How to Protect TCP and UDP Ports and Why Some Are Dangerous

In the transport layer of the TCP/IP model we have two protocols: TCP and UDP. Both are constantly used by application layer programs and protocols, for example ports 80 and 443 for browsing the web, port 22 for the SSH protocol, or the popular port 1194 for OpenVPN VPNs. Some of these ports are quite dangerous if we do not filter them correctly with a firewall, because attackers could use them to carry out different types of attacks and even compromise our equipment. In this article we are going to show you which ports we must protect most carefully to avoid problems.

TCP and UDP Ports

What are TCP and UDP ports?

TCP and UDP are the transport layer protocols used for end-to-end communication between two hosts; the ports are part of the TCP segment or UDP datagram and are needed for the communication to be established correctly. We could say that the “ports” are something like the “doors” to a certain service, regardless of whether we use TCP or UDP, since both protocols make use of ports. The ports themselves are not dangerous: a port is a port, and it does not matter whether it is port 22 or port 50505. What matters most is the use that is given to a port. The dangerous thing is to have a port open to an application layer service that is not protected, because anyone could connect to that service and exploit vulnerabilities or compromise us directly. Of course, if we expose a port to the Internet it is always necessary to control the traffic with an IDS/IPS to detect possible attacks, and to keep the program that is listening on that port updated.

In both TCP and UDP we have a total of 65535 ports available, and they are classified depending on the port number. Some ports are commonly called “well-known” and are reserved for specific applications, although there are many other ports that are commonly used by different software to communicate both on a local network and over the Internet. We also have registered ports and ephemeral ports.

Well-known ports

Well-known ports range from port 0 to 1023 and are registered and assigned by the Internet Assigned Numbers Authority (IANA). For example, this list of ports includes port 20 for FTP-Data, port 21 for FTP-Control, port 22 for SSH, port 23 for Telnet, ports 80 and 443 for web (HTTP and HTTPS respectively), and also the mail ports, among many other application layer protocols.

Registered ports

Registered ports range from port 1024 to port 49151. The main difference with these ports is that organizations can ask the IANA to grant them a certain port by default, and it will be assigned for use with a specific application. These registered ports are reserved, and no other organization will be able to register them again; however, they are usually considered “semi-reserved”, because if the organization stops using a port, it can be reused by another company. A clear example of a registered port is 3389, used for Remote Desktop (RDP) connections in Windows.

Ephemeral ports

These ports range from 49152 to 65535. This range is used by client programs, and the ports are constantly being reused. It is typically used as the source port when a device connects to a well-known or registered port on another device, for example a web server or a passive-mode FTP server. When we visit a website, the destination port will always be 80 or 443, but the source port (so that the data knows how to return) is an ephemeral port.

What ports should I especially protect?

All ports that are used to establish remote communications, whether for file sharing, remote control via console, remote desktop applications, email or other services that are susceptible to attacks, must be adequately protected. Next, you have a list of ports (TCP unless stated otherwise) that you must protect especially, and close whenever you are not going to use them, because in the future they may end up in use while we have forgotten to protect them properly.

  • Port 21: used by the FTP file transfer protocol.
  • Port 22: used by the SSH protocol to manage computers remotely.
  • Port 23: used by the Telnet protocol to manage computers remotely (insecure).
  • Ports 80, 8080, 8088, 8888 and 443: we should close all web-oriented ports if we do not have a web server, and if we do, we should monitor it properly to mitigate possible web attacks such as SQL injection, XSS and others.
  • Port 4444: this port is usually used by Trojans and malware in general; it is advisable to always keep it blocked.
  • Ports 6660-6669: these ports are used by the popular IRC; if we don’t use them, we should not open them.
  • Port 161 UDP: used by the SNMP protocol to view the configuration of and manage different equipment such as routers, switches and servers. It is advisable to close it if you are not going to use it.
  • Port 53 UDP: the port used by the DNS protocol; this port can be abused to exfiltrate information inside the DNS requests themselves.

Of course, the ports we have explained are only the most basic ones, but we must always follow the policy of blocking everything except what is in use; in this way, we will not forget to close the different ports. If we block everything (except what is in use and allowed), we will have a highly protected system, since an open port is the first step for an intrusion.

How should I protect the ports properly?

By default all ports should be closed, unless you are using a certain service and have to open it. It is very important to always expose the smallest possible number of local services, since the attack surface will be smaller. Firewalls allow us to close all ports by default and open only the ones we need.
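The default-deny policy described above, written as an added example for this article (not code from the original post): a small shell function that emits an nftables ruleset which drops everything on the input hook except loopback traffic, replies to connections we opened ourselves, ICMP, and the TCP/UDP ports passed in. The port lists "22 443" and "1194" are assumptions taken from the article's own examples; load the result with `nft -f -`.

```shell
#!/bin/sh
# Added example: generate a default-deny nftables ruleset that admits only
# the listed TCP/UDP ports. Usage: gen_ruleset "22 443" "1194" | nft -f -
# Note: "flush ruleset" replaces any existing tables atomically.

# Turn "22 443" into the nft anonymous-set literal "{ 22, 443 }"
to_set() {
    printf '{ %s }' "$(printf '%s' "$1" | tr -s ' ' ',' | sed 's/,/, /g')"
}

gen_ruleset() {
    tcp_ports=$1   # space-separated TCP ports to allow (may be empty)
    udp_ports=$2   # space-separated UDP ports to allow (may be empty)
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        # Default deny: anything not matched below is dropped
        type filter hook input priority 0; policy drop;
        # Loopback, and replies to connections this host opened
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Keep ping, path-MTU discovery and IPv6 neighbour discovery working
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
EOF
    # Only the services we intend to expose get an accept rule
    [ -n "$tcp_ports" ] && printf '        tcp dport %s accept\n' "$(to_set "$tcp_ports")"
    [ -n "$udp_ports" ] && printf '        udp dport %s accept\n' "$(to_set "$udp_ports")"
    cat <<EOF
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Example: expose SSH and HTTPS over TCP and OpenVPN over UDP
gen_ruleset "22 443" "1194"
```

Test a generated ruleset with `nft -c -f file` before loading it; the `established,related` rule is what keeps an existing SSH session alive when the policy switches to drop.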

It is essential that the software which opens a TCP or UDP socket is up to date; it is of little use to have all the ports closed except one if the service running on that port is not updated and has security flaws. For this reason it is so important to update all the software, and it is always recommended to use software that is still maintained, so that it keeps receiving updates.

If authentication is required to access a certain service, the credentials must be strong; if possible, use digital certificates or SSH keys (if you are going to authenticate on an SSH server). For example, it is always advisable to close Telnet port 23, because it is an insecure protocol, and therefore it is better not to use it under any circumstances.

It is highly recommended to monitor which TCP and UDP ports are in use, to detect possible intrusions or infection by Trojans. It is important to investigate any strange traffic, or ports that are open when they shouldn’t be. It is also very important to know how a certain service (listening on a certain port) behaves under normal use, in order to identify unusual behaviour.
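The check described above, as an added example that is not part of the original article: a shell function that compares the sockets a host is actually listening on (the output of `ss -tulnH`) against the list of services we intend to expose, and reports anything else. The `ss` output below is constructed for the example, and the "proto/port" allowlist format is this example's own convention.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on our allowlist.
# Run against a live host with: audit_listeners "$(ss -tulnH)" "tcp/22 tcp/443"

# Constructed sample of `ss -tulnH` output (Netid State Recv-Q Send-Q Local Peer)
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 511 *:443           *:*
tcp   LISTEN 0 5   0.0.0.0:23      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5432  0.0.0.0:*
tcp   LISTEN 0 10  0.0.0.0:4444    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161     0.0.0.0:*
udp   UNCONN 0 0   [::1]:53        [::]:*'

# audit_listeners <ss output> <allowlist "tcp/22 tcp/443 ...">
# Prints UNEXPECTED for network-reachable sockets not on the allowlist and
# LOCAL-ONLY for loopback-bound ones (not reachable remotely, still worth a look).
audit_listeners() {
    allow=" $2 "
    printf '%s\n' "$1" | awk '
        NF >= 5 {
            n = split($5, a, ":")            # the port is the last ":"-field
            port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            print $1 "/" port, addr
        }' | while read -r key addr; do
        case "$allow" in
            *" $key "*) ;;                   # an intended, allowed service
            *)  case "$addr" in
                    127.*|"[::1]") echo "LOCAL-ONLY $key on $addr" ;;
                    *)             echo "UNEXPECTED $key on $addr" ;;
                esac ;;
        esac
    done
}

# Usage: on this host only SSH and HTTPS are meant to be exposed
audit_listeners "$SAMPLE_SS" "tcp/22 tcp/443"
```

On the sample data this reports Telnet (23), the malware-associated port 4444 and SNMP (161) as UNEXPECTED, and the loopback-only PostgreSQL and DNS listeners as LOCAL-ONLY; running it from cron and diffing against the previous result turns it into a simple change alert.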

Finally, in addition to using firewalls to close all the ports we do not use, it is also highly recommended to use an IDS/IPS to detect strange behaviour at the network level, and it is even advisable to install an IDS on our own PC, so that it detects any anomaly.