Speaking of ports: this is an old topic, but everything starts from it, so it has to be said. What is a port? Suppose you live in a house and want others to visit you: you have to open a door in the house. You have a cute kitten, so for its entry and exit you make a small door for it. To get to the back garden, you open a back door, and so on. All these openings for entering the house are called "service ports". If you want to visit a person named Michael, Michael must open a service port that lets you in; otherwise you will be turned away at the door. When you go, you first open a "door" in your own house, and then go straight through it to Michael's door. The "door" opened in your own house in order to visit others is called the "client port". It is opened randomly and automatically, and is closed after the visit. It is different in nature from the service port: the service port opens a door and waits for others to come in, while the client port actively opens a door in order to knock on others' doors. This distinction must be clear.

The following is a brief explanation of the port concept from a more technical perspective. Networked computers must use the same protocol to communicate with each other. The protocol is the language of computer communication, and computers must speak one language to talk to each other. The common language of the Internet is TCP/IP, which is a set of protocols. It stipulates that layer 4 of the network, the transport layer, has two protocols, TCP and UDP, and it is these two protocols that open ports. Ports are divided into source ports and destination ports. The source port is opened by the local machine, and the destination port is the port on the other computer that is communicating with the local machine. Source ports are further divided into active client ports and passive service ports that wait for connections. On the Internet, when you access a website, you open a port on the local machine to connect to a port on the website's server.
The same is true when others access you. That is, communication between computers is like people visiting each other. After the system is installed, many "service ports" are enabled by default. How do I know which ports my computer system has opened? This is what we will talk about below.

(2) Method

1. Command method. Take Windows XP as an example and see which ports are open in a newly installed system, that is, with all the defaults retained. The command for viewing ports without any extra tools is netstat. The method is as follows:
A. Enter cmd in the "Run" box of the "Start" menu and press Enter.
B. At the DOS command prompt, type netstat -na.
Figure 2 shows the opened service ports. Proto indicates the protocol; the figure shows both TCP and UDP. Local Address is the address of the local machine, and the number after the colon is the open port number. Foreign Address is the remote address; if you are communicating with another machine, the other party's address is displayed here. State indicates the status: LISTENING means the port is open and waiting for a connection, but nothing has connected yet, just as the door of your house has been opened but no one has come in. Take the first line as an example:
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
This indicates that local port 135 is waiting for a connection. Note: only TCP service ports can be in the LISTENING state.
Figure 1 Use the netstat command to view the port status

2. Use the tcpview tool. To analyze ports better, it is best to use the tcpview software. It is very small, only 93 KB, and it is a green (portable) program that needs no installation. Figure 3 shows the running interface of tcpview. The font is small the first time; increase it under Options > Font. The data displayed in tcpview is dynamic. In Figure 3, Local Address shows the ports opened on the local machine (the number after the colon).
tcpview can also show which program opened which port. As shown in Figure 3, ports 445, 139, 1025, 135 and 5000 are open; ports 445 and 139 are opened by System, and port 135 and another are opened by SVCHOST.
Figure 2 Use tcpview to view port status

(3) Purpose of studying ports
1. Know which ports are open on the local machine, that is, how many "doors" lead into it, and which program opened each one.
2. What is the current status of each local port? Is it waiting for a connection or already connected? If it is already connected, pay special attention to whether the connection is normal or abnormal (a Trojan horse, etc.).
3. Is the local machine currently exchanging data with other computers? Is it a normal program visiting a normal website, or has it walked into a trap?
When you access the Internet, data is transferred between the local machine and other machines, and to transfer data you must use ports. Even very clever Trojans that use normal ports to transmit data without any obvious trace still have to go through the stages of connection establishment, transmission and termination, and the data has a different status at each stage. To answer the three questions above, you must understand how port status changes. The following uses an example to analyze the status changes of a service port. Only the TCP protocol is stateful; UDP transmission is unreliable and stateless.

(4) Status changes of a service port
Configure the FTP service on the local machine (IP address 192.168.1.10) and access it from another computer (IP address 192.168.1.1), checking the status of the port in tcpview. The lines in black text below are cut from tcpview.
1. LISTENING status. After the FTP service is started, the port is in the LISTENING status. When State shows LISTENING, the port is listening, that is, it is open and waiting for a connection but not connected yet.
Just as the door of your house has been opened, but no one has come in. tcpview shows that FTP is enabled on the local machine: the program inetinfo.exe has opened port 21, and the default FTP port is 21. From this you can see that the FTP service is open on the local machine and currently in the LISTENING status.
Inetinfo.exe:1260 TCP 0.0.0.0:21 0.0.0.0:0 LISTENING
2. ESTABLISHED status. Now access the FTP service of 192.168.1.10 from 192.168.1.1. tcpview on the local machine shows that the port status changes to ESTABLISHED. ESTABLISHED means a connection has been established and the two machines are communicating. The line below shows that the local FTP service is being accessed by the computer 192.168.1.1.
Inetinfo.exe:1260 TCP 192.168.1.10:21 192.168.1.1:3009 ESTABLISHED
Note: you must pay special attention to connections in the ESTABLISHED status, because they may not be normal connections. This is discussed later.
3. TIME_WAIT status. Now the computer 192.168.1.1 stops accessing the FTP service on 192.168.1.10. tcpview on the local machine shows that the port status changes to TIME_WAIT. TIME_WAIT indicates that the connection has ended: port 21 was accessed, but the access is over.
[System Process]:0 TCP 192.168.1.10:21 192.168.1.1:3009 TIME_WAIT
4. Tips
A. Telnet to an open port to observe the port changes. For example, if port 1025 is open, run at the command prompt (Start > Run > cmd): telnet 192.168.1.10 1025
B. If you test from the local machine, only a local-to-local connection is displayed.
C. Double-click a connection in tcpview to view the program's location. Right-click the connection and select End Process to end the connection.
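The checks this section makes by eye in tcpview can be scripted. The following Python script is an added example, not code from the article or from the tcpview tool: it parses tcpview-style lines ("process:pid proto local:port remote:port state") and plain netstat -na lines (no process column), lists the service ports, replays the LISTENING, ESTABLISHED, TIME_WAIT history of port 21 and reports who is connected. The sample text is constructed from the excerpts in this section; PIDs and addresses in it are illustrative.

```python
import re
from collections import Counter

# Constructed sample, modelled on the tcpview/netstat excerpts in this section.
# PIDs and addresses are illustrative; the netstat -na line (no process column)
# is mixed in to show that both formats are handled.
SAMPLE = """\
Inetinfo.exe:1260 TCP 0.0.0.0:21 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
svchost.exe:1040 UDP 0.0.0.0:123 *:*
Inetinfo.exe:1260 TCP 192.168.1.10:21 192.168.1.1:3009 ESTABLISHED
[System Process]:0 TCP 192.168.1.10:21 192.168.1.1:3009 TIME_WAIT
Iexplore.exe:2928 TCP 192.168.1.10:1035 202.108.250.249:80 SYN_SENT
"""

# One socket line: optional "process:pid", protocol, local and remote endpoints, optional state.
LINE = re.compile(
    r"^(?:(?P<proc>.+?):(?P<pid>\d+)\s+)?(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?$"
)


def parse_sockets(text):
    """Turn tcpview/netstat-style text into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header or blank line
        rec = m.groupdict()
        rec["proc"] = rec["proc"] or "(unknown)"  # netstat -na gives no process name
        rec["pid"] = int(rec["pid"]) if rec["pid"] else None
        rec["lport"] = int(rec["lport"])
        rec["rport"] = int(rec["rport"]) if rec["rport"].isdigit() else None  # "*" for UDP
        records.append(rec)
    return records


def state_counts(records):
    """How many sockets are in each state; UDP has no state, so it is counted as STATELESS."""
    return Counter(r["state"] or "STATELESS" for r in records)


def service_ports(records):
    """The 'doors' into this machine: listening TCP ports plus every bound UDP port."""
    return sorted({(r["proto"], r["lport"], r["proc"]) for r in records
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})


def port_history(records, lport):
    """States seen for a local TCP port, in the order the lines were captured."""
    return [r["state"] for r in records if r["proto"] == "TCP" and r["lport"] == lport]


def active_peers(records):
    """Who is exchanging data with us right now: (process, remote address, remote port)."""
    return [(r["proc"], r["raddr"], r["rport"]) for r in records if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    recs = parse_sockets(SAMPLE)
    print("states:", dict(state_counts(recs)))
    for proto, port, proc in service_ports(recs):
        print(f"service port {proto}/{port} opened by {proc}")
    print("port 21 history:", " -> ".join(port_history(recs, 21)))
    print("established with:", active_peers(recs))
```

To use it on a real machine, paste the output of netstat -na (or a tcpview copy) into SAMPLE; anything that shows up in service_ports() that you did not deliberately open is worth investigating, and any ESTABLISHED peer you do not recognise is the case the note above warns about.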
(5) Status changes of a client port
The client port is actually the source port opened when the local machine accesses services on other computers. The most common use is browsing the Internet. The following uses access to Baidu.com as an example to check the port opening and status changes.
1. SYN_SENT status. SYN_SENT indicates a request to connect. When you want to access a service on another computer, you must first send a synchronization signal to that port; at this time the status is SYN_SENT. If the connection succeeds it becomes ESTABLISHED, so the SYN_SENT status is very short-lived. However, if you find a very large number of SYN_SENT entries being sent to different machines, your machine may be infected with a worm such as shock wave (Blaster) or oscillation wave (Sasser). To infect other computers, these worms must scan them, and during the scan they send a synchronization request to every computer scanned, which is the cause of the many SYN_SENT entries. The line below shows the starting status when the local machine connects to the Baidu.com website. If your network is normal, it will soon become ESTABLISHED.
Iexplore.exe:2928 TCP 192.168.1.10:1035 202.108.250.249:80 SYN_SENT
2. ESTABLISHED status. The local machine is accessing the Baidu.com website. If the website you visit has a lot of content, for example www.yesky.com, you will find many ESTABLISHED entries. This is normal: each item on the page, such as images and Flash, needs its own connection. When you look at the ESTABLISHED status, check that it really is a connection of the iexplore.exe program (the program Internet Explorer runs as). If it is a connection initiated by a program such as explorer.exe, there may be a Trojan in your computer.
Iexplore.exe:3120 TCP 192.168.1.10:1045 202.108.250.249:80 ESTABLISHED
3. TIME_WAIT status. After the web page has been viewed, the status changes to TIME_WAIT.
[System Process]:0 TCP 192.168.1.10:4259 202.108.250.249:80 TIME_WAIT

(6) Detailed port state change diagram
The states above are the most important ones; there are actually several more. Figure 4 shows the complete TCP state transitions (cut from TCP/IP Illustrated). The bold solid arrows indicate the normal client state changes, and the bold dotted arrows indicate the normal server state changes. These are not covered in this article; if you are interested, you can study them.
Figure 3 TCP state transition diagram

(7) Key points
The average user must be familiar with the following (then ??)
1. For service ports, focus on the LISTENING and ESTABLISHED statuses: which ports are open on the local host, and who is accessing your machine, from which address.
2. For client ports, focus on the SYN_SENT and ESTABLISHED statuses. SYN_SENT is a connection request sent from the local machine to another computer. Normally this status lasts only a short time, but if the local machine sends many SYN_SENT requests, it may be infected. Check the ESTABLISHED entries to find which machines the local machine is exchanging data with, and above all whether each connection was initiated by a normal program.

2. What a Trojan is
Simply put, a Trojan secretly opens a backdoor on your computer without your permission. There are two main ways a Trojan opens a backdoor.
1. A Trojan with a service port opens a backdoor with a service port. After the backdoor is opened successfully, it is in the LISTENING state. Its port number may be fixed or variable, and some Trojans share a normal port: for example, if you have normal port 80 (web service) open, the Trojan also uses port 80. The biggest characteristic of this kind of Trojan is that a port is in the LISTENING state and needs to be connected to by a remote computer. This kind of Trojan is easy for general users to guard against: set the firewall to reject connections from outside to inside. A rebound Trojan is harder to prevent.
2. Bounce (rebound) Trojans
A bounce Trojan makes an inside-to-outside connection. It can effectively penetrate the firewall and reach your computer even if you use an intranet IP address. The principle of this Trojan is that the server part (on your machine) actively connects to the client (the hacker's) address. Like your Internet Explorer, the Trojan server uses a dynamically allocated port to connect to a port on the client, usually a common port such as 80. In addition, it uses a rather deceptive file name, such as iexpiore.exe (Internet Explorer's program is iexplore.exe). If you do not look closely, you may think it is your Internet Explorer, and your firewall will be cheated in the same way. If you see a connection like the following in tcpview, it is likely to be a Trojan:
Iexpiore.exe 192.168.1.10 (local IP):1035 (your port) Y.Y.Y.Y (remote IP):80 (remote port)
or rundll32.exe 192.168.1.10 (local IP):1035 (your port) Y.Y.Y.Y (remote IP):80 (remote port)
or assumer.exe 192.168.1.10 (local IP):1035 (your port) Y.Y.Y.Y (remote IP):80 (remote port)

3. Port security analysis
The purpose of analyzing ports is to ensure security on the Internet. Based on the ideas above, we can take precautions in the following areas.
1) Disable unnecessary ports
For Internet users, you only need to be able to access the Internet; you do not need to be accessed by others. That is, there is no need to open any service port. In Windows 98 you can access the Internet without opening any service ports; this is not the case in Windows XP, Windows 2000 and Windows 2003, but you can disable the unnecessary ones. Figure 3 shows the default ports opened by Windows XP after installation. Using it as an example, disable the unnecessary ports as follows.
1. Ports 137, 138, 139 and 445 are all enabled for file sharing. They belong to the NetBIOS protocol; generally, Internet users do not need to share their content, and these are also the ports with the most vulnerabilities. There are many ways to close them.
Recently I learned from the Internet a very useful way to close all the above ports at once: Start > Control Panel > System > Hardware > Device Manager > View > Show hidden devices > Non-Plug and Play Drivers > NetBIOS over Tcpip. Find it (Figure 5), disable the device and restart.
Figure 4 Shut down ports 137, 138, 139 and 445
2. Close port 123. Some worms can use UDP port 123; stop the Windows Time service.
Figure 5 Disable port 123
3. Close port 1900. As long as an attacker sends a forged UDP packet to a network with multiple Windows XP systems, those Windows XP hosts can be made to attack a specified host (DDoS). In addition, if a UDP packet is sent to the system's port 1900 with its Location field pointing to the chargen port of another system, the system may enter an endless loop and consume all its resources (manually enable hardware installation). The way to close port 1900 is to stop the SSDP Discovery Service (Figure 7).
Figure 6
After closing port 1900 by the above method, are there no remaining problems with vulnerable or unused ports? No, because some ports cannot be closed. For example, port 135 is opened by the RPC service; if that service is stopped, the computer shuts down. Similarly, ports 500 and 4500 opened by LSASS cannot be closed. The shock wave (Blaster) worm uses port 135. The best solution for a port that cannot be closed is to install patches regularly. Each port is opened by a corresponding service, but it is difficult for general users to determine the purpose of these services and to find out which can be stopped to close the corresponding port. The best solution is to install a firewall, as described below. In general, installing a firewall works like this: whether you live in a solid, good house or a broken one, as long as you build an airtight wall around the house, the house inside the wall is safe.
2) Install a firewall
For general users, there are the following three types of firewall.
1. The firewall built into Windows XP and Windows 2003. For its settings, refer to the Skynet firewall.
2. The ADSL modem's firewall. If you access the Internet through ADSL and conditions allow, it is best to set the ADSL modem to network address translation (NAT) mode, that is, the common "routing" mode (strictly speaking, routing and NAT are different things). The biggest advantage of using NAT is that once it is configured the ADSL modem is itself a firewall: it generally only opens ports such as 80, 21 and 161, which are the modem's own management ports. If no port mapping is configured, remote attacks generally cannot reach computers behind the ADSL modem. The biggest security risk of ADSL modems is that many users do not change the default password. If a hacker logs into your modem and creates a port mapping, the hacker may be able to access your computer, so change the default password. The built-in firewall and the NAT mode of the ADSL modem can basically defend against attacks from outside to inside; that is, even if service ports are open (including system ports and Trojans that open a service port), hackers and worms like shock wave (Blaster) cannot do anything to your computer. However, these firewalls only prevent outside-to-inside connections, not inside-to-outside ones. When you open a web page or chat with QQ, that is an inside-to-outside connection, and a bounce Trojan uses exactly this to steal data from your machine. Although bounce Trojans are well hidden, they are not undetectable. The best way to prevent this kind of Trojan is to use a third-party firewall.
3. Third-party firewalls. A Trojan may call itself rundll32 or some other name that looks like a system file, but the essence of a Trojan is that it communicates with a remote computer, so there is always a connection.
As shown in the following figures: the normal connection is initiated by iexplore.exe, and the abnormal connection is initiated by the Trojan program explorer.
Figure 7 Normal connection
Figure 8 Trojan connection
General-purpose firewalls have a permission setting for applications accessing the network, as shown in Figure 8. In this kind of firewall option, select X for the application that should not be allowed to access the network, meaning network access is denied. Before writing this article I found a bounce Trojan, that is, the Explorer program connecting to the outside, and I used several anti-virus programs to stop it accessing the network, then spent a lot of effort clearing it manually. Unfortunately, it was not done; I did not have the courage to make that sacrifice for this article.
4. Use tcpview to end a connection. When you find with tcpview that a connection may be abnormal, right-click it in tcpview and select End Process to end the connection.

4. Scanning
Scanning is another big topic, including port scanning (SuperScan) and vulnerability scanning (X-Scan). This article only briefly introduces online security detection for general users. If you have taken the appropriate security measures mentioned above, you can find an online security testing website to test the security of your current system, such as the following:
1. Millennium Online: online detection
2. Blue Shield online detection
3. Skynet security online
4. Norton online security detection
1. Ports 21, 23 and 80 were found open during the test, but these are all service ports of the ADSL modem. The modem does not provide any way to modify or shut them down, but it does not matter; you just need to make the password complex.
5. If you close port 445 or turn on a firewall as described above, you will not be harassed by shock wave (Blaster) or similar worms. There are too many articles about the shock wave worm, so I will not talk about it here.
As long as your security protection is done, whether it is a big shock wave or a little one, it can only pass by in front of your computer and can do nothing.

6. Notes
There is still much more to computer security, but for general users too many security settings mean no security, because security settings are not easy even for professional computer security staff, let alone general users who do not know enough about computers. If a lot of settings are needed to be secure, many people will certainly not do them. My personal suggestions for general users are things they can actually do. For example:
1. Install anti-virus software and keep it updated when accessing the Internet.
2. Install at least one firewall. ADSL users should preferably use routing mode to access the Internet and change the default password.
3. Install patches frequently. Windows users should set the system to update automatically.
4. What you have to do yourself is use tcpview to check connections and guard against bounce Trojans. I look at it often; it may take a long time to become an expert.
5. UDP is unreliable and stateless, so it is hard to see from tcpview whether it is transmitting data. If you are interested, you can use protocol analysis tools such as Iris or a sniffer to check whether there is UDP traffic. I will talk about this topic later.
6. The topic of this article is very big, but I think many of the problems have been discussed by others, so I have not gone into them in depth.
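The three signs the key points in (7) and the bounce-Trojan section tell the reader to look for in tcpview can be checked mechanically: a SYN_SENT burst to many different hosts, an outbound web-port connection from a program that is not the browser, and a process name one letter away from a real system file such as iexpiore.exe. The script below is an added example, not the article's or tcpview's code. It works on already-parsed connection records (constructed here; 203.0.113.x and 10.0.0.x are placeholder remote addresses and sample.exe is a made-up process name) and reports each pattern. The list of legitimate names and the assumption that only iexplore.exe should be browsing are mine and would be tuned for each machine.

```python
from collections import defaultdict

# Assumption: on this machine only Internet Explorer is expected to talk to web ports.
KNOWN_BROWSERS = {"iexplore.exe"}
# Legitimate Windows names that Trojans imitate (the article's examples plus a few common ones).
KNOWN_SYSTEM_NAMES = {"iexplore.exe", "explorer.exe", "rundll32.exe", "svchost.exe", "lsass.exe"}


def conn(proc, lport, raddr, rport, state):
    """Build one connection record in the shape a tcpview parser would produce."""
    return {"proc": proc, "laddr": "192.168.1.10", "lport": lport,
            "raddr": raddr, "rport": rport, "state": state}


# Constructed sample: one normal browser session, two bounce-style outbound connections,
# the FTP client from the service-port section, and a worm-like SYN_SENT burst to port 135.
SAMPLE = [
    conn("iexplore.exe", 1035, "202.108.250.249", 80, "ESTABLISHED"),
    conn("iexpiore.exe", 1040, "203.0.113.7", 80, "ESTABLISHED"),
    conn("rundll32.exe", 1041, "203.0.113.7", 80, "ESTABLISHED"),
    conn("Inetinfo.exe", 21, "192.168.1.1", 3009, "ESTABLISHED"),
] + [conn("sample.exe", 1100 + i, f"10.0.0.{i}", 135, "SYN_SENT") for i in range(1, 13)]


def edit_distance(a, b):
    """Levenshtein distance, used to spot names like iexpiore.exe or exp1orer.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(proc):
    """Return the legitimate name a process imitates (one edit away), or None if exact or unrelated."""
    name = proc.lower()
    if name in KNOWN_SYSTEM_NAMES:
        return None
    for known in sorted(KNOWN_SYSTEM_NAMES):
        if edit_distance(name, known) == 1:
            return known
    return None


def syn_sent_scanners(conns, threshold=8):
    """Processes with half-open connections to at least `threshold` distinct hosts (worm scanning)."""
    targets = defaultdict(set)
    for c in conns:
        if c["state"] == "SYN_SENT":
            targets[c["proc"]].add(c["raddr"])
    return sorted(p for p, hosts in targets.items() if len(hosts) >= threshold)


def unexpected_outbound(conns, web_ports=(80, 443)):
    """Established connections to web ports from anything that is not the browser."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and c["rport"] in web_ports
            and c["proc"].lower() not in KNOWN_BROWSERS]


def analyze(conns):
    """Run all three checks and return sorted (rule, process, detail) findings."""
    findings = set()
    for c in conns:
        target = lookalike_of(c["proc"])
        if target:
            findings.add(("lookalike-name", c["proc"], f"imitates {target}"))
    for proc in syn_sent_scanners(conns):
        findings.add(("syn-sent-burst", proc, "SYN_SENT to many distinct hosts"))
    for c in unexpected_outbound(conns):
        findings.add(("unexpected-web-client", c["proc"], f"{c['raddr']}:{c['rport']}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, proc, detail in analyze(SAMPLE):
        print(f"{rule:22} {proc:14} {detail}")
```

A real rundll32.exe making an HTTP connection is reported by the web-client rule rather than the name rule, which matches the article's point: the name may be genuine, but the connection still gives the Trojan away, and the threshold of eight distinct hosts is deliberately higher than the handful of connections a busy web page opens.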