Networking Concepts

Ports

There are 65,536 TCP ports and 65,536 UDP ports in total. Those below 1024 are classified as “privileged”, and those from 1024 upward as “unprivileged”. Most servers use the privileged ports.

How these ports work

Only one server may listen on, or “bind” to, a given port at a time, though that server may well open multiple connections via that one port. Computers talk to each other via these “port” connections: one computer opens a connection to a port on another computer, and the two can then exchange data over the connection established between their respective ports.

Still not clear on how ports work? Let's look at an analogy.

Using a phone analogy, and stretching it a bit, think of calling a large organization with a complex phone system. The organization has many “departments”: sales, shipping, billing, receiving, customer service, R&D, etc. Each department has its own “extension” number. So the shipping department might be extension 21, sales might be extension 80, and so on. In this analogy the main phone number is the IP address, and the department's extension is the port. The department's extension is always the same when we call, and generally a department can handle many simultaneous incoming calls.

How data transmits

The data itself is contained in “packets”, which are small chunks of data, generally 1500 bytes or less each. Packets are used to control and organize the connection, as well as to carry data. There are different types of packets: some are used specifically for controlling the connection, and others carry our data as their payload. If there is a lot of data, it will be broken up into multiple packets, which is almost always the case. The packets are transmitted one at a time and then “re-assembled” at the other end. One web page, for instance, will take many packets to transmit, maybe hundreds or even thousands. This all happens very quickly and transparently.

A quick rundown of some commonly seen and used ports, with the commonly associated service name and a risk factor. All have some risk; it is just that some have historically had more exploits than others. That is the basis for the ratings below, and they are not to be read as a verdict on whether any given service is safe or not.

The following ports are ones we encounter regularly in day-to-day use.

1-19, assorted protocols, many of which are antiquated, and probably none of which are needed on a modern system. If you don’t know what any of these are, then you definitely don’t need them. The echo service (port 7) should not be confused with the common ping program. Leave all these off.

20 – FTP-DATA. “Active” FTP connections use two ports: 21 is the control port, and 20 is where the data comes through. Passive FTP does not use port 20 at all. Low risk, but see below.

21 – FTP server port, aka File Transfer Protocol. A well entrenched protocol for transferring files between systems. Very high risk, and maybe the number one crack target.

22 – SSH (Secure Shell), or sometimes PCAnywhere. Low to moderate risk (yes there are exploits even against so called “secure” services).

23 – Telnet server. For LAN use only. Use ssh instead in non-secure environments. Moderate risk.

25 – SMTP, Simple Mail Transfer Protocol, or mail server port, used for sending outgoing mail, and transferring mail from one place to another. Moderate risk. This has had a bad history of exploits, but has improved lately.

37 – Time service. This is the built-in inetd time service. Low risk. For LAN use only.

53 – DNS, or Domain Name Server port. Name servers listen on this port, and answer queries for resolving host names to IP addresses. High Risk.

67 (UDP) – BOOTP, or DHCP, server port. Low risk. If using DHCP on your LAN, this does not need to be exposed to the Internet.

68 (UDP) – BOOTP, or DHCP, client port. Low risk.

69 – tftp, or Trivial File Transfer Protocol. Extremely insecure. LAN only, if really, really needed.

79 – Finger, used to provide information about the system, and logged in users. Low risk as a crack target, but gives out way too much information and should not be run.

80 – WWW or HTTP standard web server port. The most commonly used service on the Internet. Low risk.

98 – Linuxconf web access administrative port. LAN only, if really needed at all.

110 – POP3, aka Post Office Protocol, mail server port. POP mail is mail that the user retrieves from a remote system. Low risk.

111 – sunrpc (Sun Remote Procedure Call), or portmapper port. Used by NFS (Network File System), NIS (Network Information Service), and various related services. Sounds dangerous and is high risk. LAN use only. A favorite crack target.

113 – identd, or auth, server port. Used, and sometimes required, by some older style services (like SMTP and IRC) to validate the connection. Probably not needed in most cases. Low risk, but could give an attacker too much information about your system.

119 – nntp or news server port. Low risk.

123 – Network Time Protocol for synchronizing with time servers where a high degree of accuracy is required. Low risk, but probably not required for most users. rdate makes an easier and more secure way of updating the system clock. And then inetd’s built in time service for synchronizing LAN systems is another option.

137-139 – NetBios (SMB) services. Mostly a Windows thing. Low risk on Linux, but LAN use only. 137 is a very commonly seen port attempt. A rather obnoxious protocol from Redmond that generates a lot of “noise”, much of which is harmless.

143 – IMAP, Interim Mail Access Protocol. Another mail retrieval protocol. Low to moderate risk.

161 – SNMP, Simple Network Management Protocol. More commonly used in routers and switches to monitor statistics and vital signs. Not needed for most of us, and low risk.

177 – XDMCP, the X Display Management Control Protocol for remote connections to X servers. Low risk, but LAN only is recommended.

443 – HTTPS, a secure HTTP (WWW) protocol in fairly wide use. Low risk.

465 – SMTP over SSL, secure mail server protocol. Low risk.

512 (TCP) – exec is how it shows in netstat. Actually the proper name is rexec, for Remote Execution. Sounds dangerous, and is. High risk, LAN only if at all.

512 (UDP) – biff, a mail notification protocol. Low risk, LAN only.

513 – login, actually rlogin, aka Remote Login. No relation to the standard /bin/login that we use every time we log in. Sounds dangerous, and is. High risk, and LAN only if really needed.

514 (TCP) – shell is the nickname, and how netstat shows it. Actually, rsh is the application, for “Remote Shell”. Like all the “r” commands, this is a throwback to kinder, gentler times. Very insecure, so high risk, and LAN only usage, if at all.

514 (UDP) – syslog daemon port, only used for remote logging purposes. The average user does not need this. Probably low risk, but definitely LAN only if really required.

515 – lp or print server port. High risk, and LAN only of course. Someone on the other side of the world does not want to use your printer for its intended purpose!

587 – MSA, or “submission”, the Mail Submission Agent protocol. A new mail handling protocol supported by most MTAs (mail servers). Low risk.

631 – the CUPS (print daemon) web management port. LAN only, low risk.

635 – mountd, part of NFS. LAN use only.

901 – SWAT, Samba Web Administration Tool port. LAN only.

993 – IMAP over SSL, secure IMAP mail service. Very low risk.

995 – POP over SSL, secure POP mail service. Very low risk.

1024 – This is the first “unprivileged” port, which is dynamically assigned by the kernel to whatever application requests it. This can be almost anything. Ditto for ports just above this.

1080 – Socks Proxy server. A favorite crack target.

1243 – SubSeven Trojan. Windows only problem.

1433 – MS SQL server port. A sometimes target. N/A on Linux.

2049 – nfsd, Network File Service Daemon port. High risk, and LAN usage only is recommended.

3128 – Squid proxy server port. Low risk, but for most should be LAN only.

3306 – MySQL server port. Low risk, but for most should be LAN only.

5432 – PostgreSQL server port. LAN only, relatively low risk.

5631 (TCP), 5632 (UDP) – PCAnywhere ports. Windows only. PCAnywhere can be quite “noisy”, and broadcast wide address ranges.

6000 – X11 TCP port for remote connections. Low to moderate risk, but again, this should be LAN only. Actually, this can include ports 6000-6009 since X can support multiple displays and each display would have its own port. ssh’s X11Forwarding will start using ports at 6010.

6346 – gnutella.

6667 – ircd, Internet Relay Chat Daemon.

6699 – napster.

7100-7101 – Some font servers use these ports. Low risk, but LAN only.

8000 and 8080 – common web cache and proxy server ports. LAN only.

10000 – webmin, a web based system administration utility. Low risk at this point.

27374 – SubSeven, a commonly probed-for Windows-only Trojan. Also 1243.

31337 – Back Orifice, another commonly probed-for Windows-only Trojan.

More services and corresponding port numbers can be found in /etc/services.
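As an added example (not part of the original article), the following Python script applies the risk notes above to `ss -tuln`-style output: it parses the listening sockets, marks privileged ports (below 1024) and wildcard bindings, and flags any service the article rates high risk or LAN-only that is reachable on every interface. The `SAMPLE` output and the subset of ports in the `RISK` table are constructed for this example.

```python
from dataclasses import dataclass

# (proto, port) -> (service, risk note), a constructed subset of the article's list.
# 512/514 are keyed by protocol because TCP and UDP carry different services there.
RISK = {
    ("tcp", 21):   ("ftp",    "very high"),
    ("tcp", 22):   ("ssh",    "low to moderate"),
    ("tcp", 23):   ("telnet", "moderate, LAN only"),
    ("tcp", 80):   ("http",   "low"),
    ("tcp", 111):  ("sunrpc", "high, LAN only"),
    ("tcp", 514):  ("rsh",    "high, LAN only"),
    ("udp", 514):  ("syslog", "low, LAN only"),
    ("tcp", 2049): ("nfsd",   "high, LAN only"),
    ("tcp", 3306): ("mysql",  "low, LAN only"),
    ("tcp", 6000): ("x11",    "low to moderate, LAN only"),
}
WILDCARDS = {"0.0.0.0", "[::]", "::", "*"}   # bound on every interface

# Constructed sample in the column layout printed by `ss -tuln`.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    [::]:80            [::]:*
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
"""

@dataclass
class Finding:
    proto: str; port: int; service: str; risk: str
    privileged: bool   # port below 1024, as the article defines it
    exposed: bool      # wildcard bind rather than loopback / a LAN address

def parse_listeners(ss_output):
    """Yield (proto, addr, port) per socket line; the header row is skipped."""
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] == "Netid":
            continue
        addr, _, port = f[4].rpartition(":")   # handles "[::]:80" and "*:22"
        yield f[0], addr, int(port)

def assess(ss_output):
    return [Finding(p, port, *RISK.get((p, port), ("unknown", "unlisted")),
                    privileged=port < 1024, exposed=addr in WILDCARDS)
            for p, addr, port in parse_listeners(ss_output)]

def needs_attention(f):
    """True when a high-risk or LAN-only service is listening on every interface."""
    return f.exposed and ("high" in f.risk or "LAN only" in f.risk)

if __name__ == "__main__":
    for f in assess(SAMPLE):
        print(f"{'CHECK' if needs_attention(f) else 'ok':5} {f.proto}/{f.port:<5} {f.service:7} {f.risk}")
```

Run against real output with `ss -tuln | python3 this_script.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; on the sample, only sunrpc on 0.0.0.0:111 and syslog on 0.0.0.0:514 are flagged.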
