[nzlug] How dangerous are open ports
Mark Foster
blakjak at blakjak.net
Thu Sep 7 21:07:53 NZST 2006
On Thu, 7 Sep 2006, Johnathan wrote:
> I have a rudimentary understanding of how ports work. How they are used to
> allow various services/protocols on the internet to communicate with our
> computer software (e.g. HTTP, FTP, SSH etc).
>
> What I don't understand is what is preventing a would-be intruder from
> scanning my ip address and detecting my open port, say on port 22 when I'm
> SSH'ing. How difficult would it be then for said intruder to get into my
> computer through that open port (assuming here that they've found it open)??
>
> Even with a firewall, which would stealth ports, the ports are still to be
> opened when the services are started, so what would prevent someone from
> doing what I described above?
>
> And without a firewall, are the ports always open waiting for the services to
> be started (and equivalently waiting for an intruder to get in)?
>
> Can someone with more knowledge about networking (I'm guessing that's
> everyone else on this list :p), offer an explanation to the paranoidly insane
> please?
If you have a service running, it occupies a port... that port cannot then
be 'stealth' (unless the service has some stealthy characteristics). It
can be firewalled in the form of a filter (inbound connections must meet
some parameter - usually source IP limitations).
To secure your system and leave it usable the rules would be:
- Block All ports.
- Allow those required for the services you intend to run.
- The daemons tied to your services must be kept up-to-date. For every
port you open, every service you run - you create a means by which someone
may be able to get into your system. Your security then comes from the
knowledge that the daemon you're running (sshd as an example) is secure.
If you were running, say, telnetd - you'd need to know your telnet server
didn't have any vulnerabilities. And you'd still be screwed by the fact
that it's a plain-text protocol, easily sniffed.
As to what's on and what's not by default, this depends on your distro; it
was not unusual for a system to be 'wide open' back in the day. One of
your first acts should be to verify that all ports not required by
services you're actually using are secured - by disabling services you
don't need, and then firewalling.
And if you can limit inbound connectivity through an ACL (Access Control
List) - say, for example, that only users within a certain netblock can
come in on port 22/tcp (SSH) - then you've further protected the SSH
Daemon from people who might try to break in somehow.
My personal thoughts, and I don't profess to be an expert.
Oh, and one final thing: Consider the choice between silently
dropping inbound connections and actively rejecting them. By being
silent, you make it harder for people to even know you are there, or to
find out about your host. An active rejection will mean that people will
quickly get a 'refused' response, but it does confirm to the attacker that
you are there, and may even tell the clueful amongst them more about your
system than you'd prefer.
Mark.
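An added example, not from Mark's post or the list: his rules (block everything, allow only what you run, limit 22/tcp to a netblock, then choose drop or reject for the rest) written as an nftables ruleset, plus a small helper to see which TCP ports are really listening. The netblock 203.0.113.0/24 and the sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): Mark's rules as an nftables
# ruleset, plus a helper to see which ports are really listening.
# The trusted netblock (203.0.113.0/24, a documentation range) is constructed.

# Emit the ruleset text. It is not applied here; to apply it as root:
#   build_ruleset 203.0.113.0/24 drop | nft -f -
build_ruleset() {
    netblock="$1"                 # who may reach 22/tcp (the ACL)
    case "$2" in                  # what everyone else gets
        reject) last='reject with icmpx type port-unreachable' ;; # confirms you exist
        *)      last='drop' ;;                                   # silent
    esac
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept   # replies to our own connections
        ct state invalid drop
        iif lo accept                          # local services need loopback
        ip protocol icmp accept                # path MTU, echo, etc.
        ip6 nexthdr icmpv6 accept
        ip saddr $netblock tcp dport 22 accept # SSH only from the netblock
        $last                                  # everything else
    }
}
EOF
}

# Read 'ss -Hltn' output on stdin and print the listening TCP ports, one per
# line, so you can compare them with the services you actually intend to run.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# Usage on a live host: ss -Hltn | listening_ports
```

Anything `listening_ports` reports that is not in your intended list is a daemon to disable or a port the ruleset must keep closed.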