| Port | Protocol | Service | Description |
|---|---|---|---|
| 0 | tcp/udp | r | Reserved |
| 1 | tcp/udp | tcpmux | TCP Port Service Multiplexer. One of the original portmappers. SGI/IRIX still uses it, so scans for it are probable attempts to locate IRIX targets. A HELP request to it returns the IRIX host's service listings. |
| 2 | tcp/udp | compressnet | Management Utility |
| 3 | tcp/udp | compressnet | Compression Process |
| 5 | tcp/udp | rje | Remote Job Entry |
| 7 | tcp/udp | echo | Echo - Used to troubleshoot remote TCP/IP stacks (telnet to the remote echo port, then type ... all keystrokes will echo back if the target stack is working through the app layer). DoS threat: attackers use it to relay flooding data. If relayed to a network broadcast, the entire subnet can flood; to a syslog loghost, logs can flood. Echo returns the data to whatever was forged as the source socket. Any data sent can flood, but looping data-output ports (e.g. chargen, time, daytime) create deadly streaming floods. Disable on all hosts; enable only for brief troubleshooting. |
| 9 | tcp/udp | discard | Discard - Port equivalent of /dev/null. Reads packets, then discards them. Allows knowledge that the host is alive and processing packets. Used while troubleshooting a local stack's transmit ability (telnet to discard on a remote host, knowing all transmitted keystrokes will just be discarded ... no worry of corrupting host processes). No threat, but block on hosts and perimeter network devices as a general rule. |
| 11 | tcp/udp | systat | Active Users - Provides very useful info to attackers (the host's usernames, login times, origination hosts, etc.). Disable this port on all hosts. |
| 13 | tcp/udp | daytime | Daytime - Returns the time of day in machine language; can return OS version. Provides host time, which can be useful in timing attacks. Also creates a DoS threat when its output is looped to the echo port (7). Disable this port on all hosts. |
| 15 | tcp/udp | netstat | Now Unassigned (was netstat) - Netstat was similar to systat and is still active on some operating systems. Provides remote attackers info about the host and network (socket status, route tables, ARP table, multicast group members, per-protocol stats, interface status, etc.). Disable this port on all hosts. |
| 17 | tcp/udp | qotd | Quote of the Day (QOTD) - Used to receive remote QOTDs. Used for social engineering attacks, where users receive fake instructions to verify passwords, etc. Disable this port on all hosts. |
| 18 | tcp/udp | msp | Message Send Protocol |
| 19 | tcp/udp | chargen | Character Generator - Used to troubleshoot TCP/IP stacks. Generates random characters at a high rate. DoS threat: attackers will loop it to the echo port, creating a very effective host and subnet DoS. Disable this port on all hosts; enable only for brief troubleshooting tests. |
| 20 | tcp/udp | ftp-data | Default FTP Data Transfer Port - The FTP service's default data transfer port; required inbound if internal users are allowed access to external FTP sites, yet an open port poses a threat (hole for network mapping, etc.). Modern firewalls solve this by keeping it closed until a valid FTP session exists, then opening it only between those hosts. Control via a stateful-tracking firewall; do not simply open at the perimeter. |
| 21 | tcp/udp | ftp-control | FTP Control Port - The FTP service's control port. Firewall rules focus on this port, then open port 20 only when required for a data transfer. Security concerns with FTP: cleartext, re-usable passwords; portal for user account grinding; FTP bounce, where an attacker uses FTP's PORT command to redirect the FTP transfer to a port and IP other than the default port 20 on the FTP server. Attacks can include bouncing internal network scans, email forging/flooding, etc. CERT Advisories: CA-97.16, CA-99.13. Disable port on non-FTP servers. Open at perimeter only with a static route to internal FTP server(s). |