Personal computing discussed


 
Terra_Nocuus
Gerbil Team Leader
Topic Author
Posts: 228
Joined: Sun Mar 30, 2003 10:27 pm
Location: Michigan, USA

Open Ports and firewalls, etc

Thu Aug 21, 2003 9:41 am

Just doing some reading on firewalls, and I grew curious about the sheer number of ports that can be open without the average user knowing. So, I used nmapwin to find my own open ports, and I noticed an interesting one: "445/tcp microsoft-ds" was the tag... is that for Windows Update? Also, which ports should be kept open (i.e., internet, intra-network file sharing) and which of the 1700 available should be kept closed?

Thanks!
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Open Ports and firewalls, etc

Thu Aug 21, 2003 9:55 am

Terra_Nocuus wrote:
Just doing some reading on firewalls, and I grew curious about the sheer number of ports that can be open without the average user knowing. So, I used nmapwin to find my own open ports, and I noticed an interesting one: "445/tcp microsoft-ds" was the tag... is that for Windows Update? Also, which ports should be kept open (i.e., internet, intra-network file sharing) and which of the 1700 available should be kept closed?

Thanks!

Unless you are running a publicly accessible server (web, ftp, etc.), all ports should be closed, as seen from the Internet side of your connection. If you have multiple machines on a LAN that share a broadband connection, that means a dedicated firewall (either stand-alone, or a Linux/FreeBSD system with two NICs that has been configured to act as a firewall/router) between the LAN and your broadband modem.
Nostalgia isn't what it used to be.
 
eitje
Gerbil Elite
Posts: 661
Joined: Fri Mar 07, 2003 11:28 am

Thu Aug 21, 2003 10:48 am

445 is microsoft directory services (i.e. Active Directory). you can safely block this port if your computer is running the firewall and is directly connected to the internet.

as for what you should turn off - everything. just block it all at the beginning. as you go on, you'll find out which ports your computer wants to use by checking your firewall logs whenever you fire up a program and it doesn't work correctly. ;)

if the firewall software you want to use allows you to turn ports on and off dynamically and quickly, i'd recommend setting up some profiles for your favorite programs, and then leaving them off unless you're using them.

just remember: firewalls typically block unrequested incoming connections. you'll still be able to browse & ftp & such because those are all outgoing connections. however, some parts of chat clients (file transfer in AIM, for example) require some ports be opened for their use.
Your ideas intrigue me; I would like to purchase stock in your company.
 
Terra_Nocuus
Gerbil Team Leader
Topic Author
Posts: 228
Joined: Sun Mar 30, 2003 10:27 pm
Location: Michigan, USA

Thu Aug 21, 2003 10:54 am

thanks! i also wondered if 445 was sending info to microsoft.... lol
 
eitje
Gerbil Elite
Posts: 661
Joined: Fri Mar 07, 2003 11:28 am

Thu Aug 21, 2003 11:16 am

if you want to see what information is coming out of and going into your computer, you can use a packet sniffer.

I like the Coke sniffer, but everyone has their preferences. whatever sniffer you use, you might not be able to determine what data is stored in the packet, but often they'll support reverse lookup on IPs, so you'll be able to see the computer + domain for the source or destination of a packet.

if you want to learn about TCP/IP, you can check google, or check out a few of these slides.
Your ideas intrigue me; I would like to purchase stock in your company.
 
dolemitecomputers
Minister of Gerbil Affairs
Posts: 2600
Joined: Wed Dec 26, 2001 7:00 pm
Location: Utah

Thu Aug 21, 2003 12:21 pm

For packet capturing I like ethereal and for port scanning I normally use Nmap:

http://www.ethereal.com/
http://www.insecure.org/nmap/
 
Canuckle
Gerbil XP
Posts: 387
Joined: Sun Jul 13, 2003 6:20 pm

Re: Open Ports and firewalls, etc

Sat Aug 23, 2003 1:56 pm

Terra_Nocuus wrote:
Just doing some reading on firewalls, and I grew curious about the sheer number of ports that can be open without the average user knowing. So, I used nmapwin to find my own open ports, and I noticed an interesting one: "445/tcp microsoft-ds" was the tag... is that for Windows Update? Also, which ports should be kept open (i.e., internet, intra-network file sharing) and which of the 1700 available should be kept closed?

Thanks!


1) There are more than 1700 available ports - the numbering starts at 0, and goes to 65,535. 0 to 1023 is registered services, anything above 1023 is unregistered. The differentiation between registered and unregistered only means that a service is reliably known to use that port by default. For example, 80 is for a webserver but I can set a webserver to use 8080 or whatever I choose.

The unregistered ports are difficult to screen - these are the ports that clients use to establish connections. For example, starting IE will bind it to an unregistered port - you are connecting to the server on the server's port 80, NOT yours. Same when using FTP - your client is using a port above 1023 and connecting to an FTP server on the server's port 20/21.

2) Poster #2 is incorrect that EVERY port will be closed unless running a server - such is ONLY the case when using a firewall and/or router that has not been set properly. Turning on file & printer sharing will open ports 137 to 139 for NetBIOS, *nix systems will have port 514 open by default for syslog... Use the netstat command to see what your system has active - this is how you find trojans, by noticing an IP address outside your network.
 
dolemitecomputers
Minister of Gerbil Affairs
Posts: 2600
Joined: Wed Dec 26, 2001 7:00 pm
Location: Utah

Sat Aug 23, 2003 2:10 pm

Thanks for the good info Canuckle.
 
Buub
Maximum Gerbil
Posts: 4969
Joined: Sat Nov 09, 2002 11:59 pm
Location: Seattle, WA

Sat Aug 23, 2003 5:28 pm

"microsoft-ds" is used when you are running multiple Windows computers on a network that are coordinated with a Domain Controller.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Open Ports and firewalls, etc

Sat Aug 23, 2003 11:56 pm

Canuckle wrote:
The unregistered ports are difficult to screen - these are the ports that clients use to establish connections. For example, starting IE will bind it to an unregistered port - you are connecting to the server on the server's port 80, NOT yours. Same when using FTP - your client is using a port above 1023 and connecting to an FTP server on the server's port 20/21.

This is the issue that a "stateful firewall" is designed to address. It actually monitors the outgoing connections, and only allows incoming traffic that has specifically been requested by something behind the firewall.
Nostalgia isn't what it used to be.
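Added example (not code from any poster): a small Python model of the stateful firewall just brew it! describes, showing why the ephemeral client ports Canuckle mentions need no static rules. The inside network prefix, hosts, ports and packets are all constructed.

```python
"""Minimal model of a stateful firewall: inbound traffic is admitted only when
it reverses an outbound connection the firewall already saw.
Added example, not code from the thread; addresses and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP connection start; ignored for UDP


class StatefulFirewall:
    def __init__(self, inside_prefix):
        self.inside = inside_prefix   # e.g. "192.168.1." (assumed LAN prefix)
        self.table = set()            # tracked 5-tuples, direction inside -> outside

    def _is_inside(self, host):
        return host.startswith(self.inside)

    def handle(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet and update the state table."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: remember the tuple so the reply can come back in.
            if pkt.proto == "UDP" or pkt.syn or key in self.table:
                self.table.add(key)
                return "ALLOW"
            return "DROP"   # TCP data with no SYN and no state: not a real session
        # Inbound: allowed only if it is the reverse of a tracked outbound tuple.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if reverse in self.table else "DROP"


def demo():
    fw = StatefulFirewall("192.168.1.")
    # Browser on an ephemeral port (1110) opens HTTPS to an outside server.
    out = fw.handle(Packet("TCP", "192.168.1.10", 1110, "203.0.113.5", 443, syn=True))
    reply = fw.handle(Packet("TCP", "203.0.113.5", 443, "192.168.1.10", 1110))
    # Unsolicited packet aimed at that same ephemeral port from another host.
    probe = fw.handle(Packet("TCP", "198.51.100.9", 443, "192.168.1.10", 1110))
    # Unsolicited inbound to 445 (microsoft-ds): nothing inside asked for it.
    smb = fw.handle(Packet("TCP", "198.51.100.9", 40000, "192.168.1.10", 445))
    return out, reply, probe, smb
```

Only the reply that matches the outbound tuple gets through; both unsolicited packets are dropped without any per-port rule.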
 
Canuckle
Gerbil XP
Posts: 387
Joined: Sun Jul 13, 2003 6:20 pm

Re: Open Ports and firewalls, etc

Sun Aug 24, 2003 2:20 pm

just brew it! wrote:
This is the issue that a "stateful firewall" is designed to address. It actually monitors the outgoing connections, and only allows incoming traffic that has specifically been requested by something behind the firewall.


However, even that can be spoofed which is why I prefer actual stateful packet inspection (SPI) - the actual inspection of packets rather than whether the connection had been initiated from inside the network or not.
 
BigMadDrongo
Gerbil Elite
Posts: 909
Joined: Mon Apr 29, 2002 12:57 pm
Location: London, UK

Sun Aug 24, 2003 2:30 pm

Hmmm... just ran netstat and I noticed some... interesting connections.
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    myhostname:1058        myhostname.domain:1059  ESTABLISHED
  TCP    myhostname:1059        myhostname.domain:1058  ESTABLISHED
  TCP    myhostname:1110        ip-like-number.deploy.akamaitechnologies.com:https  ESTABLISHED

(I've snipped the ones I've been able to identify.)

Anyone know what the last one might be? And why my computer is connecting to itself like that (the first two)? (I don't really think it's dangerous, but I was wondering if it's possible to spoof that field, in which case it could be something suspect masquerading as my computer.)
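Added example (not code from any poster): a Python triage of netstat output in the shape posted above, applying Canuckle's advice to look for established connections to addresses outside your own machine and LAN. The sample listing, host name and LAN range are constructed.

```python
"""Triage 'netstat -an'-style output: list established connections whose far
end is neither this host nor the local LAN. Added example, not from the thread;
the sample lines, host name and LAN range are constructed."""
import ipaddress
import re

# Constructed sample modelled on the listing posted in the thread.
SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    myhostname:1058        myhostname.domain:1059  ESTABLISHED
  TCP    myhostname:1059        myhostname.domain:1058  ESTABLISHED
  TCP    myhostname:1110        ip-like-number.deploy.akamaitechnologies.com:https  ESTABLISHED
  TCP    192.168.1.10:1234      192.168.1.20:139       ESTABLISHED
  TCP    192.168.1.10:1235      203.0.113.7:6667       ESTABLISHED
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""

LOCAL_NAMES = {"myhostname", "myhostname.domain", "localhost"}   # assumed
LAN = ipaddress.ip_network("192.168.1.0/24")                     # assumed LAN

ROW = re.compile(r"\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)")


def parse(text):
    """Return (proto, local, foreign, state) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, local, foreign, state or ""))
    return rows


def classify(host):
    """'self' for this machine, 'lan' for the local subnet, else external."""
    if host in LOCAL_NAMES:
        return "self"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external-name"   # a DNS name that is not our own host
    if ip.is_loopback or ip.is_unspecified:
        return "self"
    return "lan" if ip in LAN else "external-ip"


def suspicious(text):
    """Established connections leaving this host and its LAN, worth a second look."""
    out = []
    for proto, local, foreign, state in parse(text):
        host, _, port = foreign.rpartition(":")
        if state == "ESTABLISHED" and classify(host).startswith("external"):
            out.append((proto, foreign, classify(host)))
    return out
```

The two self-connections and the LAN file-sharing session drop out; the Akamai HTTPS session and the IRC-port connection to an outside address are what is left to identify.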
 
thegleek
Darth Gerbil
Posts: 7460
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Mon Aug 25, 2003 12:34 pm

have you looked at this site lately?

http://www.jiscorp.com/ports/ports.asp

also, i wouldn't be so anal in looking at yer netstat -an all the time...

stuff happens A LOT behind the scenes when you use many programs
and surf many websites... mostly ads..
––•–√\/––√\/––•–– nostalgia is an emotion for people with no future ––•–√\/––√\/––•–-
 
BigMadDrongo
Gerbil Elite
Posts: 909
Joined: Mon Apr 29, 2002 12:57 pm
Location: London, UK

Mon Aug 25, 2003 6:28 pm

thegleek wrote:
have you looked at this site lately?

http://www.jiscorp.com/ports/ports.asp

No, but this one is more complete anyway.

thegleek wrote:
stuff happens A LOT behind the scenes when you use many programs
and surf many websites... mostly ads..

Like I said, I snipped several other connections after managing to identify and classify them as harmless. I was wondering what those two things might be, since they're the ones I couldn't identify, and since we were on the subject I thought I might as well ask.
 
dolemitecomputers
Minister of Gerbil Affairs
Posts: 2600
Joined: Wed Dec 26, 2001 7:00 pm
Location: Utah

Mon Aug 25, 2003 8:53 pm

You might want to check this:

http://www.google.com/search?hl=en&lr=& ... .%2Bcom%22

I guess Akamai is some sort of network security/software company(?). I'm not sure why it was showing up unless someone is using them as a proxy but it did show https so maybe it was through a website you went to.

http://www.akamai.com/index.html
 
Canuckle
Gerbil XP
Posts: 387
Joined: Sun Jul 13, 2003 6:20 pm

Mon Aug 25, 2003 9:11 pm

BigMadDrongo wrote:
Hmmm... just ran netstat and I noticed some... interesting connections.
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    myhostname:1058        myhostname.domain:1059  ESTABLISHED
  TCP    myhostname:1059        myhostname.domain:1058  ESTABLISHED
  TCP    myhostname:1110        ip-like-number.deploy.akamaitechnologies.com:https  ESTABLISHED

(I've snipped the ones I've been able to identify.)

Anyone know what the last one might be? And why my computer is connecting to itself like that (the first two)? (I don't really think it's dangerous, but I was wondering if it's possible to spoof that field, in which case it could be something suspect masquerading as my computer.)


To answer your first question, Akamai is a company that provides load balancing to its customers by pinging you (unless they've changed recently) to establish your geographic location and load balance by using the closest server. Suffice it to say, nothing to worry about.

To your second, something looks to be resolving myhostname.domain to localhost - something that requires a domain name. Don't happen to remember anything that you would have installed that would require this? It's resolving back to your computer so I wouldn't worry about it though.
 
Canuckle
Gerbil XP
Posts: 387
Joined: Sun Jul 13, 2003 6:20 pm

Mon Aug 25, 2003 9:33 pm

thegleek wrote:
also, i wouldn't be so anal in looking at yer netstat -an all the time...


Where do you get "anal" - the person posted one result and was curious.

thegleek wrote:
stuff happens A LOT behind the scenes when you use many programs
and surf many websites... mostly ads..


Thanks Tips.

Why not post something supportive rather than moderately demeaning and unsupportive?
 
dolemitecomputers
Minister of Gerbil Affairs
Posts: 2600
Joined: Wed Dec 26, 2001 7:00 pm
Location: Utah

Mon Aug 25, 2003 9:44 pm

Can I ask what you do Canuckle? You seem to know your stuff. :wink:
 
BigMadDrongo
Gerbil Elite
Posts: 909
Joined: Mon Apr 29, 2002 12:57 pm
Location: London, UK

Tue Aug 26, 2003 2:15 pm

Canuckle wrote:
To your second, something looks to be resolving myhostname.domain to localhost - something that requires a domain name. Don't happen to remember anything that you would have installed that would require this? It's resolving back to your computer so I wouldn't worry about it though.

Thanks for the help (yeah, I should have thought of google too :)). myhostname.domain is an edit - I didn't post the actual one since that would have all but given away my one remaining spam-free (so far!) email address on a public forum. Not that I think anyone on the TR forums would spam, but I'm just protective of this address :) I have the domain name set up for my uni network. No idea what that self-connection is, but since I'm guessing something eating its own tail can't really harm me I may as well just live in blissful ignorance :)
 
Canuckle
Gerbil XP
Posts: 387
Joined: Sun Jul 13, 2003 6:20 pm

Tue Aug 26, 2003 11:04 pm

dolemitecomputers wrote:
Can I ask what you do Canuckle? You seem to know your stuff. :wink:


Thnx - I volunteer to help staff http://www.dalantech.com, a site focused on computer networking.
 
Canuckle
Gerbil XP
Posts: 387
Joined: Sun Jul 13, 2003 6:20 pm

Tue Aug 26, 2003 11:08 pm

BigMadDrongo wrote:
Thanks for the help (yeah, I should have thought of google too :)). myhostname.domain is an edit - I didn't post the actual one since that would have all but given away my one remaining spam-free (so far!) email address on a public forum. Not that I think anyone on the TR forums would spam, but I'm just protective of this address :) I have the domain name set up for my uni network.


No worries - completely understandable.

BigMadDrongo wrote:
No idea what that self-connection is, but since I'm guessing something eating its own tail can't really harm me I may as well just live in blissful ignorance :)


lol - sounds like a plan :)
