Port Security and port comparison with functional services (1)

What is fracture

The port is the entry for information flowing into the computer. For example, if a person sends a file, such as a photo, to you during instant messaging, Windows Firewall will ask if you want to cancel the request, to allow photos to reach your computer. Alternatively, if you want to play multiplayer online games with friends over the Internet, you can open a port for the game so that the firewall will allow game information to reach your computer.

To protect computer security, Windows Firewall or another firewall you have selected should be turned on to prevent external users from establishing unsolicited connections to your computer. To allow this type of connection, you must allow exceptions or open "ports" for specific programs or services ".

Risks of port opening
Your computer becomes more vulnerable to attacks every time you allow exceptions or open ports for a program to communicate through the Windows Firewall. Opening a port is like piercing a hole in the firewall. If there are too many such holes, there will be no more firewall walls. Unknown intruders often use software scanning the Internet to find unprotected computers. If your computer has many open ports, they may become victims of these intruders.

As the saying goes, the minimum service + the minimum permission = the maximum security, So we follow the following principles to help reduce security risks:

Open the port only when you really need it.
Never open a port for an unknown program.
Once you no longer need a port, close it immediately.

To give users an understanding of the port, so that they can perform port control on their firewalls, the following table lists common port functions:

Common port functions
Port: 0
Service: Reserved
Description: it is usually used to analyze the operating system. This method works because "0" is an invalid port in some systems and will produce different results when you try to connect to it using a normally closed port. A typical scan uses the IP address 0.0.0.0 to set the ACK bit and broadcast it on the Ethernet layer.

Port: 1
Service: tcpmux
Note: This shows someone is looking for an SGI Irix machine. Irix is the main provider for implementing tcpmux. By default, tcpmux is enabled in this system. Irix machines are released with several default password-free accounts, such as IP, guest uucp, NUUCP, DEMOS, TUTOR, DIAG, and OUTOFBOX. Many administrators forget to delete these accounts after installation. Therefore, HACKER searches for tcpmux on the INTERNET and uses these accounts.

Port: 7
Service: Echo
Note: When many people search for the Fraggle amplifier, the information sent to X. X. X.0 and X. X. X.255 is displayed.

Port: 19
Service: Character Generator
Note: This is a service that only sends characters. The UDP version will respond to packets containing spam characters after receiving the UDP packet. When a TCP connection is established, data streams containing spam characters are sent until the connection is closed. HACKER uses IP spoofing to launch DoS attacks. Forge a UDP packet between two chargen servers. Similarly, the Fraggle DoS attack broadcasts a packet with a spoofed IP address to the port of the target address. The victim is overloaded to respond to the data.

Port: 21
Service: FTP
Description: The port opened by the FTP server for uploading and downloading. The most common attacker is used to find the method to open the FTP server of anonymous. These servers have read/write directories. Ports opened by Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner.

Port: 22
Service: Ssh
Note: The TCP Connection established by PcAnywhere to this port may be used to search for ssh. This service has many vulnerabilities. If configured in a specific mode, many versions using the RSAREF library may have many vulnerabilities.

Port: 23
Service: Telnet
Description: Remote logon. Intruders are searching for remote logon to UNIX services. In most cases, this port is scanned to find the operating system on which the machine runs. There are other technologies that allow intruders to find their passwords. The Tiny Telnet Server of the Trojan opens this port.

Port: 25
Service: SMTP
Description: The port opened by the SMTP server for sending emails. Intruders look for SMTP servers to pass their SPAM. The intruder's account is closed and they need to connect to a high-bandwidth E-MAIL server, passing simple information to different addresses. This port is available for trojans such as Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy.

Port: 31
Service: MSG Authentication
Note: This port is enabled for Trojan Master Paradise and Hackers Paradise.

Port: 42
Service: WINS Replication
Note: WINS replication

Port: 53
Service: Domain Name ServerDNS)
Description: The port opened by the DNS server. Intruders may attempt to pass TCP to the region to cheat DNSUDP or hide other communications. Therefore, firewalls often filter or record this port.

Port: 67
Service: Bootstrap Protocol Server
Note: Through the DSL and Cable modem firewalls, you will often see a large amount of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from the DHCP server. HACKER often enters them and assigns an address to act as a local router to initiate a large number of man-in-middle attacks. The client broadcasts the request configuration to port 68, and the server broadcasts the response to the request to port 67. This response uses broadcast because the client does not know the IP address that can be sent.

Port: 69
Service: Trival File Transfer
Note: many servers and bootp provide this service to download startup code from the system. However, they often enable intruders to steal any files from the system due to misconfiguration. They can also be used to write files to the system.

Port: 79
Service: Finger Server
Note: Intruders are used to obtain user information, query the operating system, detect known buffer overflow errors, and respond to Finger scans from their own machines to other machines.

Port: 80
Service: HTTP
Description: used for Web browsing. The trojan Executor opens this port.

Port: 99
Service: metemedirelay
Note: The backdoor program ncx99 opens this port.

Port 102
Service: Message transfer agent (MTA)-X.400 over TCP/IP
Description: message transmission proxy.

Port 109
Service: Post Office Protocol-Version3
Note: The POP3 Server opens this port to receive mails and the client accesses the mail service on the server. POP3 services have many common vulnerabilities. There are at least 20 vulnerabilities in username and password exchange buffer overflow, which means that intruders can log on to the system. There are other buffer overflow errors after successful login.

Port 110
Service: all ports of SUN's RPC service
Note: Common RPC services include rpc. mountd, NFS, rpc. statd, rpc. csmd, rpc. ttybd, and amd.

Port 113
Service: Authentication Service
Note: This is a protocol run on many computers to identify users with TCP connections. Using standard services, you can obtain information from many computers. However, it can serve as a recorder for many services, especially FTP, POP, IMAP, SMTP, IRC and other services. If many customers access these services through the firewall, they will see many connection requests on this port. Remember, if you block this port, the client will feel a slow connection to the E-MAIL server on the other side of the firewall. Many firewalls support the release of RST during TCP connection blocking. This will stop the slow connection.

Port 119
Service: Network News Transfer Protocol
Note: The message group transmission protocol supports USENET communication. The connection to this port is usually found on USENET servers. Most ISP restrictions allow only their customers to access their newsgroup servers. Opening the newsgroup server will allow you to send/read any post, access the restricted newsgroup server, and post anonymously or send SPAM messages.

Port 135
Service: Location Service
Note: Microsoft runs dce rpc end-point mapper on this port to serve its DCOM. This is similar to the function of UNIX port 111. Services using DCOM and RPC use end-point mapper on the computer to register their locations. When remote customers connect to a computer, they find the end-point mapper to locate the service location. HACKER scans the computer's port to find the computer that runs the Exchange Server? What version? Some DOS attacks directly target this port.

Ports: 137, 138, and 139
Service: NETBIOS Name Service
Note: ports 137 and 138 are UDP ports. This port is used when files are transmitted through network peers. Port 139: the connection through this port tries to obtain the NetBIOS/SMB service. This protocol is used for windows file and printer sharing and SAMBA. Also, WINS Regisrtation also uses it.

Port 143
Service: Interim Mail Access Protocol v2
Note: Like POP3, many IMAP servers have buffer overflow vulnerabilities. Remember: a LINUX worm, admv0rm, will multiply through this port, so many scans of this port come from uninformed users who have already been infected. When REDHAT allows IMAP by default in their LINUX releases, these vulnerabilities become very popular. This port is also used for IMAP2, but is not popular.

Port 161
Service: SNMP
Note: SNMP allows remote device management. All configuration and operation information is stored in the database and can be obtained through SNMP. Many administrator error configurations will be exposed on the Internet. Cackers tries to use the default password public and private to access the system. They may test all possible combinations. The SNMP package may be incorrectly directed to the user's network.

Port 177
Service: X Display Manager Control Protocol
Note: many intruders use it to access the X-windows console, and Port 6000 must be enabled at the same time.