4

We have around one thousand machines on the internet. We do port scanning with nmap and find many ports open on these machines. Sometimes we find an administrative website using HTTP instead of HTTPS, and we block it.

But there are many other ports open, and we have no idea what services they are. Is there any way to figure out which are insecure?

GdD
user15580

3 Answers

10

Step one - close all the ports you do not have an explicit business need for!

All open ports add potential insecurity - a closed port is a safe port.

If you don't know why a port is open, I would be worried - find out what service is running on it. If there is no business need, shut it down! If you can't find out what service it is, shut it down!

There are service lists for the most common services which run on particular ports, but really, anything can run on any port (pretty much), so you need to have a register detailing the port, the service, the business reason/function, the owner, and the date it was implemented.

If you can't shut down services, use a firewall to explicitly block access to all but the services you do need.

Once you have done that, make sure that all your services are patched. One of the biggest sources of vulnerabilities is unpatched services/applications. Get yourself up to date now!

Rory Alsop
  • 2
    Its scary that this isn't obvious to everyone. (+1) – rook Nov 20 '12 at 15:57
  • I would say by *default*, you should firewall off inbound access to any port. If there is a business need to provide remote access to a service (VPN, public website, etc.), then it should be whitelisted on an individual basis. Making the judgment call on port number alone is a poor idea. – Stephen Touset Nov 20 '12 at 19:39
  • I agree Stephen - this is why I have said you need to know what the service is! – Rory Alsop Nov 20 '12 at 20:54
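The procedure in this answer (find out what is on every open port, keep a register with owner and business reason, firewall or shut down the rest) can be turned into a recurring check. The script below is an added example, not code from the original answer or from nmap: it parses nmap's greppable output (`nmap -sV -oG -`), diffs it against a register, and reports ports nobody has claimed, registered ports that speak a cleartext protocol, and register entries nothing listens on any more. The register layout, the scan text and the `CLEARTEXT_SERVICES` set are my assumptions; the scan lines are constructed, not a real scan.

```python
"""Diff an nmap greppable scan against a port register (added example,
not from the original answer).

Assumptions, all mine: the register format, the constructed scan below,
and CLEARTEXT_SERVICES as the protocols we refuse on internet-facing
hosts no matter how current the version is.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host port proto service reason")

# Constructed sample of `nmap -sV -oG -` output; not a real scan.
# Each port entry has the form port/state/proto/owner/service/rpc/version/
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sV -oG - 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//http//nginx/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.41/, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 31337/open/tcp/////\tIgnored State: closed (998)
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""

# The register the answer describes: every allowed port has an owner and a reason.
REGISTER = [
    {"host": "192.0.2.10", "port": 22,   "proto": "tcp", "owner": "ops", "reason": "admin ssh, bastion only"},
    {"host": "192.0.2.10", "port": 443,  "proto": "tcp", "owner": "web", "reason": "public site"},
    {"host": "192.0.2.11", "port": 80,   "proto": "tcp", "owner": "web", "reason": "legacy redirect to https"},
    {"host": "192.0.2.11", "port": 3306, "proto": "tcp", "owner": "dba", "reason": "replica sync (since firewalled)"},
    {"host": "192.0.2.12", "port": 22,   "proto": "tcp", "owner": "ops", "reason": "admin ssh, bastion only"},
]

# Protocols treated as insecure by design on an internet-facing host (assumption).
CLEARTEXT_SERVICES = {"telnet", "ftp", "rsh", "rlogin", "rexec", "tftp"}

# port/state/proto/owner/service/rpc/version/ as written by nmap -oG
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_greppable(text):
    """Return (host, port, proto, service, version) for every open port in -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]  # drop "Ignored State"
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                results.append((host, int(port), proto, service, version.strip()))
    return results


def audit(scan_text, register):
    """Return Findings: unregistered open ports, cleartext services, stale register entries."""
    allowed = {(r["host"], r["port"], r["proto"]): r for r in register}
    seen = set()
    findings = []
    for host, port, proto, service, version in parse_greppable(scan_text):
        seen.add((host, port, proto))
        reasons = []
        if (host, port, proto) not in allowed:
            reasons.append("not in register (%s, %s): identify it or firewall it"
                           % (service or "unknown service", version or "no banner"))
        if service in CLEARTEXT_SERVICES:
            reasons.append("cleartext protocol: replace or tunnel it")
        if reasons:
            findings.append(Finding(host, port, proto, service, "; ".join(reasons)))
    # Entries nothing listens on any more are stale; prune them so the register
    # stays the single source of truth.
    for key, entry in allowed.items():
        if key not in seen:
            findings.append(Finding(*key, "-", "stale register entry owned by %s: remove or re-verify"
                                    % entry["owner"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN, REGISTER):
        print("%s:%d/%s %-10s %s" % (f.host, f.port, f.proto, f.service or "-", f.reason))
```

Run it against a real `nmap -sV -oG scan.gnmap` output and a register exported from wherever you keep it; the telnet listener is flagged twice (unregistered and cleartext), the unbannered port 31337 is the "can't find out what it is, shut it down" case, and the stale 3306 entry shows why the register has to be reconciled against the scan in both directions.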
4

Recurring, periodic vulnerability scanning ([Qualys][1] is generally considered best of breed in the commercial vulnerability scanning space) and vigilant attention to relevant security mailing lists are your first line of defense. Once this is in place, "Is there any way to figure out which (ports) are insecure?" is actually the wrong question. Application security is an ephemeral thing. An application that listens on a port might be secure according to {vulnerability_scanner} today, but in between your scanning cycles a 0day is released and the latest version of [BIND][2] is now insecure.

The best advice is to adhere to the concept of least privilege. As mentioned above, close down all applications that are not explicitly required. A list of well known and registered ports and their corresponding applications might help.

If it's not clear what application is holding open a port on your machine, the commands [lsof and netstat][5] can help.

Finally, if you have a large number of machines to administer, perhaps you should check out some centralized configuration management tools, like [Chef][6].
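To show where the `lsof`/`netstat` answer comes from, here is an added example (not code from the original answer, nor from either tool) that does the same job from Python on Linux: read `/proc/net/tcp`, keep the sockets in LISTEN state, then walk `/proc/<pid>/fd` to find the process whose descriptor points at each socket inode. The `/proc/net/tcp` excerpt is constructed; the example assumes the Linux `/proc` layout and handles IPv4 only (`/proc/net/tcp6` uses 32-hex-digit addresses).

```python
"""Which process owns each listening TCP port, from /proc (added example,
not from the original answer). This is what `netstat -ltnp` / `lsof -i -P`
do: parse /proc/net/tcp, keep LISTEN sockets, map socket inode -> pid via
/proc/<pid>/fd symlinks.

Assumptions: Linux /proc layout, IPv4 only; the sample table is constructed.
"""
import os
import socket
import struct

TCP_LISTEN = "0A"   # kernel TCP_LISTEN state, as printed in the "st" column

# Constructed /proc/net/tcp excerpt (not from a real host). Addresses are
# little-endian hex: 0100007F is 127.0.0.1, 0B0200C0 is 192.0.2.11.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0B0200C0:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 100 0 0 10 0
   3: 0B0200C0:0016 1E00A8C0:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 45678 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306); the IPv4 address is stored little-endian."""
    hex_ip, hex_port = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16))), int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Return [(ip, port, inode)] for every socket in LISTEN state."""
    listening = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listening.append((ip, port, int(fields[9])))   # column 9 is the inode
    return listening


def socket_inode_to_pid(proc="/proc"):
    """Map socket inode -> pid by reading every /proc/<pid>/fd symlink.
    Without root you only see your own processes, so an unattributed socket may
    mean "run this as root", not "nothing owns it"."""
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process gone, or EACCES
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):   # e.g. socket:[12345]
                owners[int(target[8:-1])] = int(pid)
    return owners


def attribute(sockets, owners):
    """Join listening sockets to owning pids; None when no visible fd holds the inode."""
    return [(ip, port, owners.get(inode)) for ip, port, inode in sockets]


def process_name(pid, proc="/proc"):
    """Short command name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(proc, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    # Live run on this host (Linux only; run as root to attribute every socket).
    with open("/proc/net/tcp") as f:
        sockets = parse_proc_net_tcp(f.read())
    for ip, port, pid in attribute(sockets, socket_inode_to_pid()):
        print("%s:%d\tpid=%s\t%s" % (ip, port, pid, process_name(pid)))
```

On the constructed sample the ESTABLISHED row is ignored, 0.0.0.0:22 and 127.0.0.1:3306 are attributed to whichever pids hold inodes 12345 and 23456, and 192.0.2.11:31337 comes back with no owner; on a real host that is exactly the port you investigate (as root, and checking `/proc/net/tcp6` and udp as well) before deciding whether to firewall it.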

2

I recommend using Nessus or a vulnerability scanner. It uses a technique called banner grabbing to determine what version and service a machine is running on a port. It also knows what versions are vulnerable and will give you a nice report of each machine.

Warning: it does cost money depending on who you are and the setting you use it in. There may be other vulnerability scanners, but Nessus is kind of the biggest name out there. Hope I was helpful.

  • Nessus might tell you which versions of services have known vulnerabilities, but will not tell you which services are inherently insecure regardless of version. Open only the ports you need to function. – schroeder Nov 20 '12 at 15:26