How to protect high-risk network ports?

Data packets transmitted to and from numbered network ports are associated with specific IP addresses and endpoints, using either TCP or UDP protocols. All ports are at risk of being attacked, no ports are absolutely secure.

Kurt Muhl, a leading security consultant with RedTeam, explains: "Every basic port and service has a risk. The risk comes from the version of the service, even if it is configured in a way. correct or set a password for the service, is the password strong enough? Other factors include, whether the port has been chosen by a hacker to attack, do you let it slip through the portal. Again, there are many factors that determine the security of a gateway or service. "

CSO examines network port risk based on applications, vulnerabilities and related attacks, providing multiple approaches to protect businesses from hackers who abuse these vulnerabilities.

1. Comprehensive network monitoring tool set
2. Top 10 basic network troubleshooting tools that IT people need to know

What makes network portals dangerous?

There are a total of 65,535 TCP ports and 65,535 other UDP ports, we will consider some of the most dangerous ports. TCP port 21 connects FTP servers to the Internet. These FTP servers have many major vulnerabilities such as anonymous authentication, directory traversal, cross-site scripting, making port 21 an ideal target for hackers.

While some vulnerable services are still using the utility, old services like Telnet on TCP port 23 are basically insecure from the beginning. Although its bandwidth is very small, only a few bytes at a time, Telnet sends data completely publicly in clear text. Austin Norby, a computer scientist at the US Department of Defense, said: "Attackers can listen to, view certificates, insert commands through [man-in-the-middle] attacks and end. The same is the implementation of Remote Code Executions (RCE) ". (This is your own opinion, not representative of any agency.)

While some network gateways make vulnerabilities available for attackers to enter, there are other ports that create perfect exits. TCP / UDP 53 port for DNS is an example. When entering the network and achieving the goal, all the hackers need to do to get the data out of it is to use the available software to turn the data into DNS traffic. Norby said: "DNS is rarely monitored and rarely filtered." When attackers steal data from a secure enterprise, they only need to send data via specially designed DNS servers to translate data to its original state.

The more ports that are used, the easier it is to hack into all other packets. TCP port 80 for HTTP supports web traffic that the browser receives. According to Norby, attacks on web clients via port 80 include SQL injection, cross-site request forgery, cross-site scripting and buffer overflows.

How to protect high-risk network ports? Picture 1

Attackers will set up their services on separate ports. They use TCP port 1080 - used for sockets to protect "SOCKS" proxies, in support of operations and malware. Trojans and worms like Mydoom and Bugbear used port 1080 in their attacks. Norby said: If a network administrator does not set up a SOCKS proxy, its existence is a threat.

When hackers get stuck, they will use easily rememberable port numbers, such as the string 234, 6789, or the same number as 666 or 8888. Some software Backdoor and Trojan horse are open and used. TCP port 4444 to listen, communicate, forward malicious traffic from outside and send malicious payloads. Some other malware also use this port including Prosiak, Swift Remote and CrackDown.

Web traffic not only uses port 80. HTTP traffic also uses TCP ports 8080, 8088 and 8888. The servers connected to these ports are mostly old and unmanaged boxes that protect the vulnerability. Security is increasing over time. Servers on these ports can also be HTTP proxies, if network administrators do not install them, HTTP proxies can become security concerns in the system.

Elite attackers used TCP and UDP port 31337 for famous backdoor - Back Orifice and other malware programs. The TCP port can be listed as: Sockdmini, Back Fire, icmp_pipe.c, Back Orifice Russian, Freak88, Baron Night and BO client, the example on UDP port is Deep BO. In "leetspeak" - the language uses letters and numbers, 31337 is "eleet", meaning Elite.

Weak passwords can make SSH and port 22 vulnerable to attacks. According to David Widen, system engineer at BoxBoat Technologies: Port 22 - Secure Shell port allows access to remote shells on vulnerable server hardware, because here authentication information is usually the username and Default password, easy to guess. Short passwords, less than 8 characters, use familiar phrases with a sequence of numbers that are too predictable for attackers.

Hackers are still attacking IRC running on ports 6660 through 6669. Widen said: At this portal there are many IRC vulnerabilities, such as Unreal IRCD that allow attackers to perform remote attacks, but usually normal attacks, not much value.

Some ports and protocols allow attackers to access more. For example, UDP port 161 is attracting attackers by SNMP protocol, useful for managing networked computers, exploring information and sending traffic through this port. Muhl explains: SNMP allows users to query the server to get user names, file shares on the network and more. SNMP usually comes with default strings that act as passwords.

Protection of ports, services and vulnerabilities

According to Widen, businesses can protect the SSH protocol by using public key authentication, disable login when rooted and move SSH to a higher port number so that attackers can't find it. If a user connects to SSH on a port number as high as 25,000, it will be difficult for an attacker to identify the attack surface of the SSH service.

If your business runs IRC, turn on the firewall to protect it. Widen also added: Don't allow any traffic from outside the network to be near the IRC service. Only allow VPN users to access the network to use IRC.

Repeated port numbers and especially series of numbers rarely show proper use of ports. Norby said: When you see these ports in use, make sure they are authenticated. Monitor and filter DNS to avoid leaks and stop using Telnet and close port 23 again.

Security on all network ports must include in-depth defense. Norby says: Close all unused ports, use host-based firewalls on all servers, run the latest network-based firewalls, monitor and filter traffic through the gateway. Perform network port scans regularly to ensure there are no missing holes on the port. Pay special attention to SOCKS proxies or any other service that you haven't set up yet. Patch, repair and consolidate any device, software or service connected to the network port until there are no gaps in your network. Be proactive when new vulnerabilities appear in software (both old and new) that attackers can access through network gateways.

MuHl said: Using the latest updates for any service you support, properly configuring it and using strong passwords, access control lists will help you limit who can can connect to ports and services. He added that regular portals and services should be checked. When you use services like HTTP and HTTPS, you can customize it a lot, which leads to misconfiguration and creates security holes.

Safe berth for risk ports

Experts have produced different port lists at high risk based on different criteria such as the type or severity of threats associated with each port or the level of vulnerability of the services. Service on certain ports. But so far there is no full list. For further research, you can start with listings on SANS.org, SpeedGuide.net and GaryKessler.net.

The article compiles from "Securing risky network ports" published by CSO.

1. 8 best Wifi security routers
2. How to secure your VPN more secure?
3. How to secure your accounts with U2F security key?