Question

Port 2052 is open even without firewall rule

Posted June 8, 2021 322 views
Firewall

A recently conducted security scan highlighted that several ports were open and therefore presented a security vulnerability:
2052
2053
2082
2083
2086
2087

I ran sudo nmap -sS -Pn -p 2052 -T4 -vv --reason xxx.xxx.xxx.xxx and found that 2052 was open.

Why is port 2052 (and presumably the other ports listed) open even though they should presumably be blocked by the firewall?

1 comment
  • My results may have something to do with using a VPN, which has a firewall rule. When using the VPN the port is open (although not 100% of the time; it is inconsistent).

    Would using a VPN produce different results?

    A VPN wouldn’t explain why an external company would find the ports to be open when there is no firewall rule for them.

2 answers

Hi there,

Looking at the ports it seems like a cPanel/WHM server. Are you using CSF as the firewall?

If so you need to explicitly close the ports via CSF by removing them from the Allowed hosts list in the /etc/csf/csf.conf file and then restarting CSF with this command:

csf -r

Also if the ports are already closed, any IP addresses that have been allowed via CSF would have access to all ports even though the ports are closed. So you need to remove the IP address of the penetration testing company from the CSF allow list in order to have valid results.

Regards,
Bobby

  • Hi,

    Many thanks for taking the time to reply.

    The server isn’t using CSF; it’s using the Cloud Firewall.

    I’ve now installed doctl and listed the rules: only ports 22, 443, 80 have inbound rules.

    • Hi there @ecell100,

      It can be achieved with a Cloud Firewall as well. You can close the incoming traffic for all ports and add allow rules for only your IP addresses.

      You can take a look at the documentation here on how to add and remove rules:

      https://docs.digitalocean.com/products/networking/firewalls/quickstart/

      Hope that this helps!
      Regards,
      Bobby

      • ‘Cloud firewalls block all traffic that isn’t expressly permitted by a rule.’

        That doesn’t appear to be happening though; I thought firewalls denied all traffic by default.

        I created an inbound rule for port 2052 and removed all Sources, but the port remains open.

        • Hi,

          Yes, by closing all incoming traffic I meant that you need to remove the allow from all rules and then add allow rules only for the IP addresses that you want to have access to those ports.

          If you remove the rule for port 2052 the port will be closed. Then if you add a rule to allow the incoming traffic to that port, the port will be accessible.

          Is the Droplet that you are testing attached to the firewall?

          Regards,
          Bobby

          • Hi,

            It was because I was using a VPN! It seems that our VPN has port forwarding set up.

            The ports appear to be ‘filtered’ to the outside world, which is correct.

            Many thanks for your help, every day is a school day.

          • Hi there @ecell100,

            No problem at all! Happy to hear that you’ve got it all sorted out.

            Regards,
            Bobby
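
Added example, not part of the thread: the resolution above was that a scan run through a VPN reported ports as open that were filtered from the outside. The sketch below parses nmap grepable (`-oG`) output from two vantage points and separates real exposure from a path artifact. The scan text, the address 203.0.113.10 and the function names are constructed for illustration; only the allowed ports 22, 80 and 443 come from the thread.

```python
# Constructed nmap -oG output for one host from two vantage points.
# 203.0.113.10 is a documentation address, not the poster's server.
DIRECT_SCAN = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 2052/filtered/tcp/////, 2053/filtered/tcp/////\n"
)
VPN_SCAN = DIRECT_SCAN.replace("/filtered/", "/open/")  # same host, seen via the VPN

ALLOWED_INBOUND = {22, 80, 443}  # ports with inbound rules, per the thread


def parse_grepable(text):
    """Return {port: state} for the TCP ports listed in nmap -oG output."""
    states = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comment and Status lines
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[0].isdigit() and fields[2] == "tcp":
                states[int(fields[0])] = fields[1]
    return states


def compare_vantages(direct, via_vpn, allowed=ALLOWED_INBOUND):
    """Return {port: (direct_state, vpn_state, verdict)} for every scanned port."""
    report = {}
    for port in sorted(set(direct) | set(via_vpn)):
        d = direct.get(port, "not scanned")
        v = via_vpn.get(port, "not scanned")
        if d == "open" and port not in allowed:
            verdict = "EXPOSED: open from outside without an inbound rule"
        elif v == "open" and port not in allowed:
            verdict = "vantage artifact: open only on the VPN path"
        else:
            verdict = "consistent with rules"
        report[port] = (d, v, verdict)
    return report


if __name__ == "__main__":
    report = compare_vantages(parse_grepable(DIRECT_SCAN), parse_grepable(VPN_SCAN))
    for port, (d, v, verdict) in report.items():
        print(f"{port:>5}  direct={d:<9} vpn={v:<9} {verdict}")
```
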