Open TCP/IP ports on your servers can be an invitation to hackers, especially if they're well-known ports such as 21 (FTP), 80 (HTTP), and 25 (SMTP). Many Trojans also monitor certain ports that are often unused (and therefore often unmonitored by admins), allowing intruders to take advantage of these ports as well, if they are open.
In response to a recent article on TCP/IP filtering, many IT professionals expressed concerns about determining which ports to leave open and which to close. It's a dilemma that could leave networks open to attacks, but the tips and resources members presented in response to these concerns offer valuable insights that can help you better secure your networks.
Knowing what's open
Before you can shut down the ports that represent vulnerabilities, you have to know what's open and which applications monitor which ports. Inexperienced admins may be unfamiliar with many of the issues involved in TCP/IP filtering.
One TechRepublic member, for example, wrote that as an inexperienced server admin, he wasn't sure which ports should be left open.
"My [Windows 2000] box acts as a central share repository, so I've got some shared folders and CD units. It also [serves as] a simple Web [server]."
The member wanted to know what ports besides port 80 should be left open and specifically, which ports the Windows shares use.
In response to this question members suggested a variety of tools that can scan ports and extract usage information. Member Michael Schaeffner, for example, suggested using Ethereal to analyse traffic on the network. In terms of simply gathering information on ports, however, Ethereal may not be the friendliest tool for the inexperienced admin. MasterYoda pointed out that the information Ethereal displays isn't easy to decipher unless you have a firm understanding of the product and the underlying networking technologies.
Other members suggested using Foundstone tools, such as SuperScan, which is free to download. Member bigaldepr mentioned another Foundstone tool, Vision, which can identify "PID number, process name, port, and protocol". Bigaldepr also agreed that Foundstone's SuperScan is useful.
"[It] can be configured to ping all addresses in a range on the network and then check for open ports according to a pick list on each machine that replies."
In addition to Vision and SuperScan, Foundstone offers Fscan, which can be run with various switches from the command line to filter and organise the scan results. And for simply determining which applications are associated with which port numbers, Fport is handy. It's simple to use and presents straightforward information that isn't bogged down with unnecessary detail. For more information or to download Fport, visit this page on Foundstone's site.
Another member suggested simply using NETSTAT to view data on ports in use. When run with the -a switch, NETSTAT displays a list of all listening ports on the network.
All of these tools present you with detailed data about port activity on your network. Of course, before you can determine which doors to close, you have to find out which ones are open on your servers and why. Fport and other free utilities can deliver this information quickly and easily. For a detailed report on identifying and securing vulnerabilities, see the SANS article on security best practices. Section 2.2 of the article discusses scanning and suggests tools to use to determine vulnerabilities. You can also find detailed information on port assignments in this document from the IANA's Web site.
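The check the article describes, turning a raw port listing into a list of doors that should not be open, can be scripted. The following is an added example, not code from the article or from any of the tools it names: it parses constructed `netstat -an` style output, keeps only TCP listeners, and reports any port that is not on an allowlist of ports the server is supposed to expose (here 80 for the Web server plus 139 and 445 for the Windows shares, the case from the member's question). The sample output and the allowlist are assumptions for the demonstration.

```bash
#!/bin/sh
# Compare the TCP ports a host is actually listening on against the ports it
# is supposed to expose, so unexpected listeners stand out for follow-up with
# a tool such as Fport (which maps the port to its owning process).

# Constructed sample of `netstat -an` output (not captured from a real host).
# Port 8888 stands in for a listener nobody set up on purpose.
SAMPLE_NETSTAT='Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING
TCP    192.0.2.10:80          198.51.100.7:51021     ESTABLISHED
UDP    0.0.0.0:137            *:*'

# listening_ports: read netstat text on stdin and print each TCP listening
# port once per line, sorted numerically. Both the Windows state name
# (LISTENING) and the Linux one (LISTEN) are accepted; the port is the text
# after the last ":" so IPv6 addresses such as [::]:80 also work.
listening_ports() {
    awk '$1 == "TCP" && ($4 == "LISTENING" || $4 == "LISTEN") {
            n = split($2, a, ":"); print a[n]
         }' | sort -n -u
}

# unexpected_ports ALLOWLIST: read netstat text on stdin and print every
# listening port that is not in the space-separated ALLOWLIST. Each port
# printed is a door that needs an owner identified before it stays open.
unexpected_ports() {
    allow=" $1 "
    listening_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;            # expected listener, nothing to report
            *) echo "$port" ;;         # not on the allowlist: investigate
        esac
    done
}

# Usage: run against the constructed sample. On a real host, replace the
# printf with `netstat -an | unexpected_ports "80 139 445"`.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "80 139 445"
```

The allowlist is the list of ports you have deliberately decided to leave open; anything the script prints is either an application you forgot about or something that should not be there.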
Linux server admins should use tcpdump, ethereal, netstat, nmap and possibly etherape or iptraf for traffic monitoring. These tools will allow you to get a good sense of your usual network activity, keep an eye out for unusual activity, and debug your iptables firewall rules, etc.
In all honesty, if you can't decipher ethereal output, go study TCP/IP and basic computer operation - it's not hard, and if you're running a server on a network (esp. if it's internet connected, directly or indirectly) you need to know this stuff, and know it well.