Why it is important to check the ports you have open on your router
The router is the guardian and gatekeeper of your local network against the vastness of the Internet and all its inhabitants, good and bad. That’s why it’s a good idea to check the ports open on your router.
Open ports in the router allow interaction with the local network from the Internet. If an external source detects any vulnerability in the local network protection, it could gain access to our computers and get hold of sensitive data, install malware, etc.
In this article, we explain in detail how local networks work, what open ports are and why it is important to check the open ports on your router.
How do local networks work?
Internet access from a home or office is provided through a router installed by the connection provider. This router has WiFi to provide wireless Internet and Ethernet cable sockets (RJ45) to connect directly via cable.
All the devices connected to the router, either by cable or by WiFi, are part of a local network. In the local network, each device has a private IP address internal to the network, usually 192.168.1.X, and they all connect and interact with the Internet through the router.
The router has a unique IP address, called the public IP, which is assigned by the Internet provider. Unless a fixed IP is contracted separately, this IP is not fixed, i.e. it can change in the future, for example, if the router is rebooted.
The number of public IP addresses is limited so, in some cases, Internet providers implement a technology called CG-NAT (Carrier-Grade NAT), which allows multiple users to share the same public IP address. This is achieved by assigning private IP addresses to each user’s devices within a network managed by the provider.
Although this technique optimizes the use of public IP addresses, it can cause problems for applications that require a direct connection, such as online video games, surveillance cameras or home servers, as it makes it difficult to open and forward specific ports.
From the local network, all devices are able to access any Internet service. The router uses the local source IP of each communication to know which device made the request, and sends the request to the Internet from its public IP. The information returned from the Internet reaches the requester in the same way, but this only works for communications initiated by computers on the local network, with their local IP.
If, on the other hand, we would like to access a computer within the local network from the Internet, the problem we encounter is that we only have the public IP of the router. To reach the specific computer, the router needs to know which of the local network devices we want to connect to, so that it can pass the data arriving from the Internet on to the local IP of that computer.
Now that we know the basics of how communications work from a local network to the Internet and vice versa, it remains for us to understand what a port is.
What are open ports?
When we visit a web page, what actually happens is that a request is made to a server for a specific service. The same computer can have multiple different services, offering them simultaneously. This is possible because each service has a number associated with it. This number is called a port.
For the sake of clarity, a computer can have up to 65531 ports. On each port, there can be one service. These services, depending on their type, have a number associated with them. These numbers are governed by standards, which is why a given service always has the same number.
For example, if a computer has a web server, what it has is a service on port 80. Thus, when someone wants to view that server's website, they connect to port 80, and that is where the website is served.
Ports make it easy to connect to devices within a local network
However, remember the limitation of the router: from the outside, you cannot directly access a computer inside the network. To do this, we must open a port on the router and redirect the connections that arrive from the Internet on that port to a particular service running on a device that has a specific IP on the local network.
In the above example, we can have the router open port 80 and tell it to redirect all connections from the Internet to that port to the internal network computer with the IP 192.168.1.123, which is where the web server is running.
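The following added example (not part of the original article) models the behaviour described so far: replies to connections started inside the network are delivered, unsolicited connections are dropped, and a forward for port 80 to 192.168.1.123 lets any Internet host through. The `Router` class, the public IP and the remote addresses are constructed for illustration, and real routers differ in the details.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed public IP (documentation range)


@dataclass
class Router:
    """Toy model of a home router's address translation, simplified for illustration."""
    forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    sessions: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port, remote)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN device starts a connection; the router remembers who asked."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[public_port] = (lan_ip, lan_port, remote)
        return (PUBLIC_IP, public_port)  # source address the remote server sees

    def inbound(self, remote, public_port):
        """Decide where a packet arriving from the Internet is delivered."""
        session = self.sessions.get(public_port)
        if session and session[2] == remote:
            return session[:2]  # reply to a connection started from inside
        if public_port in self.forwards:
            return self.forwards[public_port]  # open port: any sender gets through
        return None  # unsolicited and no forwarding rule: dropped


def demo():
    router = Router()
    web_server = ("198.51.100.7", 443)  # constructed remote service
    stranger = ("192.0.2.66", 51515)    # constructed unrelated Internet host
    _, port = router.outbound("192.168.1.50", 51000, web_server)
    results = {
        "reply": router.inbound(web_server, port),
        "unsolicited": router.inbound(stranger, 80),
    }
    router.forwards[80] = ("192.168.1.123", 80)  # the forward described in the article
    results["after_forward"] = router.inbound(stranger, 80)
    return results


if __name__ == "__main__":
    for case, target in demo().items():
        print(f"{case}: {target}")
```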
It is important to clarify that, nowadays, an average user does not need to open ports on the router. Technology has advanced enough that there are alternatives to perform certain tasks that historically did require open ports.
An uncontrolled open port is a security risk
Having an open port, in and of itself, does not pose a security problem. The problem arises from what is behind that port. That is, which application or service is responding to communications through that open port.
Having an open port exposes services or applications running on your computer or any of the devices connected to your local network to the Internet. This means that anyone can interact with your computer from the Internet.
Suppose the service we have exposed is misconfigured, or has, or is later discovered to have, a security flaw. In that case, anyone from anywhere in the world will be able to access our computers, with all the consequences that this entails.
If a criminal is able to locate a vulnerable service exposed by an open port in your router, he can exploit it, take control of the device, and, from there, take control of the network, carry out attacks from your address, etc.
Finding vulnerabilities is easier than you think. There are exposed application search engines on the Internet, such as Shodan, where you can search for exposed services through open ports. This type of tool is widely used to search for vulnerable services and exploit them.
How to identify and check for open ports on a home router
There are two main ways to identify and check for open ports on your router.
- Router configuration: The first is to access the router's configuration and see which ports are open and to which services they are directed.
- Port scan: If it is not possible to look at the router configuration, or if you want to double-check, the way to assess what your router has open is to perform a port scan against your public IP. There are online services that perform this scan and indicate whether there are any open ports, and even give additional information about which service is running.
To find out our public IP address, just search for «what is my IP address» in Google, and the search engine itself will tell us what our IP address is.
If you have another internet connection, you can do the same with tools like Nmap, which allows you to scan the entire port range and will give you a lot of information.
By default, a router installed by a telephone provider does not have any open ports. Even so, it is a good idea to periodically check if this configuration has changed.
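As a complement to the periodic check suggested above, this added example (not from the original article) tests a short list of TCP ports on your own address and compares the result with the forwards you expect to exist. The function names are assumptions made for the example, and the built-in demonstration uses a listener on the local machine as a constructed stand-in for an exposed service.

```python
import socket


def open_tcp_ports(host, ports, timeout=1.0):
    """Return the set of ports on host that accept a TCP connection."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an error code otherwise
            if s.connect_ex((host, port)) == 0:
                found.add(port)
    return found


def compare_with_expected(found, expected):
    """Report ports that should not be open and expected forwards that do not answer."""
    return {
        "unexpected": sorted(found - expected),
        "missing": sorted(expected - found),
    }


if __name__ == "__main__":
    # Constructed sample: a local listener plays the role of a forwarded service.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
        srv.listen()
        port = srv.getsockname()[1]
        found = open_tcp_ports("127.0.0.1", [port])
        # No forwards are expected, so the listener is reported as unexpected.
        print(compare_with_expected(found, expected=set()))
```

To check a router, run it from another Internet connection against your public IP, as the article advises for Nmap; behind CG-NAT that address is shared with other users, so the result reflects the provider's equipment rather than your router.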
Why you should have proper control of open ports
The golden rule is: if you don’t need it, don’t open a port on your router.
By not exposing services to the Internet, our router will act as a firewall, and all attack attempts will come to nothing since the attack surface is nil as no application is exposed to the Internet that could be susceptible to attack. It should be noted that excuses such as «I don’t have anything important on my computer» or «I only use it to play games» do not exempt you from problems.
Don’t let your guard down: even if you don’t have anything to steal, your computer can serve as a launching pad for cyberattacks
Even if there is no sensitive information on your device that can be stolen, cybercriminals can use it to carry out attacks in which you appear as the sender. From that moment on, even if you are innocent, you will have to explain yourself and you will be immersed in a not very pleasant process.