Router port 23 open, security risk?

[tarmiricmi]

Hello,
using this router test page, I've found out following:



Does this present a security risk?
Note: this page tests only router. I've disabled that port in my PC's firewall.

 

[Samwell9854]

If that port is opened on the WAN side (Internet), that can indeed represent a security risk. Telnet is used in order to connect remotely to a device and manage or control it. It's generally protected by a username and/or password. I don't know what router this is, so by staying general, this port would preferably be disabled. Managing a router from the internet by using a non secured protocol (Telnet is not secured) is like screaming the router's password and its configuration to your neighbours, knowing that the right person also heard it.
Point is not to be scary, knowing for example which router we're talking about might help understanding the scenario.

On Windows machines, by default, the port 23 isn't used, thus would be irrelevant to block (except to complicate the troubleshooting once it might be needed).

 

[tarmiricmi]

Thanks, it is a TP-Link TL-WR740N.
What should I do, to somehow disable/close port (but I don't find such an option in router's config page)?
I don't access router from the internet (disabled that option).

 

[Samwell9854]

Thanks, it is a TP-Link TL-WR740N.
What should I do, to somehow disable/close port (but I don't find such an option in router's config page)?
I don't access router from the internet (disabled that option).

After having a look at an emulator of your router, I would recommend to check (on the left) under "Forwarding", in the 3 first options: Virtual Servers, Port Triggering and DMZ. Make sure you don't see an entry with the service port "23". (Actually, they should all be empty and disabled, EXCEPT UPnP.)

You may also try out something, but there's a small missing detail which they don't talk about: Windows doesn't have a telnet client enabled natively.
It's easy to enable, go in Start > Control Panel > Programs and Features > (On the left) Turn Windows features on or off, then scroll down until you find "Telnet Client". Check it (if it isn't already), then click "OK". It should do everything on its own and you'll then be able to go through this link:
http://www.tp-link.com/en/faq-343.html
It's a How-To in order to disable the Telnet Server on the router.

 

[tarmiricmi]

Thanks for the assistance. I've enabled Telnet but can't connect to the router:



Maybe it's a good sign?
However the procedure described in the linked article is only temporary, so after resetting the router, it wouldn't have an effect.

Regarding router settings, Virtual Servers, DMZ and Port Triggering are all disabled (as well as UPnP, according to many articles it should be disabled as well).

 

[Samwell9854]

In this case, just to make sure, try accessing your router on the telnet port again, but by using its WAN IP, which you may find here: https://www.whatismyip.com

If it still fails, like you said, it is a good sign.
Although, here's a powerful tool which can help you see what is actually going on: Nmap

UPnP can enable some Port Forwardings automatically if you have a software which supports the technology and requires to redirect ports which needs to be accessed from the Internet. Can be disabled if not needed.

 

[jsmithepa]

Anything that you don't use should be closed.

 

[tarmiricmi]

I've tried connecting directly through WAN IP, and it is possible. However I can't login for some reason, my router access username/password isn't working (it is not usual admin/admin).



I'll try running suggested nmap.

Update: nmap is too complicated for me to use it.

 

[Samwell9854]

You may try this simple command:
nmap -T4 -A ip
Where you can replace "ip" with your WAN ip.
It will give detailed information concerning which ports are opened, and a bit more.
But prior to running it, you might need to install WinPCap & MS Visual C++ 2013 (both already inside the compressed file for Nmap)

 

[tarmiricmi]

Actually I think it is not the problem with my router, but with my provider, info from this similar thread:

Well, there’s the problem. You're not connected directly to the public IP space! Instead, you're connected to another local network upstream (192.168.88.x) and being assigned the IP address 192.168.88.5 by the wireless ISP, who in turn is connected to some ISP. Somewhere up that chain of ISPs lies a router w/ the public IP (124.157.108.126). And that's the router Shields Up is testing, NOT your personal router. Shield Up only knows about and tests the router directly connected to the public IP space. That’s just one of the limitations of an ISP who places you behind his own private network (e.g., 192.168.x.x).

So in all likelihood, your router is probably completed closed and stealthy. What’s not is the router directly exposed to the public IP space. Ironically, this is NOT a good thing if you need remote access, into gaming, etc., since you typically need various ports OPEN, so now that ISP is an impediment to those activities since you don’t control his router’s firewall.

I've disabled ALG on my router. Only remaining issue I see here is that telneting my IP address succeeds (albeit even I can't login because of unknown problem with Mikrotik login - neither my current nor factory router login works).