Ports are numbers used by the TCP and UDP protocols to identify applications. Some applications use well-known port numbers, such as 80 for HTTP or 443 for HTTPS, while others use dynamic ports. An open port is one on which a system accepts incoming connections. Are there any security implications to having ports open? And are open ports a security risk you should address?
An open port does not by itself mean a security issue, but it does provide a pathway for attackers to the application listening on that port. There, attackers can exploit shortcomings such as weak credentials, missing two-factor authentication, or vulnerabilities in the application itself.
Ethical hacking and exploitation is a core expertise of our penetration testers and red team members. Our experts behave as intruders trying to hack into your network, servers, or workstations.
When exposed to the Internet, open ports can serve attackers as an initial attack vector. Furthermore, listening ports on a local network can be used for lateral movement. It is good practice to close unneeded ports, or at least to limit them to the local network. If remote workers need access to an application, provide it through a secure VPN.
Scanning tools used by both attackers and security professionals automate the detection of open ports. Many network-based IDS/IPS solutions, and even workstation-based endpoint security products, can detect port scanning. Port scanning originating from inside the local network is worth investigating, as it often indicates a compromised device. However, computers running some security solutions can generate false positives, because some security vendors include a port scanner in their products to detect vulnerable devices inside a home network.
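The detection described above, as an added example that is not part of the original article: a small analysis routine that reads firewall-style connection log lines (a constructed, syslog-like `SRC=/DST=/DPT=` format assumed here) and flags any internal host that touches many distinct ports on a single destination within a short window. The `KNOWN_SCANNERS` allowlist is a hypothetical list of authorised scanner appliances, illustrating the false-positive case the paragraph mentions.

```python
"""Flag port-scan-like behaviour in firewall connection logs.

Added example, not from the original article. Assumes a constructed log
format with one connection attempt per line:
    <ISO timestamp> SRC=<ip> DST=<ip> DPT=<port>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 probes ten ports on 10.0.0.20 in ten seconds
# (scan-like); 10.0.0.7 makes two ordinary web connections; 10.0.0.9 behaves
# like a scanner but is an authorised vulnerability-scanner appliance.
SAMPLE_LOG = """\
2024-01-10T09:00:01 SRC=10.0.0.5 DST=10.0.0.20 DPT=21
2024-01-10T09:00:02 SRC=10.0.0.5 DST=10.0.0.20 DPT=22
2024-01-10T09:00:03 SRC=10.0.0.5 DST=10.0.0.20 DPT=23
2024-01-10T09:00:04 SRC=10.0.0.5 DST=10.0.0.20 DPT=25
2024-01-10T09:00:05 SRC=10.0.0.5 DST=10.0.0.20 DPT=53
2024-01-10T09:00:06 SRC=10.0.0.5 DST=10.0.0.20 DPT=80
2024-01-10T09:00:07 SRC=10.0.0.5 DST=10.0.0.20 DPT=139
2024-01-10T09:00:08 SRC=10.0.0.5 DST=10.0.0.20 DPT=443
2024-01-10T09:00:09 SRC=10.0.0.5 DST=10.0.0.20 DPT=445
2024-01-10T09:00:10 SRC=10.0.0.5 DST=10.0.0.20 DPT=3389
2024-01-10T09:00:03 SRC=10.0.0.7 DST=10.0.0.20 DPT=80
2024-01-10T09:00:04 SRC=10.0.0.7 DST=10.0.0.20 DPT=443
2024-01-10T09:00:01 SRC=10.0.0.9 DST=10.0.0.21 DPT=21
2024-01-10T09:00:02 SRC=10.0.0.9 DST=10.0.0.21 DPT=22
2024-01-10T09:00:03 SRC=10.0.0.9 DST=10.0.0.21 DPT=23
2024-01-10T09:00:04 SRC=10.0.0.9 DST=10.0.0.21 DPT=25
2024-01-10T09:00:05 SRC=10.0.0.9 DST=10.0.0.21 DPT=53
2024-01-10T09:00:06 SRC=10.0.0.9 DST=10.0.0.21 DPT=80
2024-01-10T09:00:07 SRC=10.0.0.9 DST=10.0.0.21 DPT=139
2024-01-10T09:00:08 SRC=10.0.0.9 DST=10.0.0.21 DPT=443
2024-01-10T09:00:09 SRC=10.0.0.9 DST=10.0.0.21 DPT=445
2024-01-10T09:00:10 SRC=10.0.0.9 DST=10.0.0.21 DPT=3389
"""

# Hypothetical allowlist: hosts that are expected to scan (e.g. an internal
# vulnerability scanner). Anything else scanning the LAN deserves a look.
KNOWN_SCANNERS = frozenset({"10.0.0.9"})


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["SRC"], fields["DST"], int(fields["DPT"])


def detect_port_scans(log_text, min_ports=10, window_seconds=60, allowlist=frozenset()):
    """Return {(src, dst): sorted distinct ports} for every source that hits at
    least `min_ports` distinct ports on one destination within `window_seconds`.
    Sources in `allowlist` are skipped to suppress known-scanner noise."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))

    alerts = {}
    for (src, dst), evs in events.items():
        if src in allowlist:
            continue
        evs.sort()  # order by timestamp so a sliding window can be applied
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[(src, dst)] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG, allowlist=KNOWN_SCANNERS).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```

The window and threshold are the knobs that trade sensitivity for noise: a slow scan that spreads probes over hours will not trip a 60-second window, while a chatty legitimate host can trip a low threshold, so both values should be tuned against a baseline of normal traffic before alerts are acted on.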
Commonly Abused Ports
- Port 20,21 – FTP. An outdated and insecure protocol that uses no encryption for either data transfer or authentication.
- Port 22 – SSH. Typically, it is used for remote management. While it is generally considered secure, it requires proper key management.
- Port 23 – Telnet. A predecessor to SSH that is no longer considered secure and is frequently abused by malware.
- Port 25 – SMTP. If not properly secured, it can be abused for spam e-mail distribution.
- Port 53 – DNS. Very often used for amplification DDoS attacks.
- Port 139 – NetBIOS. Legacy protocol primarily used for file and printer sharing.
- Ports 80,443 – Used by HTTP and HTTPS. HTTP servers and their various components are highly exposed and are frequently the entry point for attacks.
- Port 445 – SMB. Provides file and printer sharing. Exploited in the 2017 WannaCry attack.
- Ports 1433,1434, and 3306 – SQL Server and MySQL default ports, used for malware distribution.
- Port 3389 – Remote Desktop. Targeted through vulnerabilities in remote desktop protocols as well as weak user authentication. Remote desktop vulnerabilities are commonly used in real-world attacks, the most recent example being the BlueKeep vulnerability.
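As an added example (not code from the original article) tying the advice above about limiting ports to the local network to the list of commonly abused ports: an audit routine that parses listening-socket output in the column layout of Linux `ss -lntu` and reports every listener that is reachable beyond loopback, labelling it with the article's port list and with whether it is bound to all interfaces or only to a private LAN address. The `ss` sample below is constructed; on a real host the same function would be fed the output of `ss -lntu` instead.

```python
"""Audit listening sockets against the commonly abused port list.

Added example, not from the original article. Parses text in the column
layout of `ss -lntu`; the sample below is constructed, not captured.
"""
import ipaddress

# Ports from the article's list, with a short label for the report.
COMMONLY_ABUSED = {
    20: "FTP data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
    80: "HTTP", 139: "NetBIOS", 443: "HTTPS", 445: "SMB",
    1433: "SQL Server", 1434: "SQL Server browser", 3306: "MySQL", 3389: "RDP",
}

# Constructed sample in `ss -lntu` layout: a mix of loopback-only,
# LAN-only and all-interface listeners.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    [::]:445            [::]:*
tcp   LISTEN 0      128    192.168.1.10:3389   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
"""


def parse_ss(ss_output):
    """Yield (proto, ip_address, port) for each listener line of `ss -lntu` output."""
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        # "[::]" -> "::", "127.0.0.53%lo" -> "127.0.0.53", "*" -> wildcard
        addr = addr.strip("[]").split("%")[0]
        if addr == "*":
            addr = "0.0.0.0"
        yield proto, ipaddress.ip_address(addr), int(port)


def classify_bind(ip):
    """Describe how widely a bind address exposes the socket."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:        # 0.0.0.0 or :: -> every interface
        return "all-interfaces"
    if ip.is_private:            # RFC 1918 / ULA -> local network only
        return "lan"
    return "public"


def audit_listeners(ss_output):
    """Return (proto, port, bind_class, label) for every listener that is
    reachable from beyond the host itself."""
    findings = []
    for proto, ip, port in parse_ss(ss_output):
        bind = classify_bind(ip)
        if bind == "loopback":
            continue  # only local processes can reach it; not a network exposure
        findings.append((proto, port, bind, COMMONLY_ABUSED.get(port, "unlisted")))
    return findings


if __name__ == "__main__":
    for proto, port, bind, label in audit_listeners(SAMPLE_SS):
        print(f"{proto}/{port:<5} {bind:<15} {label}")
```

A listener that shows up as `all-interfaces` on a host with a public address is exactly the case the article warns about; the fix is to bind the service to a loopback or LAN address, or to filter the port at the host firewall, rather than to move it to a non-standard port.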
While using non-standard ports can slow down attacks, it is not an effective security measure. Modern scanners can detect applications running even on non-standard ports.
So, are open ports a security risk? The important thing is to understand the risks of running a network application. An open port is not in itself a vulnerability, but vulnerability management and strong credentials are necessary to prevent attacks. Rapid patching of network applications is especially important.