that the problem is on the router.

OR, how about, I close the port on my PC under PureOS and then run the scan; if it still says port 443 is open then I should start looking deeper into things. What is the difficulty in helping do this one thing? Hasn't anybody shown you the 1st rule of problem solving is to try the simplest thing first?

It doesn’t hurt to try a https://<your-ip> from internet side - like using your phone web browser with mobile data on.

If you turn on your VPN connection then you are scanning your VPN provider’s IP address, not yours. (I didn’t see an option on GRC to enter an IP to scan; it is autodetected, so it will autodetect the VPN server’s IP. And most likely they have a web server on 443 (https) or the VPN server.)

1 Like

Sorry, I only mentioned the VPN on my phone as a way to show you what changes when I switch the VPN on. It was never on my network. This has nothing to do with my PureOS exposing port 443. Sorry for the confusion.

I think grc doesn’t let you do that - for obvious reasons - even though there are times when it would be legitimate and useful.

1 Like

If on PureOS a process is listening on 443 you can easily find it with command ss I wrote above.

If that’s the case, then it means that your router is forwarding 443 requests to your machine. And that you can easily see and modify from your router’s web interface, under the NAT section:

Also you can check there on NAT -> DMZ Host that your PC IP is not set. DMZ means “DeMilitarizedZone” or something, and the router will forward all requests from outside to that PC.

1 Like

Only on IPv4, which is why I asked whether it’s IPv4 or IPv6.

1 Like

IPv6 is disabled on my router.
DMZ isn’t set to anything; it’s highly dangerous to use a DMZ on today’s internet.

Using the ss command the computer that is opening port 443 is pureos, if I’m reading it correctly.

Here is an example of what you should see and get from that command. I changed the command to only display port 22 if it’s opened (=listening). And I dropped the -n flag. You can use that to force numeric IP addresses and ports.

In your case change :22 to :443 (or :https) and make sure you keep the spaces between the parentheses and the text, and also have those apostrophes.

$ sudo ss -p state listening '( sport = :22 )'
Netid               Recv-Q               Send-Q                             Local Address:Port                              Peer Address:Port               
tcp                 0                    128                                  192.168.2.1:ssh                                    0.0.0.0:*                   users:(("sshd",pid=2182,fd=3))

In my example above, you can see that on my local address 192.168.2.1 I have the process sshd listening on port :ssh (=22) (scroll till the right end to see the process column). I know that’s a local OpenSSH server and I can stop it if I want and the port will be closed.

In your case, I don’t know if pureos is the process or machine name… or… just the OS?

EDIT: It’s not the user after all.

Actually I’m mistaking user names for process names. The correct interpretation of users:(("sshd",pid=2182,fd=3)) is:

  • user running the process is user sshd
  • the process id is 2182

To find the process command I can use the ps command:

$ ps -p 2182 -f
UID        PID  PPID  C STIME TTY          TIME CMD
root      2182     1  0 Jan18 ?        00:00:00 /usr/sbin/sshd -D

So it’s the sshd program.

So, in your case the pureos is the user. So you need to find the process corresponding to your process id (pid).

sudo ss -tunap -p
[sudo] password for darren:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 192.168.1.101:123 0.0.0.0:* users:(("ntpd",pid=927,fd=23))
udp UNCONN 0 0 127.0.0.1:123 0.0.0.0:* users:(("ntpd",pid=927,fd=18))
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=927,fd=17))
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=10440,fd=7))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=860,fd=12))
udp UNCONN 0 0 0.0.0.0:54750 0.0.0.0:* users:(("avahi-daemon",pid=860,fd=14))
udp UNCONN 0 0 [::1]:123 [::]:* users:(("ntpd",pid=927,fd=19))
udp UNCONN 0 0 [::]:123 [::]:* users:(("ntpd",pid=927,fd=16))
udp UNCONN 0 0 [::]:37622 [::]:* users:(("avahi-daemon",pid=860,fd=15))
udp UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=860,fd=13))
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=10439,fd=7))
tcp ESTAB 0 0 192.168.1.101:59584 35.155.194.246:443 users:(("firefox-esr",pid=2881,fd=67))
tcp ESTAB 0 0 192.168.1.101:41552 35.186.227.140:443 users:(("firefox-esr",pid=2881,fd=264))
tcp TIME-WAIT 0 0 192.168.1.101:49320 216.58.211.170:443
tcp ESTAB 0 0 192.168.1.101:58988 209.140.129.55:443 users:(("firefox-esr",pid=2881,fd=239))
tcp ESTAB 0 0 192.168.1.101:41896 185.70.41.130:443 users:(("firefox-esr",pid=2881,fd=204))
tcp TIME-WAIT 0 0 192.168.1.101:35170 52.34.194.35:443
tcp ESTAB 0 0 192.168.1.101:34962 138.201.228.33:443 users:(("firefox-esr",pid=2881,fd=81))
tcp LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=10439,fd=6))

Does this help? Because I don’t know how to read it.

There is nothing on that system listening on 443, so nothing can connect to that system on 443 at the time that command was run. You can connect outbound to other systems listening on 443, which you are doing with Firefox for TLS-encrypted web browsing.

This does not appear to be a pureos issue.

If running the test now currently shows 443 open then something else is listening on 443 on the IP scanned. If that IP is in fact your public IP then it is either your router or a device your router is forwarding 443 connections to.

1 Like

Keeping in mind that with NAT the external port (443) can differ from the internal port.

However in this case the only port being listened on (with TCP) is port 631 (Internet Printing Protocol) and that is only on localhost (IPv4 and IPv6), hence no use at all for port forwarding.

So it should be the case that no external connection to port 443 can terminate on the above host.

Either

  • the router itself is listening on port 443
  • it is validly port forwarding to another host (may be internal port 443 or a different port)
  • it is invalidly port forwarding (and that does not appear to be the case since grc reports ‘open’)

2 Likes
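Added example, not from this thread or from PureOS: a small Python parser that applies the reading given in the last two replies to ss -tunap output, sorting every mention of a port into "listening on a reachable address", "listening on loopback only" and "outbound connection where the port is on the peer side". The sample lines are constructed from those quoted earlier in the thread plus one hypothetical nginx listener on 0.0.0.0:443 (an assumption, not on the page) to show what a genuinely exposed 443 would look like.

```python
from __future__ import annotations
import re

# Constructed sample modelled on the ss -tunap output quoted above, plus one
# hypothetical exposed listener (nginx on 0.0.0.0:443) that the thread does NOT contain.
SAMPLE = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=860,fd=12))
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=10439,fd=7))
tcp ESTAB 0 0 192.168.1.101:59584 35.155.194.246:443 users:(("firefox-esr",pid=2881,fd=67))
tcp TIME-WAIT 0 0 192.168.1.101:49320 216.58.211.170:443
tcp LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=10439,fd=6))
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=4242,fd=6))
"""

USERS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')
LOOPBACK = ("127.", "[::1]")   # bound here = reachable from this host only

def parse_ss(text: str) -> list[dict]:
    """Turn `ss -tunap` lines into dicts; endpoints are split on the LAST colon so
    '[::1]:631' and '0.0.0.0:*' are handled. The 'users:' column is optional."""
    socks = []
    for line in text.splitlines()[1:]:              # skip the header row
        f = line.split()
        if len(f) < 6:
            continue
        la, _, lp = f[4].rpartition(":")
        pa, _, pp = f[5].rpartition(":")
        m = USERS_RE.search(line)
        socks.append({"proto": f[0], "state": f[1], "laddr": la, "lport": lp,
                      "paddr": pa, "pport": pp,
                      "proc": f"{m[1]}[{m[2]}]" if m else "?"})
    return socks

def classify_port(text: str, port: str) -> dict[str, list[str]]:
    """Sort every line that mentions `port` into three buckets:
    exposed  -> listening on a non-loopback address (reachable via NAT/forwarding)
    loopback -> listening, but only on 127.x / ::1 (no use for port forwarding)
    outbound -> `port` is on the PEER side: this host is the client, not a server."""
    out = {"exposed": [], "loopback": [], "outbound": []}
    for s in parse_ss(text):
        bound = s["state"] in ("LISTEN", "UNCONN")   # TCP listener / bound UDP socket
        if bound and s["lport"] == port:
            key = "loopback" if s["laddr"].startswith(LOOPBACK) else "exposed"
            out[key].append(f"{s['proto']} {s['laddr']}:{s['lport']} {s['proc']}")
        elif not bound and s["pport"] == port:
            out["outbound"].append(f"{s['proto']} -> {s['paddr']}:{s['pport']} {s['proc']}")
    return out
```

Run it against the real output with `classify_port(subprocess.check_output(["sudo", "ss", "-tunap"], text=True), "443")`; an empty "exposed" list with entries only under "outbound" is exactly the situation in the thread, so the listener must be on the router or another forwarded host.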