Review of my home broadband router logs (suspicious activity?)

WARNING, WARNING, Will Robinson ;+)

You misread that article. It is not saying Transmission can only use port 51413.

It is saying that if you choose 51413 (a random port number within the allowed range (1024-65535) not used by anything else) you have to use that same port number in the Transmission configuration and on the router port forwarding rule for external port and internal port.

Because the whole site is oriented to Windoze and really wants to sell you their Windoze based software for setting up rules for the Windoze firewall and Windoze router administration software.

Nooooooooooo.

You have to use the host's NIC MAC address NOT the router's WAN NIC MAC address.

On your host just do

ifconfig

and probably your NIC is assigned to eth0 and from there you can see the MAC address

eth0 Link encap:Ethernet HWaddr NN:NN:NN:NN:NN:NN

where NN are hexadecimal "digits" (0 through 9, or A through F).

If you try the command

arp

you will see the MAC addresses (under the HWaddress column) of neighboring hosts as well.

If you want to check that your NIC is "genuine" or at least has been counterfeited with an appropriate MAC address for that manufacturer, you can go to

and look up who the manufacturer should be for a particular MAC address.

That is the standard mode of operation for consumer SOHO routers.

If you were manually setting up a firewall on your Ubuntu system using IPTABLES (the basic kernel level tool for creating firewall rules) you would have to have a rule

iptables -t filter -A INPUT -p all -m conntrack --ctstate ESTABLISHED,RELATED -i ${IFACE} -j ACCEPT

As you can see, the key words there that allow this functionality, for all ports (-p all) on the interface (usually eth0), are

ESTABLISHED,RELATED and ACCEPT

Reply to
J G Miller

Yes, except Mr Banks has more than one phone so the patch has to go not just to his office (IP address) but to the appropriate phone (port number).

And I forgot to mention that if you asked if it was Xi Jinping when Vladimir Putin was calling, that would be a "protocol error". ;+)

Reply to
J G Miller

The administration interface should never be open on the WAN (Internet) side by default. It should only ever be opened on the WAN (Internet) side if the administrator account is provided with a very strong password and preferably access is only allowed to a specific or specific range of external IP addresses.

Yes "social" (as in what traditional con-merchants have always used) deception is so much easier.

Now what did you say you had set the password to?

[See what I did there ............]

Reply to
J G Miller

Also, Transmission can be set to use a random port each time the program is started. For the benefit of the OP, Port 51413 is only the default port and can easily be changed.

Reply to
Wildman

Interesting!

So, given the nature of what Transmission does, you don't actually want a well-defined service for whatever port would be assigned to it, 'cuz they (the powers that be) would just block it out of hand.

Now it begins to make sense!

Reply to
Paul M. Cook

OMG. User Agent String = (essentially) Backdoor by Joel!

Reply to
Paul M. Cook

It's enough effort for me to just start understanding the ports in my router firewall, let alone then implementing a software firewall.

I'll leave *that* to later!

Reply to
Paul M. Cook

This explanation makes sense, but is actually confusing.

I guess the only thing that matters is what ports I have to open up in the router and what ports to set in Transmission, and, as long as I make them the same (and if they're not system ports or otherwise used), it should work.

What is confusing is that the web page you provided is fantastically done, but it says clearly that Transmission only uses 1 port: 51413


Yet the Transmission GUI implies that you can set any port, and any number of ports.

So, that's confusing because the information doesn't match.

Anyway, I've already set up the router to UDP/TCP port forward 51413 exactly as your well written article above suggested, as shown below:


Likewise, I set Transmission to use the same port 51413:


Unfortunately, Transmission test results said the "Port is closed", so, I have to debug why Transmission thinks the port is closed:


Reply to
Paul M. Cook

Please disregard this statement above because you explained that I had interpreted the article wrong in a subsequent post that I hadn't read at the time I wrote that above.

Reply to
Paul M. Cook

Ooops. It sure *sounded* like it said that, but since it was confusing, I like it better that your explanation matches what Transmission is allowing me to set.

Reply to
Paul M. Cook

Thanks for the MAC address hints.

While I had never understood nor ever messed with router port forwarding & UPnP before, I am pretty familiar with MAC addresses, so, I'm comfortable with what I need to do on the router to set up a static IP address for the laptop based on the current (spoofed) wlan0 MAC address of the laptop.

Setting a static IP address for the laptop will be a bit more confusing for me than it would be for most people though, because, while my laptop is always wireless (so I will have to match the MAC address on wlan0 and not on eth0), I purposefully spoof my wlan0 MAC address frequently on my laptop using a script by a guy named Marek Novotny (see script below).

So, while this changing of the MAC address will make static IP assignment by the router harder for me than for most people, I know exactly what to do in order to make that static IP assignment work.

Given that I change (spoof) my wlan0 MAC address frequently, I probably should explore how to make the laptop IP address static using the Ubuntu OS itself, but, that may be something for a later date to learn how to do.

BTW, if you're interested in Marek's script for changing the MAC address, here is my copy of it (he may have a later version) that I pulled off the alt.os.unix newsgroup a few months ago.

$ cat $(which changemac.sh)
#!/bin/bash
#################################################
# Script: changemac.sh
# written by: Marek Novotny (modified slightly)
# version: 0.4
# date: 2015-10-17
# notes: MAC Address Changing Ubuntu
# See also: [link omitted in this copy] for valid MAC OUIs
# [link omitted in this copy]
# In the future, change the MAC address in /etc/network/interfaces.
# That way, the interface starts up safer, with the fake mac
# When the interface goes down it gets re-configured.
# You can put the hide_me script in /etc/if-pre-up.d
# and the change would go in before the interface comes up.
# use sudo if you're not root (otherwise add ifconfig to sudoers.d)

if [ "$(id -u)" -ne 0 ] ; then
    priv="sudo"
else
    priv=""
fi

# grab the NIC interface (e.g., devID=wlan0)
# WIP: Add a check if device ID is "tun?" or "ppp?", don't change it
devID=$(ip route get 8.8.8.8 | awk 'NR==1 {print $5}')
# Get the device MAC address
MACaddr=$(ifconfig $devID | grep HWaddr | awk '{print $5}')
echo "old MAC: $MACaddr"

# Set up a list of organizationally unique identifiers OUI
# [link omitted in this copy]
OUIArray=(
    00:01:2a  # telematica sistems inteligente
    00:02:b3  # intel corporation
    00:03:47  # intel corporation
    # ... list truncated for Usenet post ...
    f0:4d:a2  # dell inc.
    f4:06:69  # intel corporate
    fc:8f:c4  # intelligent technology inc.
)

# if [ $# -eq 0 ]
# then
#     echo -n "Enter new MAC: "
#     read newMAC
# else
# pick a random OUI; the index must stay below the array length
RANGE=${#OUIArray[@]}
i=$RANDOM
let "i %= $RANGE"
OUI=${OUIArray[$i]}

# generate a new NIC specific identifier
NIC=$(date | md5sum | sed 's/../&:/g' | cut -b 9-17)
newMAC="$OUI$NIC"
# fi

echo "new MAC: $newMAC"

# Offer to replace old mac addr with the new
echo "Do you wish to assign $newMAC to $devID?"
echo "Press 1 to assign $newMAC to $devID? (otherwise press 2)"
select yn in "Yes" "No" ; do
    case $yn in
        Yes )
            $priv ifconfig $devID down
            sleep 2  # allow interface to go down
            $priv ifconfig $devID hw ether $newMAC
            sleep 2  # allow time to assign MAC to interface
            $priv ifconfig $devID up && $priv ifconfig $devID | grep HWaddr
            break ;;
        No ) exit 0 ;;
    esac
done

## END ##

Reply to
Paul M. Cook

What I should have explained further was that in reality, it is more likely that the ISP would not block that port (unless compelled to do so by a court order or possibly just a request from the City of London [England] Police) but that they would slow down traffic assigned to that port number (traffic shaping).

If you read the HOWTOs/FAQs for some other p2p client software, the authors recommend not using the well known p2p port numbers for exactly that reason (traffic shaping slowdown) but to use some random (usually higher number) port.

Reply to
J G Miller

Thank you for pointing out the "random" port option.

I had seen that, and wondered how that fits in the picture of assigning ports, since the random port doesn't have a range.

So, I "guessed" that you can't really both set Transmission to a random port and set a range in your router to port forward.

It seems, to me, only logical that the random port setting in Transmission can only be used if you turn UPnP on in the router.

Otherwise, it seems to me, if you have UPnP turned off, then you have to set a range of ports in the router.

The problem is that Transmission doesn't seem to have a range option to limit the random ports to the same range that you set in the router.

So, it seems, to me, logical that:

(A) If you set the router to UPnP, then you can also set Transmission to use random ports, but,
(B) If you set the router to a range of static ports, the problem is that you can't limit Transmission to use those static ports only.
Given that:
(C) Effectively, you can only set Transmission to a single port if you also have UPnP turned off in the router since that's the only way you can guarantee that Transmission will use the same port as you have opened up in the router.

So, I think *that* is why the article on how to set up Transmission may have promulgated using only *one* port.

DISCLAIMER: I am only starting to understand this stuff, so take everything I assume with a large bag of salt.

Reply to
Paul M. Cook

I don't think my SOHO router will allow a range of IP addresses, nor, can the password be all that secure since it seems to be limited to 8 characters.

You can put in more than 8 characters, and it won't complain, but, it seems to look at only the first 8 characters.

Worse, my router doesn't seem to let you change the admin username, so, the admin account is always "admin".

So, if that's how all SOHO routers work, that's not all that secure.

Reply to
Paul M. Cook

At this point, I understand a *lot* more than I did before. I'll try to write up a summary for others to benefit.

At the moment though, I "think" I did everything right, but, still, Transmission is saying the port is "closed" when I test it.


Wondering if this setting makes any difference, I had to look it up: [ ]Use UPnP or NAT-PMP port forwarding from my router

While I know we're not using UPnP now, I don't know if we discussed whatever "NAT-PMP" is yet. Googling, I see NAT-PMP stands for Network Address Translation Port Mapping Protocol.


It seems to be "similar" to UPnP, so, I don't think it's a good idea to check that box.

Do you concur?

Reply to
Paul M. Cook

Correct. That is why uPnP is convenient, but as we all should now know, perhaps not very safe.

Not in the GUI because the developers have never bothered to add it in, but it can be manually set in the configuration file.

See "Peer Port" at

(I have a vague feeling that this may have been broken in some old versions of Transmission, but if you are using 2.84 it should work as expected.)

And if you do use it, do not use too wide a range of numbers: no more than 250 perhaps at the very most, but 50 should be more than adequate.

Also if you want to review your understanding of implementing port forwarding with respect to transmission, take a look at

Reply to
J G Miller

There's a Transmission configuration file?

Looking about, I see there are config files here: $HOME/.config/transmission/settings.json

$ grep port settings.json
    "peer-port": 51413,
    "peer-port-random-high": 65535,
    "peer-port-random-low": 49152,
    "peer-port-random-on-start": false,
    "port-forwarding-enabled": true,
    "rpc-port": 9091,

My version is 2.82 (14160).

Reply to
Paul M. Cook

Thanks to everyone here, below is a summary I wrote of my current understanding of just the UPnP versus Port Forwarding issue for setting up the Transmission bittorrent client on Linux (Ubuntu) for optimal speed.

It's written in my words, so, if there are errors in my understanding, I'm fine with you pointing them out!

My summary of what was learned in this thread about UPnP & Port Forwarding

(0) The way things work is that an incoming request to WAN external IP 1.2.3.4 on port 12345 hits the SOHO router. Without port forwarding, the SOHO router will drop that request (or any request to any port).

But, with port forwarding, the router sees the external port WAN request for 1.2.3.4:43101 and it forwards that external port to a static LAN internal port of 192.168.1.10:43101, which the Transmission client is listening on for upload requests (which apparently require both TCP & UDP messages). (Transmission settings are in $HOME/.config/transmission/settings.json)

(1) Since bittorrent maintains two download queues, the first priority going to those who are uploading data and the second going to those who are not uploading data, if I'm not uploading data, then I will only download data when the first queue is empty.

(2) That means two different things if I don't open a port to the world:
- For those people with public sockets, I will be in the first queue because they can get data from me even though I don't have a public socket myself.
- For those people without public sockets, I will be in the second queue because, to them, I'm not uploading any data because I don't have a public upload socket open.

(3) Overall, not opening a port will probably increase my download times (depending on a combination of how many other people have public sockets open and on how full that first queue is).

(4) The *easiest* way to open a port for those external clients who do not have a public socket is to simply turn on UPnP on both the SOHO router and in Transmission. Optionally, if UPnP is turned on in Transmission, I can set Transmission to use a random port each time the application is started.

(5) The *safest* way to open a port is to turn off UPnP in both the SOHO router and in the Transmission app, and just manually forward a port in the router & set that same port in Transmission. Pick a random port between 49152 & 65535. The default is 51413.

However, there are a bunch of things you have to do in order to accomplish that task:
(a) You'll need to have your computer on a static IP address on the LAN (e.g., 192.168.1.10). This can be set (based on the computer wlan0 MAC address) by the router, or, this can be set on the Ubuntu computer.
(b) You'll need to select an unused external/internal port set to forward UDP & TCP packets to (e.g., port 51413) (This port needs to be between 1025 and 65535.)
(c) You'll want to double-check your /etc/services file to ensure whatever port you chose is not being otherwise used. In my case, there are no ports in /etc/services between port 27374 & 30865, and only 3 ports higher than 30865 {57000,60177,60179}, so, all other ports are fair game.
Application = trans

NOTE: There are other things you can set to improve Transmission speeds!



Reply to
Paul M. Cook
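Added example, not the thread's or Transmission's own code: a Python check of the manual (no-UPnP) setup the summary above describes. It reads a constructed settings.json using the keys from the earlier grep output, a constructed /etc/services excerpt, and the router's forward rule, and lists anything that would make the three disagree; it assumes port-forwarding-enabled is the UPnP/NAT-PMP switch behind the GUI checkbox discussed earlier.

```python
# Added example, not code from the thread; sample inputs are constructed.
import json
import re

SETTINGS_JSON = """{
  "peer-port": 51413,
  "peer-port-random-high": 65535,
  "peer-port-random-low": 49152,
  "peer-port-random-on-start": false,
  "port-forwarding-enabled": true,
  "rpc-port": 9091
}"""

SERVICES = """\
ssh             22/tcp
http            80/tcp
rtmp            1935/tcp   # constructed /etc/services excerpt
"""


def services_ports(text):
    """Return the (port, proto) pairs assigned in /etc/services-style text."""
    pairs = set()
    for line in text.splitlines():
        m = re.match(r"\S+\s+(\d+)/(tcp|udp)", line.split("#", 1)[0])
        if m:
            pairs.add((int(m.group(1)), m.group(2)))
    return pairs


def check_setup(settings_text, services_text, router_wan_port, router_lan_port):
    """Return a list of findings; an empty list means router, OS and client agree."""
    s = json.loads(settings_text)
    used = services_ports(services_text)
    port = s.get("peer-port")
    findings = []
    if not 1025 <= port <= 65535:                 # bound given in the summary
        findings.append(f"peer-port {port} is outside 1025-65535")
    for proto in ("tcp", "udp"):                  # both protocols must be forwarded
        if (port, proto) in used:
            findings.append(f"{port}/{proto} is already assigned in /etc/services")
    if not router_wan_port == router_lan_port == port:
        findings.append(f"router forwards {router_wan_port}->{router_lan_port} but Transmission listens on {port}")
    if s.get("peer-port-random-on-start"):
        findings.append("peer-port-random-on-start is true: a fixed forward cannot follow a random port")
    if s.get("port-forwarding-enabled"):          # assumed to be the UPnP/NAT-PMP switch
        findings.append("port-forwarding-enabled is true: Transmission will still try UPnP/NAT-PMP")
    return findings


def harden(settings_text, port):
    """Pin Transmission to one fixed port and turn its UPnP/NAT-PMP requests off."""
    s = json.loads(settings_text)
    s.update({"peer-port": port, "peer-port-random-on-start": False,
              "port-forwarding-enabled": False})
    return json.dumps(s, indent=2, sort_keys=True)
```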

Actually, it's exactly the other way around, which you've corrected in later posts, I think, but I wanted to make sure.

Port forwarding, in your NAT/SOHO router, pre-configures your router to accept traffic arriving at its WAN port (i.e., from the Internet, typically), and forward it to a specific IP:port on your LAN. You do this pre-config work on the router, and then some amount of time later, traffic arrives at the router's WAN port and utilizes your work.

The opposite scenario, connecting an internal (LAN) port to an external (WAN) port, happens automatically when you initiate traffic in that direction. The router not only allows traffic to flow in that outbound direction, it also creates a session table entry (sometimes called a connection table) that essentially says traffic arriving in response to that outbound traffic should be allowed. That happens for both TCP and UDP, BTW.

In the absence of either port forwarding or prior outbound traffic, inbound traffic arriving at the router's WAN port will be dropped. Put another way, inbound traffic (WAN -> LAN) is checked to see if an entry in the session table matches, or a port forwarding rule exists and matches, and if both conditions are false the traffic is dropped.

Note that port forwarding can be something that you do manually, or something that happens automatically via uPNP, to bring this full circle. If you only allow port forwarding as something that you do manually, at least you have some control over it. If you allow uPNP, port forwarding happens programmatically, behind your back. Sometimes that's more convenient, but I have a hard time thinking it's ever more secure, so I agree with the advice to disable uPNP.

Reply to
Char Jackson
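Added example, not code from the thread or any of its posters: a toy Python model of the inbound decision described above, which is also what the ESTABLISHED,RELATED iptables rule quoted earlier in the thread matches on a Linux host. It uses the addresses from the summary (1.2.3.4, 192.168.1.10, port 51413), constructed remote addresses, and assumes a NAT that keeps the outbound source port unchanged.

```python
# Added example, not code from the thread. Assumption: the toy NAT keeps the source port.
from dataclasses import dataclass, field

WAN_IP = "1.2.3.4"          # external address used in the summary
LAN_HOST = "192.168.1.10"   # static LAN address of the Transmission host


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class SohoRouter:
    # manual forwards: (proto, wan_port) -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)
    # session table: (proto, remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
    sessions: dict = field(default_factory=dict)

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> WAN is always allowed; the flow is remembered so that the
        reply (arriving at WAN_IP:sport from dst:dport) is let back in."""
        self.sessions[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
        return ("allow", WAN_IP, pkt.sport)

    def inbound(self, pkt):
        """WAN -> LAN: a session-table match (ESTABLISHED,RELATED) or a manual
        port-forward match lets the packet through; anything else is dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.sessions:
            return ("allow-session",) + self.sessions[key]
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            return ("allow-forward",) + fwd
        return ("drop", None, None)


def demo():
    """The four cases the thread discusses, with constructed remote addresses."""
    r = SohoRouter()
    probe = Packet("tcp", "203.0.113.7", 40000, WAN_IP, 51413)
    before = r.inbound(probe)                     # no rule yet: dropped
    for proto in ("tcp", "udp"):                  # Transmission needs both
        r.add_forward(proto, 51413, LAN_HOST, 51413)
    after = r.inbound(probe)                      # now forwarded to the host
    r.outbound(Packet("tcp", LAN_HOST, 40001, "198.51.100.9", 443))
    reply = r.inbound(Packet("tcp", "198.51.100.9", 443, WAN_IP, 40001))
    other = r.inbound(Packet("tcp", "198.51.100.9", 443, WAN_IP, 40002))
    return before, after, reply, other
```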

On Friday, January 1st, 2016, at 19:43:59h -0500, Paul M. Cook asked:

Did you not see the text at the top of the page

QUOTE Editing Configuration Files ... For the location of these files, look at the Configuration Files page. UNQUOTE

Yes, the peer-port entries are the ones you are interested in.

Incidentally, for easier searching try

grep --color 'peer-port' settings.json

Should work fine.

Incidentally my recollection about random communication port in a range not working may have been misplaced with respect to transmission and was probably an experience with deluge because when I was trying it out, I recall it was in a GUI setting which of course transmission does not have.

Reply to
J G Miller
