
What could be the threats of having ports open, after performing an nmap scan and identifying the open ports?

I already searched for some answers for this question, but couldn't find anything specific. Is there any particular issue with each and every port or are those threats common for all of them?

Kulasangar
  • What happens if you leave your front door open at night? – jay_t55 Jan 09 '15 at 19:08
  • @jay_t55 and what if it's on purpose? http://portspoof.org – ǝɲǝɲbρɯͽ Jan 09 '15 at 22:39
  • @jay_t55 do you mean open ports might be used by attackers? – Kulasangar Jan 10 '15 at 03:21
  • @cmdqueue looks like security by obscurity. – Jan 10 '15 at 04:19
  • It's not the open ports that are insecure, it's the services that are listening (and answering) on those ports. If those are known(!) not to use any processing power and storage, to immediately discard the incoming data, and to answer only with random (or meaningless(!)) bit sequences, then there is no security issue. – Bergi Jan 10 '15 at 17:49
  • @AndréDaniel That may be the author's intent, but I've seen it associated with potentially compromised systems. I was further startled by its ability to send data back to the scanner (imagine a security team doing legitimate recon inside a network). Though this is humorous: http://www.saltwaterc.eu/portspoof-trolling.html its ability to hide malware or respond with shellcode, depending on your hat, isn't as funny. – ǝɲǝɲbρɯͽ Jan 10 '15 at 22:04

3 Answers


An open port is an attack surface. The daemon that is listening on a port could be vulnerable to a buffer overflow or another remotely exploitable vulnerability.

An important principle in security is reducing your attack surface, and ensuring that servers have the minimum number of exposed services.

rook
  • But if a firewall blocks the service, then it's not usable. If it's not usable, why is it running? – Brandon Jan 10 '15 at 18:17
  • The port the application uses to connect to its database must never be exposed to an attacker, and it is vital for the application to function. – rook Jan 10 '15 at 18:57
  • @Brandon because the need may be to render a local target unavailable to outside attackers, where the definition of outside (with rules) and inside (or local, where localhost is about as local as you can get), varies by security task. A NATing firewall may have a larger idea of what's inside than localhost, but a port can't always be moved behind such NATs or closed. – ǝɲǝɲbρɯͽ Jan 10 '15 at 23:06
  • @rook - if I connect to SQL Server via SSMS over the public internet, that would surely count as the database port open to the world? I can't imagine this is an unusual requirement, surely (barring an attacker having the correct username and password) the only potential problem with port 1433 open to the world would be a DOS attack? – Zach Smith Oct 24 '17 at 10:36
  • @Zach Smith That is putting a lot of faith in a daemon that gets hacked pretty often. More than just DoS, it is written in C/C++ and can suffer from common defects like buffer overflows, dangling pointers, and auth bypass. – rook Oct 24 '17 at 21:11
  • When a service requires an open port, whitelisting allowed IP addresses is one option to allow traffic over the public internet while not being accessible from anywhere (unless a whitelisted IP address is known and spoofed, in which case response data may still be unavailable). – I'm Root James Sep 23 '18 at 05:05

In IP networks a network connection is established by creating a session between ports of two devices.

Generally speaking, the connecting device will use a random 'high' port and connect to a well-known port number on the destination device; for example, a laptop running an Internet browser will normally connect to port 80 (HTTP) or port 443 (HTTPS) of a web server.

There are a large number of well known ports for common services in the lower range of port numbers.

When a scan has identified open ports it is the result of some sort of response from the scanned device resulting from attempts to connect (or similar) to a particular port. When a port is reported as open it is an indication that the scanned device has some sort of service which uses the port to communicate in some way.

Open ports are not always a security risk; for example, a web server has to have 80 or 443 open, otherwise users cannot connect to use the web server.

However, open ports associated with unnecessary services can be a security risk if the software they are associated with has vulnerabilities or the component has not been configured securely.

R15
  • Why run services that you don't need? – Brandon Jan 10 '15 at 18:18
  • @Brandon ideally one wouldn't, but often people do a default install, which can result in installation of services that are not required and only identified as a result of a port scan by a testing team. – R15 Jan 10 '15 at 18:30

Some thoughts in terms of C, I, A:

Confidentiality: Open ports (actually the programs listening and responding at them) may reveal information about the system or network architecture. They can leak banners, software versions, content, the fact a system is there at all (instead of dropping the packet) and what type of system it is (for example, nmap can fingerprint systems). Rook's answer got me thinking about this.

Integrity: Without open port controls, software can open any candidate port and immediately communicate unhindered. This is often relied upon by games, chat programs and other useful software, but is undesirable for malware.

Availability: The network stack and the programs at open ports, even if the requests are invalid, still process incoming traffic. Even if electricity isn't an issue, technological solutions still have limited resources: degraded or denial of service results from finding a way to commit a port, network stack, computer, its hardware, network, or the people so they can't do much else.

Related to integrity and availability, an overwhelming amount of events and their logs can hide malicious activity (such as exploiting something you aren't looking at, to gain access) and lead to administrative fatigue and error. Potential misuse of certain services, by forcing the system to participate in DDoSing someone else, is also possible.

Returning to Rook's answer, the smaller your attack surface the less control of your resources (and possibly other people's) you give to potential attackers.

ǝɲǝɲbρɯͽ
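A defender's triage script, added here as an example and not part of any answer above: it parses nmap's grepable output (`-oG`, using constructed sample lines rather than a real scan) and reports ports open beyond a hypothetical per-host baseline (rook's attack-surface point, including the database port that should never be exposed) as well as the service version banners the scan could read (the confidentiality point in the last answer). The host addresses, the baseline and the sample scan are all assumptions made for this example.

```python
# Constructed -oG output (not a real scan); fields are tab-separated per host.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sV -oG - 192.0.2.8/29\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//http//nginx 1.18.0/"
    "\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "3306/open/tcp//mysql//MySQL 5.7.42/, 111/filtered/tcp//rpcbind///\n"
)

# Hypothetical baseline: the only ports each host is meant to expose.
# The database port on .11 is deliberately absent: only the app host should reach it.
BASELINE = {"192.0.2.10": {22, 80, 443}, "192.0.2.11": {22}}


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only.
    Each -oG port entry has seven '/'-separated fields: port/state/protocol/owner/service/rpcinfo/version."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":  # filtered/closed ports are not exposed services
                hosts.setdefault(host, []).append((int(port), proto, service, version))
    return hosts


def triage(scan, baseline):
    """Flag (a) open ports the baseline does not allow and (b) version banners the scanner could read."""
    findings = []
    for host, ports in scan.items():
        for port, _proto, service, version in ports:
            if port not in baseline.get(host, set()):
                findings.append((host, port, "unexpected exposure", service))
            if version:
                findings.append((host, port, "banner leaks version", version))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print("%s:%d  %s (%s)" % finding)
```

Anything reported as "unexpected exposure" is a service to disable or to restrict at the firewall to the hosts that need it, as the comments on the first answer discuss; "banner leaks version" entries show what a scanner learns before any exploit is even attempted.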