Mr.X

Router configuration

Hi guys,
It’s just a general question.

I have a client who has an SBS 2011 server and a few computers.
Got a D-Link DSR-1000N router.

Right now no rules are configured in this router.
In the past few days I found a few suspicious activities happening on their server. The admin account is getting locked out after many incorrect login attempts. I changed the admin name and it’s all sorted now. But I want to know how to protect it at the router level.

Generally, how do I protect an internal network from the outside? Are there any specific incoming rules I should put in the D-Link router? Like always blocking this port, or any generic rule which will suit all environments?

Thanks.
John

Get a hardware VPN router and then allow only authorized users to use the VPN. That will stop all other incoming activity and secure your machine.
Madison Perkins

How are you handling email in SBS? If they are using Exchange internally then mail will have to come through the firewall. The router you have has been phased out and should probably be replaced. Before that happens you should update the firmware to the latest version if it’s not already there.

You should only allow an inbound connection when necessary. Barracuda and Sophos do a pretty good job with their entry-level devices. I’m a big fan of Sophos (formerly Astaro) and have been a user of their devices for almost 2 decades. Their AV/malware for internet, the proxy for mail and virtual web server setup do a good job with the features in SBS. With SBS there are a number of services that they may use internally.
Mr.X

ASKER

Hi, thanks for all the replies.
I use Office 365 for email, not Exchange.
If I allow only 443 and 25: I think normal browsing goes through port 80. So if I block 80, am I not stopping web traffic?
Is there any tool to check which ports are open on my external side?

Web traffic is REQUESTED by systems on your network. Blocking incoming blocks incoming requests that don't originate on your network.

@John great checklist

The free diagnostic tools on this site would give you a basic idea of the common ports.
https://www.experts-exchange.com/tools/port-scanner.html

I’ve used pentest-tools in the past.  
https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
Mr.X

ASKER

Hi guys/Madison, sorry about the long delay. Thanks for all the replies.
I used the port scan. It shows a few ports are open, but I want to know: are the ports open from the port scanner's WAN IP, or are the ports open all over the world?

If you used this: https://www.experts-exchange.com/tools/port-scanner.html
and saw a result like this:
Open      443      https      http protocol over TLS/SSL
It means that port 443 is open to anyone on the internet.

Post the port numbers that were open and the services you need to provide to the outside and we can help you eliminate those you absolutely don’t need. If they have SBS and moved mail to Office 365 you will need to remove some to secure the firewall/router.
Mr.X

ASKER

[User generated image]
It shows port 50390. Does it mean it's open to everyone on the internet?
How do I identify if it's just open to the Experts Exchange website/WAN IP?
Because I thought I am doing the port scan from the Experts Exchange website, so it will show ports depending on their WAN IP.

Well, you are doing a scan from their web site, but that doesn’t mean that it’s not open from other locations on the internet. Look in the firewall and find a rule that has those numbers and disable it. Don't delete. Then rerun the scan and make sure it’s closed. I can't think of any reason why that port should be open.
Just thought of a reason. Remote firewall administration. If you are remoting into their firewall you may want to wait until you are onsite to disable.

The next thing you need to understand is NAT or network address translation and port forwarding.  
Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.
https://whatismyipaddress.com/nat

There will be NAT set up in the firewall in conjunction with port forwarding. You really need to understand the direction of traffic to get these correct. NAT will have a source and destination. Port forwarding adds the port to a NAT.

I am not familiar with the D-Link interface so the description below may not use the exact terminology.

For the 50390 traffic you should see something in the firewall that says source (internet IP or WAN interface) >> port (50390) >> destination (private server name or address). This is a NAT with port forwarding. Or you could see a NAT rule WAN >> SBS server and a port rule 50390 tcp allow and 50390 udp allow. This is the rule that the scan found.

Once you find and close the open port in the firewall you are as secure from the outside as you can be with the D-Link.
You should also see source (LAN network) >> port (any or all) >> destination (internet or any). This is also called a LAN Masq or LAN masquerade. This is the rule that lets people on the LAN access the internet with any application or service. You can restrict the ports (all or any) to just those ports that are needed. You may not be able to do this effectively on the D-Link. I wouldn’t suggest you restrict the LAN by specifying ports unless you can get some specific guidance from someone that is familiar with the D-Link or until you feel very comfortable with the concepts of NAT and port forwarding.

No need to overcomplicate this. All you need to do is purchase an updated SOHO router of your choosing. Configure normal NAT overload to allow internet traffic out. You are set. Your internal computers will be hidden behind the public IP. The router's firewall will allow stateful connections, meaning connections initiated from your internal network will be allowed out and the return traffic for those connections allowed back in. If you need to access your network externally, THEN you will visit port forwarding or pinhole settings in your router. From your comments it seems you do not need that.
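
The rule shapes described in the replies above (an inbound `WAN >> port >> server` forward versus the outbound `LAN >> any >> WAN` masquerade), as an added example that is not part of the original thread: a short Python audit that flags inbound forwards outside an allowlist. The rule text format, the 192.168.1.10 address, the 8000-8001 range and the allowlist (only tcp/443 published, since mail is on Office 365) are assumptions for illustration, not the D-Link's real export format.

```python
import re

# Constructed sample rules in the "source >> port >> destination" shape used
# in the thread. Not a real D-Link export; the addresses are made up.
SAMPLE_RULES = """\
WAN >> tcp/443 >> 192.168.1.10
WAN >> tcp/25 >> 192.168.1.10
WAN >> tcp/50390 >> 192.168.1.10
WAN >> udp/50390 >> 192.168.1.10
WAN >> tcp/8000-8001 >> 192.168.1.10
LAN >> any >> WAN
"""

# Assumption: with mail on Office 365, only HTTPS must be reachable from outside.
REQUIRED = {("tcp", 443)}

RULE_RE = re.compile(
    r"^(WAN|LAN)\s*>>\s*(any|(tcp|udp)/(\d+)(?:-(\d+))?)\s*>>\s*(\S+)$")

def parse_rule(line):
    """Split one rule line into source, protocol, port range and destination."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    src, spec, proto, lo, hi, dst = m.groups()
    if spec == "any":
        proto, ports = "any", range(1, 65536)
    else:
        ports = range(int(lo), int(hi or lo) + 1)
    return {"src": src, "proto": proto, "ports": ports, "dst": dst}

def audit(rules_text, required):
    """Return (rule, first_port, last_port) for every inbound rule that
    exposes ports not listed in `required`."""
    findings = []
    for line in filter(str.strip, rules_text.splitlines()):
        rule = parse_rule(line)
        if rule["src"] != "WAN":
            continue  # LAN >> any >> WAN is the outbound masquerade, not exposure
        extra = [p for p in rule["ports"] if (rule["proto"], p) not in required]
        if extra:
            findings.append((line.strip(), extra[0], extra[-1]))
    return findings

if __name__ == "__main__":
    for text, first, last in audit(SAMPLE_RULES, REQUIRED):
        print(f"disable and rescan: {text}  (unneeded ports {first}-{last})")
```
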