is it bad to have open ports?
Hello!
I am wondering what the security risks are to have open ports that do not connect to any meaningful application or protocol (like ftp, smb, etc.). It's like having a telephone where nobody ever answers. There may be some issues with overflows and other programming bugs that could be used in tandem with an open port, but essentially what could be wrong? thanks, Murdock |
An open port means that someone can try connecting to them. You probably have a service running that uses that port. If for example you have an ftp service running, but don't need it, you should disable the service.
|
i think by "open" he means "closed"... :)
like, unfiltered, yet unused ports... it's a question i've heard before... well, if that's the case then: some of the risks are that your stealth is compromised (in cases where you actually don't need anything listening) and plus if you ever start any service aimed at the LAN but you accidentally had it configured to listen on the WAN also then the entire WAN will have access... there's also the risk that non-root users could start their own daemons on your box (on non-root ports), etc... there's actually many reasons why you should filter all your ports even if you don't have anything listening at this current time... just my :twocents:... |
Yes, by "open" I do mean "closed". If I'd only get my network jargon correct. So does that mean "open" is where a service is running, "closed" when it's available, but without a service, and finally "stealthed", when the firewall just doesn't respond to the request?
A specific example I have is for P2P clients. Clients use many ports (from port 6000 and on), and I'd like to have all of those ports open. So the only service actually listening on those ports is the P2P client application. I am behind a NAT, so the computer is stealthed. However, the P2P client (not the router) still routes requests from those ports to my P2P system. I still don't understand how that works exactly if NAT totally hides my computer, but somehow the translation works. Thanks, Murdock |
Quote:
I have opened ports 6696-6699 on my NAT firewall, but I also have Firestarter installed on my PC, and I only open those ports in Firestarter when I'm using the p2p program. |
"open" - There is a service running on a port and people can connect to the port.

"closed" - Someone tries to connect to a port and is actively denied. This means a packet is sent back from your computer, firewall, or router telling them "No way Buddy, you're not connecting". There may or may not be a service actually running on the port. Your firewall or router may REJECT the incoming connection request before it even gets to the point of trying to invoke a service. If the connection request gets through your router and firewall, it will also be REJECTED if there is no service actually running on the port. Or a service COULD be running, and some configuration is telling it to REJECT the connection request.

"stealthed" - Someone tries to connect to a port and they just never hear back from your computer, firewall, or router. The connection request is said to be DROPPED (as opposed to REJECTED as described above). You could very well have a service running on the port in question, but you have things configured (firewall, router, etc.) to not let outsiders know that fact. You are trying to completely hide your existence. DROP hides, REJECT shows your existence but doesn't allow connections. |
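The three states described above can be told apart purely from how a TCP connect attempt ends. The following Python script is an added example (not code from anyone in this thread) for checking your own machine's firewall behaviour: it spins up a constructed listener on 127.0.0.1 so that one port is genuinely "open", probes a port with nothing behind it to get "closed", and reports "stealthed" whenever the SYN is silently dropped and the attempt times out.

```python
import socket
from contextlib import closing


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify how HOST answers a TCP connect to PORT.

    "open"      - handshake completed: something is listening.
    "closed"    - host or a REJECT rule sent RST / ICMP unreachable,
                  so the client sees "connection refused".
    "stealthed" - nothing came back before the timeout: a DROP rule
                  or a NAT box is discarding the SYN in silence.
    "unreachable" - no route at all (not a firewall verdict).
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "stealthed"
    except OSError:
        return "unreachable"


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Constructed 'open' port: bind an ephemeral port and listen.
    The kernel completes the handshake from the backlog, so no
    accept() loop is needed for probe_port() to report 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """Pick an ephemeral port that nothing is listening on, so a probe
    of it exercises the 'closed' (RST / refused) path."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    with closing(start_listener()) as srv:
        print("listening port:", probe_port("127.0.0.1", srv.getsockname()[1]))
    print("unused port:   ", probe_port("127.0.0.1", free_port()))
```

Pointing probe_port at a host that returns "stealthed" for a port you expect to be closed is the quickest way to confirm a DROP policy is really in effect rather than a REJECT one.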
I'll go ahead and say this first
P2P APPS DO NOT NEED OPEN INCOMING PORTS. Bittorrent works better, but not needed. P2P apps create an outgoing port for connectivity so you don't need to open any ports. If your NAT router has UPnP turned on, TURN IT OFF. This will allow apps to automatically open and close ports. Bad Idea. Unless you are running a service/server that you want accessed from the internet (or a speedier bittorrent), there is no reason to have any ports open on a home router. Close them all, all will be stealthed. Soule |
I heard they manage to use port 81 that's already opened for HTTP.
but they could always turn to application-layer proxies (Zorp, for example) to do the filtering i guess... there's also some iptables methods for dealing with this kinda stuff, like: http://www.lowth.com/p2pwall/ |