[Answered] Does Transmission do Port Scans ?

PVDP
Posts: 3
Joined: Mon Feb 04, 2013 6:29 pm

Post by PVDP »

Hello everyone,
I do use Transmission on my NAS. I like the features much better than the out-of-the-box solution that was already installed, and my impression is also that it is faster.
Anyway, there is something odd going on. One of my PCs in the same LAN has Norton Network protection installed and I see around 10 port scans within 90 minutes. Those come from the IP address of my NAS, and the remote port used to do the scans is exactly the one configured in Transmission.
Does Transmission do port scans in its own LAN? If so, what for, and how can I turn it (or the option responsible for it) off?
Any help is much appreciated.

Thanks.
rb07
Posts: 1400
Joined: Sun Aug 24, 2008 3:14 am

Re: Does Transmission do Port Scans ?

Post by rb07 »

No, it doesn't.

You have to be careful, port scans are usually done by a virus, or a hijacked system (could be a program modified to give access to a 3rd party). Make sure your installed Transmission comes from a good source.

Also check what is being reported as "port scan". Is Transmission configured to use LPD? If it is, then it could be doing one of two things (I'm not sure w/o spending some time looking at the code): broadcasting, or probing one port. My guess is that it would broadcast, so other Transmission clients can respond telling the first one which port to use. BTW LPD means Local Peer Discovery.

Anyway, that is not port scanning, Transmission doesn't do any of that.
PVDP
Posts: 3
Joined: Mon Feb 04, 2013 6:29 pm

Re: Does Transmission do Port Scans ?

Post by PVDP »

Hello rb07!
Thanks for your feedback!

I do know that such scans are typically done by viruses, compromised systems etc. This is why I (have concerns and) started the post. I did some checks with different anti-virus tools but did not find any (at least on my Windows machine). The NAS Transmission is running on has an embedded Linux. The Transmission version is 2.75-b19.
Well, maybe "port scan" as such is exaggerated, but a port scan every 9 minutes (the ports are almost always different) is just odd.

LPD was/is a good hint, thanks for that. This option is enabled (although for the normal home user I think it does not make sense).

I will disable it, keep an eye on the firewall and will let you know in a couple of days.

THANKS!!!
rb07
Posts: 1400
Joined: Sun Aug 24, 2008 3:14 am

Re: Does Transmission do Port Scans ?

Post by rb07 »

Another feature that could be flagged as 'scanning' (not port scanning) is enabling UPnP and NAT-PMP to open the peer port on the router. It's a one-time probe, when the daemon starts, to find the router in the LAN (I think a multicast is used for UPnP). So again, that operation is nothing like port scanning.

Talking about opening the port on the router, if you did it manually then make sure you opened just the peer port, not the 9091 port (a.k.a. Web client port / RPC port). I don't know if there are exploits targeting Transmission, but if you don't need to control it from outside your LAN, then you don't need to open that port.

Two points you make raise red flags: the scan is made once every 9 minutes, different ports... if it's on a regular schedule, then it's (probably) a program; if it's not, then it's (probably) a person. A virus usually scans like crazy, thousands per second, but maybe a smarter virus lowers that speed so it can't be detected easily (high-end switches detect the first type of scan and block it; most firewalls, if configured correctly, also do that -- but for Internet traffic).

The second point is your apparent trust in Linux. I know what a NAS runs, I also have one, and I know what a virus is... not a Windows exclusive; granted that 99% of viruses are for Windows, but there are also ones for Linux, Mac OS X, whatever (even the iPhone has them). A NAS is usually safe because nothing gets installed (and executed) on it; that is obviously not the case here, at least Transmission got installed and executed, so better ask the provider (Optware? It would be nice if they provided some level of security: checksum, signature).
PVDP
Posts: 3
Joined: Mon Feb 04, 2013 6:29 pm

Re: Does Transmission do Port Scans ?

Post by PVDP »

Hi rb07,
as promised, I will inform you about the results.
Apparently it really was this Local Peer Discovery feature that gave me "a suspicious impression" (but one can never be too careful these days, right 8-) ). No Network Port block logs recorded from my NAS (IP) ever since it was disabled.

Thanks a lot for your comprehensive answers. Much appreciated!

Take Care.
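
Added example, not part of the thread and not Transmission's own code: a triage sketch that separates the discovery traffic discussed above (LPD, UPnP/SSDP, NAT-PMP) from an actual port scan in firewall log lines. The log format, addresses and `min_ports` threshold are constructed assumptions; the multicast endpoints are the standard ones for LPD (BEP 14) and SSDP, and 5351 is the NAT-PMP port.

```python
from collections import defaultdict
from ipaddress import ip_address

# Standard multicast endpoints for the discovery protocols named in the thread.
DISCOVERY = {
    ("udp", "239.192.152.143", 6771): "lpd",   # Local Peer Discovery (BEP 14)
    ("udp", "239.255.255.250", 1900): "ssdp",  # UPnP discovery
}
NAT_PMP_PORT = 5351  # NAT-PMP requests go to the default gateway on this UDP port

# Constructed firewall log, one event per line: proto src:sport dst:dport
SAMPLE_LOG = """\
udp 192.168.1.20:40000 239.192.152.143:6771
udp 192.168.1.20:40001 239.255.255.250:1900
udp 192.168.1.20:40002 192.168.1.1:5351
udp 192.168.1.20:40000 239.192.152.143:6771
tcp 192.168.1.66:50100 192.168.1.10:21
tcp 192.168.1.66:50101 192.168.1.10:22
tcp 192.168.1.66:50102 192.168.1.10:23
tcp 192.168.1.66:50103 192.168.1.10:80
tcp 192.168.1.66:50104 192.168.1.10:443
tcp 192.168.1.66:50105 192.168.1.10:445
"""

def label(proto, dst_ip, dport, gateway):
    """Name the discovery protocol an event belongs to, or 'other'."""
    if (proto, dst_ip, dport) in DISCOVERY:
        return DISCOVERY[(proto, dst_ip, dport)]
    if proto == "udp" and dst_ip == gateway and dport == NAT_PMP_PORT:
        return "nat-pmp"
    return "other"

def triage(log, gateway, min_ports=5):
    """Return {source_ip: 'port-scan' | 'discovery' | 'other'}."""
    kinds = defaultdict(set)    # source -> labels seen
    probed = defaultdict(set)   # (source, unicast target) -> distinct ports
    for line in filter(str.strip, log.splitlines()):
        proto, src, dst = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dport = dst.rsplit(":", 1)
        kind = label(proto, dst_ip, int(dport), gateway)
        kinds[src_ip].add(kind)
        if kind == "other" and not ip_address(dst_ip).is_multicast:
            probed[(src_ip, dst_ip)].add((proto, int(dport)))
    scanners = {s for (s, _), ports in probed.items() if len(ports) >= min_ports}
    return {s: "port-scan" if s in scanners
            else "discovery" if "other" not in k else "other"
            for s, k in kinds.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, gateway="192.168.1.1"))
```

A source that only ever talks to the discovery endpoints is labelled `discovery`; one that touches many distinct ports on a single unicast host is the pattern worth investigating.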