Generally, most tasks do not require opening a port on the router. For some specific tasks, however, it is essential: for a program or game to work correctly we may need to open some ports so that they are reachable from the Internet. This must be done with great care, because cybercriminals scan ports looking for ways to carry out their attacks. Here we explain whether a virus can get in if you open ports, and how to open them correctly.
Things to keep in mind about ports
Before addressing whether you can catch a virus by opening ports, let us clarify a few concepts. A router has 65536 ports, numbered from 0 to 65535. The entity with the most to say on this matter is IANA, the Internet Assigned Numbers Authority, which oversees the global allocation of IP addresses, autonomous system numbers, the DNS root servers and other resources related to Internet protocols. IANA divides the ports into three groups, each with a different function:
- Well-known ports, from 0 to 1023, are reserved for the operating system of our computer and the most important protocols. Some examples are port 21 for FTP, 23 for Telnet and 80 for HTTP.
- Registered ports, from 1024 to 49151, can be used by any application, although IANA publishes a list on its website where the protocol registered for each one can be looked up.
- Dynamic or private ports, from 49152 to 65535, are assigned dynamically to client applications when they initiate a connection. P2P download clients, for example, use this range.
Correctly open router ports
Before starting, one important point: at the transport layer of the TCP/IP model there are two protocols, TCP and UDP, and ports can be opened for either of them.
With that in mind, some recommendations to avoid problems when opening ports:
- Be clear about the local IP to which the ports will be forwarded. A good measure is to make that address static, either in the Windows TCP/IP settings or in the router configuration. Otherwise, with DHCP set to automatic, the computer may receive a different local IP next time and the forwarding will stop working.
- Set the proper port. Sometimes a specific port is required for the service to work; the well-known ports from the previous section are one example, and if we want to set up a web server to host a website we will use port 80. When we are free to choose the port, we should choose it carefully.
- Sometimes the port number alone is not enough. Depending on the router, you will also have to specify whether the rule applies to TCP or UDP.
To open ports for a Windows PC, start by running the command ipconfig /all in a Command Prompt window.
From its output we need two values: the default gateway, which is the IP of our router and the address we will use to reach its settings, and the IPv4 address, which is the local IP to which we are going to forward the ports.
Next, enter the router's IP in the browser and log in with the username and password to reach the router's configuration. Then look for a section usually called NAT, Virtual Server or Port Forwarding and follow the recommendations given above.
If you want more detailed information, here is a tutorial on opening the TCP/UDP ports of any router.
Can I get a virus if I open the ports of my router?
Opening a port can be dangerous, mainly because at any moment a vulnerable service may be listening on it, which leaves us exposed. To avoid being attacked through an open port whose service has a vulnerability that can be exploited, it is very important to follow these tips:
- Do not open any port at random; make sure the service listening behind it has no known vulnerability, and always keep the software updated to the latest version.
- Keep the port range as small as possible. The fewer possibilities we give attackers, the better.
- It is safer to open ports manually than automatically through UPnP, because you almost certainly have connected clients you are not aware of that use UPnP to open ports on their own.
One reason for this is that search engines such as Shodan show the open ports of different services, and can even tell whether a service is running behind a given port.
For that reason, to improve our security we should avoid using certain ports unless we actually need that service. For example, port 21 for FTP, 22 for SSH, 23 for Telnet and 80 for a web server are well-known ports and will be the first to show up in a port scan. Even if you do use FTP or SSH, it is advisable to change the listening port to something other than the default.
Here are the most dangerous TCP and UDP ports, which we recommend not using unless you specifically need them. If we open only the strictly necessary ports, we will have a better protected system. Remember that the more open ports we have, the more attack possibilities we give to cybercriminals.
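As an added illustration that is not part of the original article, the following Python script audits a list of planned port-forwarding rules against the advice above: it classifies ports into the three IANA groups, flags ranges wider than needed, the well-known ports named in this section (21, 22, 23, 80), a destination that is not a private LAN address, and rules created automatically by UPnP. The ForwardRule fields and the MAX_RANGE threshold are assumptions of the example, not settings of any real router.

```python
import ipaddress
from dataclasses import dataclass

def port_class(port: int) -> str:
    """IANA port class as the article describes them (caller validates the range)."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

# Well-known services the article names as the first hits in a port scan.
SCAN_MAGNETS = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP"}
MAX_RANGE = 10  # constructed threshold: anything wider is flagged as too broad

@dataclass
class ForwardRule:               # hypothetical shape of one planned forwarding rule
    proto: str                   # "TCP" or "UDP"
    first: int                   # first external port
    last: int                    # last external port (equal to first for one port)
    internal_ip: str             # LAN host that will receive the traffic
    source: str = "manual"       # "manual" or "upnp"

def audit_rule(rule: ForwardRule) -> list[str]:
    """Return findings for one rule; an empty list means no concerns."""
    for p in (rule.first, rule.last):
        if not 0 <= p <= 65535:
            return [f"port {p} is outside 0-65535"]
    if rule.first > rule.last:
        return ["port range is reversed"]
    findings = []
    if rule.proto.upper() not in ("TCP", "UDP"):
        findings.append(f"protocol must be TCP or UDP, got {rule.proto!r}")
    width = rule.last - rule.first + 1
    if width > MAX_RANGE:
        findings.append(f"{width} ports is wider than {MAX_RANGE}; open only what is needed")
    if port_class(rule.first) == "well-known":
        findings.append("range includes well-known ports (0-1023) reserved for core services")
    for p, svc in SCAN_MAGNETS.items():
        if rule.first <= p <= rule.last:
            findings.append(f"port {p} ({svc}) is an early port-scan target; move or close it")
    try:
        if not ipaddress.ip_address(rule.internal_ip).is_private:
            findings.append(f"{rule.internal_ip} is not a private LAN address")
    except ValueError:
        findings.append(f"{rule.internal_ip!r} is not a valid IP address")
    if rule.source.lower() == "upnp":
        findings.append("rule was opened automatically by UPnP; recreate it manually if needed")
    return findings
```

Run audit_rule over each rule you plan to add (or over the rules already present in the router's NAT table) and open only those that come back with no findings.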