Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and back, but printers usually are not directly connected to the Internet [3]. As of February 2017, the Shodan search engine reveals 48,213 printing devices Internet-accessible through port 9100.
Notes:
Port numbers in computer networking represent communication endpoints. Ports are unsigned 16-bit integers (0-65535) that identify a specific process or network service. IANA is responsible for Internet protocol resources, including the registration of commonly used port numbers for well-known Internet services.
Well Known Ports: 0 through 1023.
Registered Ports: 1024 through 49151.
Dynamic/Private Ports: 49152 through 65535.
TCP ports use the Transmission Control Protocol, the most commonly used protocol on the Internet and any TCP/IP network. TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and that packets will be delivered in the same order in which they were sent. Guaranteed communication/delivery is the key difference between TCP and UDP.
UDP ports use the User Datagram Protocol. Like TCP, UDP is used in combination with IP (the Internet Protocol) and facilitates the transmission of datagrams from one computer to applications on another computer, but unlike TCP, UDP is connectionless and does not guarantee reliable communication; it is up to the application that receives the message to process any errors and verify correct delivery. UDP is often used with time-sensitive applications, such as audio/video streaming and real-time gaming, where dropping some packets is preferable to waiting for delayed data.
When troubleshooting unknown open ports, it is useful to find exactly which services/processes are listening on them. This can be accomplished in both the Windows command prompt and Linux variants using the "netstat -aon" command. We also recommend running multiple anti-virus/anti-malware scans to rule out the possibility of active malicious software.
No, because they are internal addresses. In a typical configuration your internal LAN will use a private IP address range, and the firewall will have one public IP address. Incoming traffic to your public IP address reaches your firewall, and then an individual port can be forwarded to one internal address only.
If the cloud system needs to print to multiple printers there are a few options:
Use a VPN from the hosted service to your firewall - this can then allow access directly to the internal network.
Use a print server - so the hosted system sends the print job to the print server and then the print server sends it to the individual internal printers.
Raw TCP/IP is a printing method used to open a TCP socket-level connection over Port 9100, to stream a print-ready file to the input buffer of the printer. Raw TCP/IP then closes the connection after sensing an End-Of-Job character in the PDL or after expiration of a preset time-out value. Port 9100 does not require an LPR request from the computer or the use of an LPD running on the printer. Port 9100 is selected in Windows as the Standard TCP/IP port.
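The raw port 9100 exchange just described, as an added example that is not part of any quoted post or vendor documentation: a Python stand-in for a printer's port 9100 listener that accepts one job and ends it either on an end-of-job byte or when a preset idle time-out expires, plus a loopback driver that feeds it constructed jobs. The specific end-of-job bytes (Ctrl-D for PostScript/PJL, form feed for PCL and plain text), the short time-out and all function names are assumptions; the text above only speaks of "an End-Of-Job character".

```python
import socket
import threading
# End-of-job markers assumed for raw (port 9100) printing: Ctrl-D (EOT) for PostScript/PJL, form feed for PCL/plain text.
EOJ_MARKERS = (b"\x04", b"\x0c")

def find_eoj(buf: bytes) -> int:
    """Offset of the first end-of-job marker in buf, or -1 if none has arrived."""
    hits = [buf.find(m) for m in EOJ_MARKERS if m in buf]
    return min(hits) if hits else -1

def receive_raw_job(conn: socket.socket, idle_timeout: float = 2.0):
    """Drain one job as a printer's input buffer would. Returns (job_bytes, reason), where
    reason is 'eoj' (marker seen), 'timeout' (preset idle time-out hit) or 'closed' (sender hung up)."""
    conn.settimeout(idle_timeout)
    buf = b""
    while True:
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return buf, "timeout"
        if not chunk:
            return buf, "closed"
        buf += chunk
        if (end := find_eoj(buf)) != -1:
            return buf[:end], "eoj"

def open_sink(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Listen like a printer; port=0 lets the OS pick, port=9100 stands in for a real device."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv

def loopback_demo(job: bytes, hold_open: bool = False, idle_timeout: float = 0.3):
    """Send a constructed job to a local sink and return what the sink saw."""
    srv, seen = open_sink(), {}
    def sink():
        conn, _ = srv.accept()
        with conn:
            seen["result"] = receive_raw_job(conn, idle_timeout)
    worker = threading.Thread(target=sink)
    worker.start()
    with socket.create_connection(srv.getsockname()) as client:
        client.sendall(job)
        if hold_open:  # keep the socket open so only the time-out can end the job
            worker.join()
    worker.join()
    srv.close()
    return seen["result"]
```

Bound to port 9100 on a spare host, open_sink also gives a firewall policy for raw printing something to be tested against without involving a real printer.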
Welcome to HP Support Forums. I came across your post and understand that you have an HP LaserJet Pro M1536dnf Multifunction Printer and would like to know how to disable the 9100 port on your printer. I read that such an option is not available in web services or via telnet. I appreciate the steps you have performed and you have certainly done a good job.
I have created two custom services, TCP 9100 and UDP 47808. I created two different policies, one policy using each of the custom services. The firewall is blocking both of the services. The only way I can get the traffic through is to change the policy to allow all services. I even tried allowing ALL_UDP, but udp/47808 was still being blocked. Currently I do have AV and IPS security profiles assigned to the policies, but I did try disabling all security services and the traffic was still being blocked. I have several other policies that are using custom services. The firmware was upgraded prior to any policies or services being created on this firewall. In other words, a firmware upgrade has not been done between the creation of the policies using custom services that are working and the creation of the policies using custom services that are not working. Any help would be greatly appreciated.
edit 14
    set srcintf "Aesynt370"
    set dstintf "port1"
    set srcaddr "Aesynt_Devices"
    set dstaddr "10.69.0.19"
    set action accept
    set schedule "always"
    set service "TCP_9100"
    set utm-status enable
    set logtraffic all
    set comments "Aesynt devices to printer"
    set av-profile "default"
    set ips-sensor "protect_client"
    set profile-protocol-options "default"
I did configure the destination ports as 9100 and 47808, and the source ports are configured as 0-65535. The other policies are not conflicting. I confirmed this by moving the new policies to the top of the list (the two policies I'm having problems with are on different firewall interfaces).
I would next try to monitor the policy when you change it to 'all' to see if any other services are required in addition to the one you specified. Something else may be required that's not documented. It's happened before. (ask me how I know...)
I added 9100/udp. I noticed in the logs viewed from the GUI that when I allow all ports, the log shows the firewall allowed the traffic with Policy ID 14 (which is correct), but if I change the policy to use SNMP, TCP/UDP 9100, it denies the traffic and references Policy ID 0. Below are the results of diag and a screenshot of the log.
Regarding policy #14, if the dest or target device "10.69.0.19" is a network printer, you will want to log into it and confirm it is set up/configured to allow the "Aesynt_Devices" to "talk" to it -- if this is not possible, you may want to enable NAT on that policy as a possible work-around.
Policy #13 10.69.119 and 10.69.1.120 are already allowing the 3 IP addresses to communicate via telnet and ping. I also see communication on 47808/udp when I configure the policy to allow all services, so I don't think it has anything to do with the devices.
I enabled the count column when I first created the rules. The count is going up but that is because each policy is allowing other services through. However, I will create a separate rule for the services I am having problems with.
The policy using TCP 9100 is only using that port. It's simply Windows printing. The policy using UDP 47808 is also using telnet and ICMP. Telnet and ICMP are passing through just fine. The log clearly shows it's blocking only TCP 9100 and UDP 47808. When I changed the policy to allow ALL UDP ports, the firewall still blocked UDP 47808.
Within Docker, can't you just re-map the ports within Docker? If you want to change which address the server actually listens on, I believe you'll want to use Alternate Addresses: -and-availability/connectivity.html#assigning-alternate-addresses
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to the way raw printing over port 9100 works, all that is required after this is to connect to the printer on TCP port 9100 and send the text you want the printer to print.
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have public routable IP addresses make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state, where the printer creates its own access point without encryption and access control. In this case anybody near the printer (i.e. somebody in the next apartment, on the street...) could send jobs to this printer. See for example "Guy pulls off genius prank on his neighbour using their unprotected WiFi printer". Thus, make sure to disable WiFi if you don't need it and configure it securely if you do.
One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from the internal network is also important if your internal network is big, i.e. anything bigger than a home network to which only you and your family connect.
I have Win 8.1 and am trying to connect via WiFi from an Epson WF3540 all-in-one printer. I can connect to the computer with the Firewall turned off. However, when the Firewall is turned on there is no connection.
Why are you trying to connect from the Printer to the Computer? As well you should not turn on those ports at your cable internet service provider. That would expose your printer to the world and allow anyone to print on it.