Ports Question


    When I use an Android app called Fing it shows four ports open for my z-net
    22 ssh
    80 http
    2001 dc pr nfr20 web queries
    2002 globe

    I have no idea what any of this means but since I had an unknown user show in the list of users, I wonder if somehow someone got in. Of course everything you read about ports shows how various ports are susceptible to attacks but should I be concerned?

    #2
    I have no idea what any of this means but since I had an unknown user show in the list of users, I wonder if somehow someone got in. Of course everything you read about ports shows how various ports are susceptible to attacks but should I be concerned?
    Port 22 - is used to connect with a program such as TeraTerm or Putty directly into the Linux console.

    Port 80 - is used for HTTP access from find.homeseer.com

    Port 2001 - is the port used by HS3 to establish communications with the Znet

    Port 2002 - Not sure on this one.

    Having these ports respond to a ping on the ZNet does not present any risks on your LAN. If the ports were open on your firewall from the WAN you would have a different issue.

    Bob

    Comment


      #3
      I would also add to what Bob said that a Z-Net doesn't have anything to do with users. There are no usernames stored in the Z-Net and users cannot be created in a Z-Net or through a Z-Net.
      HS4 Pro, 4.2.19.0 Windows 10 pro, Supermicro LP Xeon

      Comment


        #4
        Ports Question

        Ports being open for traffic is what allows computer systems and applications to communicate with each other over the Internet. These ports being open and the risk associated with that is situational. The first question should be, what are they used for and how is the communication secured. For example, as Bob pointed out, port 80 is used for web (HTTP) access. Port 80 is unsecured web traffic; this means that the data is not encrypted between the server hosting the site and the client accessing the site. Your home router protects that traffic from prying eyes on the Internet. The risk in this case is for people inside your network to see the traffic in clear text.
        We would be having a different conversation if you opened up port 80 on your home router and forwarded it to your HS3 server. Then attacks from the public Internet would matter more. That would be a much higher risk.



        Comment


          #5
          Racerfern,

          Wondering if you have the Fingbox for the Fing app. It is great for keeping tabs on your network.

          Stuart

          Comment


            #6
            Here I have seen port 22 being compromised in less than a few minutes with bots figuring out root access with Homeseer users I have been helping.

            Typically here I proxy the SSH port to be able to see the rest of the devices on a Homeseer user's network. IE: proxying the HTML port I do speed tests to see how fast their internet connection is.

            The SSH port compromise only deals with root access. It is not recommended to use root; rather, it is recommended to use sudo for Linux in general these days.

            Once that root access is established the bot installs a program to replicate itself right away in the form of a cron job using typical, commonly utilized Linux commands. The fix for this is using longer passwords and limiting the number of times you can error out on log in and increasing the time between login errors, done in the ssh configuration file. In recap, the compromise is mostly utilized in replication more than anything else. I did notice that the service pushed the CPU utilization to over 100% on the computer compromised.

            vulnerabilities related to Secure Shell (SSH) keys

            Note once in a network via the use of an SSH tunnel all devices on the network can be seen.
            Last edited by Pete; September 5, 2017, 07:34 AM.
            - Pete

            Auto mator
            Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
            Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
            HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

            HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
            HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

            X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant

            Comment


              #7
              You can tell what services / programs are using each port by sshing to your z-net and running the following command....

              Code:
              sudo ss -tlpn | less
              You should get back something as follows...

              Code:
              State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port
              LISTEN     0      128                       *:37932                    *:*      users:(("rpc.statd",pid=786,fd=9))
              LISTEN     0      128                       *:111                      *:*      users:(("rpcbind",pid=766,fd=8))
              LISTEN     0      128                       *:80                       *:*      users:(("lighttpd",pid=646,fd=4))
              LISTEN     0      1                         *:10001                    *:*      users:(("ser2net",pid=713,fd=6))
              LISTEN     0      1                         *:2001                     *:*      users:(("ser2net",pid=713,fd=5))
              LISTEN     0      128                       *:22                       *:*      users:(("sshd",pid=588,fd=3))
              LISTEN     0      128               127.0.0.1:6010                     *:*      users:(("sshd",pid=7083,fd=9))
              LISTEN     0      128                      :::47459                   :::*      users:(("rpc.statd",pid=786,fd=11))
              LISTEN     0      128                      :::111                     :::*      users:(("rpcbind",pid=766,fd=11))
              LISTEN     0      128                      :::80                      :::*      users:(("lighttpd",pid=646,fd=5))
              LISTEN     0      128                      :::22                      :::*      users:(("sshd",pid=588,fd=4))
              LISTEN     0      128                     ::1:6010                    :::*      users:(("sshd",pid=7083,fd=8))
              The top half of that list is IPv4 (*:*), the bottom half is IPv6 (:::*).

              The far right column is the service and process that is listening on that port. You should then investigate the unknown ports and processes.

              Secondly, all ports from the internet to your home should be blocked on your firewall / router. There is no reason for this unless you want to allow remote access to your systems. If you want remote access open up specific ports, secure and monitor those connections. Better yet, set up a VPN or use SSH tunnels via a jump server.

              If you use SSH tunnels, ensure you disable root logins, disable passwords, allow only your account to ssh, and use ssh keys with passphrases only - again monitor these connections/logs.
              Len


              HomeSeer Version: HS3 Pro Edition 3.0.0.435
              Linux version: Linux homeseer Ubuntu 16.04 x86_64
              Number of Devices: 633
              Number of Events: 773

              Enabled Plug-Ins
              2.0.54.0: BLBackup
              2.0.40.0: BLLAN
              3.0.0.48: EasyTrigger
              30.0.0.36: RFXCOM
              3.0.6.2: SDJ-Health
              3.0.0.87: weatherXML
              3.0.1.190: Z-Wave

              Comment
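Added example, not part of the original posts: a small filter that turns the `ss -tlpn` listing from post #7 into a short list of listeners worth investigating, by skipping loopback-only sockets and anything on an expected-service list. The function name `audit_listeners` and the expected list (sshd, lighttpd, ser2net, taken from the services named in this thread) are assumptions for illustration.

```shell
#!/bin/sh
# Sample copied from the listing in post #7 (trimmed, whitespace condensed).
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:37932 *:* users:(("rpc.statd",pid=786,fd=9))
LISTEN 0 128 *:111 *:* users:(("rpcbind",pid=766,fd=8))
LISTEN 0 128 *:80 *:* users:(("lighttpd",pid=646,fd=4))
LISTEN 0 1 *:2001 *:* users:(("ser2net",pid=713,fd=5))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=588,fd=3))
LISTEN 0 128 127.0.0.1:6010 *:* users:(("sshd",pid=7083,fd=9))
LISTEN 0 128 :::47459 :::* users:(("rpc.statd",pid=786,fd=11))
LISTEN 0 128 :::111 :::* users:(("rpcbind",pid=766,fd=11))
LISTEN 0 128 ::1:6010 :::* users:(("sshd",pid=7083,fd=8))'

# Assumption: the only services this device is meant to offer to the LAN.
EXPECTED="sshd lighttpd ser2net"

# audit_listeners "<expected process names>"  (reads ss -tlpn output on stdin)
# Prints "port process" for every network-reachable listener not on the list.
audit_listeners() {
    awk -v expected="$1" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 != "LISTEN" { next }                 # skips the header line
    {
        addr = $4
        port = addr; sub(/.*:/, "", port)   # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # Loopback-only sockets are not reachable from other machines.
        if (host == "127.0.0.1" || host == "::1" || host == "[::1]") next
        # Without sudo the users:(...) column is absent; report as unknown.
        proc = "unknown"
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (!(proc in ok)) print port, proc
    }' | sort -u -k1,1n -k2,2               # merges IPv4/IPv6 duplicates
}

# Offline run on the sample; on the device itself the equivalent would be:
#   sudo ss -tlpn | audit_listeners "sshd lighttpd ser2net"
printf '%s\n' "$SAMPLE" | audit_listeners "$EXPECTED"
```

On the sample this leaves only the rpcbind and rpc.statd listeners, which are the entries in the post's listing that the thread does not account for.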
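Added example, not part of the original posts: a check of the effective sshd settings against the SSH recommendations in post #7 (no root logins, no passwords, only your account, keys) and the login-attempt limit mentioned in post #6. The function name `audit_sshd`, the finding labels, the account name `len` and the threshold of 3 attempts are assumptions; the input format is the lowercase "keyword value" output of `sshd -T`.

```shell
#!/bin/sh
# Constructed samples in the format printed by `sshd -T` (effective config).
SAMPLE_WEAK='permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 6'

SAMPLE_HARD='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
maxauthtries 3
allowusers len'

# audit_sshd: reads effective sshd settings on stdin, prints one finding per
# line, prints nothing when every check passes.
audit_sshd() {
    awk '
    { key = tolower($1); seen[key] = 1; val[key] = tolower($2) }
    END {
        # "disable root logins"
        if (val["permitrootlogin"] != "no") print "root-login-allowed"
        # "disable passwords"
        if (val["passwordauthentication"] != "no") print "password-auth-enabled"
        # "use ssh keys"
        if (val["pubkeyauthentication"] != "yes") print "pubkey-auth-disabled"
        # "allow only your account to ssh"
        if (!("allowusers" in seen)) print "no-allowusers-restriction"
        # Limit on failed attempts per connection (threshold is an assumption).
        if (val["maxauthtries"] + 0 > 3) print "maxauthtries-above-3"
    }'
}

# Offline run on the weak sample; on a live host the equivalent would be:
#   sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd
```

Whether a private key is protected by a passphrase is a property of the client's key file and cannot be read from the server configuration, so that recommendation is not covered by this check.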


                #8
                Hello,
                Is it possible to change the default 2001 port ?
                By modifying the file ser2net.conf ?
                I tried, but via the homer user, rights are not enough.
                Thanks

                Comment


                  #9
                  You can only modify /etc/ser2net.conf via root user.

                  via ssh:
                  Code:
                  sudo vi /etc/ser2net.conf
                  Then enter root's password.

                  **EDIT**
                  Use your password not root's password for sudo.
                  Last edited by lveatch; September 9, 2017, 11:22 AM.
                  Len



                  Comment


                    #10
                    Originally posted by lveatch View Post
                    You can only modify /etc/ser2net.conf via root user.

                    via ssh:
                    Code:
                    sudo vi /etc/ser2net.conf
                    Then enter root's password.
                    Actually the root account is disabled, you will have to use the homeseer user's password. It will be one of three, depending on the date of manufacture.

                    user = homeseer

                    PW1 = hsthsths3
                    PW2 = zneths15
                    PW3 = zneths16

                    You will still use sudo to give the homeseer user root access.

                    Comment


                      #11
                      Originally posted by rprade View Post
                      Actually the root account is disabled, you will have to use the homeseer user's password. It will be one of three, depending on the date of manufacture.

                      user = homeseer

                      PW1 = hsthsths3
                      PW2 = zneths15
                      PW3 = zneths16

                      You will still use sudo to give the homeseer user root access.
                      Oops, you're right on not using root's password.

                      For my znet, I log in as pi. IIRC, default password for pi is raspberry.
                      Len



                      Comment


                        #12
                        Originally posted by lveatch View Post
                        Oops, you're right on not using root's password.

                        For my znet, I log in as pi. IIRC, default password for pi is raspberry.
                        The login user on a Z-Net should be homeseer with one of the three passwords I listed above. It does appear that they left pi/raspberry in place as well.

                        Comment
