Data packets travel to and from numbered network ports associated with particular IP addresses and endpoints, using the TCP or UDP transport layer protocols. All ports are potentially at risk of attack. No port is natively secure.\n\n\u201cEach port and underlying service has its risks. The risk comes from the version of the service, whether someone has configured it correctly, and, if there are passwords for the service, whether these are strong? There are many more factors that determine whether a port or service is safe,\u201d explains Kurt Muhl, lead security consultant at RedTeam Security. Other factors include whether the port is simply one that attackers have selected to slip their attacks and malware through and whether you leave the port open.\n\nCSO examines risky network ports based on related applications, vulnerabilities, and attacks, providing approaches to protect the enterprise from malicious hackers who misuse these openings.\n\nWhat makes these ports risky?\n\nThere is a total of 65,535 TCP ports and another 65,535 UDP ports; we\u2019ll look at some of the diciest ones. TCP port 21 connects FTP servers to the internet. FTP servers carry numerous vulnerabilities such as anonymous authentication capabilities, directory traversals, and cross-site scripting, making port 21 an ideal target.\n\nWhile some vulnerable services have continuing utility, legacy services such as Telnet on TCP port 23 were fundamentally unsafe from the start. Though its bandwidth is tiny at a few bytes at a time, Telnet sends data completely unmasked in clear text. \u201cAttackers can listen in, watch for credentials, inject commands via [man-in-the-middle] attacks, and ultimately perform Remote Code Executions (RCE),\u201d says Austin Norby, computer scientist at the U.S. Department of Defense (comments are his own and don\u2019t represent the views of any employer).\n\nWhile some network ports make good entry points for attackers, others make good escape routes. TCP\/UDP port 53 for DNS offers an exit strategy. Once criminal hackers inside the network have their prize, all they need to do to get it out the door is use readily available software that turns data into DNS traffic. \u201cDNS is rarely monitored and even more rarely filtered,\u201d says Norby. Once the attackers safely escort the data beyond the enterprise, they simply send it through their DNS server, which they have uniquely designed to translate it back into its original form.\n\nThe more commonly used a port is, the easier it can be to sneak attacks in with all the other packets. TCP port 80 for HTTP supports the web traffic that web browsers receive. According to Norby, attacks on web clients that travel over port 80 include SQL injections, cross-site request forgeries, cross-site scripting, and buffer overruns.\n\nCyber criminals will set up their services on individual ports. Attackers use TCP port 1080, which the industry has designated for socket secure \u201cSOCKS\u201d proxies, in support of malicious software and activity. Trojan horses and worms such as Mydoom and Bugbear have historically used port 1080 in attacks. \u201cIf a network admin did not set up the SOCKS proxy, its existence might indicate malicious activity,\u201d says Norby.\n\nWhen hackers get lackadaisical, they use port numbers they can easily remember, such as sequences of numbers like 234 or 6789, or the same number repeatedly, such as 666 or 8888. Some backdoor and Trojan horse software opens and uses TCP port 4444 to listen in, communicate, forward malicious traffic from the outside, and send malicious payloads. Some malicious software that has used this port includes Prosiak, Swift Remote, and CrackDown.\n\nWeb traffic doesn\u2019t use port 80 alone. HTTP traffic also uses TCP ports 8080, 8088, and 8888. The servers attached to these ports are largely legacy boxes that have been left unmanaged and unprotected, gathering increasing vulnerabilities over time. \u201cServers on these ports can also be HTTP proxies, which, if network administrators did not install them, could represent a security concern within the system,\u201d says Norby.\n\nSupposedly elite attackers have used TCP and UDP ports 31337 for the famed Back Orifice backdoor and some other malicious software programs. On the TCP port, these include Sockdmini, Back Fire, icmp_pipe.c, Back Orifice Russian, Freak88, Baron Night, and BO client to name several; examples on the UDP port include Deep BO. In "leetspeak", which uses letters and numbers, 31337 spells "eleet," meaning elite.\n\nWeak passwords can make SSH and port 22 easy targets. Port 22, the designated Secure Shell port that enables access to remote shells on physical server hardware is vulnerable where the credentials include default or easily guessed user names and passwords, according to David Widen, systems engineer at BoxBoat Technologies. Short passwords of less than eight characters using a familiar phrase together with a sequence of numbers are far too easy for attackers to guess.\n\nCriminal hackers are still attacking IRC, which runs on ports 6660 through 6669. \u201cThere have been many IRC vulnerabilities, such as Unreal IRCD that allow for trivial remote execution by attackers,\u201d says Widen.\n\nSome ports and protocols can give attackers a lot of reach. Case in point, UDP port 161 is enticing to attackers because the SNMP protocol, which is useful for managing networked machines and polling information, sends traffic through this port. \u201cSNMP allows you to query the server for usernames, network shares, and other information. SNMP often comes with default strings that act like passwords,\u201d explains Muhl.\n\nSecuring ports, and services and vulnerabilities\n\nThe enterprise can protect SSH by using SSH public key authentication, disabling logins as root, and moving SSH to a higher port number so that attackers won\u2019t easily find it, says Widen. \u201cIf a user connects to SSH on a high port number like 25,000, it will be harder for the attackers to locate the attack surface for the SSH service,\u201d says Widen.\n\nIf your enterprise runs IRC, keep it behind the firewall. \u201cDon\u2019t allow any traffic to the IRC service that came from outside the network. Have users VPN into the network to use IRC,\u201d says Widen.\n\nRepeated port numbers and especially long sequences of numbers rarely represent a legitimate use of ports. \u201cWhen you see these ports in use, make sure they are genuine,\u201d says Norby. Monitor and filter DNS to avoid exfiltration. And stop using Telnet and close port 23.\n\nSecurity across all network ports should include defense-in-depth. Close any ports you don\u2019t use, use host-based firewalls on every host, run a network-based next-generation firewall, and monitor and filter port traffic, says Norby. Do regular port scans as part of pen tests to ensure there are no unchecked vulnerabilities on any port. Pay particular attention to SOCKS proxies or any other service you did not set up. Patch and harden any device, software, or service connected to the port until there are no dents in your networked assets\u2019 armor. Be proactive as new vulnerabilities appear in old and new software that attackers can reach via network ports.\n\nUse the latest version of any service you support, configure it appropriately, and use strong passwords; access control lists can help you to limit who can connect to ports and services, says Muhl. \u201cTest your ports and services often. When you have services such as HTTP and HTTPS that you can customize a lot, it is easy to misconfigure the service and accidentally introduce a vulnerability,\u201d explains Muhl; \u201cand change those default SNMP strings.\u201d\n\nSafe harbor for risky ports\n\nExperts publish different lists of ports that carry significant risk based on varying criteria such as the type or severity of the threats attached to each port or the degree of vulnerability of the services on the given ports. No one list is a catch-all. For further investigation, you can start with lists from SANS.org, the internet SpeedGuide, and GaryKessler.net.