This page should be useful for most computers providing IP-based
network services. There are, however, some site- and platform-
dependent comments and attitudes expressed.
This document was originated in concept and form by Larry Doolittle
with contributions by Steve Wood.
The concept of "ports", or "network services", is given in the basic
TCP and UDP specifications (RFC 793, RFC 768), which in turn are based
on IP (RFC 791). Many of these services are covered by IETF
STD documents, indexed by the IETF at http://www.rfc-editor.org/rfc.html
as well as in this document.
A mapping from protocol and port number to short descriptive
text is found in the file /etc/services. This file forms the
database for library calls
getservbyname,
getservbyport,
getservent,
setservent, and
endservent.
The condensed recommendation for all these ports is,
"If you don't use it, turn it off!" There is no reason to
have extra open ports enabled in inetd, or extra daemon processes
lying around. Any enabled, unattended program provides an attacker
with a potential means of entry. Every disabled program gives you
a chance to snicker nonchalantly at every security bulletin involving
that program.
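The two paragraphs above describe the /etc/services mapping and the
"turn it off" policy. The following sh script (an added example, not
part of the original page) does what getservbyport does by hand on a
constructed /etc/services excerpt, applies it to a constructed list of
listening sockets in "netstat -an" style, and flags the services this
page says to leave off. The service names, the listener list, and the
DISABLE_UNLESS_NEEDED policy are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page: resolve listening ports to
# /etc/services names (as getservbyport(3) would) and flag the ones a
# site policy says to disable. All inputs below are constructed samples.

# Constructed excerpt in /etc/services format: name port/proto [aliases]
SAMPLE_SERVICES='# constructed sample, not a real /etc/services
echo    7/tcp
echo    7/udp
ftp     21/tcp
ssh     22/tcp
telnet  23/tcp
smtp    25/tcp   mail
http    80/tcp   www
pop3    110/tcp  pop-3
ntp     123/udp
imap    143/tcp  imap2
x11     6000/tcp'

# Constructed listening sockets, "proto local-address" per line
SAMPLE_LISTENERS='tcp 0.0.0.0:22
tcp 0.0.0.0:23
tcp 0.0.0.0:25
udp 0.0.0.0:7
tcp 0.0.0.0:6000
tcp 0.0.0.0:8080'

# Assumed site policy: services to leave off unless actively needed
DISABLE_UNLESS_NEEDED='echo telnet x11'

# servbyport PORT PROTO -> service name, or "unknown" if not in the table
servbyport() {
  printf '%s\n' "$SAMPLE_SERVICES" | awk -v port="$1" -v proto="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }          # skip comments / blank
    { split($2, pp, "/")                        # "7/tcp" -> 7, tcp
      if (pp[1] == port && pp[2] == proto) { print $1; found = 1; exit } }
    END { if (!found) print "unknown" }'
}

# audit_listeners -> one line per socket: proto port name OK|DISABLE
audit_listeners() {
  printf '%s\n' "$SAMPLE_LISTENERS" | while read -r proto addr; do
    port=${addr##*:}                             # strip "address:"
    name=$(servbyport "$port" "$proto")
    flag=OK
    for d in $DISABLE_UNLESS_NEEDED; do
      [ "$d" = "$name" ] && flag=DISABLE
    done
    printf '%s %s %s %s\n' "$proto" "$port" "$name" "$flag"
  done
}

# count_flagged -> number of listeners the policy says to turn off
count_flagged() {
  audit_listeners | grep -c ' DISABLE$' || true
}
```

On a real host, replace SAMPLE_SERVICES with the contents of
/etc/services and SAMPLE_LISTENERS with the LISTEN lines of netstat -an;
ports that resolve to "unknown" (8080 above) deserve a look too, since
an unregistered listener is exactly the sort of daemon this page warns
about.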
echo
Ports: TCP and UDP port 7
Function: Sends back whatever data it receives.
Advantages: Trivial connectivity check when debugging a network.
Disadvantages: UDP echo can be abused in denial of service attacks,
for example by bouncing spoofed packets between two echo ports.
Recommendation: Leave it off unless you are actively debugging networks.
References: RFC 862
ftp
Ports: TCP port 21 for control; data transfer uses TCP port 20
(active mode) or dynamically assigned higher numbered ports (passive mode).
Function: File Transfer Protocol
Advantages: Old enough to be (nearly) universally accessible
Disadvantages: Heavy reliance on the privileged-port concept;
many implementations have run as root and have had serious security flaws.
Modern implementations are easy to misconfigure into a weak state.
Recommendation: Replace function with scp (ssh)
If that is impractical, use a recent wu-ftpd with anonymous feature disabled.
In that case, remove the entry for 'ftp' from /etc/passwd.
References: RFC 959
ssh
Ports: TCP port 22
Function: secure shell access, file transfer, and more
Advantages: cryptographically secure replacement for telnet,
rsh, and ftp.
Disadvantages: Cryptographic software is tied up in knots
over patents and international law. There is only one implementation,
and it is free only for unix; Windows clients are available
but commercial.
Recommendation: Far better than anything else. ssh
on unix is legal at no charge for JLab, if built with
--with-rsaref --without-idea.
References: http://www.cs.hut.fi/ssh/
telnet
Ports: TCP port 23
Function: Network access to the machine, usually to provide
access to user commands from a shell.
Advantages: Universal and useful.
Disadvantages: Passwords are sent in cleartext over the net, where
they can be sniffed and replayed.
Recommendation: Migrate to ssh as rapidly as possible, especially
for off-site access.
Do not use for root access, either directly or by su'ing from a user telnet
session.
References: RFC 854, RFC 855
smtp
Ports: TCP port 25
Function: Mail Transfer
Advantages: Simple, widely used. RedHat installations
practically demand that a Mail Transfer Agent (MTA) be installed.
Disadvantages: Standards must have been written badly - most
implementations are demonstrably substandard. The classic unix
implementation (sendmail) has a horrible history of security problems.
Recommendation: Under consideration. Either
disable the network port of sendmail (change the options invoking sendmail
in /etc/rc.d/init.d/sendmail from "-bd -q1h" to "-q30m", so it no longer
listens on port 25 but still runs the queue every 30 minutes),
or switch to qmail.
References: RFC 821, RFC 822, www.qmail.org
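The recommendation above boils down to one option change in the init
script. The sh functions below (an added example, not from the original
page or from sendmail) check whether a sendmail invocation line opens the
listener and rewrite it as the page suggests. The init-script line is a
constructed sample; the real file may differ.

```shell
#!/bin/sh
# Added example, not from the original page: detect and remove sendmail's
# network listener (-bd) from an init-script line while keeping queue
# processing. SAMPLE_INIT_LINE is a constructed sample.

# Constructed line in the style of /etc/rc.d/init.d/sendmail
SAMPLE_INIT_LINE='daemon /usr/sbin/sendmail -bd -q1h'

# sendmail_listens LINE -> exit 0 if LINE starts sendmail as a daemon
# on port 25 (-bd present), exit 1 otherwise
sendmail_listens() {
  case " $1 " in
    *" -bd "*) return 0 ;;
    *)         return 1 ;;
  esac
}

# disable_listener LINE -> LINE with -bd dropped and the queue interval
# set to 30 minutes, so outgoing and local mail still gets delivered
disable_listener() {
  printf '%s\n' "$1" | sed -e 's/ -bd / /' -e 's/ -bd$//' \
                           -e 's/-q[0-9][0-9]*[smhdw]/-q30m/'
}

# queue_interval LINE -> the -q argument, e.g. "30m", or "none"
queue_interval() {
  case " $1 " in
    *" -q"*) printf '%s\n' "$1" | sed 's/.* -q\([0-9][0-9]*[smhdw]\).*/\1/' ;;
    *)       echo none ;;
  esac
}
```

The same pattern applies to any daemon started from an rc script: grep
the start line for the flag that opens the listener, and re-check after
editing rather than trusting the edit.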
http
Ports: TCP port 80 by default, but a server can run on any port.
TCP ports 81, 8000, and 8080 are commonplace for testing purposes or
to run multiple servers on a single machine.
Function: Lightweight document transfer, primarily used
for the World-Wide-Web.
Advantages: Simple and effective for making documents
publicly available. Expandable to give access to programmatic
data and upload of data.
Disadvantages: Authentication of the user is awkward
and/or unreliable.
Recommendation: To post a few documents to the web, it
makes more sense to upload them to CUE, in your public_html directory.
If you have a larger scale use in mind, or one that involves CGI
programming, you can run a server if you register it. Apache, WN, and
Boa all have good security histories.
pop
Ports: TCP port 110
Function: Retrieve mail from a server to typically PC-based clients
such as Eudora, Netscape, etc.
Advantages: Users can read mail from multiple locations; works with
modern browsers and mail clients.
Disadvantages: Password is sent in clear text over the network.
Typical sniffers look for POP passwords.
Recommendation: Under consideration. Perhaps restrict pop to unix servers
reached through an ssh wrapper (port forwarding).
References: RFC 1939
imap
Ports: TCP port 143
Function: Access and manage mail folders kept on a central server.
Advantages: Keeps mail folders on a central server, so reading mail
from multiple locations is even more convenient. There is some talk of better
authentication, but it is unknown whether this is part of current implementations.
Disadvantages: As with pop, the password is sent in clear text
unless a stronger authentication mechanism is negotiated.
References: RFC 2060
ntp
Ports: UDP port 123
Function: Synchronization of time between unix machines.
Recommendation: Install on all unix machines. Accurate clocks make it
possible to correlate logs across machines when analyzing hacker activity.
References: RFC 1305
X
Ports: TCP port 6000, or 6001 and up when multiple servers
run on a single machine.
Function: Drawing and reading pixels from the video screen,
monitoring and configuring the keyboard and pointing device.
Advantages: Standardized means of allowing a graphical
program on one computer to interact with a user stationed at
another computer or terminal. In many cases this is the primary
motivation to have the computer in the first place.
Disadvantages: Security is notoriously weak; anyone allowed to
connect to the display can read keystrokes and screen contents.
Recommendation: If you need it, use it. Keep authorization
in check: no "xhost +". Secure operation is usually possible with
the combination of MIT-MAGIC-COOKIE-1 (see man xauth) and ssh.
References: http://www.xfree86.org/
Created: 28 August, 1997
Original Authors:
Larry Doolittle,
Steve Wood