In network technology, a port has two meanings. The first is a physical port: the interface that devices such as ADSL modems, hubs, switches and routers use to connect to other network equipment, for example an RJ-45 port or an SC port. The second is a logical port, which generally refers to a port in the TCP/IP protocol. Port numbers range from 0 to 65535; for example, port 80 is used for browsing web services and port 21 for the FTP service. Here we introduce logical ports.

Port category

Logically speaking, ports can be classified by several standards. The following describes two common classifications:

1. By port number

(1) Well-known ports
Well-known ports are the commonly known port numbers, ranging from 0 to 1023. These ports are usually allocated to specific services. For example, port 21 is allocated to the FTP service, port 25 to the SMTP (Simple Mail Transfer Protocol) service, port 80 to the HTTP service, and port 135 to the RPC (Remote Procedure Call) service.

(2) Dynamic ports
The range of dynamic ports is from 1024 to 65535. These ports are generally not allocated to a fixed service, which means that many services can use them. When a running program asks the system for network access, the system assigns it one of these port numbers. For example, port 1024 is allocated to the first program that requests a port from the system. After the program's process is closed, the port number it occupied is released.

However, dynamic ports are often used by viruses and Trojans. For example, the default connection port of Glacier is 7626, of Way 2.4 is 8011, of NetSpy 3.0 is 7306, and of Yai is 1024.

2. By protocol type

By protocol type, ports can be divided into TCP, UDP, IP, ICMP (Internet Control Message Protocol) and other ports.
The following describes TCP and UDP ports:

(1) TCP port
A TCP port, that is, a Transmission Control Protocol port, requires a connection to be established between the client and the server, which provides reliable data transmission. Common examples include port 21 of the FTP service, port 23 of the Telnet service, port 25 of the SMTP service, and port 80 of the HTTP service.

(2) UDP port
A UDP port, that is, a User Datagram Protocol port, does not require a connection to be established between the client and the server, and security is not guaranteed. Common examples include port 53 of the DNS service, port 161 of the SNMP (Simple Network Management Protocol) service, and ports 8000 and 4000 used by QQ.

View port

To view ports in Windows 2000/XP/Server 2003, use the netstat command: click Start > Run, type cmd, and press Enter to open the Command Prompt window. At the command prompt, type "netstat -a -n" and press Enter to see the TCP and UDP connections, with their port numbers and states, displayed in numeric form.

TIPS: netstat command usage

Command format: netstat -a -e -n -o -s

-a displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-e displays the number of bytes and the number of packets sent and received over Ethernet.
-n displays the addresses and port numbers of active TCP connections in numeric form only.
-o displays active TCP connections and includes the process ID (PID) of each connection.
-s displays statistics for the various connections by protocol, including the port number.

Close/enable port

Before introducing the functions of the various ports, we first describe how to disable and enable ports in Windows, because by default many insecure or useless ports are enabled, for example port 23 of the Telnet service, port 21 of the FTP service, port 25 of the SMTP service, and port 135 of the RPC service. To keep the system secure, ports can be disabled or enabled with the following methods.
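Before disabling anything, it helps to know which of these ports are actually open on the machine. The Python script below is an added example, not part of the original article: it parses the output of "netstat -a -n -o" and reports local listeners on ports this article discusses. The sample output, the selection of ports in the table, and the advice given for Trojan default ports are assumptions made for the example, and it expects English-language Windows netstat output.

```python
"""Report listening ports from "netstat -a -n -o" that this article discusses."""
import subprocess
import sys
from collections import namedtuple

Socket = namedtuple("Socket", "proto addr port state pid")
Finding = namedtuple("Finding", "proto port pid service advice")

# Port -> (service, suggestion), transcribed from this article. The choice of
# entries is this example's; the advice for Trojan ports is an assumption.
ARTICLE_PORTS = {
    21: ("FTP", "disable unless you run an FTP server"),
    23: ("Telnet", "disable"),
    25: ("SMTP", "disable unless you run a mail server"),
    69: ("TFTP", "disable"),
    79: ("Finger", "disable"),
    135: ("RPC/DCOM", "disable"),
    137: ("NetBIOS Name Service", "disable"),
    139: ("NetBIOS Session Service", "disable unless sharing files/printers"),
    161: ("SNMP", "disable"),
    5554: ("FTP service started by Sasser", "disable"),
    7306: ("NetSpy 3.0 default port", "identify the owning process"),
    7626: ("Glacier default port", "identify the owning process"),
}

# Constructed sample of English Windows netstat output (not a real capture).
SAMPLE_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1384
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     2200
  TCP    192.168.1.10:1046      203.0.113.9:21         ESTABLISHED     2200
  TCP    [::]:135               [::]:0                 LISTENING       920
  UDP    0.0.0.0:161            *:*                                    1500
  UDP    192.168.1.10:137       *:*                                    4
"""


def parse_netstat(text):
    """Turn netstat rows into Socket tuples; banner and header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue
        proto = fields[0].upper()
        # rpartition keeps IPv6 addresses such as [::]:135 intact.
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        rest = fields[3:]
        # TCP rows have a state column, UDP rows do not; PID appears only with -o.
        state = rest[0] if proto == "TCP" and rest else ""
        pid = int(rest[-1]) if rest and rest[-1].isdigit() else None
        sockets.append(Socket(proto, addr, int(port), state, pid))
    return sockets


def audit(text):
    """Return one Finding per open local port that appears in ARTICLE_PORTS."""
    found = {}
    for s in parse_netstat(text):
        # An outbound connection *to* port 21 or 80 is not an open local port:
        # only TCP listeners and bound UDP sockets count.
        is_open = s.proto == "UDP" or s.state == "LISTENING"
        if is_open and s.port in ARTICLE_PORTS:
            service, advice = ARTICLE_PORTS[s.port]
            found[(s.port, s.proto, s.pid)] = Finding(s.proto, s.port, s.pid, service, advice)
    return [found[key] for key in sorted(found, key=lambda k: (k[0], k[1], k[2] or 0))]


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["netstat", "-a", "-n", "-o"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_OUTPUT  # other systems print a different format
    for f in audit(text):
        print(f"{f.proto} {f.port:<5} PID {f.pid}  {f.service}: {f.advice}")
```

The PID in each finding identifies the process that owns the port, which tells you which service to stop before following the steps below.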
Close the port

For example, to disable port 25 of the SMTP service in Windows 2000/XP: open "Control Panel", double-click "Administrative Tools", and then double-click "Services". In the Services window, find and double-click the "Simple Mail Transfer Protocol (SMTP)" service, click "Stop" to stop the service, select "Disabled" under "Startup type", and click "OK". Closing the SMTP service in this way is equivalent to closing the corresponding port.

Enable port

To enable the port again, select "Automatic" under "Startup type" and click "OK"; then open the service again, click "Start" under "Service status" to enable the port, and finally click "OK".

Common Network Ports

Port 21

Port Description: port 21 is mainly used for the FTP (File Transfer Protocol) service. The FTP service is mainly used to upload and download files between two computers: one computer acts as the FTP client and the other as the FTP server. You can log on to an FTP server either anonymously or with an authorized user name and password. Currently, file transmission through the FTP service is the most important method for uploading and downloading files on the Internet. In addition, port 20 is the default port number for FTP data transmission.

In Windows, you can use Internet Information Services (IIS) to provide FTP connection and management, or install separate FTP server software, such as the common Serv-U, to provide FTP functions.

Suggestion: some FTP servers allow anonymous logon, which hackers often take advantage of. In addition, port 21 is used by some Trojans, such as Blade Runner, FTP Trojan, Doly Trojan, and WebEx. If you do not run an FTP server, we recommend that you disable port 21.

Port 23

Port Description: port 23 is mainly used for the Telnet (remote logon) service, a logon and emulation program commonly used on the Internet. It also requires a client and a server to be set up.
A client with the Telnet service enabled can log on to a remote Telnet server with an authorized user name and password. After logging on, the user can perform operations in the Command Prompt window. In Windows, you can type the "Telnet" command in the Command Prompt window to log on remotely using Telnet.

Suggestion: using the Telnet service, hackers can search for UNIX services remotely and scan for the operating system type. In addition, the Telnet service in Windows 2000 has multiple serious vulnerabilities, such as privilege escalation and denial of service, which can cause the remote server to crash. Port 23 of the Telnet service is also the default port of the TTS (Tiny Telnet Server) Trojan. Therefore, we recommend that you disable port 23.

The preceding section described how to disable and enable ports, and ports 21 and 23. The following section describes other common ports and the corresponding operation suggestions.

Port 25

Port Description: port 25 is opened by SMTP (Simple Mail Transfer Protocol) servers and is mainly used to send email. Currently, most mail servers use this protocol. For example, when creating an account in an email client program, we are asked to enter the SMTP server address; by default, this server uses port 25.

Port vulnerabilities:
1. Using port 25, hackers can find SMTP servers through which to forward spam.
2. Port 25 is opened by many Trojans, such as Ajan, Antigen, Email Password Sender, ProMail, Trojan, Tapiras, Terminator, WinPC, and WinSpy. WinSpy, for example, opens port 25 so that all windows and modules running on the computer can be monitored.

Operation suggestion: if you do not intend to run an SMTP mail server, you can disable this port.

Port 53

Port Description: port 53 is opened by DNS (Domain Name Server) servers and is mainly used for domain name resolution. DNS is most widely used in NT systems. A DNS server converts domain names to IP addresses.
You only need to remember the domain name to reach a website quickly.

Port Vulnerability: if the DNS service is enabled, hackers can analyze the DNS server to obtain the IP addresses of hosts such as web servers directly, and can use port 53 to get through some unstable firewalls and launch attacks. Recently, a U.S. company also published a list of the 10 most easily attacked vulnerabilities, the first of which is the BIND vulnerability of DNS servers.

Operation suggestion: if the computer is not used to provide the domain name resolution service, we recommend that you disable this port.

Port 67 and port 68

Port Description: port 67 and port 68 are opened for the Bootstrap Protocol server and the Bootstrap Protocol client of the BOOTP service, respectively. BOOTP is a remote boot protocol that originated in early UNIX versions. The DHCP service we often use is an extension of the BOOTP service. Through the BOOTP service, IP addresses can be allocated dynamically to computers in the LAN, without setting a static IP address for each user.

Port Vulnerability: if the BOOTP service is enabled, hackers often use an assigned IP address as a local router to launch attacks in man-in-the-middle mode.

Operation suggestion: we recommend that you disable this port.

The section above described port 25 for the SMTP service, port 53 for the DNS server, and ports 67 and 68 for the BOOTP service. The following describes port 69 for TFTP, port 79 for the Finger service, and the common port 80 for the HTTP service.

Port 69

Port Description: port 69 is opened for the TFTP (Trivial File Transfer Protocol) service. TFTP is a simple file transfer protocol developed by Cisco, similar to FTP. Compared with FTP, however, TFTP has no complex interactive access interface and no authentication control. The service is suitable for data transmission between clients and servers that do not need a complex exchange environment.
Port Vulnerability: many servers provide the TFTP service together with the BOOTP service, mainly so that startup code can be downloaded from the system. However, the TFTP service can write files to the system, and hackers can also use a misconfigured TFTP service to obtain any file from the system.

Operation suggestion: we recommend that you disable this port.

Port 79

Port Description: port 79 is opened for the Finger service. It is mainly used to query details such as the online users of a remote host, the operating system type, and whether a buffer overflow occurs. For example, to display the information of user user01 on the remote computer www.abc.com, you can enter finger user01@www.abc.com.

Port vulnerabilities: generally, before attacking a computer, hackers use port scanning tools to obtain information about it. For example, port 79 can be used to scan for the operating system version of a remote computer, obtain user information, and detect known buffer overflow errors, which makes the computer an easy target. Port 79 is also used as the default port by the Firehotcker Trojan.

Operation suggestion: we recommend that you disable this port.

Port 80

Port Description: port 80 is opened for HTTP (HyperText Transfer Protocol), the most widely used protocol for surfing the Internet. It is mainly used to transmit information for the WWW (World Wide Web) service. We can through the HTTP address plus ":80" (that is often said "web site") to visit the site, such as http://www.cce.com.cn:80, because browsing ?.. Enter ":80".

Port vulnerabilities: some Trojans, such as Executor and RingZero, can use port 80 to attack computers.

Operation suggestion: to surf the Internet normally, port 80 must be enabled.

Through the introduction above, we learned about port 69 for the TFTP service, port 79 for the Finger service, and port 80 for the WWW service used for surfing the Internet.
Next we introduce the unfamiliar port 99, ports 109 and 110 for the POP services, and port 111 for the RPC service.

Port 99

Port Description: port 99 is used for a service named "Metagram Relay". This service is rare and generally not used.

Port Vulnerability: although the Metagram Relay service is not commonly used, Trojan programs such as Hidden Port and NCx99 use this port. For example, in Windows, NCx99 can bind the cmd.exe program to port 99, so that anyone connecting to the server with Telnet can add users and change permissions at will.

Operation suggestion: we recommend that you disable this port.

Ports 109 and 110

Port Description: port 109 is opened for the POP2 (Post Office Protocol Version 2) service, and port 110 is opened for the POP3 (Post Office Protocol Version 3) service. POP2 and POP3 are mainly used to receive mail. POP3 is now the more widely used, and many servers support both POP2 and POP3. A client can use the POP3 protocol to access the mail service on the server, and most ISP mail servers currently use this protocol. When using an email client program, you are asked to enter the POP3 server address; by default, port 110 is used.

Port vulnerabilities: while providing the mail receiving service, POP2 and POP3 also have many vulnerabilities. The POP3 service alone has no fewer than 20 buffer overflow vulnerabilities in the user name and password exchange. For example, the WebEasyMail POP3 server valid user name information leakage vulnerability allows remote attackers to verify the existence of user accounts. In addition, port 110 is used by Trojan programs such as the ProMail Trojan, and through port 110 the user name and password of a POP account can be stolen.

Suggestion: open this port if you are running a mail server.

Port 111

Port Description: port 111 is the port opened by Sun's RPC (Remote Procedure Call) service.
It is mainly used for internal process communication between different computers in a distributed system. RPC is an important component of many network services. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, and amd. The RPC service is also available in Microsoft Windows.

Port vulnerability: a major vulnerability in Sun RPC is a remote buffer overflow in the xdr_array function, which is present in multiple RPC services.

We have introduced port 99, which is little known but easily used by Trojans, the common ports 109 and 110 for the POP services, and port 111 for the Sun RPC service. The following sections describe port 113, which is closely related to many network services, port 119 for newsgroup transmission, and port 135, which was attacked by the "Shock Wave" virus.

Port 113

Port Description: port 113 is mainly used for the "Authentication Service" of Windows. Computers connected to a network generally run this service, which is mainly used to verify the users of TCP connections; through it, information about the connected computer can be obtained. Windows 2000/2003 Server also has a dedicated IAS component, which makes authentication and policy management for remote access easier.

Port Vulnerability: although port 113 makes authentication convenient, it is often used as a logger for FTP, POP, SMTP, IMAP, IRC and other network services, and this is exploited by the corresponding Trojan programs, such as Trojans controlled through IRC chat rooms. In addition, port 113 is the default port opened by Trojans such as Invisible Identd Daemon and Kazimas.

Operation suggestion: we recommend that you disable this port.

Port 119

Port Description: port 119 is opened for the "Network News Transfer Protocol" (NNTP) and is mainly used for the transmission of newsgroups. This port is used when you look up a USENET server.
Port Vulnerability: the famous Happy99 worm opens port 119 by default. Once the virus is active, it continuously sends emails to spread itself and causes network congestion.

Suggestion: if you use USENET newsgroups frequently, be sure to close this port from time to time.

Port 135

Port Description: port 135 is mainly used by the RPC (Remote Procedure Call) protocol and provides the DCOM (Distributed Component Object Model) service. With RPC, a program running on one computer can execute code on a remote computer. With DCOM, programs can communicate directly over the network and transmit data across multiple kinds of network transport, including HTTP.

Port Vulnerability: many Windows 2000 and Windows XP users presumably suffered from the "Shock Wave" virus last year. The virus uses an RPC vulnerability to attack computers. RPC has a vulnerability in the part that handles message exchange over TCP/IP, caused by incorrect processing of malformed messages. The vulnerability affects an interface between RPC and DCOM, and the port that this interface listens on is 135.

Operation suggestion: to avoid attacks by the "Shock Wave" virus, we recommend that you disable this port.

Through the introduction above, we learned about port 113 for the authentication service, port 119 for network newsgroups, and port 135 used by the "Shock Wave" virus. Below I introduce port 137 for the NetBIOS Name Service, port 139 for Windows file and printer sharing, and port 143 for the IMAP protocol.

Port 137

Port Description: port 137 is mainly used for the "NetBIOS Name Service" and is a UDP port. A request sent to port 137 of a computer on the LAN or on the Internet is enough to obtain the name of the computer and its registered user name, and to learn whether a primary domain controller is installed and whether IIS is running.
Port Vulnerability: because it is a UDP port, attackers can easily obtain information about the target computer by sending requests. Some of this information can be exploited directly or analyzed for vulnerabilities, for example in the IIS service. In addition, by capturing packets that are communicating over port 137, an attacker may also learn when the target computer starts up and shuts down, and can then attack it with dedicated tools.

Operation suggestion: we recommend that you disable this port.

Port 139

Port Description: port 139 is provided for the "NetBIOS Session Service" and is mainly used for Windows file and printer sharing and for the Samba service in UNIX. Sharing files over a LAN in Windows requires this service. For example, in Windows 98, you can open "Control Panel", double-click the "Network" icon, click the "File and Print Sharing" button on the "Configuration" tab, and select the corresponding settings to install and enable the service. In Windows 2000/XP, you can open "Control Panel" and double-click the "Network Connections" icon to open the properties of the local connection. On the "General" tab of the properties window, select "Internet Protocol (TCP/IP)" and click "Properties"; in the window that appears, click the "Advanced" button. In the "Advanced TCP/IP Settings" window, select the "WINS" tab and enable NetBIOS over TCP/IP in the "NetBIOS Settings" area.

Port Vulnerability: although enabling port 139 provides sharing services, it is often exploited by attackers. For example, port scanning tools such as Streamer and SuperScan can scan port 139 of the target computer; if a vulnerability is found, attackers can try to obtain the user name and password, which is very dangerous.

Operation suggestion: if you do not need to provide file and printer sharing, we recommend that you disable this port.

We have introduced port 137, through which the name and other information of a remote computer can be obtained, and port 139, which provides Windows file and printer sharing.
The following describes port 143 for the email receiving service (IMAP), port 161 for the SNMP service, and port 443 for the HTTPS service.

Port 143

Port Description: port 143 is mainly used for "Internet Message Access Protocol" (IMAP) v2. Like POP3, it is a protocol for receiving email. With the IMAP protocol, we can see the content of a message without downloading it, which makes it easier to manage email on the server. However, IMAP is more responsible than the POP3 protocol. Today, most mainstream email client software supports this protocol.

Port Vulnerability: like port 110 of the POP3 protocol, port 143 used by IMAP also has a buffer overflow vulnerability, through which the user name and password can be obtained. In addition, a Linux worm named "admv0rm" uses this port to propagate.

Suggestion: if you are not using an IMAP server, disable this port.

Port 161

Port Description: port 161 is used for the "Simple Network Management Protocol" (SNMP). This protocol is mainly used to manage network protocols in TCP/IP networks. In Windows, the SNMP service can provide status information about the hosts and the various network devices on a TCP/IP network. Currently, almost all network device vendors support SNMP.

To install the SNMP service in Windows 2000/XP, open the "Windows Components Wizard", select "Management and Monitoring Tools" under "Components", click "Details" to see "Simple Network Management Protocol (SNMP)", select this component, and click "Next" to install it.

Port vulnerabilities: SNMP can be used to obtain the status information of the various devices in the network and also to control network devices. Therefore, hackers can use SNMP vulnerabilities to take complete control of the network.

Operation suggestion: we recommend that you disable this port.
Port 443

Port Description: port 443 is a web browsing port, mainly used for the HTTPS service. HTTPS is another form of HTTP that provides encryption and transmission through a secure port. Websites with high security requirements, such as banking, securities, and shopping sites, all use the HTTPS service, so that the information exchanged on these websites cannot be seen by others, which keeps transactions secure. The address of such a web page starts with https:// rather than the common http://.

Port vulnerabilities: the HTTPS service generally uses SSL (Secure Sockets Layer) to ensure security. However, SSL vulnerabilities may be attacked by hackers, for example to break into an online banking system or steal credit card accounts.

Operation suggestion: we recommend that you enable this port for secure web page access. In addition, to prevent hacker attacks, install the latest security patches released by Microsoft for SSL vulnerabilities in a timely manner.

Port 554

Port Description: port 554 is used by default for the "Real Time Streaming Protocol" (RTSP). This protocol was jointly proposed by RealNetworks and Netscape. With RTSP, streaming media files can be transmitted over the Internet to RealPlayer for playback, making effective and maximal use of limited network bandwidth. The transmitted streaming media files are generally published by a Real server and include .rm and .ram files. Nowadays, many download programs support the RTSP protocol, such as FlashGet and audio and video conveyor belts.

Port Vulnerability: currently, the vulnerability found in the RTSP protocol is a buffer overflow in the Helix Universal Server released by RealNetworks. Relatively speaking, port 554 is secure.

Operation suggestion: to play and download RTSP streaming media files, we recommend that you enable port 554.

Port 1024

Port Description: port 1024 is generally not allocated to a fixed service.
Its English description is "Reserved". As mentioned earlier, the range of dynamic ports is from 1024 to 65535, and 1024 is where the dynamic ports begin. This port is usually allocated to the first service that requests a port from the system. When that service is closed, port 1024 is released and waits to be used by other services.

Port vulnerabilities: the famous Yai Trojan uses port 1024 by default. This Trojan can be used to control the target computer remotely, capture its screen, record keyboard events, and obtain passwords; the consequences are serious.

Operation suggestion: general anti-virus software can easily detect and remove the Yai virus. Therefore, we recommend that you enable this port once you have confirmed that there is no Yai virus.

Port 1080

Port Description: port 1080 is the port used by the SOCKS proxy service. The WWW service is what people usually use on the Internet. The SOCKS proxy service differs from the HTTP proxy service: it passes through the firewall by way of a channel and lets users behind the firewall access the Internet through a single IP address. The SOCKS proxy service is often used in LANs. For example, if QQ is restricted, you can open the QQ parameter settings window, select "Network Settings", and set up the SOCKS proxy service there. You can also use QQ by installing SOCKS proxy software such as Socks2HTTP or SocksCap32.

Port Vulnerability: the default port of WinGate, the well-known proxy server software, is 1080; through this port, the computers in a LAN share Internet access. However, worms such as Worm.Bugbear.B (Monster II) and Worm.Novarg.B (SCO bomb variant B) also listen on port 1080 of the local system, which harms the security of the computer.

Operation suggestion: unless you frequently use WinGate to share Internet access, we recommend that you disable this port.

Port 1755

Port Description: port 1755 is used by default for "Microsoft Media Server" (MMS).
This is a streaming media protocol published by Microsoft. With the MMS protocol, streaming media files on Windows Media servers can be transmitted and played over the Internet. These files include .asf and .wmv files, which can be played in real time with media player software such as Windows Media Player. Specifically, port 1755 is divided into the TCP and UDP variants of the MMS protocol, namely MMST and MMSU. Generally, the TCP variant of MMS, that is MMST, is used. Currently, most streaming media and common download software support the MMS protocol.

Port vulnerabilities: so far, neither Microsoft nor users have found obvious vulnerabilities in the transmission and playback of streaming media files with the MMS protocol. The main problem is compatibility between the MMS protocol and firewalls and NAT (Network Address Translation).

Operation suggestion: to play and download streaming media files over the MMS protocol in real time, we recommend that you enable this port.

The following describes port 4000 used by QQ, port 5554 used by the "Shock Wave" virus, port 5632 used by pcAnywhere, and port 8080 used by the WWW proxy service.

Port 4000

Port Description: port 4000 is used by the popular QQ chat tool; it is the port opened by the QQ client. The port used by the QQ server is 8000. Through port 4000, the QQ client program sends information to the QQ server for identity authentication and message forwarding, and messages sent between QQ users are transmitted through this port by default. Ports 4000 and 8000 are not TCP ports but UDP ports.

Port Vulnerability: port 4000 is a UDP port. Although messages can be transmitted directly, there are also various vulnerabilities. For example, the Worm_Witty.A (vidi) worm uses port 4000 to send itself to random IP addresses, disguised as ICQ data packets; the consequence is that random data is written to the hard disk. In addition, the Trojan.SkyDance Trojan horse uses this port.
Operation suggestion: in order to chat with QQ, port 4000 can be left open.

Port 5554

Port Description: on April 30 this year, a new worm targeting the Microsoft LSASS service was reported: "Shock Wave" (Worm.Sasser). The virus can use TCP port 5554 to start an FTP service, which is mainly used to spread the virus.

Port Vulnerability: after a computer is infected with the "Shock Wave" virus, it sends the worm to other infected computers through port 5554, and attempts to connect to TCP port 445 and send attacks. Poisoned computers may restart repeatedly, run slowly, and fail to access the Internet; hackers may even exploit this vulnerability to gain control of the system.

Operation suggestion: to prevent infection by the virus, we recommend that you disable port 5554.

Port 5632

Port Description: port 5632 is the port opened by the well-known remote control software pcAnywhere, and exists as both a TCP and a UDP port. Through this port, the local computer can control a remote computer, view the remote computer's screen, and transfer files, including synchronized file transfer. After the pcAnywhere controlled computer is installed, the pcAnywhere host automatically scans the port.

Port vulnerabilities: through port 5632, the controlling computer can control remote computers and perform all kinds of operations, which may be exploited by criminals to steal accounts, steal important data, and do various kinds of damage.

Operation suggestion: to avoid being scanned through port 5632 and having the computer controlled remotely, we recommend that you disable this port.

Port 8080

Port Description: port 8080, like port 80, is used for the WWW proxy service and allows web browsing. When accessing a website or using a proxy server, the port number ":8080" is added, as in http://www.cce.com.cn:8080.

Port vulnerabilities: port 8080 can be exploited by various virus programs.
For example, the Brown Orifice (BRO) Trojan horse can use port 8080 to control an infected computer remotely. In addition, the RemoConChubo and RingZero Trojans can also use this port for attacks.

Operation suggestion: we generally use port 80 for web browsing. To avoid virus attacks, we can disable this port.

Reprinted to http://hi.baidu.com/dream824/blog/item/7e1b012df900c534349bf709.html