Increase Port 443 Security in RV082
I recently installed a RV082 so that a branch office could have an always-on connection with the main office. That branch, among others, processes credit cards for payment. A security company, Security Metrics, scans their network and looks for any security vulnerabilities. If the company fails the test they are charged a monthly fee to be able to continue processing credit cards.
The branch office that had the router installed failed due to several security issues involving port 443. Is there a way to secure the port in the router? I have attached the Security Vulnerabilities report that gives the details.
The branch office does not have a server, only about 5 XP Pro workstations (one does the credit card transactions). The other 3 branches have the same setup but they use PIX routers and they do not have any security issues.
Thanks
I am running an old version 1.3.2. I am going to do the update after hours and then run another security test tomorrow and report back.
Thanks
Similar Messages
-
Ichat is not working. tried using port 443 and still does not work
ichat not working. tried using port 443 and i stay on for about 45 seconds then it disconnects. Can you help?
HI,
Can you tell me the make and model of your routing device?
The 10 Second error message is caused by a break in the connection.
This could be the Wifi being dropped (if you are using WiFi) due to interference from other nearby routers.
It can be due to settings or features of the router, and if the experience has changed that could be due to a speed increase in your internet service.
If you are using Ethernet and having this issue it is much more likely to be a setting/feature issue.
Examples.
Netgears. These have a separate WAN set up page that lists either DoS or SPI as one of the things that can be Enabled or Disabled.
Linksys. If your model has a Security tab and this has Firewall then DoS and SPI are part of this.
Netopia devices Tend to have a 4 level Firewall which DoS and SPI are part of the two highest settings.
DoS = Denial Of Service and is a Threshold based "Protection" Feature.
It judges whether too much data is being sent to you (it was designed originally to stop people overloading Web Servers (many people, many refreshes)).
iChat can outstrip the setting with most Internet Connections in most part of the world. (In fact iChat can send more data than most Video Streaming sites)
One thing you can do that may get around this is to reduce the Bandwidth used in iChat (iChat Menu > Preferences > Video Section > Bandwidth Limit drop down)
Try 500kbps
10:07 PM Wednesday; November 23, 2011
Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
-
The attempt to connect to the server (IP address) on port 443 failed - OLT
Hi all
I am facing one problem: if I run load to any application for 100 users for 1 iteration then it is not showing any error. Let's say I ran the load of 100 users for one hour; then for some users there are errors like
Line: (script.java:84)][ScriptException]: The attempt to connect to the server (IP address) on port 443 failed.
And my understanding is that the users which are facing failures are not able to get a response or page loaded at their end, as failures are occurring for some particular steps, not the entire scenario. Pls confirm.
Thanks
I believe that's an indication that there is an error receiving mail, but if you have any drafts or email in your outgoing mailbox, try deleting them. Apple's troubleshooting steps for this are (from http://support.apple.com/kb/TS4002):
Cannot receive mail in OS X Mail
If you use OS X Mail, look at the name of your iCloud account on the left side of the main Mail window. If your iCloud account name is dim and has a lightning bolt next to it, your account is offline. To resolve this, make sure your computer is connected to the Internet. Then choose Go Online from the Mailbox menu.
If taking your iCloud account online doesn't resolve the issue, follow these steps:
From the Mail menu, choose Preferences.
In the Preferences window, click the Accounts tab if it is not already selected.
In the Accounts list, select your iCloud email address.
Click the Account Information tab.
Verify your SMTP server settings with the following information:
Incoming Mail Server: imap.mail.me.com
User Name: Your iCloud email address
Password: Your iCloud password
Click the Advanced tab and verify the following additional settings:
Port: 993
Use Secure Sockets Layer (SSL): Should be enabled
Authentication: Password
-
Hi, I have a non-SSL website running on port 443. When I access this website using Chrome or IE it works just fine, but Firefox can't seem to accept what I have done. All browsers on the same machine and using the same web proxy.
I access the website as http://xyz:443.
Just a bit of background info as to why I need this. Where I work I can only access ports 443 and 80 via the web proxy. I have two distinct websites running on a couple of devices at home behind a very config-wise limited router which has ports 80 and 443 redirected to these hosts. There is no way for me to setup two port forward rules on port 80 to two different devices. I cannot setup SSL on either of the websites.
Regardless of options that could exist to overcome my particular issue, I would like to check if you guys know how to make Firefox work with a website running on port 443 whilst not having a certificate assigned to it.
Firefox 32.0.3
Error message:
The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
What type of ssl are you running? [https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/]
You can somehow remove the Strict-Transport-Security header or if there is a feature that forced encryption but by default https uses 443 for encryption. I do not know if this is possible.
-
Is it possible to run iSQL*Plus only using Port 443/SSL? I receive the following
error whenever I do not listen for port 80 connections:
[Mon Sep 16 13:29:58 2002] [emerg] OPM: Could not find a valid non-ssl LISTEN ip
and port. The whole process exits.
[Mon Sep 16 13:29:58 2002] [alert] (2)No such file or directory: FastCGI: read()
from pipe failed (0)
[Mon Sep 16 13:29:58 2002] [alert] (2)No such file or directory: FastCGI: the PM
is shutting down, Apache seems to have disappeared - bye
Alison,
Thanks for the reply. I think that the httpd.conf file is saying if you want both
types of connections (http and https) you have to listen for both types of connections.
We have other Apache web servers here that only allow https/port 443 connections and
only listen for those type of connections.
Maybe I should have asked my question a different way, is it possible configure
iSQL*Plus via the httpd.conf file (and other .conf files) so that FastCGI will
work with SSL connections? If not, is there a way to configure everything so that
the only non-SSL connections are between FastCGI and iSQL*Plus (i.e., no users can
connect to the web server without using an SSL connection)?
Again, thanks for your help.
Cecil,
After reading the httpd.conf (web server config file), I found this:
# Port: The port to which the standalone server listens. Certain firewall
# products must be configured before Apache can listen to a specific port.
# Other running httpd servers will also interfere with this port. Disable
# all firewall, security, and other services if you encounter problems.
# To help diagnose problems use the Windows NT command NETSTAT -a
Port 7778
## SSL Support
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
Listen 7778
Listen 4443
It looks like you have to listen on a default port, as well as on an https port. iSQL*Plus doesn't actually care which port it is being called from as it is one step removed and has its own (different) port connection to the web server.
Perhaps this is a question to research from the web server (essentially Apache) point of view? You could try the usenet newsgroups, the Metalink web site, or you could call Oracle Support.
Alison
-
Help!!!!!!!!!!!!! Port 443 Issue
Can any one tell me how to open port 443 on my wireless router model WRT54G3G-AT? For a secure business connection. Please don't give me a link to follow, I've tried that one.
Thanks,
A
Hi! Are you trying to access your router remotely via HTTPS? You just need to enable it thru the router's setup page > Administration > Access Server > HTTPS (check the box to enable it).
-
Linksys WRT300N Open port 443, Lease Time
Hello. Definite Newbie here.
I have my router's IP address up on my browser and I was wondering how to open port 443 and to make my "Lease time" at its maximum. Can someone help me?
Thanks in advance.
Erik
Open an Internet Explorer browser page on a computer hard wired to the router...In the address bar type - 192.168.1.1...Leave the Username blank & in Password use admin in lower case...
Once you login to the setup page of your Router, under the setup tab below change the DHCP Client lease time from 0 to any number to increase the lease time.
Then click on the "Application and Gaming" tab and below click on the sub tab "Port Forwarding" and below in the Application name type any name and then in the Start Port and End Port type the Port number and select the Protocol and input the IP address on which you want to Forward the Port and check the box and click on save settings..
You can follow this link and it will help you in forwarding the port on your router.
-
How do i temporarily disable TLS/SSL port 443 going to server on CSS
We are having issues with truncating packets that go through the CSS
I did a capture after the CSS and there is truncation. However I can't read it before the CSS since everything is encrypted.
They hit VIP address 172.20.120.16 on the CSS and get redirected to 2 servers depending on what the URL says.
The server team would like to turn it off just to test. I tried removing
"add service ARR-public-ssl" from the content below and we lost http and https to the server,
so in essence I want to try and turn the 443 connection into a port 80 one; then it goes to port 7777 on the backend at 172.20.212.6
content BYE-WEB-SSL
vip address 172.20.120.16
protocol tcp
port 443
advanced-balance ssl
application ssl
add service ARR-public-ssl
active
ssl-server 40
ssl-server 40 rsacert byetest
ssl-server 40 vip address 172.20.120.16
ssl-server 40 cipher rsa-with-rc4-128-sha 172.20.120.17 80
ssl-server 40 cipher rsa-with-rc4-128-md5 172.20.120.17 80
ssl-server 40 urlrewrite 1 *
ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 172.20.120.17 80
ssl-server 40 rsakey byekey
backend-server 50
backend-server 50 type initiation
backend-server 50 server-ip 69.xxx.xxx.xxx
backend-server 50 ip address 69.xxx.181.xxx
backend-server 50 rsacert byetest
backend-server 50 rsakey byekey
active
!************************** SERVICE **************************
service TIE-SSLINIT
protocol tcp
ip address 69.xxx.xxx.xxx
keepalive type tcp
keepalive port 443
slot 2
type ssl-init
add ssl-proxy-list HR-SSL
active
owner PublicBYE
content BYE-WEB-ARRR
vip address 172.20.120.17
protocol tcp
port 80
url "/arr*"
advanced-balance arrowpoint-cookie
balance aca
arpt-lct http-100-reinsert
add service BYE-ods-web1
active
content BY-WEB-TIX
protocol tcp
port 80
url "/tix*"
advanced-balance arrowpoint-cookie
balance aca
arpt-lct http-100-reinsert
add service BYE-ods-web2
vip address 172.20.120.17
active
content BYE-WEB-TIX-CLEARTEXT
add service TIX-SSLINIT
vip address 172.20.120.19
protocol tcp
port 80
active
content BYE-WEB-Nav
vip address 172.20.120.17
protocol tcp
port 80
url "/na*"
balance aca
arpt-lct http-100-reinsert
add service BYE-ods-web1
active
content BYE-WEB-SSL
vip address 172.20.120.16
protocol tcp
port 443
advanced-balance ssl
application ssl
add service ARR-public-ssl
active
service BYE-ds-web1-ssl
ip address 172.20.212.5
port 443
keepalive type ssl
active
service BYE-ds-web2
ip address 172.20.212.6
port 7777
keepalive port 7777
keepalive type tcp
active
service BYE-ds-web2
ip address 172.20.212.6
port 7777
keepalive port 7777
keepalive type tcp
active
service BYEos-web2-ssl
ip address 172.20.212.6
port 443
keepalive type ssl
active
CSS11506# sh ver
Version: sg0810205 (08.10.2.05)
Flash (Locked): 08.10.1.06
Flash (Operational): 08.10.2.05
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
Secure Management
Yeah, I've done a packet trace before it hits the CSS and after. The only issue is that everything is encrypted before it hits the LB so I can't really read anything. I did a packet trace after the LB and on the server itself; it seems we get this
I thought I saw some bug info from Cisco but I can't tell if it's related
CSCsx05640—When you configure the CSS for a Layer 5 (L5) content rule and it receives an HTTP method POST with the HTTP header in one packet that is quickly followed by many packets of POST data or payload, it could fail to deliver all the data to the back-end server. The CSS Flow Manager (FM) application could incorrectly handle the POST and the data packet as a spanned content request and could cause the data to be mishandled. Workaround: Use less than 1-Gb connections in the network; a 100-Mb link does not exhibit this issue.
As you can see, after the Content-Length nothing comes across. Sometimes additional stuff will come in, but usually nothing.
Is there a bug related to this on the CSS?
POST /TIXX/DocumentRepository_Service HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: www.xxxxxxxxxxxx.net
Content-Length: 9044
-
Hi,
I just purchased WRVS4400N and tested, port 443 is not secure and I was wondering is there any way of blocking that **bleep**?
Tried everything (port forwarding etc.), nothing helps!!
Please help!
Elf
The Elf Cleric
When you say it is not secure, what exactly do you mean? If you have the firewall enabled it should only allow packets in that are in response to a legitimate request from your computer (i.e. when you access a secure web site). To block any incoming traffic for that port (or any other for that matter), click on the firewall link, click on IP based ACL and create a firewall rule that blocks any 443 (or whatever port you want to block) traffic from the WAN. Be advised that if you block 443 you will not be able to access web sites using ssl. (https:// sites). Port forwarding actually opens the port to inbound traffic, so you'll want to remove the port from port forwarding.
-
IPS 4260-70 Events to Saalt - RSA using PORT 443
I have a request to send all IPS 4260-70 on os vs 7.0.4(e4) Events to Saalt - RSA using PORT 443. I created an admin account, how do you configure the port 443?
Edwin;
Cisco's IPS sensors do not send events by default; they make use of the Security Device Event Exchange (SDEE) protocol in a client-server implementation (the IPS being the server and the remote application being the client). By default, the IPS will listen on TCP port 443 for SDEE connections requesting events or opening a SDEE subscription. The remote application (Saalt?) should require configuring the IP address of the IPS and a username/password for logging into the IPS. The IPS will need an access list entry for the remote application host to allow successful communication.
Scott
-
When I run Shields Up port scan test from Gibson Research (www.grc.com) it shows port 443 as being open. I haven't opened port 443. Why is it open on my WRT54G?
First of all, please state the make and exact model number of your modem. If you are using a "modem-router", rather than a true modem, Gibson's "Shields UP!" will scan the ports on your modem-router, not the ports on your WRT54G.
An "open" port is one that is listening to the Internet, waiting for another computer to try to communicate with it. Ordinary home users don't need this, so ports are generally left closed (stealth).
Port 443 is generally used for secure transmissions. It would normally only need to be "open" if you wanted another computer on the Internet to be able to securely call your router (or computer). This is typically used by businesses that want to establish a secure VPN (virtual private network) connection, to connect two branches of their business together, router to router.
Note that port 443 does not need to be left "open" for ordinary Internet connections, including connections to a secured server (https: connection).
By default, all ports on your WRT54G should be closed (i.e. stealth). However, if you have UPnP set to "enabled", then any computer program running on your computer can open a port on your router. This is often the cause for "open ports" on the router. Several types of programs like to open ports on the router. These include Internet games, video conferencing software, peer-to-peer (P2P) software, and computer viruses.
If you don't know of any programs on your computer that need to open ports, in the router, set UPnP to "disabled", and see if that corrects your problem.
One other possible cause for this port 443 problem, is a firmware bug. Some early versions of the RVS4000 firmware had this bug, but the bug was later fixed. I have not heard of this bug appearing in WRT54G firmware. What version of the router do you have? Also, are you running a server (web site or game site) ?
Message Edited by toomanydonuts on 08-02-2008 05:21 AM
-
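Added example (not code from the post above, from Gibson Research or from Linksys): a small Python check that puts the open/closed/stealth vocabulary of that post into code. It probes one TCP port and classifies the answer, with a constructed loopback listener standing in for a router whose port 443 is exposed; the function and port names are my own, and to see what the WAN side exposes it has to run from a host outside the network against the public IP, which is what Shields Up does.

```python
import socket

# Outcomes in the terms the post uses. "closed" and "stealth" differ on the
# wire: a closed port answers the SYN with a RST, a stealth (filtered) port
# never answers, which is what a WAN-side firewall should produce.
OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port on host by attempting a plain connect()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return CLOSED        # RST received: host is up, nothing listening
        except socket.timeout:
            return STEALTH       # no SYN-ACK and no RST within the timeout
        except OSError:
            return UNREACHABLE   # e.g. no route to host: cannot say either way
        return OPEN              # handshake completed: a service is listening


def check_exposure(host: str, ports=(80, 443), timeout: float = 2.0) -> dict:
    """Probe the ports a PCI scan or Shields Up looks at first and report
    which accept unsolicited connections. To learn what the WAN side shows,
    run it from a host outside the network against the public IP; from the
    LAN it only tests the router's LAN interface."""
    return {p: probe_tcp_port(host, p, timeout) for p in ports}


def _listener_on_loopback() -> socket.socket:
    """Constructed stand-in for a router whose HTTPS admin page is exposed:
    a bound+listening socket on an ephemeral loopback port. The kernel
    completes handshakes into the backlog, so no accept() thread is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def _free_loopback_port() -> int:
    """Pick a loopback port nothing listens on (bind to 0, read it, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Show the open vs closed distinction offline, entirely on loopback."""
    srv = _listener_on_loopback()
    try:
        listening = srv.getsockname()[1]
        unused = _free_loopback_port()
        return {
            "listening": probe_tcp_port("127.0.0.1", listening),  # "open"
            "unused": probe_tcp_port("127.0.0.1", unused),        # "closed"
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

A port that the post calls "stealth" cannot be produced on loopback, since the local stack always answers; against a router it shows up as the STEALTH result when the firewall drops the SYN.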
Problems with Port 5190 to Port 443
After switching to Port 443 since getting the error message, I can't send or receive any files without getting an error message, any ideas?
Hi,
Is this a valid AIM Login (AIM or Apple ID)?
Does your routing device allow port 5190 on UDP (still)?
iChat uses port 5190 on TCP to Login, which can be changed (to 443)
It also uses port 5190 on UDP to Send files so it needs to be still allowed/opened in the modem or router.
If you happen to be using 10.5.x then the Firewall (System Preferences > Security) should not have the UDP Block on in the Advanced Button.
Nor should any routing device.
8:23 PM Tuesday; April 13, 2010
-
I just bought and setup a RV110W. I noticed while scanning it from the WAN side that it always has port 443 open, even when remote management and VPN access are disabled. Why is this port still open, and how do I close it? Or is this a bug in the firmware? I am using firmware version 1.1.0.9, which is the most up-to-date for this unit. Having open ports allowing unsolicited contact from the WAN side, especially inadvertent ones, is a major security hole.
I should be able to lock this down with no open ports on the WAN side. Any idea why this unit is doing this? Should I return this device, or is this fixable?
I've upgraded to 1.2.0.9. The Cisco support site search top link, which points to what it claims is the latest firmware, displayed 1.1.0.9 as the most up-to-date. You have to notice the left hand column has a higher version number listed. See here.
Once I did that firmware upgrade, the 443 port appearing open on the WAN side for unsolicited connections went away. The tool I used for probing was just Shields Up!. It's a pretty basic port scanner that probes for acceptance of unsolicited connections from external IP address 4.79.142.202 over a range of ports, typically ports 0-1055.
I don't buy the "blame it on the modem" explanation, if for no other reason than in this router replacement, the modem wasn't changed and the previous router always showed no ports open for unsolicited connections in the port ranges I probed except when port forwarding was activated. I've not turned on any port forwarding (nor remote WAN-side admin access nor VPN access) on this RV110W for these tests.
Anyway, for whatever reason, the issue seems to have gone away with this firmware version.
BTW, the one complaint I have with the RV110W design (or any of its Cisco cousins) is the lack of SMA connectors for the antennas, so one is stuck using the antennas on the unit. My old router had vastly better coverage because I was able to replace its antennas with external antennas which I could use to tailor the shape of the coverage area to the locale. (e.g. D-Link ANT24-0700 omnidirectional antenna, Hawking HAI15SC corner antenna, etc) I hope I don't find I need to put this unit on eBay in a month and replace it with one with detachable antennas just to get adequate coverage in the shape I need.
-
Opening port 443 in MacOSx 10.6.5
I am running a JBoss server in my Mac OSx 10.6.5. I am changing my iPhone App to access the Web Server thru HTTPS. Earlier the HTTP was working on port 8080. I can see from NETSTAT that the port is listening. But port 443 is not. How do I add this port?
CopyCatX - CNet Downloads or MacUpdate.
I don't think there is anything else that will do a bit-copy of the entire hard drive. Otherwise you have to clone OS X separately. Then switch to Windows and use a utility that will clone the Windows volume.
-
Cannot open socket connection on port 443
Hi!
Our server is running on Port 443.
When I try to Connect from the BlackBerry 9300, an exception is thrown "cannot open socket connection on port 443"
Can any one please help me in finding the solution to enable the port 443.
Thank you in advance!
Regards,
Vinay
I assume that you have verified that you can login to the ftp site using a regular ftp client (e.g. Fetch) on the Mac?