logo

Handling Open Ports Secure and Finding Vulnerabilities

A port can be defined as a communication channel between two devices in computer networking. So, are there any security risks connected to them?

An unwanted open port can be unsafe for your network. Open ports can provide threat actors access to your information technology (IT) environment if not sufficiently protected or configured correctly. Case in point: in 2017, cybercriminals exploited port 445 to spread WannaCry ransomware.

So yes, in the age of increasing number of cyberattacks, open network ports are worth drawing your attention as they are particularly susceptible to be exploited by hackers.

What are the ways to detect and check open ports? Our guide outlining open ports discusses the risks of open ports, which open ports are safe, and ways to find open ports in your network. We’ll also share tips for ensuring port security.

What are open ports and which risks do they hold?

Ports are communication endpoints where network communications begin an end, thus all Internet communication depend on them. There are up to 65,535 of each of the two port types, UDP and TCP, that are included in every IP address. To understand better how ports are involved in the process of data sharing between devices read about Layer 3 and 4 of OSI/RM model.

What about the risks connected to open ports? Sadly, open ports give attackers an opportunity to exploit security holes in your system. While some network ports serve as a good access point for attackers, others serve as ideal exit points. Hackers are continuously looking for new ways to access to computers so they may install trojans, backdoors for future re-entry, and the botnet clients. The port may serve as their beginning point of network security breach.

What is more, Center for Internet Security (CIS) Critical Security Control 12 includes open ports as a substantial network infrastructure risk. That’s why it’s critical to disable open ports if you’re not using them. Besides CIS, other compliance regulators require you to detect and disable unwanted ports. These include:

Which open ports are safe and which are unsafe?

Knowing the definition of an open port, let’s look at which open ports are safe and which are unsafe.

Essentially, every open port is safe unless the services running on them are vulnerable, misconfigured, or unpatched. If that’s the case, cybercriminals can exploit the vulnerabilities of open ports. They’re especially likely to target:

  • Applications with weak credentials such as simple, repeated passwords
  • Old, unpatched software
  • Open ports that are not intended for public exposure, such as Windows’ Server Messages Block (SMB) protocol ports or Remote Desktop Protocol (RDP).
  • Systems that can’t lock out accounts from several failed logins

Which ports are commonly abused?

Although any port can be a potential target by threat actors, some ports are more likely to be targeted than others. These ports and their applications generally have shortcomings like lack of two-factor authentication, weak credentials, and application vulnerabilities.

The most commonly abused ports are:

  • FTP (Port 20 and 21):An insecure and outdated protocol, FTP doesn’t have encryption for data transfer or authentication. Cybercriminals can easily exploit this port through cross-site scripting, brute-forcing passwords, and directory traversal attacks.
  • SSH (Port 22): Often used for remote management, Port 22 is a TCP port for ensuring secure remote access to servers. Threat actors can exploit this port by using a private key to gain access to the system or forcing SSH credentials.
  • Telnet (Port 23): Telnet is a TCP protocol that lets users connect to remote devices. It’s vulnerable to spoofing, malware, credential brute-forcing, and credential sniffing.
  • SMTP (Port 25): Short for Simple Mail Transfer Protocol, SMTP is a TCP port for receiving and sending emails. It can be vulnerable to spoofing and mail spamming if not secure.
  • DNS (Port 53): This is used for zone transfers and maintaining coherence between the server and the DNS database. Threat actors often target this for amplified DDoS attacks.
  • TFTP (Port 69): Short for Trivial File Transfer Protocol, TFTP is used to send and receive files between users and servers. Since it’s a UDP port, it doesn’t require authentication, which means it’s faster but less secure.
  • NetBIOS (Port 139):  Primarily used for printer and file sharing, this legacy mechanism, when open, allows attackers to discover IP addresses, session information, NetBIOS names, and user IDs.
  • Ports 80 and 443: These are ports used by HTTP and HTTPS servers. Attackers often target these ports to expose server components.
  • SMB (Port 445): This port is open by default on Windows machines. Cybercriminals exploited this port in 2017 to spread WannaCry ransomware.
  • SQL Server and MySQL default ports (Ports 1433, 1434, and 3306):  These ports have previously distributed malware and were used for data exfiltration.
  • Remote Desktop (Port 3389): The Remote Desktop port is a common target to attack remote desktops. A recent example is the Remote Desktop Protocol Remote Code Execution Vulnerability from January 2022.

 

What are the ways to detect open ports in your network?

As you can see, attackers can exploit open ports in many ways. Fortunately, you can use port scanning to detect open ports in your network. Port scanning helps you determine which ports on a network are open and vulnerable to sending or receiving data. You can also send packets to specific ports and analyze responses to spot vulnerabilities.

There are several ways to detect open ports in your network:

Command-line tools – If you don’t mind doing things manually, consider using command-line tools like Netstat. On Windows, typing “netstat -a” will show all active TCP connections on your machine, including open ports. Another tool is Network Mapper or Nmap, which can be an add-on to many popular operating systems, including Linux and Windows. You can use Nmap to scan both external and internal domains, IP networks and IP addresses.

Port scanners – If you want faster results, consider using port scanners. It’s a computer program that checks if ports are open, closed or filtered. The process is simple: it transmits a network request to connect to a specific port and then captures the response.

Vulnerability scanners – These tools also help to discover open ports or those configured with default passwords.

What are the tips to ensure the ports’ security?

Besides using port scanning tools, you should also follow these rules to ensure port security:

  1. Conduct regular port scans – Conducting regular port scans will help you find problems as they appear. Regular monitoring will also show you which ports are the most vulnerable to attack to create a better defense plan.
  2. Services monitoring – It’s also important to focus on monitoring services, which allows gathering the details of running states of installed services and continuously tracking changes to service configuration settings. Services are vulnerable when they are unpatched or misconfigured. Using Netwrix Change Tracker, you can harden your systems by tracking unauthorized changes and other suspicious activities. In particular, it provides the following functionality:
    • Actionable alerting about configuration changes
    • Automatically recording, analyzing, validating and verifying every change
    • Real-time change monitoring
    • Constant application vulnerability monitoring
  1. Close all unused ports – By disabling ports you’re not using, you’ll be able to protect your data from attackers.
  2. Continuously carry out port traffic filtering – Port traffic filtering means blocking or allowing network packets into or out of your network based on their port number. It can protect you from cyber attacks associated with some ports. Most companies apply port traffic filtering to the most commonly vulnerable ports, such as port 20.
  3. Install firewalls on every host and patch firewalls regularly – Firewalls will also block threat actors from accessing information through your ports. Remember to patch firewalls regularly for maximum efficacy.
  4. Monitor open port vulnerabilities – Finally, you should monitor open port vulnerabilities. You can do this by:
    • Using penetration testing to simulate attacks through open ports:  Penetration testing allows you to check for ports vulnerable to such attacks.
    • Conducting vulnerability assessments:  Vulnerability assessment tools can protect your IT infrastructure by identifying which software or devices have opened ports and running tests for all known vulnerabilities.

FAQ

Are open ports safe?

They can pose a significant risk by providing a loophole for attackers to access applications in your system. To reduce your attack surface, you will need to regulate open ports.

How do I scan open ports on my IP?

To scan open ports on your IP, type “portqry.exe -n” in the Windows command line. Then, type your IP address.

Why is port monitoring necessary?

Cybercriminals can exploit open ports and protocols vulnerabilities to access sensitive. If you don’t constantly monitor ports, hackers may exploit vulnerabilities in these ports to steal and leak data from your system.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.