Computers communicate with each other through ports. For example, when you access a website, Windows opens a port on the local machine (such as port 1025) and connects to a port on the remote web server; the same happens in reverse when others connect to you. By default, Windows opens many service ports, and attackers often use these ports to break in. Knowing which ports are open is therefore essential for safe Internet use.
I. Common ports and their classification
Computers communicate over the Internet using the TCP/IP protocol. TCP/IP provides 256x256 (65536) port numbers, and a port number can refer to a TCP port or a UDP port. By port number, ports fall into the following two categories:
1. System reserved ports (0 to 1023)
These ports are reserved for the system rather than for ordinary applications. Each has a fixed definition and corresponds to a common Internet service, so every open port represents a system service: for example, port 80 is the web service, 21 is FTP, 25 is SMTP (sending mail), 110 is POP3 (receiving mail), and so on.
HTTP: port 80, the WWW service.
DHCP: the server port number is 67.
DHCP: the client port number is 68.
POP3: POP3 is only a mail retrieval protocol; a POP3 client sends mail to the server using SMTP. POP3 uses port 110.
SMTP: port 25. SMTP is not concerned with how mail is transported, only with whether it reaches its destination. SMTP has robust mail handling and can route mail automatically according to certain rules. It notifies the user immediately when the destination address does not exist, and it returns undeliverable mail to the sender after a certain period of time.
TELNET: port 23. Telnet is the oldest Internet application and originated on ARPANET. Its name is an abbreviation of "telecommunication network protocol".
FTP: FTP uses ports 20 and 21. Port 20 is used for data transfer and port 21 for the control connection; control information and data can be transmitted at the same time, which is a special feature of FTP. FTP uses TCP connections.
TFTP: port 69, which uses UDP.
DNS: port 53, name service.
NetBIOS: ports 137, 138 and 139, of which 137 and 138 are UDP ports. These ports are used when files are transferred through Network Neighborhood. Port 139: a connection to this port tries to obtain the NetBIOS/SMB service. This protocol is used for Windows file and printer sharing and by Samba. WINS registration also uses it.
NNTP (Network News Transfer Protocol): port 119
SNMP (Simple Network Management Protocol): port 161
RPC (Remote Procedure Call) service: port 135
QQ: port 8000 (server) and port 4000 (client)
Port 21: port 21 is mainly used for the FTP (File Transfer Protocol) service.
Port 23: port 23 is mainly used for the Telnet (remote logon) service. It is a common logon and terminal emulation program on the Internet. It was originally designed to help administrators manage computers remotely, but "hackers" are the ones who make the most use of it!
Port 25: port 25 is opened by SMTP (Simple Mail Transfer Protocol) servers and is mainly used to send email. Most mail servers use this protocol today.
Port 53: port 53 is opened by DNS (Domain Name Server) servers and is mainly used for domain name resolution. DNS is used most widely on NT systems.
Ports 67 and 68: ports 67 and 68 are opened for the Bootstrap Protocol server and Bootstrap Protocol client of the BOOTP service respectively.
Port 69: TFTP is a simple file transfer protocol developed by Cisco, similar to FTP.
Port 79: port 79 is opened for the Finger service. It is mainly used to query details of users on a remote host, such as who is logged on, the operating system type and whether a buffer overflow has occurred.
Port 80: port 80 is opened for HTTP (HyperText Transfer Protocol), the most widely used protocol for browsing the Internet. It is the protocol used to transfer information for the WWW (World Wide Web) service.
Port 99: port 99 is used for a service named "Metagram Relay". This service is rare and generally unavailable.
Ports 109 and 110: port 109 is opened for the POP2 (Post Office Protocol version 2) service, and port 110 for the POP3 (Post Office Protocol version 3) service. POP2 and POP3 are mainly used to receive email.
Port 111: port 111 is opened by Sun's Remote Procedure Call service. It is mainly used for communication between processes on different computers in a distributed system; RPC is an important component of many network services.
Port 113: port 113 is mainly used for the authentication service in Windows.
Port 119: port 119 is opened for the Network News Transfer Protocol (NNTP).
Port 135: port 135 is mainly used by the Remote Procedure Call protocol and provides the DCOM (Distributed Component Object Model) service.
Port 137: port 137 is mainly used for the NetBIOS Name Service.
Port 139: port 139 is provided for the NetBIOS Session Service and is mainly used to provide Windows file and printer sharing and the Samba service on UNIX.
Port 143: port 143 is mainly used for the Internet Message Access Protocol v2 (IMAP).
Port 161: port 161 is used for the Simple Network Management Protocol (SNMP).
Port 443: port 443 is the secure web browsing port. It is mainly used for the HTTPS service, a variant of HTTP that provides encryption and transmission over a secure port.
Port 554: port 554 is used by default for the Real Time Streaming Protocol (RTSP).
2. Dynamic ports (1024 to 65535)
When you need to communicate with others, Windows allocates a dynamic port on the local machine starting from 1024. If port 1024 is still in use, port 1025 is allocated the next time one is needed, and so on.
However, some system services are bound to ports in the 1024 to 49151 range, such as port 3389 (Remote Terminal Service). Ports 49152 to 65535 are usually not bound to system services, so Windows can allocate them to you dynamically.
Port 1024: port 1024 is generally not allocated to a service; it is marked "Reserved".
Port 1080: port 1080 is the port used by the SOCKS proxy service. It is commonly used by WWW services on the Internet.
Port 1755: port 1755 is used by default for Microsoft Media Server (MMS).
Port 3389: Remote Desktop! This is the port used in "3389 intrusions".
II. How to check which ports are open on the local machine
By default, Windows opens many "service ports". To view which ports are open on the local machine and which remote hosts are connected to it, run the netstat command:
Windows provides the netstat command to display the current TCP/IP network connections.
Operation method: click Start → Programs → Accessories → Command Prompt to open a DOS window. Enter netstat -na and press Enter to display the connection state and open ports of the local machine. Local Address shows the local IP address and open port number, Foreign Address shows the remote computer's IP address and port number, and State shows the current TCP connection state.
Enter netstat -nab in the DOS window and the program that created each connection is displayed. If a suspicious port is open on the local machine, use this command to see which components it calls, then check the creation time and modification time of each component. If anything abnormal is found, it may be a Trojan.
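The following PowerShell is an added example and not part of the original article. It parses netstat output (the embedded sample is constructed to look like `netstat -ano`; the -o switch adds the owning process ID to each row) and reports only local listeners whose port appears in the article's list of ports to close, resolving the process name for each. The port lists and the sample lines are the example's own assumptions; for a live check, feed it the real command output as shown in the last comment.

```powershell
# Added example, not from the original article. Parses "netstat -ano" style output and
# flags listening ports that the article recommends closing. Sample lines are constructed.
$SuspectTcp = 135, 139, 445, 593, 1025, 2513, 2745, 3127, 6129, 3389
$SuspectUdp = 123, 137, 138, 445, 1900

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Columns: Proto  Local Address  Foreign Address  [State]  PID
    # UDP rows have no State column, so the field count differs.
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 4 -or $f[0] -notin 'TCP', 'UDP') { return $null }
    # The port is whatever follows the last ':' (works for 0.0.0.0:445 and [::]:445 alike)
    $port = [int]($f[1].Substring($f[1].LastIndexOf(':') + 1))
    if ($f[0] -eq 'TCP') {
        [pscustomobject]@{ Proto = 'TCP'; LocalPort = $port; State = $f[3]; OwnerPid = [int]$f[4] }
    } else {
        [pscustomobject]@{ Proto = 'UDP'; LocalPort = $port; State = 'LISTENING'; OwnerPid = [int]$f[3] }
    }
}

function Get-FlaggedPorts {
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        $c = ConvertFrom-NetstatLine $line
        if ($null -eq $c) { continue }
        # An ESTABLISHED outbound connection from a high port (e.g. 1025) is normal;
        # only local listeners are of interest here.
        if ($c.State -ne 'LISTENING') { continue }
        $flagged = ($c.Proto -eq 'TCP' -and $c.LocalPort -in $SuspectTcp) -or
                   ($c.Proto -eq 'UDP' -and $c.LocalPort -in $SuspectUdp)
        if (-not $flagged) { continue }
        $proc = Get-Process -Id $c.OwnerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = $c.Proto
            Port    = $c.LocalPort
            Pid     = $c.OwnerPid
            Process = if ($proc) { $proc.ProcessName } else { '(not running)' }
        }
    }
}

# Constructed sample; for a live check use:  Get-FlaggedPorts -NetstatLines (netstat -ano)
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1140
  TCP    192.168.1.5:1025       203.0.113.10:80        ESTABLISHED     2316
  UDP    0.0.0.0:123            *:*                                    1284
  UDP    0.0.0.0:1900           *:*                                    3372
'@
Get-FlaggedPorts -NetstatLines ($sample -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample the report lists TCP 135, 445 and 3389 and UDP 123 and 1900; the ESTABLISHED row on port 1025 is skipped because it is an outbound session, not a listener, which is the distinction a reviewer needs before deciding that a port in the 1024 and up range is a problem.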
III. Close ports not used by the local machine
By default, many Windows ports are open. Once the network is connected, attackers can reach your computer through these ports, so the unused ones should be closed. They mainly include TCP 139, 445, 593 and 1025; UDP 123, 137, 138, 445 and 1900; some popular backdoor ports (such as TCP 2513, 2745, 3127 and 6129); and the remote service access port 3389.
The closing method is as follows:
① Ports 137, 138, 139 and 445: these are all opened for sharing and should be closed so that your machine is not shared. Click Start > Control Panel > System > Hardware > Device Manager, click "Show hidden devices" under View, and double-click "Non-Plug and Play Drivers". Find and double-click "NetBios over Tcpip". In the "NetBios over Tcpip Properties" window, under the General tab, select "Do not use this device (disable)", click OK and restart.
Close port 135
Windows XP (close port 135)
Run dcomcnfg, expand "Component Services" > "Computers", right-click "My Computer" and select "Properties". Switch to "Default Properties" and clear "Enable Distributed COM on this computer"; then switch to "Default Protocols" and remove "Connection-oriented TCP/IP".
These options have corresponding registry values, so you can also change them through the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole: set the value of EnableDCOM to "N"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc: delete "ncacn_ip_tcp" from "DCOM Protocols"
In addition, you must disable the "Distributed Transaction Coordinator" service (for how to disable a service, see "System Service Optimization").
After the computer is restarted, port 135 is closed.
Close port 139
Control Panel > Network and Dial-up Connections > Local Area Connection > Properties, double-click Internet Protocol (TCP/IP) > Advanced > WINS, select "Disable NetBIOS over TCP/IP" > OK.
Close port 445
Run regedit and open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters.
Create a new DWORD value named "SMBDeviceEnabled" and leave its data at the default "0".
② Close UDP port 123: click Start > Settings > Control Panel, double-click Administrative Tools > Services, and stop the Windows Time service. Closing UDP port 123 prevents some worms.
③ Close UDP port 1900: in Control Panel, double-click Administrative Tools > Services and stop the SSDP Discovery Service. Closing this port helps prevent DDoS attacks.
④ Other ports: you can block them with a network firewall. Alternatively, in Control Panel double-click Administrative Tools > Local Security Policy, select "IP Security Policies, on Local Computer", and create an IP security policy to block them.
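The registry values and services named in steps ① to ③ can be checked in one pass instead of by clicking through dialogs. The script below is an added example, not from the article: by default it only reads the current state and reports whether each setting matches what the article asks for, and with -Apply it enforces the same settings. The registry paths, value names and service names (W32Time, SSDPSRV, MSDTC) are the real Windows ones; the per-interface NetbiosOptions value (2 = disabled) is the registry form of the "Disable NetBIOS over TCP/IP" option in the WINS tab and is this example's own addition. Run it in an elevated PowerShell.

```powershell
# Added example, not from the original article. Read-only audit of the settings the
# article changes by hand; -Apply enforces them. Run as Administrator.
function Test-PortHardening {
    [CmdletBinding()]
    param([switch]$Apply)

    # Single-value registry checks: DCOM off (port 135) and SMB direct hosting off (port 445)
    $regChecks = @(
        @{ Check = 'EnableDCOM = N (port 135)'
           Path  = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM'; Want = 'N' },
        @{ Check = 'SMBDeviceEnabled = 0 (port 445)'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Name = 'SMBDeviceEnabled'; Want = 0 }
    )
    foreach ($r in $regChecks) {
        $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
        $cur  = if ($item) { $item.($r.Name) } else { '(absent)' }
        $ok   = ($cur -eq $r.Want)
        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Want   # creates the value if absent
            $ok = $true
        }
        [pscustomobject]@{ Check = $r.Check; Current = $cur; Wanted = $r.Want; OK = $ok }
    }

    # "DCOM Protocols" is a REG_MULTI_SZ; the article removes the ncacn_ip_tcp entry.
    $rpcPath = 'HKLM:\SOFTWARE\Microsoft\Rpc'
    $protos  = @((Get-ItemProperty -Path $rpcPath -Name 'DCOM Protocols' -ErrorAction SilentlyContinue).'DCOM Protocols')
    $hasTcp  = $protos -contains 'ncacn_ip_tcp'
    if ($hasTcp -and $Apply) {
        $kept = [string[]]($protos | Where-Object { $_ -ne 'ncacn_ip_tcp' })
        Set-ItemProperty -Path $rpcPath -Name 'DCOM Protocols' -Value $kept -Type MultiString
        $hasTcp = $false
    }
    [pscustomobject]@{ Check = 'DCOM Protocols without ncacn_ip_tcp'; Current = ($protos -join ','); Wanted = 'no ncacn_ip_tcp'; OK = (-not $hasTcp) }

    # NetBIOS over TCP/IP (ports 137-139) is set per interface: NetbiosOptions 2 = disabled.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in (Get-ChildItem -Path $ifRoot -ErrorAction SilentlyContinue)) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $ok  = ($opt -eq 2)
        if (-not $ok -and $Apply) { Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2; $ok = $true }
        [pscustomobject]@{ Check = "NetbiosOptions = 2 ($($iface.PSChildName))"; Current = $opt; Wanted = 2; OK = $ok }
    }

    # Services the article stops: W32Time (UDP 123), SSDPSRV (UDP 1900), MSDTC (with DCOM).
    foreach ($svc in 'W32Time', 'SSDPSRV', 'MSDTC') {
        $s   = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $cur = if ($s) { "$($s.Status)/$($s.StartType)" } else { '(absent)' }
        $ok  = ($null -eq $s) -or ($s.Status -eq 'Stopped' -and $s.StartType -eq 'Disabled')
        if (-not $ok -and $Apply) { Stop-Service -Name $svc -Force; Set-Service -Name $svc -StartupType Disabled; $ok = $true }
        [pscustomobject]@{ Check = "$svc stopped and disabled"; Current = $cur; Wanted = 'Stopped/Disabled'; OK = $ok }
    }
}

Test-PortHardening | Format-Table -AutoSize    # add -Apply to enforce the settings
```

Stopping a service only closes its port until the next boot, which is why the script also checks that the start type is Disabled; the registry changes for ports 135, 137 to 139 and 445 take effect after a restart, so a second run after rebooting is the real confirmation.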
IV. Redirect the local default port to protect system security
If a default port on the local machine cannot be closed, it should be "redirected". Moving the service to another port hides the default port it accepts connections on, reduces the chance of damage, and protects system security.
For example, if the Terminal Server port (3389 by default) is open on your computer, you can redirect it to another port (for example 1123). The method is as follows:
1. Modify the local machine (server side)
Locate the following two registry keys and change the PortNumber value in each to the custom port (for example 1123):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
2. Modify on the client
Choose Start > Programs > Accessories > Communications > Remote Desktop Connection. In the Remote Desktop Connection window, click Options to expand the window. After entering the relevant parameters, click "Save As" under the General tab to export the connection parameters to an .rdp file. Open the file in Notepad and add a line at the end: server port:i:1123 (enter your server's custom port here). Then double-click the .rdp file to connect to the custom port on the server.
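Both halves of this procedure, the server-side PortNumber change and the client-side .rdp file, can be scripted. The block below is an added example and not the article's own; it reads the current PortNumber from both keys, sets a new one, and writes a matching .rdp file. It goes beyond the article in two places that a practitioner needs: the built-in "Remote Desktop" firewall rule only allows 3389, so a rule for the new port is created with New-NetFirewallRule (Windows 8/Server 2012 and later), and the TermService service must be restarted before the new port is used. The host name server.example, the output path, and the 1024 to 65535 range check are assumptions of this example.

```powershell
# Added example, not from the original article. Moves the Terminal Services listener to a
# custom port and writes the matching .rdp file. Run as Administrator.
$RdpKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

function Get-RdpPort {
    # Returns the PortNumber from each key; both should agree.
    foreach ($k in $RdpKeys) {
        [pscustomobject]@{ Key = $k; PortNumber = (Get-ItemProperty -Path $k -Name PortNumber).PortNumber }
    }
}

function Set-RdpPort {
    param([Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Port)
    foreach ($k in $RdpKeys) {
        Set-ItemProperty -Path $k -Name PortNumber -Value $Port -Type DWord
    }
    # The built-in "Remote Desktop" firewall rule covers 3389 only; allow the new port explicitly.
    New-NetFirewallRule -DisplayName "Remote Desktop (custom port $Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
    # Restarting TermService drops any active RDP session; do this from the console or a scheduled task.
    Restart-Service -Name TermService -Force
}

function New-RdpFile {
    param([string]$Server, [int]$Port, [string]$Path)
    # Minimal .rdp content; "server port:i:<n>" is the line the article adds by hand.
    @(
        "full address:s:$Server",
        "server port:i:$Port",
        "prompt for credentials:i:1"
    ) | Set-Content -Path $Path -Encoding Unicode
}

Get-RdpPort
# Set-RdpPort -Port 1123
# New-RdpFile -Server 'server.example' -Port 1123 -Path "$HOME\Desktop\server-1123.rdp"
```

Moving the port hides the listener from casual scans of 3389 but does not change what the service accepts, so the usual controls (strong credentials, Network Level Authentication, a firewall rule scoped to trusted source addresses rather than Any) still apply to the new port.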