
Disabling external ports on HG659

Starter Poster
Posts: 7
Registered: ‎01-03-2013
Accepted Solution

Disabling external ports on HG659

by rosco Starter Poster
Message 1 of 11 (4,207 Views)

 

I ran an external port scan on my Huawei HG659 and was surprised to find that ports 80 and 443 were open.

My configuration is pretty much default, I do not have any port forwarding set up.

Remote Administration is enabled but this appears to be an outgoing connection?

 

Connecting from an external system to port 80 on my WAN address with Chrome browser, I get redirected to 443 and then get the standard web login page. If I try to login I get a message "Login from invalid IP" - presumably this requires an ACL entry somewhere which permits WAN access. Nothing gets logged in syslog regarding this failed login attempt.

 

In terms of "security by obscurity" it seems undesirable to be advertising the make & model of the gateway to all comers. I would prefer the gateway to be completely stealth to the outside and not respond on any external port. Is there any way to close off external access to ports 80 and 443? I see iptables is running but its configuration file doesn't seem to be exposed in busybox.

 

Thanks, Ross

 


Accepted Solutions
Retired Staff
Posts: 207
Registered: ‎30-10-2009

Re: Disabling external ports on HG659

by Retired Staff Nigelhu Retired Staff
Message 2 of 11 (6,520 Views)

Hi Rosco

 

The purpose of this is to allow our technical support team to remotely access your device should you need assistance.

 

It is completely secure.

 

Cheers,

 

Nigel


Solution
Accepted by Lon (Staff)
‎03-10-2015 04:33 AM

All Replies
New Poster
Posts: 1
Registered: ‎10-10-2014

Re: Disabling external ports on HG659

by jcage New Poster
Message 3 of 11 (4,049 Views)

New VDSL customer, with HG659...

 

Frankly, I'll be a little more blunt than Ross was... I am disgusted that remote web admin port is open, and the name of my WIFI, up time etc is publicly viewable. Why this is on by default baffles me, but the fact there does not seem to be an EASY way to disable it is quite unacceptable.

 

Nigel - you have offered an explanation, not a solution...

 

Can someone from Vodafone provide information on how to DISABLE HTTP WAN admin of this router?

 

 

Tim

 

Retired Staff
Posts: 3,381
Registered: ‎21-08-2010

Re: Disabling external ports on HG659

by Retired Staff Dylan Retired Staff
Message 4 of 11 (4,005 Views)

Hi @jcage 

 

Thank you for the feedback. We've passed it on to the team who look after our modems and firmware updates for them to consider.

 

Cheers


Dylan

Starter Poster
Posts: 7
Registered: ‎19-09-2014

Re: Disabling external ports on HG659

by DrewBateman Starter Poster
Message 5 of 11 (3,936 Views)

Dylan wrote:

Hi @jcage 

 

Thank you for the feedback. We've passed it on to the team who look after our modems and firmware updates for them to consider.

 

Cheers


Dylan


@Dylan - Add my name to the list of people wanting this ability.
VERY dissatisfied with the crippled version of the HG659

Starter Poster
Posts: 2
Registered: ‎02-06-2015

Re: Disabling external ports on HG659

by bagpussnz Starter Poster
Message 6 of 11 (3,276 Views)

Did anyone get a response from Vodafone on this? Not acceptable!

Starter Poster
Posts: 7
Registered: ‎01-03-2013

Re: Disabling external ports on HG659

by rosco Starter Poster
Message 7 of 11 (3,261 Views)

I never received anything other than the non-solution offered by VF above. Given VF are in denial about the issue I doubt they will take any action to fix it.

 

In the meantime I implemented my own workaround. External access to the two ports can be blocked from the HG659 CLI with an iptables rule:

 

$ su -c "iptables -I INPUT_SERVICE_ACL 2 -i nas_p1_1.10  -p tcp -m multiport --dports 80,443 -j DROP"

 

(nas_p1_1.10 is the name of the WAN interface on my modem - yours will probably be different.)

 

This rule change needs to be reapplied after every restart of the HG659. I use a cron job which checks the HG659 every hour to see if the rule is present in its iptables and if not reapplies it.
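
The hourly check-and-reapply job described in the post above, sketched as an added example that is not part of the original thread or rosco's own script. `ROUTER_RUN` is a hypothetical command prefix standing in for whatever root CLI access you have to the modem, and the availability of `iptables -S` on the modem's iptables build is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): re-apply the WAN drop rule only if missing.
CHAIN="INPUT_SERVICE_ACL"          # chain and insert position 2 are taken from the post
WAN_IF="${WAN_IF:-nas_p1_1.10}"    # WAN interface name; yours will probably differ
PORTS="80,443"
# Hypothetical: a command prefix that runs its arguments as root on the HG659
# (for example a wrapper around your CLI login). Empty means "run locally".
ROUTER_RUN="${ROUTER_RUN:-}"

# rule_present: reads `iptables -S CHAIN` output on stdin and succeeds only if
# a DROP rule for exactly this interface and port list is already in the chain.
# Fixed-string matches with a trailing space avoid prefix hits (e.g. "...1.100").
rule_present() {
    grep -F -- "-A $CHAIN " |
    grep -F -- "-i $WAN_IF " |
    grep -F -- "--dports $PORTS " |
    grep -qF -- "-j DROP"
}

# ensure_rule: prints "present", "applied" or "failed" so a cron mail or log
# line shows whether the modem had lost the rule (i.e. had restarted).
ensure_rule() {
    listing=$($ROUTER_RUN iptables -S "$CHAIN" 2>/dev/null) || {
        echo failed; return 1; }
    if printf '%s\n' "$listing" | rule_present; then
        echo present; return 0
    fi
    $ROUTER_RUN iptables -I "$CHAIN" 2 -i "$WAN_IF" -p tcp \
        -m multiport --dports "$PORTS" -j DROP || { echo failed; return 1; }
    # Re-read the chain: report success only if the rule is really there now.
    if $ROUTER_RUN iptables -S "$CHAIN" 2>/dev/null | rule_present; then
        echo applied
    else
        echo failed; return 1
    fi
}

# Hourly cron entry (path is a placeholder):
#   0 * * * * /path/to/this-script --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_rule
fi
```

Checking before inserting keeps the chain from accumulating a duplicate DROP rule on every hourly run.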

 

 

Retired Staff
Posts: 3,381
Registered: ‎21-08-2010

Re: Disabling external ports on HG659

by Retired Staff Dylan Retired Staff
Message 8 of 11 (3,238 Views)

I've passed your new messages to the people who look after the modem and the firmware updates. I don't have any further information at this stage sorry.

Starter Poster
Posts: 2
Registered: ‎02-06-2015

Re: Disabling external ports on HG659

by bagpussnz Starter Poster
Message 9 of 11 (3,206 Views)

Thanks - that worked.

Cheers,

Ian

 

Starter Poster
Posts: 2
Registered: ‎25-08-2015

Re: Disabling external ports on HG659

by dvkwong Starter Poster
Message 10 of 11 (2,628 Views)
I am absolutely livid after I found out about port 80 and 443 open! This is a complete and utter joke in terms of security. Everyone knows what the default administration password for the router is.

I just found out today someone has accessed my router and enabled remote access. I cannot believe this.
Posted from Google Nexus 5