49

If a Linux server only has SSH port 22 and HTTP port 80 open, must we go through one of these two ports to hack into the server from the internet?

Anders
244boy
  • 10
    If you only have these two ports open, then you can only communicate with those two, yes. –  Apr 18 '20 at 15:34
  • 7
    Depends on how you define "open" - perhaps as "replies with either SYN/ACK or RST to a SYN"? In that case, it might react to other ports (or non-TCP traffic) in vulnerable ways though perhaps not by replies per se. – Hagen von Eitzen Apr 19 '20 at 12:52
  • 2
    Are you talking about which ports are open on the server itself? Or are you talking about what ports the router forwards? Or what exactly? – David Schwartz Apr 19 '20 at 21:47
  • 1
    As far as remote attacks are concerned then sure. Whether or not you're safe heavily depends on which programs are listening on those ports and whether they are properly secured. – MonkeyZeus Apr 20 '20 at 14:04
  • You probably also want 443. – Joel Coehoorn Apr 21 '20 at 19:14

5 Answers

75

Not really. I'd say it depends on your threat model. There might be other threats that don't need to use those ports in order to compromise your server. The first example that I can think of right now is a supply-chain attack. When you update any software on your server, if the updated software has been compromised by a supply-chain attack, your server will get infected. Or if you install example-program by mistake instead of example_program (note the hyphen instead of the underscore), and example-program was malicious and had been given that name on purpose to confuse you, then your server will be compromised. I think something like this happened recently... oh, yesterday (Bitcoin-stealing apps in Ruby repository). Other examples? Maybe some MITM in the outgoing connections from your server. Then let's not forget about phishing, or anything involving social engineering.

So to be precise, if you asked me "in general, can I only be hacked by a remote threat through open ports?", my answer would be no. Whether some threats are likely or not though, depends on your threat model, which in turn depends on what your server does, how you are managing it, who you are, etc.

reed
  • 1
    But, to be clear, even if the server is compromised with such an attack, the incoming / outgoing communication between the server and the attacker would be through either port 22 or port 80, right? – Our Apr 20 '20 at 09:52
  • 3
    @onurcanbektas Nope, open ports generally mean listening ports, so only incoming connections use those. Outgoing connections generally use a random port (with some restrictions). Unless by "open ports" you mean that everything else is blocked by a firewall. But in that case the server probably wouldn't be able to make outgoing connections, such as one needed to download the update mentioned in this answer. – Tomeamis Apr 20 '20 at 10:11
  • @Tomeamis So, unless it is blocked by a firewall, an application can use any random port for outgoing connections? – Our Apr 20 '20 at 10:38
  • 5
    @onurcanbektas Yup. You can check for yourself (you can run `netstat -a` to see active connections, and most will have some high port number with the local address). Port 80 being assigned to HTTP is for destination. So when you want to connect to server example.com over HTTP, you connect to example.com at port 80, but the connection can come from any port. And given that low port numbers are generally assigned, high ports are usually used for outgoing connections. – Tomeamis Apr 20 '20 at 10:55
  • @Tomeamis oh I see; thanks for the answer. – Our Apr 20 '20 at 11:01
  • 3
    @onurcanbektas just for completeness, not *any* random port. You can't use ports already in use (e.g. port 80 in this case), and usually OSs restrict you to ports above 1024 or above a higher number (the exact number depends on the OS, and you can probably change this with some effort). – Blueriver Apr 20 '20 at 19:33
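Added example (not from the original post or any of its authors) illustrating the point made in the comments above: an outgoing TCP connection's source port is picked by the kernel from the ephemeral range, not from the server's listening ports. It assumes a Linux host for the sysctl path and falls back to the IANA dynamic range elsewhere; everything runs on the loopback interface.

```python
"""Show that an outgoing TCP connection uses a kernel-chosen ephemeral
source port.  Added example, not code from the original Q&A."""
import socket


def local_port_range():
    """Return (low, high) of the OS ephemeral port range.

    Reads the Linux sysctl file; on other systems it falls back to the
    IANA dynamic range 49152-65535 (an assumption, not read from the OS)."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as fh:
            low, high = fh.read().split()
            return int(low), int(high)
    except OSError:
        return 49152, 65535


def outgoing_ports():
    """Open a listener on a kernel-chosen port, connect to it from a client
    socket, and return (listening_port, client_source_port, peer_port_seen_by_server)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    listen_port = srv.getsockname()[1]

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", listen_port))   # no explicit bind: kernel autobinds
    conn, peer = srv.accept()

    src_port = cli.getsockname()[1]     # the client's own (source) port
    for s in (conn, cli, srv):
        s.close()
    return listen_port, src_port, peer[1]


if __name__ == "__main__":
    lo, hi = local_port_range()
    lp, sp, pp = outgoing_ports()
    print(f"listening on {lp}; client connected from source port {sp} "
          f"(seen by the server as {pp}); ephemeral range is {lo}-{hi}")
```

The source port the server sees is the client's ephemeral port, which is why a host-based firewall that only allows inbound 22 and 80 still has to permit established outbound flows for updates to work.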
36

No.

There are multiple things which can be attacked on a target computer, and a serving application (httpd or sshd for example) is just one of those things.

Remember, there is an entire network stack between the physical network port on the network card and the application handling the actual traffic (i.e. sshd) - this stack includes things like kernel functionality such as firewalls, network drivers, etc., all of which can be attacked separately from the handling application.

See the number of Linux kernel remote execution vulnerabilities highlighted here which require no handling application to exploit, and instead allow an attacker to execute code just by crafting a bad network packet.

Of course, it's easier to attack the application rather than the kernel, because the kernel tends to be much more heavily inspected.

Moo
13

An attempt to list some ways to hack into a server without using http or ssh:

  1. Using a vulnerability in Management Engine
  2. Using a bug in a network board firmware or driver
  3. Using something not very secure in the virtualization platform, having a legitimate access to (or hacking into) a neighbouring virtual machine
  4. Exploiting some bug in the IP or TCP driver in the OS
  5. Making use of some network interaction where your server acts as a client (DNS queries, automatic updates, database access), spoofing or hacking into the legitimate server of these services.

Example for 4.: Long ago, there was a ping of death attack exploiting a bug in the IP layer driver, no open port needed at all.

fraxinus
5

Closing ports is one very early line of defence.

When a port is open, there will be some piece of software running which handles the data entering on that port. That software can have bugs that allow an attack to succeed. If you open 100 ports, there are 100 pieces of software that are potentially insecure. With two open ports only, there are only two pieces of software that are potentially vulnerable. Obviously making sure that 100 pieces are not vulnerable is much harder than two pieces.

But an attacker can try to get in through another route. Your server should receive blocks of data containing a port number, and your software should direct the block to the right port or throw it away, possibly log it. If the software sending incoming blocks to ports has bugs, an attacker might exploit those bugs, and such an exploit could be independent of which ports are open.

schroeder
gnasher729
  • This is inaccurate. Ports that are not closed are not open: https://security.stackexchange.com/questions/96568/open-ports-with-no-services-bound-to-them – Peter W. Apr 19 '20 at 01:01
  • 6
    "If you open 100 ports, there are 100 pieces of software that are potentially insecure. " <-- Why do you assume a 1-on-1 mapping between ports and "pieces of software"? A single program can easily listen on a hundred different ports. Sure, that would be a weird thing to do, but there are many programs that listen on more than one port at least. (And the converse is true too, it's possible to share a single listening port between multiple processes.) – Will Apr 19 '20 at 03:24
  • @PeterW. What are you trying to say? Nobody even made any claim regarding filtered vs unfiltered ports. An open port is not merely an unfiltered port, it's a port that you can actually successfully connect() to. – Will Apr 19 '20 at 03:29
-3

If the server has only ssh and http services open, then you will have to exploit possible vulnerabilities related to one or both services, to hack into the server.

One other way would be physical access to the server keyboard, but I think, you meant just attacking through network. (remember to scan all 1-65535 ports)

PaHa
  • 17
    Remember that there's an entire network stack between the physical network port and the receiving application, including kernel functionality and drivers that can all be attacked as well. This can be done even on closed ports - just because nothing is listening on those ports doesn't mean the system isn't handling them, for example in the firewall rules system etc. Ample opportunity there for an attack vector. – Moo Apr 19 '20 at 01:59
  • 6
    -1. OP, you are encouraged to wait at least a day or two before accepting an answer, to give the community and yourself a chance to judge the quality of a selection of answers before choosing one (if any at all!). – Jon Bentley Apr 19 '20 at 03:57
  • The only answer so far to mention physical attack. – mckenzm Apr 20 '20 at 19:07
  • @mckenzm True, but the question says _from the internet_ which seems to exclude physical attacks. – poolie Apr 21 '20 at 05:10
  • I'll pay that, it precludes even compromised appliance on the local network. (Peers). – mckenzm Apr 21 '20 at 07:05