[nzlug] How dangerous are open ports
Matt Brown
matt at mattb.net.nz
Thu Sep 7 22:07:18 NZST 2006
Johnathan wrote:
> I have a rudimental understanding of how ports work. How they are used
> to allow various services/protocols on the internet to communicate with
> our computer software (e.g. HTTP, FTP, SSH etc).
A port is the second part of an address used to talk to your computer,
the first part is your IP address. Together the port and IP form a tuple
that uniquely identifies a particular application (process) that is
running on your computer.
> What I don't understand is what is preventing a would-be intruder from
> scanning my ip address and detecting my open port, say on port 22 when
> I'm SSH'ing. How difficult would it be then for said intruder to get
> into my computer through that open port (assuming here that they've
> found it open)??
An attacker can only connect to port 22 on your computer if you are
running an SSH daemon that has placed the port into the LISTEN state.
This is true for all ports.
Simply starting an SSH connection to another machine will not open port
22 on your computer to incoming SSH connections. In fact if you're just
SSHing to another machine you're almost certainly not using port 22 on
your machine at all. When your ssh client starts its outbound
connection it is allocated an "ephemeral" port by Linux which is usually
in the range from 32768-6100 (see /proc/sys/net/ipv4/ip_local_port_range).
If you are running an ssh server (typically sshd) then that daemon will
put port 22 into the LISTEN state in which case anyone can initiate a
connection to your machine (assuming the firewall allows it). At this
point you begin to rely on the security of the application listening on
the port to stop unauthorised access to your system.
> Even with a firewall, which would stealth ports, the ports are still to
> be opened when the services are started, so what would prevent someone
> from doing what I described above?
I think the distinction between a port used for an outgoing connection
and a port that is LISTENing answers this.
> And without a firewall, are the ports always open waiting for the
> services to be started (and equivalently waiting for an intruder to get
> in)?
If there is nothing listening on a port the operating system will return
an ICMP connection refused error to any incoming packets.
See Mark's email for more suggestions about how to secure ports and
applications once you've decided to run a daemon and have the port in
the LISTENing state.
HTH.
Cheers
--
Matt Brown
matt at mattb.net.nz
Mob +64 21 611 544 www.mattb.net.nz
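The distinction Matt draws (a LISTENing port versus the ephemeral port an outbound connection gets, and "connection refused" when nothing listens) can be watched on your own machine. This is an added example written for this archive page, not code from either mail; it uses a throwaway listening socket on loopback as a stand-in for sshd and reads the ephemeral range from the /proc file named above, falling back to the IANA default where that file does not exist.

```python
import socket
from pathlib import Path

def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP-connect to host:port and classify how the kernel answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # something had the port in LISTEN
        except ConnectionRefusedError:
            return "refused"       # nothing listening: the kernel sent a TCP RST
        except OSError:
            return "filtered"      # no answer at all, e.g. a firewall that DROPs

def ephemeral_range() -> tuple:
    """Linux's ephemeral port range; IANA default on systems without /proc."""
    p = Path("/proc/sys/net/ipv4/ip_local_port_range")
    if p.exists():
        lo, hi = p.read_text().split()
        return int(lo), int(hi)
    return 49152, 65535

def demo() -> dict:
    # Stand-in for a daemon such as sshd: a socket placed in LISTEN on loopback.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # port 0: let the kernel pick a free one
    srv.listen(1)
    listen_port = srv.getsockname()[1]
    # Find a loopback port with nothing listening by binding one and releasing it.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    # Outbound connection: the client side is given an ephemeral local port,
    # not the server's port, so connecting out opens nothing for inbound use.
    cli = socket.create_connection(("127.0.0.1", listen_port))
    conn, _ = srv.accept()
    local_port = cli.getsockname()[1]
    lo, hi = ephemeral_range()
    result = {
        "listening_port": probe("127.0.0.1", listen_port),
        "closed_port": probe("127.0.0.1", closed_port),
        "client_port_is_ephemeral": lo <= local_port <= hi,
        "client_port_equals_server_port": local_port == listen_port,
    }
    for s in (conn, cli, srv):
        s.close()
    return result

if __name__ == "__main__":
    print(demo())
```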