Grc.com reports port 22 open

Hi, I just recently got IPFire working and still need to learn a lot but this one has me a bit stuck. I have tried searching the IPFire fora and have not been able to find anything related to this.
I have a simple home setup with IPFire on one laptop with its RED zone being wifi and connected to the home wifi router/modem and GREEN zone connected to one other laptop (my work laptop). The 2 laptops are connected with a direct Ethernet cable to each Ethernet port on each laptop.
When I do a Shieldsup scan on grc.com from my work laptop it tells me that all of the first 1056 TCP ports are Stealth except for port 22. It is open.
I am not an IT or networking guy, just a retired engineer and so I don't know much about all this, but I am trying to figure out why this port is showing open.
I am wondering the following and any input/help/additional info that I am missing or not understanding is much appreciated…

  1. Is grc.com a good site to do testing with? Maybe this is not considered good practice by anyone who knows more than I do about firewalls and networking?
  2. Is there a better way to test?
  3. I run Linux on my work laptop and when I run “sudo firewall-cmd --list-all” it reports:
    drop (active)
    target: DROP
    icmp-block-inversion: no
    interfaces: eno1
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

So both services and ports are blank and I believe this means port 22 is not open/active on my work laptop. Would this be correct?

  4. I run grc.com Shieldsup in my browser on my work laptop but could it be that Shieldsup is reporting port 22 open because it is open not on my work laptop but it is open on my IPFire laptop or the wifi router/modem?

  5. I went into my IPFire WUI and tried to find where I could maybe see anything about open ports or close them - I found SSH Access under System and SSH Access is unchecked so I presume SSH access which I believe is port 22, is not running? Or is this on another port?

  6. If I connect my work laptop directly to the home wifi modem/router and run Shieldsup I get the same result - all ports closed except port 22 is open. If port 22 on my work laptop is open then would/should IPFire not block it, since I believe the default policy is to block all incoming/input connections?

Sorry for the long winded post and possibly misinformed questions…

Thanks ahead of time…

Maybe your configuration allows to connect from RED to SSH on IPFire?
If the answer is “yes”, GRC reports correctly.

Hi Pike,
Thanks for your post.
I am using the default install of IPFire and I don't know if the default is that RED connects to SSH…
I have been searching for this and have read Firewall Default Policy at https://wiki.ipfire.org/configuration/firewall/default-policy and to me it is not clear about port 22. I have searched for e.g. “IPFIre close port 22” and have not found anything. I don't know how to check in IPFire if my configuration allows to connect from RED to SSH. Nor how to change it if needed…

I can blatantly assume that GRC.COM is wrong (sometimes happens) but usually it’s right. So one way or another, something is “allowing” connection on port 22.
https://wiki.ipfire.org/installation/ssh
As default, IPFire uses port 222 for avoiding the “hunt” of SSH, so if you didn’t change that setting, that’s not the case.
Next: does your setup use a public IP address on its RED interface or is there a NAT layer made by another device?
Next: are any port forwarding rules in place from port 22 on the RED interface to any other host in your network?

IMVHO these are quite simple questions that any network wanna-be admin (like me, I’m not good enough to be a network admin) should ask him/herself and the equipment for understanding why in the world GRC is saying something like that.
Moreover: did you try to connect to port 22 in one way or another (using the public IP address provided to GRC)?

Hi Pike, thanks again for the support. I will try the things you suggest and report back.

Your scan is probably hitting your home router. Not your IPFire router.
This is not uncommon on an ISP-provided router.
Often ports are used by them for remote access.
And so customers can log in remotely and turn off access to children etc.
Massive hole in your network sold as a feature.
If your ISP router is in bridge mode then it should be hitting your IPFire router/firewall.

Hi Shaun HVAC,
Thanks for your post. It makes sense because we recently had some trouble with our Internet connection - a tech came to our house, etc and so I would not be surprised that they opened port 22 for remote access.
I need to learn how to do testing to figure this all out though and I will report back once I’m done…

I just wanted to say that after having figured out how to do some testing, the problem was definitely in the wifi router. The ISP had set port 22 to Open or Closed (not stealth) to do testing.
Thanks again for people’s help.

1 Like
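
The three ShieldsUP results discussed in this thread (open, closed, stealth) correspond to how a TCP connection attempt ends. The following is an added example, not code from any poster or from IPFire: it probes port 22 on devices you own and, if the port is open, reads the SSH identification line so you can tell which device is answering. The function name `probe_tcp` and the sample addresses are assumptions.

```python
import socket

def probe_tcp(host, port=22, timeout=3.0):
    """Return (state, banner) for one TCP port.

    state is 'open' (handshake completed), 'closed' (RST received),
    'stealth' (no reply before the timeout) or 'unreachable'
    (routing/ICMP error). banner is the first line the service sends,
    which for SSH is its identification string (RFC 4253).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return ("closed", "")        # device answered with a reset
        except (socket.timeout, TimeoutError):
            return ("stealth", "")       # packets silently dropped
        except OSError:
            return ("unreachable", "")   # no route, host down, etc.
        try:
            data = s.recv(255)           # SSH servers speak first
        except (socket.timeout, TimeoutError, ConnectionResetError):
            data = b""
    banner = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return ("open", banner)

if __name__ == "__main__":
    # Constructed sample addresses: replace with your own devices' IPs.
    targets = {
        "ISP router (LAN side)": "192.168.1.1",
        "IPFire GREEN": "192.168.10.1",
    }
    for label, addr in targets.items():
        state, banner = probe_tcp(addr, 22)
        print(f"{label:24} {addr:15} port 22: {state} {banner}")
```

A probe from inside the network sees each device's LAN-side interface, while ShieldsUP sees whatever holds the public IP address, so the two results can differ for the same router.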

One of the reasons I have my IPFire sitting on the border of my network. I understand why ISPs want to remotely support and troubleshoot connectivity issues. But when I looked deeper into this I found out the ISP supplied router would not allow me to close certain ports. The router firmware prevented me from blocking all incoming connections.

It was around this time that I searched for a more secure solution and stumbled across IPFire.

With IPFire installed in my case in a Protectli appliance I am confident that my local LAN is protected and safe from prying eyes and not to mention any other busybodies with more overt and bad intentions.

RS

2 Likes