
02.26.01
Many machines on the Internet are left wide open, causing problems
we might otherwise avoid, not only for the owner of that machine but
for everyone who uses the Internet. In this article, we look at
security issues relating to some common TCP/IP ports and how they
are often left exposed by default. In order to stop an attacker
we need to think like one, so let's get to it!
Any questions/comments can be directed to me:
Jay Fougere
NetworkNewz Editor
Your Site: Hackers Welcome Here?
In our last issue, we discussed some of the basics of securing a
machine on a network. The tactics mentioned there make a good
first line of defense and will stop the majority of attacks. In
this issue, we will look a little closer at some of the most commonly
used TCP/IP ports, the services that generally run on them and what
this means to you.
First of all, let's look at ports and what they are. When two
machines on a TCP/IP network talk to each other via a service (such
as NetBIOS, HTTP, FTP, etc.), the client needs to know not only the
server's IP address but also the port number on which that service
listens; the port is how one IP address can offer many services at
once. For instance, when someone is "surfing the web" the service
they are using is HTTP (hypertext transfer protocol), which listens
on TCP port 80 by default.
Most port numbers can be changed, and it is tempting to "hide" a
vulnerable service by moving it to a non-standard port. For instance,
if you knew that a piece of software exposed a vulnerability in a
service, you might try changing its port number in the hope that
attackers would not find it. You would then need to make sure that
every machine on the network is configured to use the new port in
order to keep using the service. Unfortunately, an attacker will have
a port scanner, which walks through all 65,535 TCP ports, connects to
each one that answers and reads the banner the service sends back; the
banner, not the port number, reveals what is running. In other words,
simply changing a port number will not hide the susceptible service,
and the vulnerability is still there to be exploited. Additionally,
you may create connectivity problems by using non-standard ports. In
general, it is poor practice to change default ports unless you have
a good reason to do so. A far better solution is to determine which
services are necessary to keep your network up and running, uninstall
every service you are not using and confirm, with a port scan of your
own, that the ports associated with those services are now closed.
Let's suppose you are setting up a web server on a Windows NT/2000
Server machine. By default, Windows binds NetBIOS over TCP/IP (NBT)
to every network interface, including the one facing the Internet,
so the server listens on UDP ports 137 and 138 and TCP port 139 for
the NetBIOS name, datagram and session services (Windows 2000 also
offers SMB directly on TCP port 445). NetBEUI (NetBIOS Extended User
Interface), if installed, is a non-routable protocol that never leaves
the local segment; the real exposure is NBT. Neither is necessary for
a web server to perform its duties. NetBIOS has also been a frequent
target of denial of service attacks, which may or may not damage your
data but will prevent your server from performing its job (i.e. web
serving). Another point to consider: the ports that show up in a port
scan can identify the operating system of the machine being scanned,
and NetBIOS on ports 137-139 is a good example of this. Most
Unix/Linux boxes do not run NetBIOS and will not be listening on ports
137-139 (a host running Samba is the exception). When an attacker
sees these ports open, they have a good idea that the operating system
is Windows, and thus know which tools to use for the attack. In
summary, if you do not use it, uninstall it; if you must keep NetBIOS
for the internal network, unbind it from the Internet-facing interface
and block UDP 137-138 and TCP 139 (and 445) at the border.
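The two points above, that a scanner identifies a service by what it says rather than by the port it sits on, and that open NetBIOS/SMB ports fingerprint a Windows host, are easier to see in code. What follows is an example added to this article, not code from the original; it is Python using only the standard library. The banner patterns, the two fake listeners and the demo function are constructed for the demonstration: run it with no arguments and it scans two local fake services, one of them an "FTP" server on a random port that is still recognized as FTP. Against a host you are authorized to test, call scan() and os_hint() directly.

```python
"""
Port scan with banner grabbing plus the NetBIOS-based OS hint from the
article. Example code added to this article, not from the original; it uses
only the Python standard library. Two constructed fake listeners are started
on 127.0.0.1 so the demo runs offline: an FTP greeting on a random
(non-standard) port, and a silent HTTP service that only talks when probed.
"""
import re
import socket
import threading

# Service fingerprints keyed on what the service *says*, not on the port it
# listens on; that is why moving a service to an odd port does not hide it.
BANNER_SIGNATURES = [
    ("ftp", re.compile(r"^220[ -].*\bftp\b", re.I)),
    ("smtp", re.compile(r"^220[ -].*\be?smtp\b", re.I)),
    ("ssh", re.compile(r"^SSH-\d\.\d-")),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}\b")),
]


def identify_service(banner):
    """Map a banner string to a service name, or 'unknown'."""
    for name, pattern in BANNER_SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"


def grab_banner(host, port, timeout=2.0):
    """TCP connect scan of one port. Returns (is_open, banner_text).
    Services that greet first (FTP, SMTP, SSH) are read directly; a silent
    port is poked with a harmless HTTP HEAD request to make it talk."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            if not data:
                try:
                    s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                    data = s.recv(256)
                except OSError:  # timeout, reset, or closed by peer
                    data = b""
            return True, data.decode("latin-1").strip()
    except OSError:  # refused, timed out, unreachable: treat as closed
        return False, ""


def scan(host, ports, timeout=2.0):
    """Return {port: (service, banner)} for every port that accepts a connection."""
    results = {}
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            results[port] = (identify_service(banner), banner)
    return results


def os_hint(open_ports):
    """The article's heuristic: NetBIOS (137-139) or direct SMB (445) open
    usually means Windows. Samba on Unix is the caveat, so it is a hint only."""
    if set(open_ports) & {137, 138, 139, 445}:
        return "probably Windows (or Samba): NetBIOS/SMB ports open"
    return "no NetBIOS/SMB ports open"


def start_fake_listener(greeting=b"", probe_reply=b""):
    """Constructed demo service on 127.0.0.1 with an ephemeral port. With a
    greeting it behaves like FTP; otherwise it waits for a request like HTTP."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
            else:
                conn.settimeout(5)
                try:
                    if conn.recv(256):
                        conn.sendall(probe_reply)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=0.5):
    """Scan the two fake services; the FTP one is found by its banner even
    though it sits on a random port. Returns {label: identified service}."""
    ftp_port = start_fake_listener(greeting=b"220 demo FTP server ready\r\n")
    web_port = start_fake_listener(probe_reply=b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n")
    found = scan("127.0.0.1", [ftp_port, web_port], timeout)
    return {"ftp_on_odd_port": found[ftp_port][0], "web": found[web_port][0]}


if __name__ == "__main__":
    print(demo())
    print(os_hint({80, 139, 445}))
```

grab_banner() makes a full TCP connection and sends an HTTP request to silent ports, so it is noisy: it belongs in an audit of your own hosts, where that does not matter. The signature list is deliberately tiny; a real scanner carries thousands of such patterns, but the principle is the same, the greeting gives the service away whatever port it is on.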
Once you have removed all unused services and closed their ports, you
will need to take a closer look at the ports you have left. You can
further lock down these open ports and services with IP address
filtering (allow a port such as FTP only from the addresses that
need it, while port 80 stays open to the world) and by configuring
the remaining services appropriately. For example, if you must use
FTP, do not allow anonymous FTP traffic unless you are fully aware of
the security risks, and never give anonymous users write access. I
cannot imagine a situation in which an anonymous user should ever have
FTP write access to a machine. If someone is sharing files with you,
helping you with your web site or needs the ability to upload to your
machine for any reason, give them an account on the server with no
more rights than the upload requires (and remember that FTP sends the
password in clear text). Otherwise it is too easy for someone to
upload malicious software to your machine.
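A check for the FTP advice above, as an added example that is not part of the original article: Python, standard library only. audit_anonymous_ftp() logs in as anonymous and then tries an upload, which is the only reliable way to learn whether anonymous write access is on; a server can advertise read-only and still accept STOR. The FakeFtpServer class and the configuration labels in demo() are constructed so the check runs offline against a permissive and a hardened setup; against a real server pass its address and port, and remove the probe file afterwards.

```python
"""Audit an FTP server for anonymous login and anonymous upload.
Example code added to this article, not from the original; standard library
only (ftplib). A constructed toy FTP daemon is included so the check runs
offline against a permissive and a hardened setup. On a real server, delete
the probe file the check uploads."""
import io
import socket
import threading
from ftplib import FTP, error_perm


def audit_anonymous_ftp(host, port, timeout=5.0):
    """Return (anonymous_login_ok, anonymous_upload_ok) for host:port."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        try:
            ftp.login("anonymous", "audit@example.invalid")
        except error_perm:
            return (False, False)   # anonymous login refused: good
        try:
            ftp.storbinary("STOR _anon_write_probe.txt", io.BytesIO(b"probe\n"))
        except error_perm:
            return (True, False)    # anonymous is read-only: acceptable
        return (True, True)         # anonymous upload accepted: fix this
    finally:
        try:
            ftp.quit()
        except (OSError, EOFError):
            pass


class FakeFtpServer(threading.Thread):
    """Toy daemon speaking just enough RFC 959 (USER/PASS/TYPE/PASV/STOR/QUIT)
    for the audit above; allow_anon and anon_write are the two settings the
    article discusses. Constructed for the demo, not a real server."""

    def __init__(self, allow_anon, anon_write):
        super().__init__(daemon=True)
        self.allow_anon, self.anon_write = allow_anon, anon_write
        self.uploads = []
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        ctl = conn.makefile("rwb")

        def reply(text):
            ctl.write((text + "\r\n").encode())
            ctl.flush()

        reply("220 demo FTP ready")
        user, data_listener = None, None
        while True:
            line = ctl.readline()
            if not line:
                break
            cmd, _, arg = line.decode().strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                reply("331 Password required")
            elif cmd == "PASS":
                ok = user == "anonymous" and self.allow_anon
                reply("230 Login ok" if ok else "530 Login incorrect")
            elif cmd == "TYPE":
                reply("200 Type set")
            elif cmd == "PASV":
                data_listener = socket.socket()
                data_listener.bind(("127.0.0.1", 0))
                data_listener.listen(1)
                p = data_listener.getsockname()[1]
                reply("227 Entering Passive Mode (127,0,0,1,%d,%d)" % (p >> 8, p & 0xFF))
            elif cmd == "STOR":
                if user == "anonymous" and not self.anon_write:
                    reply("550 Permission denied")   # the hardened answer
                    continue
                reply("150 Ok to send data")
                data, _ = data_listener.accept()
                body = b"".join(iter(lambda: data.recv(4096), b""))
                data.close()
                self.uploads.append((arg, body))
                reply("226 Transfer complete")
            elif cmd == "QUIT":
                reply("221 Goodbye")
                break
            else:
                reply("502 Command not implemented")
        conn.close()


def demo():
    """Run the audit against three constructed configurations."""
    results = {}
    for label, allow, write in [("anon_upload", True, True),
                                ("anon_readonly", True, False),
                                ("no_anonymous", False, False)]:
        srv = FakeFtpServer(allow_anon=allow, anon_write=write)
        srv.start()
        results[label] = audit_anonymous_ftp("127.0.0.1", srv.port)
    return results
```

Only the first configuration is a real problem: anonymous read-only is defensible if you know what you are publishing, and refusing anonymous altogether is what the article recommends. The probe is small and oddly named on purpose, so that if it does land on a production server it is easy to find and delete.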