Can someone explain to me why open ports are bad?
Someone was saying some hackers use port scanning tools? Not sure what it is or how it works, but using this can they put bad software on your computer or steal stuff from you or find out what you have on the computer and what web sites you go to?
Some people say a good OS and good firewall will close all open ports and stop port scanning.
I had an IT guy look at my logs and he was saying people or bots are opening up ports using UPnP IGD hacking, with the command AddPortMapping.
No idea what this is or what he is talking about.
Is my security too low?
The best practice is to never have open ports exposed to the Public Internet if not needed. Regardless of a service running, it is consuming resources from your box & bandwidth.
You can delete the unneeded ports with the 'iptables' command; make sure you save your modified iptables rules after you remove the open ports.
Despite the inaccuracy of the sentence "open ports are bad", the main reason for closing unnecessary ports is that every application can have security "holes", and if one of these holes is discovered (sometimes by a hacker), someone can use the open port to transfer malicious data that uses this vulnerability and do something that was not foreseen by the author of the program (for example, take control of the whole machine).
Of course, if some machine is designed to expose services on the Internet (for example a web server), then it must open a port for connections. Without that, it will not work. For non-public access there are solutions like ports automatically opened after a specific, secret pattern has been sent to the machine (the knock daemon), or allowing connections only from specific IP addresses.
So it is not exactly open ports that are bad, but rather the applications that opened them. And as rhbegin mentioned, good practice is to minimize the danger by closing unneeded ports, for example with a firewall or by switching off unneeded services.
Ports that are open with no service on them are kind of useless; ports that are open with services on them can be exploited if the software listening isn't secure. The idea of closing them, as others said, is to minimize the potential for someone to scan for vulnerable software. Also, closing them at the hardware firewall level can prevent rogue software from opening them on your computer, really doing damage and getting through, as they're still blocked by the firewall.
I think the mix-up here at the start of this thread was understanding ports and services, how hackers can use port scanning, and what that does.
Why most firewalls close most ports.
Another thing that comes up with security is people who have web servers at home and people using torrent, as this opens a lot of ports, and there is lots of bandwidth due to the open ports they must use.
I think the mix-up here at the start of this thread was understanding ports and services, how hackers can use port scanning, and what that does.
Just as an example: if someone scans servers across a certain IP range for MySQL being installed, which means port 3306 is running, then once they have that, they will do further scanning for MySQL vulnerabilities on those IPs, and they go further and further, and so on.
Quote:
Originally Posted by nec207
Why most firewalls close most ports.
This is a good purpose for the firewall operator: to open only the port services which need to be used.
For example again, if your server runs MySQL, there is actually no need to tell the outside that your MySQL is running;
it is enough for the system itself to know it is running.
Quote:
Originally Posted by nec207
Another thing that comes up with security is people who have web servers at home and people using torrent, as this opens a lot of ports, and there is lots of bandwidth due to the open ports they must use.
As mentioned before, just open what is needed. For torrent, the port can also be configured properly from the firewall, and bandwidth has nothing to do with open ports, actually.
As mentioned before, just open what is needed. For torrent, the port can also be configured properly from the firewall, and bandwidth has nothing to do with open ports, actually.
+1
basics-101, disable or remove what's not needed. i have seen some apps/services that provide local system services and they bind a listener to the iface just in case you want to get that service over the network, with no way to have the app/service running w/o binding a listener. that's dumb code, but can be handled by a firewall, etc.
so, bottom line is, if it's not there or not reachable then if an unknown vulnerability suddenly becomes known the risk associated with such is minimal. as good as that sounds, i often see places that do not address the issue head-on by patching or upgrading because they think the external mitigation is good enough, but that's a poor strategy. oftentimes you'll see a network audit pass but a system compliance check fail. if you have something that needs fixing then fix it. i typically apply all of my checking/auditing/compliance/lock-down stuff as local as possible so the further away you get the harder it is to penetrate the system. most places get very very soft once you get by perimeter security, etc.
Last edited by Linux_Kidd; 01-26-2012 at 03:23 PM.
A firewall gets its name from a literal wall designed to keep out actual fire. That may be in a building, or the wall between the engine compartment of your car and the passenger compartment. The idea is to keep any threat (engine fire, bad guy) on one side of the wall, keeping you safe on the other side of the wall. Open ports are holes in the wall. Any hole (open port) could possibly let an attacker either get in or at least see in, so you don't want any unnecessary open ports. If you look under the dash you'll see the car manufacturer does the same thing. There are several openings in the firewall for wires and such to go through, but no unused openings, no opening larger than necessary, and all openings are sealed with rubber so fire can't get from one side of the wall to the other.
... and the "fw" is only as good as what it's made from. physical wall of tinfoil has issues, and bad coding in cisco's asa, etc etc. a fw alone doesn't keep the bad guys out, it just slows them down.
ana hah, another good tagline, adding that to my sig.
Last edited by Linux_Kidd; 02-21-2012 at 03:10 PM.
Let me bastardize a good investing comment made by Peter Lynch: "Know what you're running, and know why you're running it."
The problem here is not so much that, "a port is open," but rather, why it is open, and especially do you know that it is, and do you intend for your computer to be doing that?
If the answer is "no," then you are merely a(nother) "but I had no idea ..." that is waiting to happen.
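Several replies above come down to knowing which services are listening and whether they are bound to loopback only or to every interface. The following is an added example, not code posted by anyone in the thread: it decodes the Linux `/proc/net/tcp` table and labels each listening socket. It assumes IPv4 and a little-endian host; the `SAMPLE` table and the function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout: a header row, two listeners
# (port 22 on all interfaces, port 3306 on loopback) and one established flow.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 1002 1 0 100 0 0 10 0
   2: 0A01A8C0:B3F2 2200A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0 100 0 0 10 0
"""

LISTEN = "0A"  # kernel state code for a TCP socket in LISTEN


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted IPv4 string, port number)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the address as a native-endian 32-bit word;
    # "<I" assumes a little-endian host (x86, most ARM).
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listeners(proc_net_tcp_text):
    """Return [(ip, port, scope)] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != LISTEN:
            continue  # not a listener (e.g. an established connection)
        ip, port = decode_addr(cols[1])
        # Loopback binds are unreachable from other hosts; anything else
        # is reachable unless a firewall in front of it says otherwise.
        loopback = ipaddress.ip_address(ip).is_loopback
        found.append((ip, port, "local-only" if loopback else "network-reachable"))
    return found


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux host
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample elsewhere
    for ip, port, scope in listeners(text):
        print(f"{ip}:{port}\t{scope}")
```

Any listener reported as network-reachable that you cannot name a reason for is a candidate to disable, rebind to 127.0.0.1, or block at the firewall.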