Jeffrey Reimer

Q: port blocking 5900

My system administrator has told me to take down my Apple Airport Extreme because of a vulnerability. The administrator says,

"The remote host is an Apple Airport Wireless Access Point which can be administrated on top of TCP port 5009.

There is a design flaw in the administrative protocol which makes the clients which connect to this port send the password in cleartext (although slightly obfuscated).

An attacker who has the ability to sniff the data going to this device may use this flaw to gain its administrative password and gain its control. Since the airport base station does not keep any log, it will be difficult to determine that administrative access has been stolen.

Solution:
Block incoming traffic to this port, and only administer this base station when connected to it using a cross-over ethernet cable."


I am led to believe that Airport Extreme does not allow port blocking, and that one must forward port 5900 to a non-existent IP address.


Can someone comment on this, and perhaps provide clear instructions as to how to forward a port to a non-existent IP address?

MacBook (Retina, 12-inch, Early 2015), OS X El Capitan (10.11)

Posted on Aug 12, 2016 10:09 AM


  • by Tesserax, Level 9 (53,940 points), Wireless
    Aug 12, 2016 10:19 AM in response to Jeffrey Reimer

    By default, as a NAT router, all inbound ports on the AirPort base stations are blocked. There is no way to specifically block ports (inbound or outbound) through the limited AirPort Utility.


    Your suggestion of forwarding a port to a non-existent IP address should work.


    For port mapping/forwarding, check out this AirPort User tip for details. As to which IP address to use, I would suggest that you pick one from outside of the default DHCP scope of the base station ... which is 10.0.1.2-10.0.1.200. So, 10.0.1.201 should do.

  • by Jeffrey Reimer, Level 1 (17 points), Wireless
    Aug 12, 2016 10:29 AM in response to Tesserax

    Thank you Tesserax. I have looked into the Airport User tip site, and have found a few confusing (to me) items. For example,


    "MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>"

    refers to the MAC address of the Extreme?


    "IP Address: <enter the desired Private (LAN-side) IP address that you want to reserve from the DHCP pool of addresses>"

    refers to 10.0.1.201 ???


    And finally

    • Public UDP Ports: <enter the appropriate UDP port value(s)>
    • Public TCP Ports: <enter the appropriate TCP port value(s)>
    • Private IP Address: <enter the reserved IP address of the host device (from step 1)>
    • Private UDP Ports: <enter the same Public UDP Ports or your choice>
    • Private TCP Ports: <enter the same Public TCP Ports or your choice>
    • Click "Save"


    is a bit cryptic and I don't understand this.


    I appreciate your help

  • by Tesserax, Solved answer, Level 9 (53,940 points), Wireless
    Aug 12, 2016 10:45 AM in response to Jeffrey Reimer

    Sorry, I tried to write the tip to be easy to understand, but it must be the Engineer in me that keeps tripping up.

    "MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>"

    refers to the MAC address of the Extreme?

    No, this would be the MAC address of your computer that would be connected to the Extreme. Port mapping/forwarding is designed to allow data traffic from the Internet through a specific port on the Extreme to arrive at your computer. In this case, we would be using an IP address that would not exist on the local network.


    For what you are trying to do here, you can skip the whole first step of the tip. It's the second step where you will want to make the mapping for the Extreme.

    • Public UDP Ports: <enter the appropriate UDP port value(s)>
    • Public TCP Ports: <enter the appropriate TCP port value(s)>
    • Private IP Address: <enter the reserved IP address of the host device (from step 1)>
    • Private UDP Ports: <enter the same Public UDP Ports or your choice>
    • Private TCP Ports: <enter the same Public TCP Ports or your choice>
    • Click "Save"


    is a bit cryptic and I don't understand this.

    Ok, here is a cheat sheet for you:

    • Public UDP Ports: 5900
    • Public TCP Ports: 5900
    • Private IP Address: 10.0.1.201
    • Private UDP Ports: 5900
    • Public TCP Ports: 5900


    Scary easy ... only if you are well-versed in networking which means you don't have a life.
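The workaround the thread settles on has three parts: choose a LAN address that the base station will never hand out (Tesserax's "outside of the default DHCP scope", 10.0.1.201), fill in the port-mapping form with that address as the private side, and then confirm from outside that the port no longer answers. The script below is an added example written for this page, not code from the thread or from Apple; the subnet, DHCP scope and port 5900 are the values quoted in the thread, the 10.0.1.1 gateway address is an assumption, and the function names are this example's own, not an AirPort Utility API. The port is a parameter, so the same calls serve whichever port the administrator's advisory actually names.

```python
"""Blackhole port forwarding on a NAT router that cannot block ports directly.

Added example (not from the Apple Community thread or from Apple). Models the
workaround described in the thread: forward the public port to a LAN address
that no DHCP client will ever receive, then verify the port is unreachable.
"""
import ipaddress
import socket

# Values quoted in the thread: the base station's default LAN and DHCP scope.
LAN_SUBNET = ipaddress.ip_network("10.0.1.0/24")
DHCP_SCOPE = (ipaddress.ip_address("10.0.1.2"), ipaddress.ip_address("10.0.1.200"))
# Assumed: the base station itself sits at the first host address.
ROUTER_ADDRESS = ipaddress.ip_address("10.0.1.1")


def is_blackhole_candidate(ip, subnet=LAN_SUBNET, dhcp_scope=DHCP_SCOPE,
                           reserved=(ROUTER_ADDRESS,)):
    """True if `ip` is on the LAN, outside the DHCP scope and not reserved,
    i.e. no device will ever legitimately hold it."""
    ip = ipaddress.ip_address(ip)
    low, high = dhcp_scope
    return ip in subnet and not (low <= ip <= high) and ip not in reserved


def pick_blackhole_address(subnet=LAN_SUBNET, dhcp_scope=DHCP_SCOPE,
                           reserved=(ROUTER_ADDRESS,)):
    """Return the first usable address that satisfies is_blackhole_candidate.
    With the thread's defaults this is 10.0.1.201, the address Tesserax suggests."""
    for host in subnet.hosts():
        if is_blackhole_candidate(host, subnet, dhcp_scope, reserved):
            return host
    raise ValueError("no free address outside the DHCP scope")


def build_port_mapping(public_tcp, public_udp, private_ip,
                       private_tcp=None, private_udp=None):
    """Assemble the fields the AirPort Utility port-mapping form asks for.
    Private ports default to the public ones, as the tip suggests."""
    private_ip = ipaddress.ip_address(private_ip)
    if private_ip not in LAN_SUBNET:
        raise ValueError(f"{private_ip} is not on the LAN {LAN_SUBNET}")
    return {
        "Public TCP Ports": public_tcp,
        "Public UDP Ports": public_udp,
        "Private IP Address": str(private_ip),
        "Private TCP Ports": private_tcp if private_tcp is not None else public_tcp,
        "Private UDP Ports": private_udp if private_udp is not None else public_udp,
    }


def tcp_port_answers(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within `timeout`.

    Run this against the router's WAN address from a host outside the network
    after saving the mapping; a blackholed port should return False (the
    forwarded SYN goes to an address nobody answers from, so the connect
    times out rather than completing)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, host unreachable, ...
        return False


if __name__ == "__main__":
    sink = pick_blackhole_address()
    mapping = build_port_mapping(5900, 5900, sink)
    for field, value in mapping.items():
        print(f"{field}: {value}")
```

Because `tcp_port_answers` can only distinguish "answers" from "does not answer", it must be run from outside the NAT (a phone on cellular data, or a host on another network); from inside the LAN the mapping is never exercised, so a reachable-looking result there proves nothing about the WAN side.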