DevynCJohnson
In computer networking there are special entities called "ports". Ports are the end-points of TCP and UDP network connections, and understanding them matters for security: open ports can offer intruders an entrance into a system. Linux users should therefore know how ports work so that they can protect their systems.
General Concepts
Numerous networks (especially the Internet) use TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Both of those protocols are used with either IPv4 or IPv6. The port numbers are important to TCP, UDP, and many other protocols that are on the transport layer (such as SCTP). However, IP and many other protocols do not use ports.
NOTE: If IP is used with TCP (such as TCP/IP), ports are used, but it is TCP using the ports, not IP.
Ports serve as the end-points of a network connection, meaning that programs send and receive data at the ports. For instance, when Firefox is opened and a website is accessed, Firefox opens a port and sends the request out of the system through that port. On the receiving computer (the web server), the program offering the website (such as Apache or Lighttpd) is listening on port 80 (for HTTP). When the connection from Firefox reaches the server's port, the listening program serves the request. Firefox keeps its port open while sending and receiving data; once the transfer is complete, the port is closed.
When going across the Internet, the TCP protocol (or some other transport-layer protocol) will store the port information in the packet.
Port Addressing
IP addresses identify a machine on a network. A port specifies a particular entry point. Ports and IP addresses are designated in a form like "192.168.1.3:80", where the "80" after the colon is the port and the numbers to the left of the colon make the IP address. However, a port is sub-divided into sockets. Each socket accepts a different protocol. For instance, there is a socket for UDP with IPv4 and another socket for UDP with IPv6. Sockets are part of the transport layer of the OSI model, and they are bi-directional. This means a single socket can send and receive data. Sockets are identified by pairing the local IP address and port with the remote address and port.
NOTE: Ports do not need to match. For example, the local system can send data through port 50000, but then the server may accept the connection through port 80. Also, servers can listen on one port, but open the connection through another port to continue listening on the original port.
Programs that listen on ports can listen on all sockets or only on those for a specific protocol. For instance, on many Linux systems the secure shell daemon (sshd) listens on port 22 for TCP over either IPv4 or IPv6. Some programs listen on multiple ports. However, only one program can listen on a given port at a time, unless each program connects to a different remote system or remote port. A single listening program may nonetheless serve multiple programs on the local system. For example, sshd listening on port 22 may manage requests and data flow on behalf of two local programs (such as FileZilla and an SSH terminal session).
NOTE: To better explain ports, think of an IP address as a zip code for a city. The ports would be like the buildings and the sockets (UDP, UDP6, TCP6, etc.) would be like separate individuals living in a building.
There are 65535 ports, each designated by a 16-bit number (hence the 65535 limit). Ports 0 to 1023 (the first 1024 ports) are called the "well-known ports" or "system ports". These are the commonly used ports that have an official or assigned use, such as FTP (port 21), Kerberos (88), SQL services (118), etc. Binding to a system port also requires elevated user privileges. The ports numbered 1024 to 49151 are the registered ports, which are assigned by the IANA. The "private" or "dynamic" ports are those numbered 49152 to 65535, and they are for a user to utilize as needed.
List Ports and Programs
To list open ports on a local Linux system that are transferring data, execute "lsof -Pnl -i" in a terminal. This lists all open ports, the programs that opened them, the protocol going through each port, and much more. To list only IPv4 connections, replace "-i" with "-i4"; to list only IPv6 connections, use "-i6".
To list all local ports that have listening programs, execute "netstat -tunpl". To narrow the search down to a specific port, pipe the output through "grep", as in "netstat -tulpn | grep :80", where "80" is the port number.
Security
The two best ways to secure the ports are to enable a firewall and to disable unneeded programs that are listening on ports. Intruders can use programs (like Metasploit) to gather information about a system based on its open ports and the programs listening on them. The more information a potential intruder obtains, the easier it is for the intruder to cause problems. For instance, with Metasploit and other programs, it is possible to obtain the version number of sshd remotely.
It may also help to make programs use different ports than usual. For example, since HTTP requests are almost always sent and received through port 80, attackers know that port 80 is the one to try when exploiting a bug or vulnerability in an HTTP server. If programs use a different port instead, the attacker must first find the HTTP port among the 65535 possible ports.
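As an added example (not part of the original post), the following POSIX shell functions take the output of "netstat -tulpn" as described above, extract each listening program and its port, single out the listeners bound to every interface (0.0.0.0 or ::), which are the ones a firewall or a disabled service should address, and classify a port number into the IANA ranges given earlier. The netstat output below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample in the column layout of "netstat -tulpn" (not from a real system).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1020/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      1377/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp6       0      0 :::5353                 :::*                                700/avahi-daemon'

# list_listeners NETSTAT_OUTPUT: print "proto port program" for every listener.
# The port is the text after the last colon of the local address (works for ":::80" too);
# the program name is the last field with its "PID/" prefix removed.
list_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print $1, port, prog
        }'
}

# exposed_listeners NETSTAT_OUTPUT: like list_listeners, but only for sockets bound to
# all interfaces (0.0.0.0 or ::), i.e. reachable from the network rather than loopback only.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
            n = split($4, a, ":"); prog = $NF; sub(/^[0-9]+\//, "", prog)
            print $1, a[n], prog
        }'
}

# port_class PORT: "system" (0-1023), "registered" (1024-49151) or "dynamic" (49152-65535).
port_class() {
    if [ "$1" -le 1023 ]; then echo system
    elif [ "$1" -le 49151 ]; then echo registered
    else echo dynamic
    fi
}

# Report every network-reachable listener with its port class.
exposed_listeners "$SAMPLE_NETSTAT" | while read -r proto port prog; do
    echo "$proto/$port ($(port_class "$port")) <- $prog"
done
```

Against a live system, replace the sample with `netstat -tulpn` output (run as root so PID/Program name is filled in) and review every line the report prints: anything not deliberately offered to the network is a candidate for disabling or firewalling.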
Further Reading
- List of TCP and UDP port numbers - https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
- Free PDF Cheatsheet Download for Port Numbers and Services - http://dcjtech.info/topic/free-pdf-cheatsheets/#post-1497
- Uncomplicated Firewall (ufw) - http://www.linux.org/threads/uncomplicated-firewall-ufw.7172/
- Introduction to IPTables - http://www.linux.org/threads/introduction-to-iptables.7310/