Port 443 open, how to close?

eugenr · January 27, 2021, 4:46pm

sudo ss -tunap

Displays all the open ports on the machine and the process that use them.
Flags are:
-t show tcp
-u show udp
-n no dns resolve
-a show all ports both listening and non-listening (edit: use -l only for listening instead)
-p show the process that opened the port (requires sudo/root access)

irvinewade · January 27, 2021, 11:07pm

OK, please confirm whether your ISP supports only IPv4 or is dual stack (IPv4 and IPv6).

Then same question for the router itself.

Maybe grc doesn’t even support IPv6, I don’t know, but it’s one thing to check off.

Perhaps your router has other ideas.

The point is: As the scan from my computer shows, ports 139 and 445 are open on the router despite my preference. There is no attached storage. I most definitely don’t want to offer any Windows shares to the internet but my router has other ideas.

So were you to move the router’s VPN from port 443 to, say, port 45164 and were that to cause grc to show that port 443 is no longer open then that is evidence that the problem is on the router.

ItsTheSmell · January 27, 2021, 11:40pm

OR, how about, I close the port on my pc under pureos and then run the scan, if it still says port 443 is open then i should start looking deeper into things. What is the difficulty in helping do this one thing? Hasnt anybody showed you the 1st rule of problem solving is to try the simplest thing first?

eugenr · January 28, 2021, 12:41am

It doesn’t hurt to try a https://<your-ip> from internet side - like using your phone web browser with mobile data on.

eugenr · January 28, 2021, 1:15am

If you turn on your VPN connection then you are scanning your VPN provider’s IP address not yours. (I didn’t saw an option on GRC to enter an IP to scan; it is autodetected, so it will autodetect the VPN server’s IP. And most likely they have a web server on 443 (https) or the vpn server ).

ItsTheSmell · January 28, 2021, 1:26am

Sorry, I only mentioned the vpn on my phone as a way to show you what changes when i switch the vpn on. It was never on my network. This has nothing to do with my PureOS exposing port 443. Sorry for the confusion.

irvinewade · January 28, 2021, 1:36am

I think grc doesn’t let you do that - for obvious reasons - even though there are times when it would be legitimate and useful.

eugenr · January 28, 2021, 1:38am

If on PureOS a process is listening on 443 you can easily find it with command ss I wrote above.

If that’s the case, then it means that your router is forwarding 443 requests to your machine. And that you can easily see and modify from your web router web interface, under NAT section:

Also you can check there on NAT -> DMZ Host that your PC IP is not set. DMZ means “DeMilitarizedZone” or something, and the router will forward all requests from outside to that PC.

irvinewade · January 28, 2021, 1:41am

Only on IPv4, which is why I asked whether it’s IPv4 or IPv6.

ItsTheSmell · January 28, 2021, 1:54pm

Ipv6 is disabled on my router.
DMZ isn’t set to anything, its highly dangerous to use a DMZ on today’s internet.

Using the ss command the computer that is opening port 443 is pureos, if I’m reading it correctly.

eugenr · January 28, 2021, 3:09pm

Here is an example of what you should see and get from that command. I changed the command to only display port 22 if it’s opened (=listening). And I dropped the -n flag. You can use that to force numeric IP addresses and ports.

In your case change :22 with :443 (or :https) and make sure you keep the spaces around between the parentheses and the text, and also have those apostrophes.

$ sudo ss -p state listening '( sport = :22 )'
Netid               Recv-Q               Send-Q                             Local Address:Port                              Peer Address:Port               
tcp                 0                    128                                  192.168.2.1:ssh                                    0.0.0.0:*                   users:(("sshd",pid=2182,fd=3))

In my example above, you can see that I have on my local address 192.168.2.1 I have the process sshd listening on port :ssh (=22) (scroll til the right end to see the process column). I know that’s a local openssh server and I can stop it if I want and the port will be closed.

In your case, I don’t know if pureos is the process or machine name… or… just the OS?

eugenr · January 28, 2021, 3:32pm

EDIT: It’s not the user afterall.

~~Actually I’m mistaking user names with process names. The correct interpretation of~~ users:(("sshd",pid=2182,fd=3)) is:

~~user running the process is user sshd~~
the process id is 2182

To find the process command I can use the ps command:

$ ps -p 2182 -f
UID        PID  PPID  C STIME TTY          TIME CMD
root      2182     1  0 Jan18 ?        00:00:00 /usr/sbin/sshd -D

So it’s the sshd program.

~~So, in your case the pureos is the user~~. So you need to find the process corresponding to your process id (pid).

ItsTheSmell · January 28, 2021, 11:38pm

sudo ss -tunap -p
[sudo] password for darren:
Netid State udp UNCONN 0 udp UNCONN 0 udp UNCONN 0 udp UNCONN 0 udp UNCONN 0 udp UNCONN 0 udp UNCONN 0 udp UNCONN 0 udp UNCONN 0 udp UNCONN 0 tcp LISTEN 0 tcp ESTAB 0 tcp ESTAB 0 tcp TIME-WAIT 0 tcp ESTAB 0 tcp ESTAB 0 tcp TIME-WAIT 0 tcp ESTAB 0 tcp LISTEN 0 Recv-Q Send-Q Local Address:Port Peer Address:Port
0 192.168.1.101:123 0.0.0.0:* users:((“ntpd”,pid=927,fd=23))
0 127.0.0.1:123 0.0.0.0:* users:((“ntpd”,pid=927,fd=18))
0 0.0.0.0:123 0.0.0.0:* users:((“ntpd”,pid=927,fd=17))
0 0.0.0.0:631 0.0.0.0:* users:((“cups-browsed”,pid=10440,fd=7))
0 0.0.0.0:5353 0.0.0.0:* users:((“avahi-daemon”,pid=860,fd=12))
0 0.0.0.0:54750 0.0.0.0:* users:((“avahi-daemon”,pid=860,fd=14))
0 [::1]:123 [::]:* users:((“ntpd”,pid=927,fd=19))
0 [::]:123 [::]:* users:((“ntpd”,pid=927,fd=16))
0 [::]:37622 [::]:* users:((“avahi-daemon”,pid=860,fd=15))
0 [::]:5353 [::]:* users:((“avahi-daemon”,pid=860,fd=13))
5 127.0.0.1:631 0.0.0.0:* users:((“cupsd”,pid=10439,fd=7))
0 192.168.1.101:59584 35.155.194.246:443 users:((“firefox-esr”,pid=2881,fd=67))
0 192.168.1.101:41552 35.186.227.140:443 users:((“firefox-esr”,pid=2881,fd=264))
0 192.168.1.101:49320 216.58.211.170:443
0 192.168.1.101:58988 209.140.129.55:443 users:((“firefox-esr”,pid=2881,fd=239))
0 192.168.1.101:41896 185.70.41.130:443 users:((“firefox-esr”,pid=2881,fd=204))
0 192.168.1.101:35170 52.34.194.35:443
0 192.168.1.101:34962 138.201.228.33:443 users:((“firefox-esr”,pid=2881,fd=81))
5 [::1]:631 [::]:* users:((“cupsd”,pid=10439,fd=6))

does this help because i dont know how to read it.

OpojOJirYAlG · January 29, 2021, 12:34am

There is nothing on that system listening on 443 so nothing can connect to that system on 443 at the time that command was run. You can connect outbound to other systems listening on 443 which you are doing with firefox for tls encrypted web browsing.

This does not appear to be a pureos issue.

If running the test now currently shows 443 open then something else is listening on 443 on the IP scanned. If that IP is in fact your public IP then it is either your router or a device your router is forwarding 443 connections to.

irvinewade · January 29, 2021, 1:55am

Keeping in mind that with NAT the external port (443) can differ from the the internal port.

However in this case the only port being listened on (with TCP) is port 631 (Internet Printing Protocol) and that is only on localhost (IPv4 and IPv6), hence no use at all for port forwarding.

So it should be the case that no external connection to port 443 can terminate on the above host.

Either

the router itself is listening on port 443
it is validly port forwarding to another host (may be internal port 443 or a different port)
it is invalidly port forwarding (and that does not appear to be the case since grc reports ‘open’)