Port 161 is open for BT use as quoted "remote hub management and network management" and as has been posted in an earlier post by one of the mods, post 67.
Personally I would not worry; there are far bigger risks in the world.
When I read all this stuff about ports 161 and 4567 being open I was initially alarmed, and thought I would perhaps buy a different router. But, thinking about it carefully, it is, in my view, nothing to worry about. Steve Gibson of GRC is not entirely correct in his analysis of the problem. The problem is not "leaving ports open", it is "running software connected to those ports".
Port 161 is traditionally used for SNMP and IF your PC is (bizarrely) running an SNMP server then, yes, it is possible that it could be hacked by someone who knew how to exploit an SNMP weakness. That is Steve Gibson of GRC's point. But there is no evidence that BT is running SNMP! I suspect that BT is running its own proprietary protocol for their own network management reasons. If we give them some credit for software competence then this protocol will not be easy to hack and will not allow 'devastating' consequences. Of course, if they are running SNMP then that's a bit naughty but it should be possible to establish this by telnetting to port 161 and having a probe around. (If I understood the SNMP protocol, I would try it.)
A separate question is "how much is BT snooping inside my home network". The salient point here is that IF an organisation wished to do that (and I'm making no allegation against BT here) there are far more stealthy ways of doing it than leaving a port open on the router! It can be done without leaving any ports open at all (e.g. the router could act as a client and 'phone home' occasionally, opening a connection for all sorts of secret purposes). So, what I'm saying is that, in my view, there is no need to worry that port 161 being open actually signifies anything of importance.
I have BT Infinity and I'm thinking of putting a box (computer) with two network cards in it between the FTC modem and the BTH3, running Wireshark and configured as a network bridge.
Anyone done this yet?
Okay got a box connected via pppoe and the port 161 is now closed 🙂
and no bt home hub connected to my network 🙂 🙂
wireshark is still; and not looking like the matrix 🙂 🙂 🙂
I'm going to forget about making a bridge, as I was only going to use it to sniff the traffic on 161 to the BTH3,
but if you guys want to find out what BT run on 161 I might be interested in helping out.
Now it's time to install this PCI WiFi card and turn the box into an access point!
Sounds like a good idea. I will try this out to sniff what is happening on this port. Was setting up pppoe difficult? Will give it a go tonight nevertheless
OK. Tested this out.
A PC with two Ethernet NICs (let's call them NIC1 and NIC2) and one wireless NIC. I passed the LAN1 output from the BT Openreach (Infinity modem) to NIC1 on the desktop and also ran another Cat5e from NIC2 on the desktop to the BT Home Hub 3 (Infinity socket). I also bridged the networks on NIC1 and NIC2 and ran Wireshark.
This allowed me to sniff all traffic between BT HH3 and the exchange (I think). I captured traffic for some 2 to 5 minutes but there was no activity on port 161. Any thoughts?
Also I checked the setup works by running portscans from the internet specifically on port 161 and I can see some packet activity captured by wireshark when I run those scans, but otherwise there seems to be no traffic on the port 161 albeit I listened only for a few minutes.
have you tried using smoothwall?
it's very easy to use - if you have multiple devices you can get it monitor each device to see which is using the most bandwidth
I captured traffic for some 2 to 5 minutes but there was no activity on port 161. Any thoughts?
Yes. You are probably wasting your time. If port 161 is used for maintenance by BT you are only going to see traffic on it once in a blue moon! e.g. perhaps they collect monthly statistics? There is really no point in anyone wasting time looking at this issue unless they look at the specific point I made in my earlier post of checking to see if port 161 is actually running an SNMP server. Then, if the particular SNMP server software in use has known vulnerabilities, it is a problem. However, as I said earlier, there is no reason to assume BT is actually running an SNMP server on this port. They could be (and probably are - IMHO FWIW) running their own proprietary routines.
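An added example, not part of any poster's message: one way to answer the "is it actually SNMP?" question passively from the Wireshark capture described above is to check whether payloads seen on port 161 parse as an SNMP message (BER-encoded, normally carried over UDP). The function names and both sample payloads below are constructed for illustration.

```python
# Added example: classify payloads captured on port 161 as SNMP or not.
# Checks only the outer SNMP framing: SEQUENCE { version, community | v3 header, PDU }.

def _read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of payload")
    return tag, buf[pos:pos + length], pos + length

SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def classify_port161_payload(payload):
    """Return 'snmp-v1', 'snmp-v2c', 'snmp-v3' or 'not-snmp' for one payload."""
    try:
        tag, body, end = _read_tlv(payload, 0)
        if tag != 0x30 or end != len(payload):   # outer SEQUENCE must span the datagram
            return "not-snmp"
        tag, ver, pos = _read_tlv(body, 0)
        if tag != 0x02 or len(ver) != 1 or ver[0] not in SNMP_VERSIONS:
            return "not-snmp"
        name = SNMP_VERSIONS[ver[0]]
        tag, _, pos = _read_tlv(body, pos)
        if name == "v3":
            ok = tag == 0x30                     # msgGlobalData SEQUENCE
        else:
            ok = tag == 0x04                     # community OCTET STRING
            if ok:
                tag, _, pos = _read_tlv(body, pos)
                ok = 0xA0 <= tag <= 0xA8 and pos == len(body)   # SNMP PDU tags
        return "snmp-" + name if ok else "not-snmp"
    except ValueError:
        return "not-snmp"

# Constructed samples: a v2c GetRequest (community "lab") and an opaque non-BER payload.
SAMPLE_SNMP_V2C = bytes.fromhex(
    "3023 020101 0403 6c6162 a019 020101 020100 020100"
    " 300e 300c 0608 2b06010201010100 0500")
SAMPLE_OPAQUE = b"\x16\x03\x01\x00\x05hello"

if __name__ == "__main__":
    for p in (SAMPLE_SNMP_V2C, SAMPLE_OPAQUE, SAMPLE_SNMP_V2C[:20]):
        print(p.hex(), "->", classify_port161_payload(p))
```

A "not-snmp" result for every payload on the port would support the proprietary-protocol theory; any "snmp-*" result would settle it the other way.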
The network service listening on 161/tcp and 161/udp of these devices is called btagent. The service is the CPE component of the TR069 framework for remote management. TR069 was developed by a consortium including AT&T and 2Wire (now Pace plc). TR069 allows the telco to push firmware upgrades to the router, monitor the line characteristics, etc. Security of the btagent daemon is ensured through a 2048-bit asymmetric (RSA) cryptographic key. The same key is used in all recent CPE shipped by British Telecom.
    BusyBox v1.9.1 (2010-10-15 17:59:06 CST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # netstat -ltun
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:161             0.0.0.0:*               LISTEN
    ..
    udp        0      0 0.0.0.0:161             0.0.0.0:*
    ..
    #
RE to old post by El-Buzzo
It is hardly a conspiracy to point out we are not happy with this security hole....I never thought or said it...I just want to control my own network. And NO other ISP has done this to me before. And I have been with plenty over the years. It is perhaps a first for BT as well. And they do not care about it from their responses, so we can block it at least. I guess it is fine for Google to hack WiFi networks too huh, well they never were held accountable, now were they. I guess that must be a conspiracy too for pointing that out. No one with any power or money actually gives a F so we have to. And FYI it is not whining!
If the port is not in use it has no use being open! Even for remote management, why can't a login be made when that is necessary instead of broadcasting your open port to any potential port scanners? I used to get port scanned by foreign ISPs and web hosts from the USA on a regular basis; I emailed their abuse departments and it continued for about a year. I had their IPs blocked so they were blocked before by software as well. When I was not with BT I once had a DDoS attack from the BT research centre and I emailed them to stop it and they did, told me it was routine testing or some other nonsense. I once read that BT are the #1 ISP in the world for port scanning others. Whether an attack or port scan comes from the companies themselves or their customers does not matter hugely to me, just as long as I can control my own network's security, and having open ports is really bygone times before the retail sector had firewalls.
Can anyone confirm that ALL ports are now closed on the hub3, and this problem has at last been fixed, and the ports are only open if UPnP is on, and only if asked to by hardware/software.
From experience I don't want open ports on my router even if BT say it's so they can "look after" our LANs (I have no BT devs on my LAN and would regard it as hacking if they snooped on it).
I like all my ports closed unless I open them.
If BT sold doors, they would fit it, then keep it open so they could "manage" the contents of my house.