I. The concept of a port
In network technology, the term port covers both physical and logical ports. Physical ports are the hardware interfaces used to connect to other network devices, such as those on ADSL modems, hubs, switches, and routers: RJ-45 ports, SC ports, and so on. Logical ports are used to distinguish services logically, such as the service ports in the TCP/IP protocol, whose port numbers range from 0 to 65535: port 80 for Web browsing, port 21 for FTP, and so on. Because there are so many physical and logical ports, each one is numbered to tell them apart; that number is the port number.
Use
The TCP and UDP segment headers carry 16-bit port addresses, so port numbers range from 0 to 65535. The following usage rules apply to these 65,536 port numbers:
(1) Port numbers below 256 are defined as the commonly used ports, and servers are generally identified by their well-known port number. The services provided by any TCP/IP implementation use port numbers between 1 and 1023, which are managed by ICANN;
(2) The client only needs to make sure that its port number is unique on the local machine. The client's port number is short-lived, which is why it is called a temporary port number;
(3) Most TCP/IP implementations assign temporary port numbers between 1024 and 5000. Port numbers greater than 5000 are reserved for other servers.
Each port corresponds to a service or a piece of software. For the sake of host security, we therefore need to know which ports are open and in use under Linux.
1. Use the "cat /etc/services" command to view the default port list for all services.
2. Use the "netstat" command to view the list of connected ports.
3. Use the "netstat -a" command to view all service ports, both listening and connected.
4. Besides -t (TCP) and -u (UDP), the socket-type options also include -w (RAW) and -x (UNIX) sockets.
5. Use "netstat -ap" to view all service ports together with the corresponding program names.
Computer ports can be divided into 3 main categories:
1) Well-known ports: from 0 to 1023. They are tightly bound to particular services, and traffic on these ports usually clearly indicates the protocol of a specific service. For example, port 80 is practically always HTTP traffic.
2) Registered ports: from 1024 to 49151. They are loosely bound to services. This means that many services are bound to these ports, and the ports are also used for many other purposes. For example, many systems hand out dynamic ports starting at around 1024.
3) Dynamic and/or private ports: from 49152 to 65535. In theory, these ports should not be assigned to services. In practice, machines typically allocate dynamic ports from 1024 upward. There are exceptions: Sun's RPC ports start at 32768.
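Added example (not part of the original article): the script below applies the three port categories above to netstat-style output and marks listeners on ports that this page describes as commonly abused. The sample listing, the function names and the review list are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by "netstat -anp" (numeric
# addresses). It was written for this example, not captured from a host.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      940/in.telnetd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1101/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1203/nginx
udp        0      0 0.0.0.0:19              0.0.0.0:*                           655/xinetd
udp        0      0 0.0.0.0:51413           0.0.0.0:*                           2044/app
tcp        0      0 10.0.0.5:22             10.0.0.9:50522          ESTABLISHED 3310/sshd
EOF
}

# Reads netstat output on stdin and prints one line per open service port:
#   proto/port  category  pid/program  note
audit_listeners() {
  awk '
    $1 !~ /^(tcp|udp)/ { next }                  # headers, unix and raw sockets
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }       # TCP: listening sockets only
    $1 ~ /^udp/ && $6 == "ESTABLISHED" { next }  # UDP: skip connected sockets
    {
      n = split($4, part, ":")                   # handles 0.0.0.0:22 and :::80
      port = part[n] + 0
      if (port <= 1023)       class = "well-known"
      else if (port <= 49151) class = "registered"
      else                    class = "dynamic"
      # Review list: an assumption of this example, drawn from the port notes
      # in the list on this page. Adjust it to the local policy.
      note = "-"
      if (port == 7)  note = "REVIEW:echo"
      if (port == 19) note = "REVIEW:chargen"
      if (port == 21) note = "REVIEW:ftp"
      if (port == 23) note = "REVIEW:telnet"
      printf "%s/%d %s %s %s\n", $1, port, class, $NF, note
    }'
}

# Demo on the constructed sample; on a host use: netstat -anp | audit_listeners
sample_netstat | audit_listeners
```

Program names are only shown for sockets the invoking user owns, so run netstat as root when auditing a whole host.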
III. Commonly used network port numbers
21/TCP FTP File Transfer Protocol
23/TCP Telnet Insecure text transfer
22/TCP SSH Secure login, file transfer (SCP), and port redirection
80/TCP HTTP Hypertext Transfer Protocol (WWW)
Port: 0
Service: Reserved
Description: Typically used to help identify the operating system. This works because "0" is an invalid port on some systems, so trying to connect to it gives a different result than connecting to an ordinary closed port. A typical scan uses IP address 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.
Port: 1
Service: Tcpmux
Description: This indicates that someone is looking for an SGI IRIX machine. IRIX is the main implementation that provides tcpmux, and tcpmux is enabled by default on this system.
Port: 7
Service: Echo
Description: You will see a lot of traffic to this port, sent to x.x.x.0 and x.x.x.255 by people searching for Fraggle amplifiers.
Port: 19
Service: Character Generator
Description: This is a service that only sends characters. The UDP version responds to any UDP packet it receives with a packet of junk characters. The TCP version sends a stream of junk characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks, forging UDP packets between two chargen servers.
Port: 21
Service: FTP
Description: The port opened by an FTP server, used for uploads and downloads. Attackers most commonly use it to look for FTP servers with anonymous access enabled. These servers have readable and writable directories. The Trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash, and Blade Runner open this port.
Port: 22
Service: SSH
Description: A TCP connection to this port established by PcAnywhere may be an attempt to find SSH. This service has many weaknesses; if it is configured in a specific mode, many of the versions that use the RSAREF library have a number of vulnerabilities.
Port: 23
Service: Telnet
Description: Remote login. Intruders search for UNIX services that allow remote login. In most cases this port is scanned to identify the operating system the machine is running. Using other techniques, intruders can also find passwords. The Trojan Tiny Telnet Server opens this port.
Port: 25
Service: SMTP
Description: The port opened by an SMTP server for sending mail. Intruders look for SMTP servers to relay their spam. Because intruders' accounts get closed, they need to connect to a high-bandwidth e-mail server to deliver simple messages to different addresses. The Trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, and WinSpy all open this port.
Port: 31
Service: MSG Authentication
Description: The Trojans Master Paradise and Hackers Paradise open this port.
Port: 42
Service: WINS Replication
Description: WINS replication
Port: 53
Service: Domain Name Server (DNS)
Description: The port opened by a DNS server. An intruder may be attempting a zone transfer (TCP), DNS spoofing (UDP), or hiding other traffic. Firewalls therefore often filter or log this port.
Port: 67
Service: Bootstrap Protocol Server
Description: Firewalls on DSL and cable modems often see large amounts of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from a DHCP server. Hackers often get in this way: they assign an address and pose as the local router to launch a large number of man-in-the-middle attacks. The client broadcasts its configuration request to port 68, and the server broadcasts the response to port 67. The response is broadcast because the client does not yet know an IP address to which it can be sent.