Open ports and their vulnerabilities
One of the age-old tenets of good network security is to open only the network ports that are necessary and to put protection around any port that is open to the outside world.
Open ports give attackers an opportunity to compromise your environment. Let’s look at commonly open ports, the weaknesses of the services behind them, and why these can be dangerous.
What is an open port?
An open port is a network port on which a service accepts TCP or UDP traffic, allowing communication with the underlying server software. Open ports are required whenever you host a remote service to which end users connect.
Why are ports open in the first place?
Many of the common technologies that allow communication across the Internet rely on open ports to work. Web servers, FTP file transfers, voice over IP (VoIP), name resolution, and many other services that send traffic across the Internet use specific, well-known ports for communication.
What is the difference between TCP and UDP
You will note that ports are defined as being TCP or UDP ports. Both TCP and UDP operate at the transport layer of the TCP/IP stack and run on top of IP. What is the difference between them? Transmission Control Protocol (TCP) is connection-oriented: it establishes a session with a handshake before data flows and includes built-in acknowledgment, error recovery, and retransmission.
User Datagram Protocol (UDP) is connectionless and does not require acknowledgment of delivery. This gives UDP lower overhead and better performance than TCP, at the sacrifice of guaranteed delivery.
Common open ports
There are specific network ports associated with common technologies and communication standards in the enterprise environment, including Windows networking. What are these? Note the following ports and their associated communication technologies:
- TCP port 21 FTP (File Transfer Protocol) – Provides a way to transfer files between computers using the simple get and put operations to receive or send files to a remote endpoint. Port 21 carries the control channel; file data travels over a separate connection (port 20 in active mode). FTP was not designed as a secure means of communication: logins and file contents are sent in cleartext
- TCP port 22 SSH (Secure Shell) – The purpose of SSH is to give administrators the ability to connect securely to an endpoint over an untrusted network
- TCP port 23 Telnet – Allows interacting with a network endpoint from the command line and is sometimes still used as a tool for remote management. Everything, including the login, is sent in cleartext
- TCP port 25 SMTP (Simple Mail Transfer Protocol) – A protocol used to relay mail from email server to email server
- TCP and UDP port 53 DNS (Domain Name System) – The protocol used for name resolution across the Internet. It uses port 53 over both UDP and TCP. DNS is responsible for converting the human-friendly domain names typed into a web browser into the IP addresses that are not intuitive for people
- TCP port 110 POP3 – Known as the Post Office Protocol version 3, it is used by email clients to download mail from remote mail servers
- TCP port 143 IMAP – Internet Message Access Protocol synchronizes and displays mailboxes held on the server without the need to download them to the client
- TCP ports 80 & 443 HTTP and HTTPS – HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP over TLS, originally SSL) are today’s standard web server protocols and ports. HTTP on port 80 is the legacy, insecure protocol, while HTTPS on port 443 carries encrypted web communications. Most organizations have deprecated plain HTTP across the board, since it is cleartext and can be intercepted or modified in transit
- TCP port 81 – Not assigned to a standard service; commonly used as an alternate HTTP port, for example by web proxies or secondary web interfaces
- TCP and UDP ports 135, 137, 139 – Windows Remote Procedure Call (RPC) and NetBIOS over TCP/IP are well known in Windows networking. The RPC endpoint mapper listens on TCP port 135, the NetBIOS name service on UDP port 137 (with the datagram service on UDP port 138), and the NetBIOS session service on TCP port 139. These services have historically had many vulnerabilities
- TCP port 1433 SQL – Microsoft SQL Server, used throughout many enterprise organizations today communicates over TCP port 1433.
- TCP port 3306 MySQL – This port is used for MySQL database communication
- TCP port 3389 RDP – Remote Desktop Protocol (RDP) is used to display remote GUI desktop sessions of a remote Windows computer. It is commonly used with Virtual Desktop Infrastructure (VDI) environments.
- TCP port 5900 VNC – VNC is a tool that is commonly used for remote access administration. It communicates on TCP port 5900.
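As an added example (not from the original article, and not a Specops tool), the following Python script turns the table above into a quick listening-socket audit of the kind the "audit open network ports" advice later on this page calls for. It parses the output layout of `ss -tulnp` on Linux; the SAMPLE text is constructed for the example rather than captured from a real host, and the severity labels are this example's own convention.

```python
"""Audit listening sockets against the port table above (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Port -> (service, sends credentials/data in cleartext unless TLS/STARTTLS is used)
PORT_TABLE = {
    21: ("FTP", True), 22: ("SSH", False), 23: ("Telnet", True), 25: ("SMTP", True),
    53: ("DNS", False), 80: ("HTTP", True), 81: ("HTTP-alt", True), 110: ("POP3", True),
    135: ("MS RPC", False), 137: ("NetBIOS-NS", False), 139: ("NetBIOS-SSN", False),
    143: ("IMAP", True), 443: ("HTTPS", False), 1433: ("MSSQL", False),
    3306: ("MySQL", False), 3389: ("RDP", False), 5900: ("VNC", False),
}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # bind address; "*", "0.0.0.0" or "::" means every interface
    port: int
    process: str    # owning process name if ss could see it, else "?"


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp` output. The header line and anything that is not a
    tcp/udp row is skipped; the local address:port is the fifth column."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        addr, port = parts[4].rsplit(":", 1)          # handles "[::]:80" and "*:443"
        proc = re.search(r'\(\("([^"]+)"', line)       # users:(("nginx",pid=990,fd=6))
        listeners.append(Listener(parts[0], addr.strip("[]"), int(port),
                                  proc.group(1) if proc else "?"))
    return listeners


def audit(listeners: list[Listener]) -> list[dict]:
    """Rate each listener. Severity scale (this example's convention):
    high   = cleartext protocol reachable from the network
    medium = known service reachable from the network (verify filtering, patching, auth)
    review = unknown service reachable from the network
    info   = bound to loopback only"""
    findings = []
    for item in listeners:
        exposed = item.addr not in LOOPBACK and not item.addr.startswith("127.")
        service, cleartext = PORT_TABLE.get(item.port, ("unknown", False))
        if not exposed:
            severity, why = "info", "bound to loopback only"
        elif cleartext:
            severity, why = "high", f"{service} sends credentials/data in cleartext"
        elif service == "unknown":
            severity, why = "review", "no well-known service on this port; confirm it is needed"
        else:
            severity, why = "medium", f"{service} reachable from the network; verify firewall, patching and authentication"
        findings.append({"proto": item.proto, "addr": item.addr, "port": item.port,
                         "process": item.process, "service": service,
                         "severity": severity, "why": why})
    return findings


# Constructed sample in `ss -tulnp` layout (not captured from a real host).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=990,fd=6))
tcp   LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1011,fd=4))
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1204,fd=21))
tcp   LISTEN 0      128    [::]:8081           [::]:*            users:(("java",pid=1337,fd=12))
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*         users:(("named",pid=700,fd=5))
"""

if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE)):
        print(f"{f['severity']:6} {f['proto']} {f['addr']}:{f['port']:<5} {f['process']:8} {f['why']}")
```

On a real host, pipe `ss -tulnp` into `parse_ss` instead of using SAMPLE. The MySQL listener bound to 127.0.0.1 is reported as informational, while the FTP and HTTP listeners on all interfaces come out as high because the protocol, not the port number, is what leaks credentials.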
Vulnerabilities of open ports
As mentioned at the outset, open ports enlarge the “attack surface”: each one is an opportunity for an attacker to find vulnerabilities, exploits, misconfigurations, and other weaknesses in whatever is allowed to communicate over that port.
It is not the open port itself that is the risk, but the software and infrastructure “listening” on that port. After all, the port and listener are simply the door. The technology behind the door is what leads to compromise. For example, Apache, NGINX, or Tomcat may be the web server listening for traffic on port 80/443, so attackers look for specific vulnerabilities in Apache, NGINX, or Tomcat (and in the applications they serve) to attack the environment.
Cleartext, unencrypted protocols also invite network “snooping”. An attacker positioned on the network path can capture traffic with a tool such as Wireshark and read passwords and other sensitive information transmitted in cleartext.
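To make the snooping risk concrete, here is an added Python example (not from the original article) that does what an attacker holding a packet capture would do: pull credentials out of reassembled client-to-server streams for FTP, POP3, IMAP and HTTP Basic authentication. The streams below are constructed for the example, not captured; the TLS stream on port 443 is included to show that an encrypted session yields nothing to the same parser.

```python
"""Recover credentials from cleartext protocol streams (added example)."""
import base64
import re

# Constructed client->server payloads, as they would appear after TCP reassembly
# of a capture (e.g. Wireshark's "Follow TCP Stream"). Not captured from a real network.
SAMPLE_STREAMS = [
    (21,  b"USER alice\r\nPASS s3cret!\r\nPWD\r\n"),
    (110, b"USER bob@example.com\r\nPASS winter2022\r\nSTAT\r\n"),
    (143, b"a001 LOGIN carol Pa55word\r\na002 SELECT INBOX\r\n"),
    (80,  b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
          b"Authorization: Basic ZGF2ZTpodW50ZXIy\r\n\r\n"),
    # First bytes of a TLS record (ClientHello): no readable commands or headers.
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
]


def extract_credentials(port: int, stream: bytes) -> list:
    """Return the credentials visible in one client->server stream.

    FTP (21) and POP3 (110) both log in with USER/PASS lines; IMAP (143) with a
    tagged LOGIN command; HTTP (80) with an Authorization header whose Basic
    value is only base64, not encryption. Telnet (23) sends keystrokes one at
    a time, so it needs per-byte reassembly and is left out of this example.
    """
    text = stream.decode("utf-8", errors="replace")
    found = []
    if port in (21, 110):
        user = re.search(r"^USER ([^\r\n]+)", text, re.M)
        pw = re.search(r"^PASS ([^\r\n]+)", text, re.M)
        if user and pw:
            found.append({"proto": "FTP" if port == 21 else "POP3",
                          "user": user.group(1), "password": pw.group(1)})
    elif port == 143:
        for m in re.finditer(r"^\S+ LOGIN (\S+) (\S+)", text, re.M):
            found.append({"proto": "IMAP", "user": m.group(1), "password": m.group(2)})
    elif port == 80:
        for m in re.finditer(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", text, re.M):
            try:
                user, _, pw = base64.b64decode(m.group(1)).decode("utf-8").partition(":")
            except (ValueError, UnicodeDecodeError):
                continue
            found.append({"proto": "HTTP Basic", "user": user, "password": pw})
    return found


def sweep(streams) -> list:
    """Run extraction over every (port, stream) pair and tag results with the port."""
    results = []
    for port, stream in streams:
        for cred in extract_credentials(port, stream):
            results.append({"port": port, **cred})
    return results


if __name__ == "__main__":
    for cred in sweep(SAMPLE_STREAMS):
        print(f"port {cred['port']:<4} {cred['proto']:10} {cred['user']}:{cred['password']}")
```

The same four logins carried over FTPS, POP3S, IMAPS or HTTPS would look like the port 443 sample to anyone on the path, which is the whole argument for retiring the cleartext variants.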
How to protect an open port
When it comes to protecting open ports, the first step is to expose only services whose protocols encrypt traffic, so that an attacker who captures network traffic cannot easily read sensitive information from it. Organizations also need to scrutinize every open port and decide whether it is necessary at all. As mentioned at the outset, any open port increases the attack surface and the potential for compromise through vulnerabilities, misconfiguration, and other factors.
Ports open to the Internet should sit behind a modern firewall or another filtering device that inspects the traffic reaching them, so that only communication that is legitimate for the technology listening on that port is allowed through and traffic with malicious intent is blocked.
Internet-facing services should also be segmented from your internal network in what is known as a DMZ or demilitarized zone. If an attacker compromises a service on an open port, it is easier to contain the malicious activity when that service is segmented from the rest of the network.
Services on open ports that authenticate with passwords require organizations to protect those passwords. Aside from never using cleartext protocols, this means strong password policies that prevent weak, breached, or easily guessable passwords.
Last, but perhaps most important, make sure the underlying technologies and systems listening and answering on the open port are fully patched, and apply security updates as soon as possible. Attackers routinely look for unpatched vulnerabilities in the service behind an open port. Alongside the measures above, regular auditing of open ports and enforcement of strong password policies round out the protection.
Strengthen passwords in your environment
Passwords are often used to authenticate users to services on open ports. Unfortunately, password-authenticated services are exposed to password guessing, reuse of breached passwords, and credential capture over cleartext protocols. What best practices need to be considered?
- Never use cleartext network protocols
- Audit open network ports
- Use strong password policies and breached password protection
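As an added illustration of the third point (this is example code, not Specops' product or its algorithm), the Python below checks a candidate password against a minimum length, a small dictionary with common character substitutions undone, and a breached-password set. The breached set is stored and queried the way the Pwned Passwords range lookup works: SHA-1 hashes indexed by their first five hex characters, so a lookup only needs the prefix and the password itself never leaves the host. The breached list, dictionary and minimum length are constructed assumptions for the example.

```python
"""Password policy check with breached-password lookup (added example)."""
import hashlib
from collections import defaultdict

MIN_LENGTH = 12                                   # assumed policy value
DICTIONARY = {"password", "welcome", "company", "summer", "winter", "letmein"}
# Common substitutions people use to slip past naive dictionary checks.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                        "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed "breach corpus". Real corpora ship as hashes, not passwords; these
# few plaintexts exist only so the example can build its index offline.
_LEAKED = ["Password1", "Winter2022!", "Welcome123", "qwerty123456"]


def build_range_index(plaintexts):
    """Index SHA-1 hashes by their first 5 hex chars (k-anonymity style, as in
    the Pwned Passwords range API): a client sends only the prefix and compares
    the returned suffixes locally."""
    index = defaultdict(set)
    for p in plaintexts:
        h = hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
        index[h[:5]].add(h[5:])
    return index


RANGE_INDEX = build_range_index(_LEAKED)


def is_breached(password: str, index=RANGE_INDEX) -> bool:
    """True if the password's SHA-1 suffix appears under its 5-char prefix."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in index.get(h[:5], set())      # only h[:5] would go over the wire


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    normalized = password.lower().translate(UNLEET)   # "P@ssw0rd" -> "password"
    for word in sorted(DICTIONARY):
        if word in normalized:
            problems.append(f"dictionary:{word}")
    if is_breached(password):
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123", "Winter2022!", "correct-horse-battery-staple-9"]:
        print(f"{candidate!r:35} -> {check_password(candidate) or 'ok'}")
```

Note that the breach check is deliberately exact-match on the hash: a corpus entry of "Winter2022!" says nothing about "Winter2023!", which is why the dictionary and substitution check runs alongside it.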
Specops Password Policy allows organizations to extend the native capabilities of Active Directory Password Policy and easily add breached password protection, along with features such as multiple password dictionaries and length-based aging.
Specops Password Auditor quickly shows the password risks in your environment and audits the password policies currently in use against industry best-practice recommendations, giving you visibility into whether existing policies meet those practices.
(Last updated on September 7, 2022)