AP Port Security Check

TL;DR

This guide shows you how to check which ports are open on your Access Point (AP) and how to secure them, reducing the risk of unwanted access. We’ll cover basic scanning and common security measures.

Checking Open Ports

1. Find Your AP’s IP Address: This is usually found in your router settings or via a network scanner app on your phone (e.g., Fing). Note it down – you’ll need this.
2. Use Nmap for Port Scanning: Nmap is a free tool to discover open ports. You can install it from the official website. It’s available for Windows, macOS and Linux.
   • Basic Scan (all ports): Open your command prompt or terminal and run:

     nmap -p 1-65535 <AP_IP_Address>

     Replace <AP_IP_Address> with the actual IP address of your AP.

   • Scan Common Ports: For a quicker scan, focus on well-known ports:

     nmap -p 21,22,23,80,443,554,8080 <AP_IP_Address>

3. Interpret the Results: Nmap will list open ports. Look for anything unexpected or that you don’t recognise.
   • Open: The port is actively listening for connections. This *could* be a security risk if it’s not needed.
   • Closed: The port isn’t accepting connections, but the AP acknowledges the request. Generally less of a concern than open ports.
   • Filtered: Nmap couldn’t determine whether the port is open or closed (often due to a firewall). Investigate further if you see many filtered ports.

Securing Your AP Ports

1. Change Default Credentials: This is *crucial*. Attackers often try default usernames and passwords. Change them in your AP’s web interface.
2. Disable Unnecessary Services: Many APs have services you don’t need (e.g., FTP, Telnet). Disable these through the AP’s settings.
   • Telnet (Port 23): *Always* disable Telnet and use SSH (port 22) instead if remote access is required. Telnet sends data in plain text.
   • FTP (Port 21): Disable FTP unless you specifically need it. Use SFTP or SCP for secure file transfer.
3. Enable Firewall: Most APs have a built-in firewall. Enable it and configure rules to only allow necessary traffic.
4. MAC Address Filtering (Use with Caution): Allow only known devices to connect based on their MAC address. This is more complex to manage but adds an extra layer of security.
   • Be careful – if you add the wrong MAC address, legitimate devices will be blocked!
5. Update Firmware: Regularly update your AP’s firmware. Updates often include cyber security patches and bug fixes.
6. Consider a Guest Network: Use a separate guest network for visitors to isolate them from your main network.

Further Checks

If you’re concerned about more advanced attacks, consider these:

• UPnP (Universal Plug and Play): Disable UPnP unless absolutely necessary. It can automatically open ports without your knowledge.
• WPS (Wi-Fi Protected Setup): Disable WPS if possible. It has known vulnerabilities.