how to stealth port no. 513, and 514 in my router
Posted: Tue Oct 10, 2017 9:11 am
by jraju
Hi, I am having dlink 2730 U router. Now every router is not fully safeguarded from attacks. A check at grc.com, Shields Up, revealed that my router ports 513 and 514 are closed but not stealth. Port No. 113 details are given in the same page at details.
How to make those ports stealth? If I stealth those ports, would there be any internet access problem? Now I am more concerned with the router because it is the point of gateway attacks that attackers try without leaving a trace to find.
Are there any issues if those are open? I also cannot find which applications are using the port. For your information, I am using Google DNS server in the router settings. I do not know how to attach a screenshot in this forum.
Posted: Tue Oct 10, 2017 10:05 am
by Philip
Port 113 is for IDENT, you can usually close it from the router's admin interface. Just look for a setting in the WAN/Admin menu to that effect, it is sometimes labeled as follows:
"Respond to IDENT requests from WAN"
"Respond to Echo (ping) Request from WAN"
It is not necessarily that bad to leave this open, some apps may take longer to connect if your end is not pingable.
Ports 513/514 TCP or UDP? They could be used by some VoIP apps, but also by remote logging, rsh/rcp. I would investigate that. There is some more info here:
https://www.speedguide.net/port.php?port=513
https://www.speedguide.net/port.php?port=514
I would try to disable any type of system logging and remote administration on the router and test again. We also have a portscan on SG, btw:
https://www.speedguide.net/scan.php
Posted: Tue Oct 10, 2017 10:26 am
by jraju
I checked with your scan link. All the three ports are shown as filtered green. Do I need to bother? Then why Grc.com confuse with their results, I do not know. Should I check?
How to enclose a file in your forum?
Is there any type of router scan available in this, like Shields Up? I am more concerned about router security. I have taken all precautions to change the admin password. Port forwarding, I did not try for those ports. Are those necessary? (in filter green)
Does forwarding to non existing port means changing the last 3 octets of the IP? Does that number denote the no. of devices connected for a connection? I mean the no. of devices, so the change of octet to higher numbers, knowingly would change the port to stealth?
I will try to read as many posts in the forum on router security. Thanks and expecting. Kind of you to immediately send reply. The ports are TCP connections.
Posted: Wed Oct 11, 2017 9:24 am
by Philip
I don't know why there is a difference between GRC and SG, I can only vouch for our scan. You may have to make sure they are scanning your correct IP address, especially if you are going through some type of proxy from your ISP.
Forwarding a port to a non-existing IP address on a LAN means changing the last octet of an IPv4 address... as in 192.168.1.5 vs. 192.168.1.222. The last octet does not necessarily signify the number of devices. NAT routers often use the first available IP in the subnet, most often .1. Then it assigns IPs depending on how its "DHCP server range" is set, it could be, for example, from .50 to .150, etc. (it can be changed). Using a non-existing IP would be setting that last octet to a number not assigned to your router, outside of its DHCP range, and between 1-254. So, yes, higher numbers are usually safer, but not necessarily.
Posted: Wed Oct 11, 2017 11:30 pm
by jraju
Hi, Thanks Philips.
The reply is superb. But the problem is, I have tried to pf those three ports, 113, 513 and 514, to a same IP, say xxx.xxx.xxx.250, the scan does not stealth the ports. I also found default port forwarding there for some ports, which include the port no. 113. I think that port 113 is much important port for connectivity and computer network actions.
If the pool range is 1 to 255, using 250 supposed to be a higher outside my range of devices. I mean, I use only devices less than 10. Is there anything wrong in . But, would a port forwarding consist of any default entries?
If you give me idea how to attach a jpg file, I will be able to give the screenshot. Please, I am a learner and not an IT expert.
Posted: Thu Oct 12, 2017 12:07 am
by jraju
Hi, I checked with FAQ on posts. But selecting Reply from the thread and going to advanced option does not give me chance to manage attachments. Is there any stipulated condition, that one could attach only if the number of posts exceeds some numbers? Or the attachment is not permitted?
The default page set up
service protocol wanp lanp
auth tcp 113 113
dns udp 53 53
ftp tcp 21 21
ipsec udp 500 500
pop3 tcp 110 110
ppt3 tcp 1723 1723
smtp tcp 25 25
ssh tcp 22 22
telnet tcp 23 23
tftp udp 69 69
web tcp 80 80
Posted: Thu Oct 12, 2017 9:22 am
by Philip
Yeah, there are some limits on newer members not being able to post attachments.
Like I said before, port 113 is ident, and I wouldn't worry about it being closed instead of stealth.
As to ports 513/514, you will have to go through all your router "Advanced/Diagnostics/Management" menu settings, and make sure they do not enable some type of remote logging, or remote admin access on those ports. Some VoIP phones may be using the port as well. Just see what service may be using it on your router first.
Also, if the SG scan shows them stealth already I am not sure what is with the GRC scan.
Posted: Fri Oct 13, 2017 8:01 am
by jraju
Hi, could you say alternative way to enclose screenshots of the problem?
Thanks. I did find a tr069 configuration page, having default url and admin pw, but not in enabled stage. This is using the port No. 7547, and I do not see that it is enabled. The box is left unchecked.
There are some ticks found in the NAT ALG. Can I remove those, I do not know. The settings by default enabled with the following
IPSec Pass-Through Enable
L2TP Pass-Through Enable
PPTP Pass-Through Enable
FTP Enable
H.323 Enable
SIP Enable
RTSP Enable
ICQ Enable
MSN Enable
Can I uncheck those?
The tr069 configuration page default settings: it is not enabled.
Other than that there is no setting enabled. I enabled DoS (denial of service attacks) for security. Did not touch DMZ.
Where is remote administration menu? I could not find anywhere in the router settings easily. If I know, I will disable it.
Posted: Fri Oct 13, 2017 10:04 am
by Philip
Leave the IPSec/L2TP/PPTP pass-throughs enabled.
The H.323/SIP Enable settings -- those may be opening ports 513/514, not sure. Are you using some type of VoIP behind this router? Disabling may cause issues with telephone service.
RTSP - usually uses port 554, streaming video, you can uncheck it.
ICQ/MSN enable -- those can probably be unchecked.
Posted: Sun Oct 15, 2017 10:02 am
by jraju
Hi, I disabled all the things and checked and same result in GRC. You have touched upon all the things except FTP, should it be enabled? I get the alarm that solicited TCP packets received/failed. The GRC check all ports show 113 in green, i.e., stealth. But showing the 513 and 514 ports as closed. But in scan on ordinary ports scan (not all ports scan in GRC), 113 is shown as closed. The problematic port is listed as 113 and some suggestions are given.
May I ask you, can I capture which applications are using the closed ports in netstat or in other commands? Since netstat -ano lists all the listening and open ports, I do not seem to find the applications that are using the closed ports, say my 513 and 514.
Elsewhere in some threads, I see that 113 auth port is set as default start port in the router, by router makers to get proper connections over ports. If I see that again, I will enclose that.
Regarding tr069 port, the url if deleted does not allow me to save the settings, with different error messages. I disabled auto execution during start, but still I do not know why the url is there. It is default set by dlink router, the admin user and pw shown as rtk, I do not know why those entries are present there.
I asked for alternative ways of enclosing the images to this forum, as that would easily help you to give the exact solutions and the exact problems I am facing... Sorry for delayed response, as I was otherwise engaged. Thanks Philips and still expect.
I do not use any VoIP services. I heard that using some satellite services. No.
Posted: Sun Oct 15, 2017 5:27 pm
by Philip
The ports could be open by your router. Commands like "netstat -ano" and others on your PC would only show ports on that particular client PC, not other clients or the router. That is why I said to look over the settings on the router more carefully, those "H.323" and "SIP" settings could be setting ports 513/514 to closed instead of stealth.
Getting a result for a port as "closed" still does not allow connections to it. It only shows that you exist, they can only be used to potentially identify that your IP is online, and running certain OS... But they are still not accepting connections, so it may be a moot point. Like I said before, I wouldn't worry about the IDENT port 113 showing as closed, that may actually be a good thing.
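The open / closed / stealth distinction in the reply above comes down to how the TCP handshake ends. This added example (not part of the original post) classifies one port on a router you administer by that outcome; the function names are assumptions, and a real check has to run from a host outside your LAN, as the GRC and SG scans do.

```python
import errno
import socket


def tcp_port_state(host, port, timeout=3.0):
    """Classify one TCP port by the reply to a connection attempt.

    open    - handshake completes (SYN-ACK): a service is accepting connections
    closed  - connection refused (RST): nothing listens, but the host answered
    stealth - no reply before the timeout: the packet was silently dropped
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError as exc:
            # An ICMP "unreachable" reply also reveals that something answered.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise


def loopback_demo():
    """Constructed local demo: one listening port and one unused port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    unused_port = spare.getsockname()[1]
    spare.close()  # port is now free, so a connection attempt is refused

    try:
        return (tcp_port_state("127.0.0.1", open_port),
                tcp_port_state("127.0.0.1", unused_port))
    finally:
        listener.close()


if __name__ == "__main__":
    print(loopback_demo())
```

A "closed" result still carries a reply from the router, while "stealth" means no packet came back at all.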
Posted: Sun Oct 15, 2017 11:53 pm
by jraju
Hi, thanks for reply. You mean, it is by default by dlink router for their routers. I just left FTP enabled and still the same results.
I checked every setting. I will try still to probe the router.
https://ibb.co/iXROD6
Posted: Wed Oct 18, 2017 12:26 am
by jraju
While I probed the router further, with different software and settings, I was shown a server that I have not configured as DNS server. I have selected Google DNS for both servers list, 8.8.8.8 and 8.8.4.4, but on checking with routercheck software, the actual DNS server was shown different from the selected. Does that mean there is something in that? I am enclosing the image.
https://ibb.co/iYkGi6
Posted: Wed Oct 18, 2017 8:31 am
by Philip
The configured DNS servers on your end just forward the requests to others near you that do the actual lookups. I wouldn't be too concerned with the different IPs, unless they show up as owned by a different company than the one you configured (then it may indicate some type of DNS hijacking/proxy intervention from your ISP)
I sometimes use different DNS services than Google with less data collection and filtering of results. We have a list of alternate DNS here:
https://www.speedguide.net/faq/what-alt ... -i-use-128
The convenience of Google DNS is their low latency results, they consistently perform well at peak times. There is a "DNS Benchmark" test tool over at GRC that can aid in deciding on DNS servers based on latency for your location, there is also a Google code tool called "namebench".
Posted: Thu Oct 19, 2017 2:12 am
by jraju
"The configured DNS servers on your end just forward the requests to others near you that do the actual lookups. I wouldn't be too concerned with the different IPs, unless they show up as owned by a different company than the one you configured (then it may indicate some type of DNS hijacking/proxy intervention from your ISP)"
Since the DNS shows as different owner's name, I asked that query. Did you see the screenshot uploaded? One is given as Google. Correct. But see the other, it is not configured by me, but different one, a site in Malaysia. Normally I get Google DNS server of Google from Singapore Google. But I did not visit the shinjiru.
I changed my DNS as OpenDNS and scanned with routercheck, but the same results. Avast did not catch up with any DNS hijack.
I failed to mention that while scanning, the routercheck asked me to connect to their server, as in any other scan site, and then the result shown thus.
In OpenDNS also one server shown as OpenDNS, but the other as shinjiru. Please give valuable advice as always.
https://ibb.co/d9cvBR
Posted: Thu Oct 19, 2017 4:21 am
by jraju
I wrote to the Routercheck also, why different DNS server is shown. Expecting reply.
Meanwhile, I again checked the same now, and it shows only one server, that is Google, which I configured in my router. But this time, there was only one DNS server IP showed. What would have been the cause? Did the other site, which was doing something in my system network connection, has checked and just cleared out?
Or does the scan orgn has found that some other server is interacting with their program and just cleared that out?
https://ibb.co/dH15BR
Should there be shown two or one dns?
Posted: Thu Oct 19, 2017 8:28 am
by Philip
First, on your PC, drop to a command prompt and type: ipconfig /all
Look for the line that lists your DNS servers, for example:
DNS Servers . . . . . . . . . . . : 129.250.35.250
129.250.35.251
(this shows your configured DNS servers)
Then, try to ping, and nslookup a non-existent domain to see if your ISP is hijacking DNS results, type:
ping nonexistent.domain (should not respond to pings)
nslookup nonexistent.domain (should get a result from your configured nameserver, stating the domain does not exist)
Those should tell you if non-existent domains are being redirected/hijacked.
Lastly, you can try a local third-party DNS tool, like the two I suggested above.
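The non-existent-domain test described above can be repeated with several random names, which also shows whether every bogus name lands on the same address. This is an added example, not part of the original post; the function names and the random `.com` probe labels are assumptions, and the lookups go through whatever DNS servers the machine is configured to use.

```python
import secrets
import socket


def random_probe_names(count=3, tld="com"):
    """Random 32-hex-character labels: assumed unregistered, so the honest answer is 'no such domain'."""
    # The trailing dot makes each name fully qualified, so no local search suffix is appended.
    return [f"{secrets.token_hex(16)}.{tld}." for _ in range(count)]


def system_resolve(name):
    """Resolve via the OS-configured DNS servers; return sorted IPs, or [] when the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_nxdomain_rewriting(resolve=system_resolve, names=None):
    """Look up names that should not exist and report any that came back with addresses."""
    names = names if names is not None else random_probe_names()
    answers = {name: resolve(name) for name in names}
    rewritten = {name: ips for name, ips in answers.items() if ips}
    # Unrelated random names that all map to the same address set point at one
    # catch-all server (an ad or "search help" page) rather than real hosts.
    distinct_sets = {tuple(ips) for ips in rewritten.values()}
    return {
        "rewritten": rewritten,
        "hijack_suspected": bool(rewritten),
        "catch_all": len(rewritten) > 1 and len(distinct_sets) == 1,
    }


if __name__ == "__main__":
    report = check_nxdomain_rewriting()
    if report["hijack_suspected"]:
        print("Non-existent names resolved:", report["rewritten"])
        print("Same landing address for all:", report["catch_all"])
    else:
        print("All probe names returned 'does not exist', as expected.")
```

A lookup that fails because the network is down also returns an empty list, so run it while normal browsing works.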
Posted: Sat Oct 21, 2017 1:00 am
by jraju
Hi, I checked and got the desired result that it is non-existent domain. I have just typed as nslookup nonexistent.domain and then enter. My DNS server is shown correctly. Yes. You are correct. The Google DNS server also pops up the adv of the unknown Malaysian DNS in any port test page I go.
To be safer, I just changed the Google DNS to DHCP, my ISP's DNS in my router (set it to obtain DNS address automatically, instead of manually). Now see the Avast scan results, listing the vulnerability. How to fix this?
https://ibb.co/jtSJi6
Posted: Sun Oct 22, 2017 6:45 am
by jraju
Hi, I changed the settings in the parent control tab of the router advanced settings, and enabled the protection and created url block of shown hijacked domain, by including them in the block url list. But still the Avast finds and alerts as DNS hijacked. How is it possible if you block a url in the router for some website and it still shows to be vulnerable? Please provide some tips so that so many users of your forum, who may have this kind of problem, would be safe from those malicious attacks.
I will enclose, in the url keywords I typed vk.com and yandex.ru and applied the changes. I made the reboot to save option to boot the router freshly. Still I am having the DNS hijack alert.
How to find it as false positive? I also saw the results of the log, wherein so much sites, known sites, have been included in the Avast scanner and the entries against those com, nodata and some alphanumbers, whereas for all other sites, IP is given, or scanned.
Expecting reply.
Posted: Sun Oct 22, 2017 3:26 pm
by Philip
DNS check is different than visiting the site. URL blocks/forwards will only block you from visiting that website. It will not affect DNS name resolution.
DNS hijacks just return different results other than the expected ones for a certain domain. If your DNS servers hijack certain results, your remedy would be to simply use a different one. Blocking some domains will not change your DNS server behavior.
Posted: Tue Oct 24, 2017 12:14 am
by jraju
Hi, Philips, thanks for the reply. But the exceptions are given in the settings of the Avast program. I also accept the remedy by you, but change to Google DNS pose a new problem of giving access to the router by the Google DNS to unknown servers. Changing to OpenDNS also has the same problem. Since those servers are having filters, they could just hide the server hijacks.
As one come to this site to improve my knowledge about the routers, i am continuing this thread.
Your words
If your DNS servers hijack certain results, Please say something more, on why?
Posted: Tue Oct 24, 2017 9:55 am
by Philip
There are multiple reasons that some DNS servers change results, it could be any of the following:
- to protect you from sites that are deemed malicious (like Google, for example)
- to show you ads for non-existing domains (some ISPs do that, they show you their own results instead of the browser error page)
- to track your browsing (by your ISP) for their internal reasons, to improve transparent proxies cache, to sell your data, whatever.
In addition, there is a type of DNS hijacking by malicious software that has infected your computer and redirects some of your browsing.