Windows listens on many ports by default. Once the computer is on the Internet, worms and attackers can reach it through these ports.
To turn your system into an impregnable fortress, close the ports you do not need. The main ones are TCP 135, 139, 445, 593 and 1025, UDP 135, 137, 138 and 445, a few ports used by popular backdoors (for example TCP 2745, 3127 and 6129), and the Remote Desktop port, TCP 3389.
Viewing ports
To see which ports are in use on Windows 2000/XP/Server 2003, run the netstat command:
Click Start > Run, type cmd and press Enter to open a Command Prompt window. At the prompt type "netstat -a -n" and press Enter. The TCP and UDP ports in use are listed numerically, together with the state of each connection.
TIPS: netstat command usage
Command format: netstat [-a] [-e] [-n] [-o] [-s]
-a displays all active TCP connections and all TCP and UDP ports on which the computer is listening.
-e displays Ethernet statistics: the number of bytes and packets sent and received.
-n displays addresses and port numbers numerically instead of resolving them to names.
-o adds the process ID (PID) that owns each connection or listening port (Windows XP and later).
-s displays statistics per protocol (TCP, UDP, IP, ICMP).
netstat -a -n (or netstat -an): view all open ports; add -o to see which process owns each one.
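The netstat output above is meant to be read by eye. As an added example (not code from the original article), the PowerShell below parses "netstat -a -n -o" lines, looks up the owning process, and flags the listening ports the article recommends closing. It needs Windows XP or later for the -o switch and an administrator prompt to see every PID; the sample netstat output at the end is constructed for offline demonstration, not a real capture.

```powershell
# Added example, not part of the original article.
# Ports the article says to close, by protocol.
$PortsToClose = @{
    TCP = @(135, 139, 445, 593, 1025, 2745, 3127, 6129, 3389)
    UDP = @(135, 137, 138, 445)
}

function Get-OpenPorts {
    param(
        # Raw netstat lines; defaults to running netstat on this machine.
        [string[]]$NetstatOutput = (netstat -a -n -o)
    )
    foreach ($line in $NetstatOutput) {
        # TCP lines have a state column, UDP lines do not; the PID is always last.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$') {
            $proto  = $Matches[1]
            $local  = $Matches[2]
            $state  = $Matches[4]
            $procId = [int]$Matches[5]
            # Only listening TCP sockets count as open ports; every UDP socket can receive.
            if ($proto -eq 'TCP' -and $state -ne 'LISTENING') { continue }
            # Split on the last colon so IPv6 addresses such as [::]:135 parse too.
            $cut  = $local.LastIndexOf(':')
            $port = [int]$local.Substring($cut + 1)
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol     = $proto
                LocalAddress = $local.Substring(0, $cut).Trim('[', ']')
                Port         = $port
                ProcessId    = $procId
                Process      = if ($proc) { $proc.ProcessName } else { '?' }
                ShouldClose  = $PortsToClose[$proto] -contains $port
            }
        }
    }
}

# Live run: everything that is listening, then the ones the article says to close.
$open = Get-OpenPorts
$open | Sort-Object Protocol, Port | Format-Table -AutoSize
"Open ports the article recommends closing:"
$open | Where-Object ShouldClose | ForEach-Object {
    '{0} {1} (PID {2}, {3})' -f $_.Protocol, $_.Port, $_.ProcessId, $_.Process
}

# Constructed sample output (not a real capture) to exercise the parser offline.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       192.168.1.20:1043      ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
'@ -split "`r?`n"
# Expected: TCP 135, TCP 445 and UDP 137 flagged; the ESTABLISHED line is skipped.
Get-OpenPorts -NetstatOutput $sample | Format-Table -AutoSize
```

The process name is what tells you whether a port can be closed by stopping a service (a line owned by PID 4, System, is the kernel's SMB/NetBIOS listener and cannot be stopped that way) or has to be blocked with a filter as described later in this article.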
Closing and enabling ports
First, how to disable and enable ports in Windows. Many insecure or unneeded ports are open by default, for example port 23 of the Telnet service, port 21 of the FTP service, port 25 of the SMTP service and port 135 of the RPC service. To keep the system secure, you can disable or enable such ports with the following methods.
Closing a port
For example, to close port 25 of the SMTP service on Windows 2000/XP: open Control Panel, double-click Administrative Tools, then double-click Services. In the Services window find and double-click the "Simple Mail Transfer Protocol (SMTP)" service, click Stop to stop it, set "Startup type" to Disabled and click OK. Stopping the SMTP service closes its port, because no process is listening there any more.
Enabling a port
To open the port again, set "Startup type" to Automatic, click OK, then open the service again and click Start under "Service status". Finally click OK.
Tip: Windows 98 has no Services console. Use a firewall's rule settings to block or allow the port instead.
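The same Services-console steps, as an added PowerShell example that is not part of the original article. It stops and disables the service that owns a port, then checks netstat to confirm nothing else still holds the port, which the console alone does not tell you. Port 25 belongs to the IIS SMTP service, whose service name is SMTPSVC; the function names are the example's own.

```powershell
# Added example, not part of the original article. Run from an elevated prompt.
function Disable-PortService {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force     # -Force also stops dependent services
    }
    Set-Service -Name $ServiceName -StartupType Disabled   # "Startup type: Disabled"

    # A port is only closed when no process at all has it open: match
    # "<proto>  <addr>:<port> " in netstat output, IPv4 or IPv6.
    $pattern   = '^\s*{0}\s+\S+:{1}\s' -f $Protocol, $Port
    $stillOpen = netstat -a -n -o | Select-String -Pattern $pattern
    if ($stillOpen) {
        Write-Warning "$Protocol port $Port is still open after stopping $ServiceName:"
        $stillOpen | ForEach-Object { $_.Line }
    } else {
        "$Protocol port $Port is closed"
    }
}

function Enable-PortService {
    param([Parameter(Mandatory)][string]$ServiceName)
    Set-Service -Name $ServiceName -StartupType Automatic  # "Startup type: Automatic"
    Start-Service -Name $ServiceName                       # "Service status: Start"
    Get-Service -Name $ServiceName                         # should show Running
}

# Close port 25 by disabling the IIS SMTP service.
Disable-PortService -ServiceName SMTPSVC -Port 25
# To reopen it later:
# Enable-PortService -ServiceName SMTPSVC
```

The Telnet service is TlntSvr (port 23) and the IIS FTP service is MSFTPSVC (port 21). Do not try this on the RPC service (RpcSs, port 135): Windows itself depends on it and will not let it stop, which is why port 135 has to be blocked with a filter, as the next section shows.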
How to block and unblock network ports in Windows XP/2000/2003
Step 1: Click Start > Settings > Control Panel > Administrative Tools and double-click Local Security Policy. Select "IP Security Policies on Local Computer", right-click an empty area of the right pane and choose "Create IP Security Policy" (as in the picture on the right). A wizard opens: click Next and give the new policy a name, then click Next to reach the "Requests for Secure Communication" page. Clear the "Activate the default response rule" check box and click Finish. The new IP security policy is created.
Step 2: Right-click the new policy and choose Properties. Clear the "Use Add Wizard" check box and click Add to create a new rule. The New Rule Properties dialog opens; click Add to bring up the IP Filter List window. There, again clear "Use Add Wizard" and click the Add button on the right to add a new filter.
Step 3: In the Filter Properties dialog, on the Addressing tab choose "Any IP Address" as the source address and "My IP Address" as the destination address. On the Protocol tab select TCP as the protocol type, choose "To this port", type 135 and click OK (as shown in the left figure). This adds a filter matching TCP port 135 (RPC), which stops outside hosts from connecting to your computer on that port.
Click OK to return to the IP Filter List dialog; one filter is now listed. Repeat the steps above to add filters for TCP 139, 445 and 593 and for UDP 135, 137, 138 and 445.
Repeat once more for TCP ports 1025, 2745, 3127, 6129 and 3389, then click OK.
Step 4: Back in the New Rule Properties dialog, select the new IP filter list by clicking the radio button to its left. Switch to the Filter Action tab, clear "Use Add Wizard" and click Add to create a new filter action (picture on the right). On the Security Methods tab of the new filter action select Block and click OK.
Step 5: In the New Rule Properties dialog select the new filter action (the radio button beside it becomes selected) and click Close. Back in the policy's Properties dialog, make sure the new IP filter list is checked and click OK. Finally, in the Local Security Settings window, right-click the new IP security policy and choose Assign.
Once the policy is assigned (restart the computer to be sure it is loaded), these ports are blocked and worms and attackers can no longer connect to them. Because the filter drops packets before they reach the service, the protection holds even before a patch for a newly announced hole in one of these services is available; it supplements patching rather than replacing it. Be aware that blocking TCP 139/445 and UDP 137/138 stops other machines from using this computer's file and printer shares, and blocking TCP 3389 disables Remote Desktop, so do this from the console rather than over a remote session.
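The five GUI steps above build one IPsec policy, one filter list with one filter per port, one block action and one rule, and then assign the policy. As an added example (not code from the original article), the PowerShell script below creates the same objects from the command line with "netsh ipsec static", which makes the change repeatable across machines. It assumes Windows Server 2003 or later (Windows 2000 and XP ship ipseccmd.exe instead of netsh ipsec) and an elevated prompt; the policy, filter list, action and rule names are the example's own.

```powershell
# Added example, not part of the original article: the article's IPsec blocking
# policy via "netsh ipsec static". Object names below are the example's own choice.
$PolicyName = 'BlockDangerousPorts'
$FilterList = 'BlockedPortsList'
$ActionName = 'BlockAction'
$RuleName   = 'BlockRule'

# The ports the article lists, by protocol.
$Targets = @(
    @{ Protocol = 'TCP'; Ports = 135, 139, 445, 593, 1025, 2745, 3127, 6129, 3389 },
    @{ Protocol = 'UDP'; Ports = 135, 137, 138, 445 }
)

# Step 1: the policy, with the default response rule left inactive
# (the "Activate the default response rule" check box cleared).
netsh ipsec static add policy name=$PolicyName activatedefaultrule=no

# Steps 2 and 3: a filter list holding one filter per port. Source "any",
# destination "me" (My IP Address), "mirrored" so replies match as well.
netsh ipsec static add filterlist name=$FilterList
foreach ($t in $Targets) {
    foreach ($p in $t.Ports) {
        netsh ipsec static add filter filterlist=$FilterList srcaddr=any dstaddr=me `
            protocol=$($t.Protocol) srcport=0 dstport=$p mirrored=yes `
            description="$($t.Protocol)_$p"
    }
}

# Step 4: the filter action that drops matching packets ("Block").
netsh ipsec static add filteraction name=$ActionName action=block

# Step 5: the rule ties list and action together; assigning the policy enables it.
netsh ipsec static add rule name=$RuleName policy=$PolicyName `
    filterlist=$FilterList filteraction=$ActionName
netsh ipsec static set policy name=$PolicyName assign=y

# Check what was built and that it is assigned.
netsh ipsec static show policy name=$PolicyName level=verbose

# To undo: netsh ipsec static set policy name=$PolicyName assign=n
#          netsh ipsec static delete policy name=$PolicyName
```

srcport=0 means "any source port". A mirrored filter with dstaddr=me only blocks traffic arriving at these ports on this computer; connections this computer makes to port 445 or 3389 on other hosts are unaffected.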
Port categories
Ports can be classified in several ways. Two common classifications follow:
1. By port number
(1) Well-known ports
Well-known ports are the port numbers from 0 to 1023. They are normally assigned to specific services.
For example, port 21 is assigned to the FTP service, port 25 to the SMTP (Simple Mail Transfer Protocol) service, port 80 to the HTTP service and port 135 to the RPC (Remote Procedure Call) service.
(2) Dynamic ports
Dynamic ports range from 1024 to 65535 (IANA further divides this into registered ports, 1024 to 49151, and dynamic or private ports, 49152 to 65535). These ports are generally not tied to a particular service; many services can use them. Whenever a program asks the system for network access, the system can hand it one of these port numbers. For example, the first program to ask may get port 1024, and when that process exits the port is released.
However, dynamic ports are also commonly used by viruses and trojans. For example, the default port of the Glacier trojan is 7626, WAY 2.4 uses 8011, NetSpy 3.0 uses 7306 and YAI uses 1024.
2. By protocol type
By protocol type, ports can be divided into TCP, UDP, IP, ICMP (Internet Control Message Protocol) and other ports. TCP and UDP ports are described below:
(1) TCP ports
TCP (Transmission Control Protocol) ports require a connection to be established between client and server and provide reliable data transfer. Common ones include port 21 of the FTP service, port 23 of the Telnet service, port 25 of the SMTP service and port 80 of the HTTP service.
(2) UDP ports
UDP (User Datagram Protocol) ports do not require a connection between client and server, and delivery is not guaranteed. Common ones include port 53 of the DNS service, port 161 of the SNMP (Simple Network Management Protocol) service, and ports 8000 and 4000 used by QQ.
Common network ports
Port: 0
Service: Reserved
Description: Usually used to fingerprint the operating system. This works because 0 is an invalid port on some systems, and connecting to it gives a different result than connecting to an ordinary closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit and broadcasts the packet at the Ethernet layer.
Port: 1
Service: tcpmux
Description: Seeing probes for this port means someone is looking for SGI IRIX machines. IRIX is the main vendor that implements tcpmux, and it is enabled by default on that system. IRIX machines shipped with several default accounts without passwords, such as lp, guest, uucp, nuucp, demos, tutor, diag and OutOfBox, and many administrators forgot to remove them after installation. Attackers therefore scan the Internet for tcpmux and then try these accounts.
Port: 7
Service: Echo
Description: Traffic to x.x.x.0 and x.x.x.255 on this port is commonly seen when people search for Fraggle amplifiers.
Port: 19
Service: Character Generator
Description: A service that only emits characters. The UDP version answers any received UDP packet with a packet full of junk characters; the TCP version sends a stream of junk characters once a connection is made until the connection closes. Attackers use IP spoofing to launch DoS attacks by forging a UDP packet between two chargen servers so they flood each other. In the same way, a Fraggle DoS attack broadcasts a packet with a forged source IP address to this port on the target network, and the victim is overwhelmed responding to the data.
Port: 21
Service: FTP
Description: The port opened by FTP servers for uploading and downloading files. Attackers most commonly use it to find anonymous FTP servers with writable directories. It is also opened by the Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash and Blade Runner trojans.
Port: 22
Service: SSH
Description: TCP connections to this port from pcAnywhere may be searching for SSH. This service has had many vulnerabilities; in particular, many versions built on the RSAREF library are vulnerable when configured in certain modes.
Port: 23
Service: Telnet
Description: Remote login. Intruders look for remote login to UNIX services. In most cases the port is scanned to find out which operating system the machine runs. Other techniques let intruders find passwords here as well. The Tiny Telnet Server trojan opens this port.
Port: 25
Service: SMTP
Description: The port opened by SMTP servers for sending mail. Intruders look for SMTP servers to relay their spam: intruders whose accounts have been shut down need a high-bandwidth mail server through which they can send a simple message to many addresses. The trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC and WinSpy also open this port.
Port: 31
Service: MSG Authentication
Description: Opened by the Master Paradise and Hackers Paradise trojans.
Port: 42
Service: WINS replication
Description: WINS replication.
Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by DNS servers. Intruders may attempt zone transfers (TCP), DNS spoofing (UDP), or use it to tunnel other traffic. Firewalls therefore often filter or log this port.
Port: 67
Service: Bootstrap Protocol server
Description: On DSL and cable modem firewalls you will often see large amounts of data sent to the broadcast address 255.255.255.255: these are machines requesting an address from a DHCP server. An attacker can answer such requests, handing out addresses that make the attacker's machine the local router, and then mount man-in-the-middle attacks. The client sends its configuration request from port 68 to server port 67, and the server sends its reply to port 68. The reply is broadcast because the client does not yet have an IP address to send to.
Port: 69
Service: Trivial File Transfer
Description: Many servers run this service together with BOOTP so that systems can download boot code. Misconfigured, it lets intruders read any file from the system, and it can also be used to write files onto the system.
Port: 79
Service: Finger server
Description: Intruders use it to obtain user information, identify the operating system, probe for known buffer overflow bugs, and to relay finger scans from their own machine to other machines.
Port: 80
Service: HTTP
Description: Used for Web browsing. The Executor trojan opens this port.
Port: 99
Service: Metagram Relay
Description: The ncx99 backdoor opens this port.
Port: 102
Service: Message Transfer Agent (MTA), X.400 over TCP/IP
Description: Message transfer agent.