There is a network port for every type of traffic. Some ports are more at risk than others. Here are the worst offenders and what you can do to keep them safe.
Network and Internet connections using Transmission Control Protocol / Internet Protocol (TCP/IP) are made from one IP address to another. For convenience we can use a website name such as cloudsavvyit.com, but it is the underlying IP address that is used to direct your connection to the correct web server. The same works in reverse: the network traffic that arrives on your computer has been directed to its IP address.
Many programs and services will be running on your computer. You may have an email application and a browser open on your desktop. Maybe you use a chat client such as Slack or Microsoft Teams. If you manage remote machines, you may be using a Secure Shell (SSH) connection. If you work from home and need to connect to your office, you may use a Remote Desktop Protocol (RDP) connection or a Virtual Private Network (VPN) connection.
The IP address only identifies the computer. It couldn’t
When a courier delivers a package to a hotel, the address identifies the building. The room number identifies the room and the hotel guest. The street address is like the IP address and the room number is like the port number. Applications and services use specific, numbered ports. So the actual destination for a network packet is a port on an IP address. This is enough to identify the application or service on a particular computer for which the packet is intended.
Standard port numbering
Some ports are dedicated to specific types of traffic. These are the well-known ports. Other ports are registered by applications and reserved for their use. These are the registered ports. There is a third set of ports available to every application. They are requested, allocated, used and released on an ad hoc basis. These are called ephemeral ports.
A combination of ports is used in a connection. The network connection needs a port on the local end of the connection – in the computer – to connect to the remote end of the connection, such as a web server. If the web server uses Hypertext Transfer Protocol Secure (HTTPS), the remote port is port 443. Your computer uses one of the free ephemeral ports to connect to port 443 on the web server’s IP address.
There are 65535 TCP/IP ports (and the same number of User Datagram Protocol (UDP) ports).
- 0–1023: Well-known ports. These are assigned to services by the Internet Assigned Numbers Authority (IANA). For example, SSH uses port 22 by default, web servers listen for secure connections on port 443, and Simple Mail Transfer Protocol (SMTP) traffic uses port 25.
- 1024–49151: Registered ports. Organizations can request a port from IANA to be registered and allocated to them for use with an application. Although these registered ports are called semi-reserved, they should still be considered reserved. They are called semi-reserved because it is possible that the registration of a port is no longer needed and the port becomes available for reuse. However, even when it is not currently registered, the port remains in the list of registered ports. It is kept ready to be registered by another organization. An example of a registered port is port 3389. This is the port associated with RDP connections.
- 49152–65535: Ephemeral ports. These are used on an ad hoc basis by client programs. You are free to use them in any application you write. Typically, they are used as the local port in the computer when sending to a well-known or registered port on another device to request and establish a connection.
No port is inherently secure
No particular port is inherently more secure or more at risk than any other. A port is a port. It is the use the port is put to, and how securely that use is managed, that determines whether a port is secure.
The protocol used to communicate over a port, and the service or application consuming or generating the traffic that passes through it, must be current implementations that are still within the manufacturer’s support period. They must receive security updates and bug fixes, and these must be applied in a timely manner.
Here are some common ports and how they can be exploited.
Port 21, File Transfer Protocol
An unsecured FTP server listening on port 21 is a serious security flaw. Many FTP servers have vulnerabilities that allow anonymous authentication, lateral movement within the network, access to privilege escalation techniques, and – because many FTP servers can be managed via scripts – a way to implement cross-site scripting.
Malware programs such as Dark FTP, Windows and WinCrash have taken advantage of insecure FTP ports and services.
Port 22, Secure Shell
Secure Shell (SSH) accounts configured with short, non-unique, reused, or predictable passwords are insecure and can easily be compromised by password dictionary attacks. Many vulnerabilities in earlier deployments of SSH services and daemons have been discovered, and more are still being found. Patching is essential to maintaining security with SSH.
Port 23, Telnet
Telnet is an old service and one that should be retired. There is no justification for using this old and insecure method of text-based communication. All information it sends and receives through port 23 is transmitted in plain text. There is no encryption at all.
Threat actors can eavesdrop on any Telnet communication and can easily pick out authentication credentials. They can perform man-in-the-middle attacks by injecting specially crafted malicious packets into the unencrypted text streams.
Even an unauthenticated remote attacker could exploit a buffer overflow vulnerability in the Telnet daemon or service and, by crafting malicious packets and injecting them into the text stream, run processes on the remote server. This technique is known as Remote (or Arbitrary) Code Execution (RCE).
Port 80, Hypertext Transfer Protocol
Port 80 is used for unsecured Hypertext Transfer Protocol (HTTP) traffic. HTTPS has almost entirely replaced HTTP, but HTTP still exists on the Internet. Other ports commonly used with HTTP are ports 8080, 8088 and 8888. These are mostly used on older HTTP servers and web proxies.
Unsecured web traffic and its ports are susceptible to cross-site scripting, cross-site request forgery, buffer overflow attacks, and SQL injection attacks.
Port 1080, SOCKS Proxies
SOCKS is a protocol used by SOCKS proxies to route and forward network packets on TCP connections to IP addresses. Port 1080 was once one of the preferred ports for malware such as Mydoom and many worm and denial of service attacks.
Port 4444, Transmission Control Protocol
Some rootkit, backdoor, and Trojan horse software opens and uses port 4444. It uses this port to eavesdrop on traffic and communications, for its own communications, and to exfiltrate data from the compromised computer. It is also used to download new malicious payloads. Malware such as the Blaster worm and its variants used port 4444 to create back doors.
Ports 6660–6669, Internet Relay Chat
Internet Relay Chat (IRC) started in Finland in 1988 and is still in use today. Nowadays you need a strong business case to bring IRC traffic into your organization.
Numerous IRC vulnerabilities have been discovered and exploited over its twenty years of use. The UnrealIRCD daemon had a bug in 2009 that made remote code execution a trivial matter.
Port 161, Simple Network Management Protocol
Some ports and protocols can give attackers a great deal of information about your infrastructure. UDP port 161 is attractive to threat actors because it can be used to poll information from servers – about the servers themselves as well as the hardware and users behind them.
Port 161 is used by the Simple Network Management Protocol (SNMP), which lets threat actors request details such as infrastructure hardware, usernames, network share names and other sensitive information; in other words, information that is useful to the threat actor.
Port 53, Domain Name Service
Threat actors must consider the exfiltration route that their malware will use to send data and files from within your organization to their own servers.
Port 53 has been used as the exfiltration port of choice because traffic through the Domain Name Service is rarely monitored. Threat actors would loosely disguise the stolen data as DNS traffic and send it to their own fake DNS server. The fake DNS server accepted the traffic and reconstructed the data in its original format.
Some malware writers choose easy-to-remember strings of digits or repeated numbers to use as ports. Ports 234, 6789, 1111, 666, and 8888 were all used for this. Detecting one of these strange looking port numbers used in your network should start a deeper investigation.
Port 31337, meaning elite in leet speak, is another common port number used by malware. It has been used by at least 30 malware variants, including Back Orifice and Bindshell.
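The two detection ideas above (odd destination ports, and data smuggled out as DNS queries) as a worked example; this is added code, not from the original article, and the flow records, DNS log lines, the tunnel.example.net domain and the thresholds are all constructed for the demo.

```python
import math
from collections import Counter

# Destination ports the article associates with malware, backdoors and IRC bots.
WATCHLIST_PORTS = {4444, 31337, 1080, 234, 6789, 1111, 666, 8888} | set(range(6660, 6670))

# Constructed flow records: source IP, destination IP, destination port, protocol.
FLOW_LOG = """\
10.0.0.5 93.184.216.34 443 tcp
10.0.0.5 93.184.216.34 443 tcp
10.0.0.7 198.51.100.9 4444 tcp
10.0.0.9 203.0.113.4 31337 tcp
10.0.0.9 192.0.2.10 6667 tcp
"""

# Constructed DNS query log: client IP, queried name. The last three mimic data
# smuggled out as long, random-looking labels under a domain the attacker controls.
DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 3d5f9a1c2b7e8f0a1c3d5f7b9e1a3c5d.tunnel.example.net
10.0.0.7 a9c1e3f5b7d9f1a3c5e7b9d1f3a5c7e9.tunnel.example.net
10.0.0.7 7b9d1f3a5c7e9b1d3f5a7c9e1b3d5f7a.tunnel.example.net
"""

def shannon_entropy(s):
    """Bits per character; hex or base32 encoded payloads score far above real hostnames."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def flag_watchlist_ports(log):
    """Flows whose destination port is on the watchlist, as (src, dst, port)."""
    hits = []
    for line in log.splitlines():
        src, dst, port, _proto = line.split()
        if int(port) in WATCHLIST_PORTS:
            hits.append((src, dst, int(port)))
    return hits

def flag_dns_tunnelling(log, max_label=30, min_entropy=3.5):
    """Queries whose leftmost label is unusually long or unusually random, as (client, name)."""
    suspicious = []
    for line in log.splitlines():
        client, qname = line.split()
        label = qname.split(".")[0]
        if len(label) > max_label or shannon_entropy(label) > min_entropy:
            suspicious.append((client, qname))
    return suspicious
```

Either list is a starting point for investigation, not proof of compromise: tune the label length and entropy thresholds against a week of your own resolver logs before alerting on them.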
How to secure these ports
All ports should be closed unless there is a documented, reviewed and approved business case. Do the same for exposed services. Default passwords should be changed and replaced with robust, unique passwords. Where possible, two-factor authentication should be used.
All services, protocols, firmware, and applications must still be within the manufacturer’s support lifecycles, and security and bug fix patches must be available to them.
Monitor the ports in use on your network and investigate any quirks or unexplained open ports. Understand what your normal port usage looks like so that unusual behavior can be identified. Perform port scans and penetration tests.
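One way to turn "know what normal looks like" into a check, as an added example that is not from the original article: compare a host's listening sockets with an approved baseline and report anything else. The baseline and the `ss -lntu` output are constructed for the demo; `live_audit()` assumes a Linux host with iproute2 installed.

```python
import subprocess

# Approved listeners for this host as (proto, port). Constructed baseline for the demo.
BASELINE = {("tcp", 22), ("tcp", 443), ("udp", 161)}

# Constructed stand-in for `ss -lntu` output (listening TCP/UDP sockets, numeric ports).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:4444      0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return a list of (proto, address, port) from `ss -lntu`-style text."""
    listeners = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        address, port = local.rsplit(":", 1)          # also handles [::]:22
        listeners.append((proto, address, int(port)))
    return listeners

def audit_listeners(ss_output, baseline=BASELINE):
    """Listeners not in the approved baseline, with whether they are reachable off-host."""
    findings = []
    for proto, address, port in parse_listeners(ss_output):
        if (proto, port) in baseline:
            continue
        exposure = "loopback" if address in ("127.0.0.1", "[::1]") else "external"
        findings.append({"proto": proto, "port": port, "address": address, "exposure": exposure})
    return findings

def live_audit():
    """Run against the real host (Linux, iproute2); not used by the sample data."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out)

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"UNEXPECTED {f['proto']}/{f['port']} on {f['address']} ({f['exposure']})")
```

On the sample data the Telnet and 4444 listeners on 0.0.0.0 are the ones to chase first; the loopback-only SMTP listener is lower risk but still unexplained and belongs in the baseline or off the host.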
Close port 23 and stop using Telnet. Seriously. Just stop.
SSH ports can be secured through public key authentication and two-factor authentication. It will also help to configure your network to use a different port number for SSH traffic.
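The SSH advice above, applied to an OpenSSH sshd_config as a weak configuration beside its hardened counterpart, with a small audit function; this is an added example, not code from the original article. Both config texts are constructed, Match blocks are ignored, and the defaults used for missing directives are OpenSSH's documented ones; expressing the second factor as AuthenticationMethods publickey,keyboard-interactive assumes PAM supplies the keyboard-interactive step.

```python
# Directives the article's advice maps to: acceptable values and the reason.
CHECKS = {
    "passwordauthentication": ({"no"}, "disable password logins; use keys"),
    "permitrootlogin": ({"no", "prohibit-password"}, "do not allow root password login"),
    "pubkeyauthentication": ({"yes"}, "enable public key authentication"),
    "authenticationmethods": ({"publickey,keyboard-interactive"}, "require key plus second factor"),
}
# OpenSSH defaults, used when a directive is absent or commented out.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "authenticationmethods": "any",
}

# Constructed configs: a permissive one and its hardened counterpart.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# PubkeyAuthentication yes
"""
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""

def parse_sshd_config(text):
    """First occurrence of a directive wins, as in sshd_config; keywords are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings

def audit_sshd_config(text):
    """Return one finding string per directive that does not meet the checks above."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (ok_values, advice) in CHECKS.items():
        current = settings.get(key, DEFAULTS[key])
        if current not in ok_values:
            findings.append(f"{key}={current}: {advice}")
    if settings.get("port", "22") == "22":
        findings.append("port=22: move SSH off the default port to reduce automated noise")
    return findings
```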
If you must use IRC, make sure it sits behind a firewall and require IRC users to connect through a VPN into your network before they can use it. Do not allow outside traffic to reach your IRC server directly.
Monitor and filter DNS traffic. Nothing should leave port 53 except real DNS requests.
Apply a defense-in-depth strategy and make your defenses multi-layered. Use host-based and network-based firewalls. Consider an intrusion detection system (IDS) such as the free and open source Snort.
Disable any proxies that you have not set up or that you no longer need.
Some SNMP responses return strings that contain default credentials in plain text. Turn this off.
Remove unwanted HTTP and HTTPS response headers and disable the banners that are included by default in responses from certain network hardware. These unnecessarily give away information that only benefits the threat actors.