Ports are used to identify specific network services. They have port numbers for identification purposes and are linked to protocols, applications, or services. If open ports are not adequately protected, they can pose a serious risk to your IT environment as threat actors can exploit them through various techniques. For example, in 2017, cybercriminals exploited an SMB vulnerability on port 445 to spread the WannaCry ransomware strain. TCP and UDP are the most common transport protocols that use port numbers. TCP is connection-oriented and provides error recovery, while UDP is connectionless and faster. Both TCP and UDP use the IP protocol to address and route data on the internet. Ports can be open, closed, or filtered depending on their ability to respond to connection requests. This article will focus on the vulnerabilities that come with open ports, as well as tips to help secure them.
Why Are Open Ports A Security Risk?
Open ports themselves are not inherently dangerous, but they can be exploited by hackers to gain unauthorized access to sensitive data. Vulnerable, unpatched, misconfigured, or infected services running on open ports can provide an entry point for hackers to move through a network. Studies have shown that organizations with a low open port grade are more likely to experience a breach.
Threat actors can exploit open ports to launch various cyberattacks, such as spoofing, in which a malicious actor pretends to be a system or service and sends harmful packets, often combined with IP spoofing and man-in-the-middle attacks. Additionally, ports that have intentionally been left open (such as on a web server) can be targeted through application-layer attacks like SQL injection, cross-site request forgery, and directory traversal. Another popular technique that exploits open ports is the distributed denial of service (DDoS) attack, where attackers overload the target’s resources by flooding it with an excessive number of connection requests from various machines.
Which Ports Are the Most Vulnerable?
Threat actors can target any port, but certain ports are more susceptible to cyberattacks due to their deficiencies, such as application vulnerabilities, weak credentials or the absence of two-factor authentication. Below is a list of the most vulnerable, and thus frequently targeted ports to watch out for:
- FTP (Ports 20 and 21): These ports allow for file transfer through FTP, but they are insecure and commonly exploited with brute-force attacks, anonymous authentication, cross-site scripting, and directory traversal attacks.
- DNS (Port 53): This UDP and TCP port is used for DNS queries and transfers. It is particularly susceptible to DDoS attacks.
- SSH (Port 22): This TCP port provides secure access to servers, but hackers can still exploit it through brute-force attacks, or by using leaked SSH keys.
- HTTP and HTTPS (Ports 80, 443, 8080, and 8443): These hotly-targeted ports are used for HTTP and HTTPS protocols and are vulnerable to attacks such as cross-site scripting, SQL injections, cross-site request forgeries, and DDoS attacks.
- Telnet (Port 23): Telnet is an outdated and insecure TCP protocol that connects users to remote computers. It is vulnerable to attacks such as brute-forcing, spoofing, and sniffing.
- SMTP (Port 25): This port is used for sending and receiving emails through SMTP. Without proper protection, it is vulnerable to spoofing and spamming.
- Remote desktop (Port 3389): This port is commonly exploited through vulnerabilities in remote desktop protocols and weak user authentication. Remote desktop vulnerabilities, such as the BlueKeep vulnerability, are commonly exploited by hackers.
- NetBIOS over TCP and SMB (Ports 137, 139 and 445): Cybercriminals exploit these ports by capturing NTLM hashes, and brute-forcing SMB login credentials.
- Databases (Ports 1433, 1434 and 3306): These default ports for SQL Server and MySQL are often targeted for distributing malware or as targets for DDoS attacks. Attackers commonly search for unprotected databases with exploitable default configurations.
Tips for Improving the Security of Open Ports
Managing open ports on larger networks with a constant flow of new devices can be a time-consuming and error-prone process. As such, it is important to use port scanning tools, which help to identify and close any open ports that are being used for communication within the network. However, it is essential for administrators to have knowledge of which ports are necessary for the services being used. Some ports, such as port 80 for web traffic, are universally required, while others are reserved for specific services. If an open port is not associated with any known service on the network, it should be closed immediately. It is also important to ensure that services exchanging information through the necessary open ports are patched, properly configured, and free from malware. To ensure port security and discover open port vulnerabilities, consider the following tips:
Assess your external attack surface: Scan your network to visualize your digital ecosystem and identify internet-facing assets, open ports, and services. Look for a solution that offers a dashboard and real-time notifications to promptly identify potential threats.
Keep a close eye on emerging risks: Due to the constant changes in your IT environment, it is important to regularly monitor relevant changes to your network. Look for a solution that provides automatic and continuous insights into open ports, misconfigured software, and unpatched systems.
Grade the performance of your open ports: Evaluate your network’s ability to resist intrusion attempts by assigning it an open port grade. Look for a solution that generates an automatic and updated daily grade to assess your performance compared to similar organizations.
Adhere to a consistent schedule for applying patches: Stay protected against threats by promptly installing software updates and patches when they are released. This will prevent vulnerabilities such as the EternalBlue exploit, which was famously used to spread the WannaCry ransomware in 2017.
Use SSH keys: SSH keys are more secure than passwords, and thus should be used. There are numerous public-key encryption algorithms that can easily generate SSH keys for both public and private communication.
Misconfigured, unpatched, and vulnerable services using open ports can pose a huge risk to your network, especially for wormable ports that are open by default on certain operating systems. However, as mentioned above, open ports themselves are not inherently dangerous. The level of risk depends on the system configuration and the services exposed on those ports. Closing unnecessary ports can minimize the potential attack surface.