In our last issue, we discussed some of the basics for securing a machine on a network. The tactics that were mentioned are great for a first line of defense and will prevent a majority of attacks. In this issue, we will look a little closer at some of the most common TCP/IP ports that are used, the services that are generally run on these ports and what this means to you.
First of all, let’s look at ports and what they are. When two machines across a TCP/IP network communicate with each other via a service (such as NetBIOS, HTTP, FTP, etc…), each machine will need to know not only the IP address but also the port number that translates to the service being used. For instance, when someone is “surfing the web” the service they are using is HTTP (hyper-text transfer protocol), which uses port number 80 by default.
Most port numbers can be changed so that vulnerable services can be disguised by using a non-standard port number. For instance, if you knew that certain software exposed a vulnerability in a service, you could try to change the port number in order to circumvent that weakness. However, you would need to be sure all machines on the network are configured as such in order to continue using the service.
Unfortunately, a hacker will likely have a port scanner and will be able to see which services are being run on which ports even if you change the port number. In other words, simply changing a port number will not hide the susceptible service. Additionally, you may create connectivity problems by using these non-standard ports. In general, it is considered to be poor practice to change default ports unless you have a good reason to do so. A better solution would be to determine which services are necessary to keep your network up and running and then uninstall all services that you are not using and close all ports associated with these unused services.
Let’s suppose you are setting up a web server on a Windows NT/2000 Server based machine. By default, Windows will install NetBEUI (NetBIOS Extended User Interface), which is a non-routable protocol and unnecessary for your web server to perform its duties. NetBIOS is also at risk for Denial of Service attacks, which may or may not hurt your data but will prevent your server from performing its job (i.e. web serving). Another point to consider: some ports that show up in a port scan can identify the operating system of the machine that is being scanned. NetBIOS, which operates on ports 137-139, is a good example of this. Most Unix/Linux boxes don’t use NetBIOS, and are not going to be using ports 137-139. When a hacker sees these ports open he has a good idea that the operating system being used is Windows, and thus knows which tools to use for his attack. In summary, if you do not use it, uninstall it.
Once you have disabled all unused ports, you will need to take a closer look at the ports that you have left. You may be able to further lock down these open ports and services by using IP filtering and by configuring remaining services appropriately. For example, if you must use FTP, do not allow anonymous FTP traffic unless you are fully aware of the security risks. I cannot imagine a situation when an anonymous user should ever have FTP write access on a machine. If someone is sharing files with you, helping you with your web site, or needs the ability to upload to your machine for any reason, give them an account on the server. It is too easy for someone to upload malicious software to your machine otherwise.
Another thing to consider with ports is the complexity of the service that utilizes each port. In most cases the more complex the service, the more likely it is to be exploited. As an example, consider SMTP (Simple Mail Transport Protocol, or as it is better known, email). This is a complex service that allows for many methods of exploitation, from attached executables to scripts embedded in HTML email. Spammers will also use weakly protected SMTP ports to relay their junk mail so that it cannot be traced back to them. We have all seen the effects of Trojans, virii, and other types of attacks propagated by email. These attacks can spread around the internet very quickly and in some cases can even use so many resources that the entire internet is affected.
In contrast, take a look at port 7, which by default is echo. The echo service is a very simple service that echoes whatever has been sent to it. Although it is not nearly as susceptible to attack, it can be used in a Denial of Service attack against another server. This is accomplished by forging the header information on a TCP packet so that it appears to have come from somewhere that it did not. When packets like this are sent to many servers, those servers will echo the packets back to where they appear to have originated, flooding the victim’s server with so many packets that connectivity to that server is disrupted. This is a popular attack against IRC based chat room servers. These types of attacks are much less of a problem than something like the I Love You virus, which utilizes the complex capabilities of email.
Following is a table of some of the most common port numbers and their related services:
Port#          UDP/TCP   Description
7              UDP       Echo
9              UDP/TCP   Discard
13             UDP       Daytime
17             UDP       QOTD (Quote of the Day)
19             UDP/TCP   Chargen (Character Generator)
20/21          TCP       FTP
23             TCP       Telnet
25             TCP       SMTP
53             UDP       DNS
67/68          UDP       BootP/DHCP
69             UDP       TFTP
70             TCP       Gopher
79             TCP       Finger
80             TCP       HTTP
110            TCP       POP3
111            UDP       RPC (Sun)
123            UDP       NTP
137/138/139    TCP       NetBIOS
143            TCP       IMAP
161            UDP       SNMP
389            UDP/TCP   LDAP
514            TCP       RSH
2049           UDP/TCP   NFS
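The advice above comes down to one check: compare what is actually listening on the machine against the short list of services it needs, and shut down or filter the rest. The following audit script is an added example written for this article, not code from the original; its service names come from the table above, the netstat-style lines are constructed sample input, and the web-server allowlist (HTTP only) is a hypothetical policy.

```python
import re

# Port -> service name, taken from the article's table (TCP/UDP distinction omitted).
PORT_SERVICES = {
    7: "Echo", 9: "Discard", 13: "Daytime", 17: "QOTD", 19: "Chargen",
    20: "FTP-data", 21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS",
    67: "BootP/DHCP", 68: "BootP/DHCP", 69: "TFTP", 70: "Gopher",
    79: "Finger", 80: "HTTP", 110: "POP3", 111: "RPC(sun)", 123: "NTP",
    137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 143: "IMAP",
    161: "SNMP", 389: "LDAP", 514: "RSH", 2049: "NFS",
}

# Constructed sample in the style of `netstat -an` on a Windows web server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:7              *:*
"""

# Captures protocol, local port and the optional state column (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listening_ports(netstat_output):
    """Return {(proto, port)} for sockets that accept traffic:
    TCP sockets in LISTENING state and every bound UDP socket."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, port))
    return found

def audit(netstat_output, allowed):
    """Return sorted (proto, port, service) for exposed ports not in the allowlist."""
    return sorted(
        (proto, port, PORT_SERVICES.get(port, "unknown"))
        for proto, port in listening_ports(netstat_output)
        if (proto, port) not in allowed
    )

if __name__ == "__main__":
    web_server_allowed = {("TCP", 80)}  # hypothetical policy: plain HTTP only
    for proto, port, service in audit(SAMPLE_NETSTAT, web_server_allowed):
        print(f"unexpected {proto}/{port} ({service}): uninstall the service or filter the port")
```

On the sample input the script flags FTP, NetBIOS (TCP 139 and UDP 137) and echo, which is exactly the set the article says a dedicated web server should not be running.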
If you are really serious about learning about ports and would like to read more, be sure to check out Richard Akerman’s page on TCP/IP ports.
Jay Fougere is the IT manager for the Murdok network. He also writes occasional articles. If you have any IT questions, please direct them to Jay@https://www.murdok.org.