Open Ports 914 and 915 and 943

Business solution to host your own OpenVPN server with web management interface and bundled clients.
AsherTop
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 29, 2019 6:42 pm

Open Ports 914 and 915 and 943

Post by AsherTop » Fri Nov 29, 2019 6:50 pm

I am evaluating Access Server version 2.7.5. I am trying to figure out why ports 914 and 915 are open and have services listening on them. It just seems to look like another port to access the web portion of the Access Server.

Same question with Port 943

The bottom line is that I would like to close all open ports to my server except 1194 for VPN access

I see no reason to allow access to the config GUI from the public internet

If I need to access these pages -- I would rather VPN into the network and then access the GUI / Webpages securely

Can I close these ports in iptables -- If yes how do I turn it off?

thanks,

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Open Ports 914 and 915 and 943

Post by novaflash » Fri Nov 29, 2019 7:03 pm

Those are the actual services yeah. They should just be listening to a 127.0.0.1 address, so maybe your config somehow tells Access Server to run it on the public IP instead.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

AsherTop
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 29, 2019 6:42 pm

Re: Open Ports 914 and 915 and 943

Post by AsherTop » Fri Nov 29, 2019 7:17 pm

Where do I change that in the GUI?

What I basically want is to close all external facing open ports on my server except for 443 and 1194

I am not using an external firewall -- this is a Debian 10 hosted VM

If I need SSH or OPEN VPN AS access or anything else on the server etc... I want to be able to connect with VPN Connect to the server over port 1194 -- then connect to say 172.27.232.1:943/admin or ssh to 172.27.232.1 etc... thereby limiting my potential attack vectors on the server

thanks,

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Open Ports 914 and 915 and 943

Post by novaflash » Fri Nov 29, 2019 7:23 pm

Tricky when you don't have an external firewall and don't have an internal network interface to bind services to. Consider adding a dummy network adapter with an internal IP and configuring the web services you want hidden on that internal network adapter.

AsherTop
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 29, 2019 6:42 pm

Re: Open Ports 914 and 915 and 943

Post by AsherTop » Fri Nov 29, 2019 7:36 pm

Done -- got an internal ip setup with my VM

Next I went to configuration -- network settings -- Admin Webserver and said yes to the following interface and IP eth0:1: 192.168.160.19

That appears to have closed off access to 943 both regular and admin -- but 914 and 915 both regular and admin remain open?

Under client webserver the following is selected as YES -- Use the same address and port as the Admin Web Server

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Open Ports 914 and 915 and 943

Post by novaflash » Fri Nov 29, 2019 7:43 pm

I'm sorry, I don't know what's going on in your setup. Maybe if you describe details which version you're using, what operating system, and database configuration dump, we might be able to see what's going on where the services are not binding to 127.0.0.1 - but I would recommend that you do not do that on a public forum but only on the official support ticket system at https://openvpn.net/support

The services should bind to 127.0.0.1 and apparently they're not doing so in your case and I don't know why. Sorry.

AsherTop
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 29, 2019 6:42 pm

Re: Open Ports 914 and 915 and 943

Post by AsherTop » Fri Nov 29, 2019 7:45 pm

OK -- I will submit a ticket

thanks,

AsherTop
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 29, 2019 6:42 pm

Re: Open Ports 914 and 915 and 943

Post by AsherTop » Sun Dec 01, 2019 12:31 am

So it seems like the root problem here is that when you install OPENVPN AS it decides to open a bunch of ports on iptables -- without prompt -- and without telling you about that -- it appears to do this on all installs not just mine --

I get the idea of trying to make sure the install works off the bat for everyone -- but they should at least let people know they are doing this and how to disable the install from doing that

If you are a more advanced user and just want to open 1194 for access and nothing -- like outside access to the WebSite GUI -- instructions should be provided on how to do that

I have been messing around with the config files as per this article but have not found the exact combination required to lock down the install with just 1194 open

http://capnjosh.com/blog/prevent-openvp ... min-ports/

Hopefully an admin from OpenVPN will respond here -- otherwise -- I still have my open ticket

AsherTop
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 29, 2019 6:42 pm

Re: Open Ports 914 and 915 and 943

Post by AsherTop » Sun Dec 01, 2019 12:50 am

More research reveals that others have asked about this before as well:

viewtopic.php?t=21767

Bottom line is even though I use strong password and brute force prevention appears to be built in -- I see no reason to open myself necessarily -- I want to lock up both the ADMIN and USER GUI behind the VPN and not have either accessible from the public internet --

marie-dk
OpenVpn Newbie
Posts: 2
Joined: Wed Oct 14, 2020 5:49 am

Re: Open Ports 914 and 915 and 943

Post by marie-dk » Fri Oct 23, 2020 10:00 am

OAS = OpenVPN Access Server
UFW = Uncomplicated FireWall

I am using UFW and just realized that I can access OAS admin GUI from everywhere. This puzzled me because I added a rule in UFW to make sure that port 943 is only accessible from the local network.

Just like you, I have realized that OAS is tampering with iptables, and these rules are overriding my UFW rules.

And if you think it helps changing the ports in Admin Web GUI, you will notice that OAS will also add these new ports to iptables, leaving them open to the outside world.

My purpose is the following:
  • Do not reveal Web GUI to the world at the server's public IP or the domain.
  • Be able to access Web GUI through domain name via VPN or my home ip
I am not familiar with iptables, so messing with the config is not an option.
Reading this faq didn't make it clear how to accomplish what I want: How do I prevent Access Server from modifying iptables rules on my Linux host?

What I ended up doing:
  • Change the listening interface of the Web GUI to the local network. This prevents the ports from being open to the public and respond to the public IP in the browser.
  • Set up a proxy in Apache to the local address on port 943 and add Require IP to restrict access. That way I can access the admin via vpn.domain.com even though the service is only listening on the local network interface, and restrict access the way I want.
  • Removed all rules in UFW related to OAS, since they have no effect
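
An added example, not part of any post in this thread: a listener audit that takes `ss -ltn` output and reports any socket for the web service ports discussed here (914, 915, 943) bound to something other than loopback or an approved internal address. The sample input is constructed; 203.0.113.10 is a documentation-range stand-in for a public IP, and the function names are hypothetical.

```shell
#!/bin/sh
# Web service ports named in the thread.
WEB_PORTS="914 915 943"

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      203.0.113.10:914   0.0.0.0:*
LISTEN 0      5      203.0.113.10:915   0.0.0.0:*
LISTEN 0      5      192.168.160.19:943 0.0.0.0:*
LISTEN 0      32     0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    [::1]:915          [::]:*
EOF
}

# Reads `ss -ltn` output on stdin; arguments are extra addresses that are
# acceptable to bind to (loopback is always accepted).
# Prints "address port" for every web-port listener bound anywhere else.
exposed_web_listeners() {
    awk -v ports="$WEB_PORTS" -v allowed="$*" '
    BEGIN {
        n = split(ports, p, " ");   for (i = 1; i <= n; i++) want[p[i]] = 1
        m = split(allowed, a, " "); for (i = 1; i <= m; i++) ok[a[i]] = 1
    }
    $1 == "LISTEN" {                       # skips the header line
        port = $4; sub(/^.*:/, "", port)   # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)
        gsub(/^\[|\]$/, "", addr)          # strip IPv6 brackets
        if (!(port in want)) next
        if (addr ~ /^127\./ || addr == "::1" || (addr in ok)) next
        print addr, port                   # wildcard (0.0.0.0, *, ::) lands here
    }'
}

# Demo on the constructed sample; on a live host use:
#   ss -ltn | exposed_web_listeners <internal-ip>
sample_ss_output | exposed_web_listeners 192.168.160.19
```

This only reports where the services are bound; whether the ports are reachable also depends on the iptables rules in effect on the host.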
