Computer port problems

Source: Internet
Author: User
Tags default ftp port website server

Speaking of the port, this is indeed an old topic, but everything starts from it and has to be said. What is port? For example, if you live in a house and want others to visit you, you have to open a door on the house. You have a cute kitten, for its entry and exit, I made a small door for it. In order to go to the back garden, I opened a backdoor ...... All these ports opened to enter the house are called "service ports ".

If you want to visit a person named James, Michael should open a service port that allows you to access. Otherwise, the door will be rejected. When you go, first open a "Door" at home, and then go straight to the door of Michael Jacob through this "door. The "Door" opened in your house to access others is called the "client port ". It is opened randomly and automatically, and is disabled after access. It is different from the service port in nature. The service port opens a door waiting for others to access, and the client port actively opens a door to open others' doors, which must be clear.

The following is a brief explanation of the port concept from a professional perspective. A networked computer must use the same protocol to communicate with each other. The protocol is the language of computer communication. Computers must speak one language to communicate with each other. The common language of the Internet is TCP/TP, it is a set of protocols, which stipulate that the layer-4 Transport Layer of the network has two protocols TCP and UDP. The port is opened by the two protocols. The port is divided into the source port and the destination port. The source port is opened by the local machine, and the destination port is the port of another computer that is communicating with the local machine, the source port is divided into active client ports and passive Connection Service ports. On the Internet, When you access a website, you open a port on the local machine to connect to a port on the website server. This is also true when others access you. That is to say, the communication between computers is like the communication between each other.

After the system is installed, many "service ports" are enabled by default ". How do I know the ports opened by my computer system? This is what we will talk about below.

2) view the port

1. Command Method

The following uses Windows XP as an example to check which ports are opened on the newly installed system. That is to say, all ports are reserved. The command to view ports without any tools is netstat. The method is as follows:

A. Type CMD in "start" "Run" and press Enter.

B. On the doscommand interface, type netstat-na. Figure 2 shows the opened service port, where proto

Indicates the protocol, which can be TCP or UDP. Local Address indicates the address of the local machine. The number after the colon is the open port number. Foreign Address indicates the remote address. If you are communicating with other machines, the address of the other party is displayed. The State indicates the status, and the listening indicates that the port is open, waiting for connection, but not connected yet. Just as the door of your house has been opened, but no one has come in. Take the first behavior as an example to see what it means.

TCP 0.0.0.0: 135 0.0.0.0: 0 listening

This line means that port 135 of the local machine is waiting for connection. Note: Only the TCP Service port can be in the listening status.

Figure 1 use the netstat command to view the port status

2. Use the tcpview Tool

For better analysis of the port, it is best to use the tcpview software, the software is only 93kb small, and is a green software, do not need to install.

Figure 3 shows the running interface of tcpview. The font size is small for the first time. In Options> font, increase the font size. The data displayed in tcpview is dynamic. In Figure 3, the local address shows the port opened on the local machine (number after the port number). tcpview can see which port is initiated by which program. As shown in figure 3, ports 445, 139, 1025, 135, and 5000 are open, ports 445 and 139 are initiated by system, and ports 135 and are initiated by SVCHOST.

Figure 2 Use tcpview to view port status

3) purpose of research on Ports

1. Who opened the ports on the local machine, that is, the number of "Doors" that can enter the local machine?

2. What is the current status of the local port? Is it waiting for a connection or connection? If it is already connected, pay special attention to whether the connection is a normal connection or an abnormal connection (Trojan Horse, etc )?

3. Is the local machine currently exchanging data with other computers? Is it a normal program to prevent a normal website or access a trap?

When you access the Internet, it is the process of transferring data between the local machine and other machines. to transfer data, you must use ports. Even some very clever Trojans use normal ports to transmit data without any trace, data has their own statuses at different stages of transmission, transmission, and termination. To understand the preceding three problems, you must understand the port status changes. The following uses the instance to analyze the status changes of the Service port. Only the TCP protocol is stateful. The UDP protocol is unreliable for transmission and stateless.

4) Service port status changes

First configure the FTP service on the local machine (IP Address: 192.168.1.10), then access the FTP service on other computers (IP Address: 192.168.1.1), and check the port status changes from the tcpview.

The section in the black text below is truncated from the tcpview.

1. Listening status

After the FTP service is started, it is in the listening status.

When the State is displayed as listening, it indicates that the port is in the listening state, that is, it is open and waiting for connection, but it is not connected yet. Just as the door of your house has been opened, but no one has come in.

The tcpview shows that FTP is enabled on the local machine. It means that the program inetinfo.exe opens port 21, and the default FTP port is port 21. It can be seen that the FTP service is opened on the local machine. It is currently in the listening status.

Inetinfo.exe: 1260 TCP 0.0.0.0: 21 0.0.0.0: 0 listening

2. established status

Access the FTP service of 192.168.1.10 from the computer 192.168.1.1. The tcpview on the local machine shows that the port status changes to established.

Established means to establish a connection. The two machines are communicating.

The following shows that the local FTP service is being accessed by the computer 192.168.1.1.

Inetinfo.exe: 1260 TCP 192.168.1.10: 21 192.168.1.1: 3009 established

Note: You must pay special attention to the connection in the established status, because it may not be a normal connection. This issue will be discussed later.

3. time_wait status

Now, access to the FTP service of 192.168.1.10 is terminated from 192.168.1.1. The tcpview on the local machine shows that the port status changes to time_wait.

Time_wait indicates that the connection has ended. Port 21 has been accessed, but the access is over.

[System process]: 0 TCP 192.168.1.10: 21 192.168.1.1: 3009 time_wait

4. Tips

A. You can telnet an open port to observe its changes. For example, if port 1025 is open, run the following command in command status (1. Run cmd:

Telnet 192.168.1.10 1025.

B. It can also be tested from the local machine, but the display is that the local machine is connected to the Local Machine

C. Double-click the connection in tcpview to view the program location. Right-click the connection and select end process to end the connection.

5) client port status changes

The client port is actually the source port opened when accessing other computer services from the local machine. The most common application is internet access. The following uses accessing Baidu.com as an example to check the port opening and status changes.

1. syn_sent status

The syn_sent status indicates a request for connection. When you want to access the services of other computers, you must first send a synchronous signal to this port. The status is syn_sent. If the connection is successful, it becomes established, at this time, the syn_sent status is very short. However, if syn_sent is found to be very large and is being sent to different machines, your machine may be infected with viruses such as shock waves or shock waves. To infect other computers, these viruses need to scan other computers and send synchronous requests to each computer to be scanned during the scanning process, which is also the cause of many syn_sent attacks.

The following shows the starting status when the local machine is connected to the Baidu.com website. If your network is normal, it will soon become the connection status of established.

Iexplore.exe: 2928 TCP 192.168.1.10: 1035 202.108.250.249: 80 syn_sent

2. established status

The following shows that the local machine is accessing the Baidu.com website. If the website you visit has a lot of content, such as accessing www.yesky.com, you will find that there are many established addresses. This is normal. Each content in the website must be connected separately, such as tablets and flash. When you look at the establishedstatus, it is definitely not the connection of the i2.16e.exeprogram (internet explorer initiator. If it is a connection initiated by a program such as explore.exe, it may be a trojan in your computer.

Iexplore.exe: 3120 TCP 192.168.1.10: 1045 202.108.250.249: 80 established

3. time_wait status

If the web page is viewed, the status changes to time_wait.

[System process]: 0 TCP 192.168.1.10: 4259 202.108.250.249: 80 time_wait

6) Detailed port change diagram

The above are the most important statuses, but there are still some. Figure 4 shows the detailed change of TCP status (cut from the details of TCP/IP ), use a thick solid arrow to indicate normal client status changes, and use a thick dotted arrow to indicate normal server status changes. These are not covered in this article. If you are interested, you can study it.

Figure 3 transition of TCP status

7) Key Points

Generally, users must be familiar with it (then ?? ):

1. The service port should focus on the listening and established statuses. Listening is the port opened on the local machine, and the address from which the listablished accesses your machine.

2. syn_sent status and established status of the client port. syn_sent is a connection request sent from the local machine to other computers. Generally, this status has a short time, but if the local machine sends many syn_sent, it may be poisoned. Check whether the State of established is to find the machine with which the local machine is transmitting data, mainly to see if it is initiated by a normal program.

Ii. Trojan

What is a Trojan, simply put, is to secretly open a backdoor on your computer without your permission. There are two main methods to open a backdoor on the Trojan.

1. Trojan with service port

This type of Trojan horse must open a backdoor of the Service port. After successful, the backdoor is in the listening state, and its port number may be fixed to a fixed number or changed, other Trojans can be used together with normal ports. For example, if you open normal port 80 (Web Service), the trojan also uses port 80. The biggest characteristic of this trojan is that a port is in the listening state and needs to be connected by a remote computer. This trojan is a good precaution for general users. Set the firewall to reject connections from the outside to the inside. A rebound Trojan is hard to prevent.

2. Rebound Trojan

A bounce Trojan is a connection between the Intranet and the outside. It can effectively penetrate the firewall and access your computer even if you are using an intranet IP address. The principle of this trojan is that the server actively connects to the client (hacker) address. Like your Internet Explorer, the Trojan server uses a dynamically allocated port to connect to a port of the client, which is usually a common port, such as port 80. In addition, it will use a relatively strong implicit file name, such as iexpiore.exepolicer(ie's program is ipolice.exe ). If you do not take a closer look, you may think it is your Internet Explorer. In this way, your firewall will also be cheated. If you see the following connection in tcpview, it is likely to be a Trojan. Iexpiore.exe 192.168.1.10 (local IP): 1035 (your port) Y. Y (remote IP): 80 (remote port)

Or rundll32.exe 192.168.1.10 (local IP address): 1035 (your port) Y. Y (remote IP address): 80 (remote port)

Or cmder.exe 192.168.1.10 (local IP): 1035 (your port) Y. Y (remote IP): 80 (remote port)

Iii. Security

The purpose of the analysis port is to ensure the security of the Internet. Based on the above ideas, we can prevent it from the following aspects.

1) disable unnecessary ports

For Internet users, you only need to access the Internet and do not need to be accessed by others. That is to say, there is no need to open the service port. In WIN 98, You Can Do not open any service port to access the Internet, however, Windows XP, Windows 2000, and Windows 2003 do not work, but you can disable unnecessary ports. Figure 3 shows the default port opened by the Windows XP system after it is installed. This is an example to disable unnecessary ports.

1. disable ports 137, 138, 139, and 445.

These ports are all open for sharing and are NetBIOS protocol applications. Generally, Internet users do not need to share your content, and they are also the most vulnerable ports. There are many ways to close the port. Recently I learned from the Internet that it is very useful to close all the above ports at once.

Start> Control Panel> system> hardware> Device Manager> View> display hidden devices> plug-and-play drivers> NetBIOS over tcpip.

Find Figure 5 and disable the device from restarting.

Figure 4 disable ports 137, 138, 139, and 445

2. disable port 123.

Some worms can use UDP port 123 to disable the Windows Time Service.

Figure 5 close port 123

3. disable port 1900.

As long as an attacker sends a fake UDP packet to a network with multiple Windows XP systems, these windows XP hosts may attack the specified host (DDoS ). In addition, if you send a UDP packet to the system port 1900 and direct the address of the location domain to the chargen port of another system, the system may be in an endless loop, all resources of the system are consumed (manually enable hardware installation ).

Method 7 to disable port 1900-stop the SSDP Discovery Service.

Figure 6 Close port 1900

If some ports with vulnerabilities or unused ports are closed through the above method, is it okay? No. Because some ports cannot be switched off. For example, port 135 is the port opened by the RPC service. If the service is stopped, the computer will shut down. Similarly, ports 500 and 4500 opened by LSASS cannot be closed. The shock wave virus uses port 135. The best solution for a port that cannot be closed is to install a regular patch, and the port is opened by the corresponding service, however, it is difficult for general users to determine the purpose of these services, and it is difficult to find out which services can be stopped to close the corresponding port. The best solution is to install the firewall as described below. In general, the function of installing a firewall is like whether you live in a solid, good house or in a broken house, as long as you build an airtight wall around the house, it is safe for the house in the wall.

2) install the Firewall

For general users, there are three types of firewalls:

1. built-in Firewall

For settings of Windows XP and Windows 2003 built-in firewall, refer to the deployment in Skynet.

2. ADSL cat Firewall

If you use ADSL to access the Internet, it is best to set the ADSL cat as the address translation mode (NAT) If you have the conditions, that is, the common routing mode. In fact, the routing is different from the NAT mode, that's right. The biggest advantage of using NAT is that after the configuration is complete, the ADSL cat is a fire wall, which generally only opens 80, 21, 161 and so on to set open ports for the ADSL cat. If Port ing is not performed, generally remote attacks cannot be performed on computers behind ADSL cats. The biggest security risk for ADSL cats is that many users do not change the default password. In this way, if a hacker enters your cat and creates a port ing, the hacker may access your computer and change the default password.

The built-in firewall and the NAT mode of ADSL cat can basically defend against attacks from the outside to the inside, that is to say, even if the service port is open (including the system Port and the Trojan with the Service port opened), hackers and viruses similar to the shock wave will not be able to help your computer. The above firewall can only prevent external to internal connections, and cannot prevent internal to external connections. When you open a webpage and use QQ chat, It is a connection from internal to external, A bounce trojan uses this feature to steal data from your machine. Although rebound Trojans are hidden, they are not without Trojans. The best way to prevent such Trojans is to use a third-party firewall.

3. Third-party Firewall

The desired name or rundll32 may seem to be the name of the system file, but the essence of a Trojan is to communicate with a remote computer, as long as the communication has a connection. As shown in the following figure: the normal connection is initiated by iexplore.exe, and the abnormal connection is initiated by the trojan program explorer.

Figure 7 normal connection

Figure 8 Trojan connection

Generally, firewalls have the permission settings for applications to access the network, as shown in figure 8. In this type of firewall option, select X for applications that do not allow access to the network, that is, network access is not allowed.

Before writing this article, I found a bounce Trojan, that is, the Explorer program connects to the outside, and I used several anti-virus software to prevent it from accessing the network, then it took a lot of effort to clear the manual. Unfortunately, it was not done. I have no courage to sacrifice this article.

4. Use tcpview to end a connection

When you use tcpview to check which connection may be abnormal, you can right-click the connection in tcpview and select end process to end the connection.

Iv. Scanning

Scanning is another big topic, including superscan and X-scan, this article only briefly introduces online security detection for general users. If you have taken the appropriate security measures as mentioned above, you can find an online security testing website on the Internet to test the security of your current system, as shown on the following website:

1. Millennium online-Online Detection

2. Alibaba Cloud Security Online Detection

3. Cloud security online

4. Norton Online Security Detection

Note that ports 21, 23, and 80 are enabled when the machine is tested, but these are all ADSL service ports. modem does not provide any modification or closure, but it does not matter, you just need to make the password complex.

5. Shock Wave

If you close port 445 or open the firewall as mentioned above, it will not be affected by the shock wave or similar virus. There are too many articles about the shock wave virus, so I will not talk about it here. As long as the security protection is done, whether it is a large wave of shock or an impact wavelet, you can only pass in front of your computer, but you can't help.

Vi. Postscript

There are still many settings for computer security, but for general users, too many security settings mean no security, this is because security settings are not easy for professional computer security personnel, not to mention general users who do not have enough knowledge about computers. If you need to make a lot of settings to ensure security, there will certainly be many people who will not do it. Personal suggestions for general users are to do what they can, for example:

1. Install and Upgrade anti-virus software when accessing the Internet.

2. Install at least one firewall. It is best for ADSL users to use a route to access the Internet and change the default password.

3. Install patches frequently. It is best for Windows users to set the system to automatic upgrade.

4. All you have to do is use tcpview to check the connection and prevent the bounce Trojan Horse. I often look at it. It may take a long time to become an expert.

5. UDP is unreliable and stateless. It is hard to see from tcpview whether it is transmitting data, if you are interested, you can use protocol analysis tools such as Iris and sniffer to check whether UDP data exists. I will talk about this topic later.

6. The topic of this article is very big, but I think many problems are mentioned by others, so I have not discussed them in depth.

A high foot, a high devil. Network security will be an eternal topic. There is no absolute security, but it is better to have a sense of precaution than to open the door.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.