Did you know that an organization with more open ports is more vulnerable to data breaches?
In the first, second, and third parts of the Are you listening to your logs? series, we saw how logs can be used to detect security and operational issues in a network. In this final post, we'll look at open ports and the security pitfalls that come with them.
Ports in your network
There are a total of 65,535 TCP and UDP ports, out of which 1,024 are the standard or “well-known” ports. Each of these ports is assigned a particular internet service by the Internet Assigned Numbers Authority. To access a service on a computer, a port connection request is sent to the associated port.
Ports can be found in three states: open, closed, or blocked. Depending on a port’s state, the computer responds to a port connection request in the following manner:
- Port open: The request is allowed to establish a connection.
- Port closed: The port is in use and cannot allow connections.
- Port blocked: No response is issued.
What is a port scan attack?
A port scan is an attack where the attacker sends requests to servers’ or workstations’ IP addresses, hoping to discover open ports and exploit vulnerabilities in the assigned service.
Port scan attacks are often part of a bigger cyberattack. Attackers use port scanning software to perform ping scans, SYN scans, FTP bounce scans, etc. Much of this activity goes unlogged by devices and firewalls, since such scans rely on TCP flags alone rather than full connections; this makes port scan attacks all the more difficult to detect. Many ransomware attacks that spread globally through lateral movement, such as WannaCry, NotPetya, Mirai, ADB.Miner, and PyRoMine, relied on exploitable open ports.
Here are a few of the most commonly exploited ports.
|Port number|Assigned service|Exploits|
|---|---|---|
|21 (TCP)|File Transfer Protocol (FTP)|This TCP port registered for FTP may be exploited to steal passwords, establish remote sessions, copy files, etc. Trojan horses are known to use this port for backdoor attacks.|
|23|Telnet|Telnet, one of the oldest internet protocols, is also the most exploited port. This service has multiple vulnerabilities that allow attackers to remotely access systems, assume complete system control, access admin credentials, perform a DoS attack, etc.|
|25 (TCP)|Simple Mail Transfer Protocol (SMTP)|SMTP can be used to establish spam relay servers, unleash mass-mailing worms, convert a system into a malicious proxy, and cause application crashes.|
|53 (TCP, UDP)|DNS|Being an essential part of the network, this port cannot be shut down. It is also rarely monitored owing to the huge amount of traffic on it. Attackers are known to use port 53 as an outbound channel in trojan attacks. Other possible attacks through this port include firewall bypass, server crashes, and DoS attacks.|
|80 (TCP)|Hypertext Transfer Protocol (HTTP)|HTTP is the most widely used protocol for web traffic. Multiple trojans, worms, and backdoor attacks have been carried out using this port.|
|1433 (TCP)|SQL Service|One of the most attacked ports, port 1433 faces attacks such as attackers brute-forcing the service password to gain complete remote control of the system.|
Finding open ports
The most straightforward fix for open-port exposure is to find the open ports and block the ones you do not need. One way to gain the perspective of an attacker is to perform a port scan against your own network. This is part of many pen testing procedures, which reveal how vulnerable your network is to exploit attempts.
It is also recommended to block all of a system's ports except the absolutely essential ones. Vulnerability scanners—which query and collect data about installed software, certificates, and other information—can help you find open ports, log related data, and observe port scan activity.
Further, all listening ports should be regularly monitored and assessed for vulnerabilities. Administrators should be aware of the most vulnerable ports in their network at any given time.
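One concrete way to "listen to your logs" for the scan activity described above is to watch for a single source hitting many distinct destination ports in a short window. The following detector is an added example, not code from the original article or from ManageEngine; it assumes iptables-style `kernel:` log lines, and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style firewall log lines (not from any real device):
# one source probing several ports within seconds, plus one benign client.
SAMPLE_LOG = """\
2024-03-01T10:00:01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=21 SYN
2024-03-01T10:00:01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
2024-03-01T10:00:02 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=23 SYN
2024-03-01T10:00:02 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=25 SYN
2024-03-01T10:00:03 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=80 SYN
2024-03-01T10:00:03 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=443 SYN
2024-03-01T10:00:04 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51006 DPT=1433 SYN
2024-03-01T10:00:05 kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
2024-03-01T10:00:09 kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) kernel: (?P<action>\w+) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

# Ports the article lists as the most commonly exploited.
HIGH_RISK_PORTS = {21, 23, 25, 53, 80, 1433}

def parse(log_text):
    """Extract (timestamp, source IP, destination port) from each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    return events

def detect_scans(events, window=timedelta(seconds=10), threshold=5):
    """Map source IP -> sorted distinct ports for any source that touches at least
    `threshold` distinct destination ports inside a sliding window of `window` length."""
    by_src = defaultdict(list)
    for ts, src, dpt in sorted(events):
        by_src[src].append((ts, dpt))
    alerts = {}
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            ports = {d for t, d in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[src] = sorted(ports)
                break
    return alerts

def high_risk_hits(alerts):
    """Narrow each alert down to the article's high-risk ports, for triage."""
    return {src: [p for p in ports if p in HIGH_RISK_PORTS] for src, ports in alerts.items()}
```

Running `high_risk_hits(detect_scans(parse(SAMPLE_LOG)))` flags 203.0.113.7 for probing 21, 23, 25, 80 and 1433, while the benign client that only ever reaches 443 stays quiet; tune `window` and `threshold` to your own traffic baseline.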
ManageEngine EventLog Analyzer analyzes vulnerability scanner data and consolidates it on a single dashboard. With numerous prebuilt reports, it gives you structured visibility into your network. It supports log data from vulnerability scanners such as Nessus, Qualys, OpenVAS, and Nmap, and also leverages port information from your logs so you can monitor port-based trends in your traffic and watch for suspicious activity.
** Optrics Inc. is an Authorized ManageEngine partner