Article
How to Close Exposed High-Risk Ports
Learn about the most commonly targeted ports and what you can do to help keep your business secure
What is a port?
A port enables different pieces of technology to share information. For many people, things like a USB port or headphone jack may come to mind. These are examples of a physical port, which directs the flow of information from one device to another.
Similarly, a network port enables devices to share information remotely over the internet — and network ports are the ones that often create the most cyber risk.
Ports function a lot like a door. When a port is open, information is allowed to flow in and out of a network. When a port is closed, the flow of information is restricted, and only those who are authorized can open the port.
Why is an exposed port considered high-risk?
There are numerous types of ports, each with a purpose and dedicated function. Most businesses have dozens, if not hundreds, of ports within their technologies that are used regularly. The problem is that, when a port is not properly closed after being used, the port can be accessed and exploited by cyber attackers.
Attackers routinely scan the internet looking for exposed ports, and a port that is open externally to the public internet signals easy access. An exposed port can allow attackers to gain access to your business network and perform malicious actions, including encrypting and stealing sensitive data and launching a ransomware attack.
However, not all ports are considered “high-risk,” and some ports can remain open and in use, without significant risk, as long as they are properly monitored and maintained. (Scroll down for a list of high-risk ports that are frequently targeted by attackers.)
How can I make high-risk ports more secure?
1. Identify your exposed ports
Figure out which of your network ports are exposed to the public internet by scanning your IT stack. However, if you’re considering a cyber insurance policy with At-Bay, we’ll do this for you.
At the time of quoting a policy, we conduct a non-invasive perimeter security scan of your business to assess your cyber risk. Our proprietary technology scans for dozens of known vulnerabilities, and the findings are compiled into a security report that lists your exposed high-risk ports.
2. Determine how your ports are used
Many businesses have ports that do not need to be open. Our security scan can help you determine how your ports are being used and, more importantly, if they need to be open.
Different ports on your network are connected to different services. Before you close an open port, make sure you understand the services to which it’s connected. If an open port is deemed necessary for business operations, we recommend reinforcing it with additional security measures so it is not exposed to the public internet.
3. Close your exposed high-risk ports
There are several ways to close a specific port. You can close the actual application or service that is using the high-risk port, or you can change the settings on that application or service to make it more secure.
If your business has firewalls in place, you can also close or set specific traffic rules for high-risk ports to ensure they are not abusable by attackers.
Please note: Even if your business is not managed by a central firewall, servers (Windows and Linux alike) have their own, built-in firewalls that can be configured manually.
To prevent misconfigurations, At-Bay recommends that any changes to security settings for network protocols be performed by an IT professional. If you do not have the in-house technical resources to implement these changes, please contact your IT provider.
Which ports should I focus on?
The following ports are considered “high-risk” because they are commonly targeted by attackers. These ports should not be exposed to the public internet.
- RDP Ports
- VNC Ports
- Telnet Ports
- ICS Ports
- Database Ports
- LDAP Ports
- UPnP Ports
- X11 Ports
To learn more about what you can do to help keep your business secure, scroll down to the ports that are most relevant to you.
RDP Ports
What is RDP?
Remote Desktop Protocol (RDP) is a protocol that allows you to remotely connect to other computers over a network. An RDP port that is open externally to the public internet signals easy access to attackers.
Why is it important to close an exposed RDP port?
An exposed RDP port is the fastest way for attackers to gain access to your network. That’s why it’s the most popular method used among attackers, and why compromised RDP is the leading cause of ransomware attacks.
If your organization has an exposed RDP port, it immediately indicates poor security and raises your chances of experiencing a cyber attack. The easiest way to address this issue is to close your RDP port.
Can I safely use RDP without exposing the vulnerable protocol on Port 3389?
Yes, you may run the Remote Desktop Gateway traffic over SSL on Port 443, while keeping Port 3389 closed. An example of this implementation is Duo Authentication: duo.com/docs/rdw-rdg
Common RDP ports: 3389, 3391 (User Datagram Protocol)
VNC Ports
What is VNC?
Virtual Network Computing (VNC) is a desktop sharing system that allows you to remotely view and control another computer over a network connection. VNC is often used for IT support and frequently targeted by attackers looking for full access to a computer. Some popular options for VNC software are AnyDesk, TeamViewer, and Chrome Remote Desktop.
Why is it important to close an exposed VNC port?
Attackers commonly use VNC ports to gain access to business networks. Once access is gained, attackers can remotely control a computer to steal, encrypt, or destroy your business data.
Common VNC ports: 5800, 5900 (Transmission Control Protocol)
Telnet Ports
What is Telnet?
Telnet (historically called Teletype Over Network Protocol) is an application protocol that allows you to remotely connect over a network.
Why is it important to close an exposed Telnet port?
Telnet is considered to be a highly insecure and outdated protocol and should not be used for outward facing servers. Telnet does not encrypt traffic, which means attackers can access your business’ servers, steal passwords, and attack your network.
Common Telnet ports: 23 (TCP)
ICS Ports
What is ICS?
Industrial Control System (ICS) is a group of protocols that allows you to see or control physical devices through a network. The devices and protocols used in an ICS can be seen in many industries, including manufacturing, transportation, energy, and water treatment.
Why is it important to close an exposed ICS port?
When exposed, an ICS device can be accessed and controlled by an attacker who can disrupt the devices connected to the network. When an ICS port is targeted in a cyber attack, the results can include business interruption, damaged equipment, data theft, and significant financial loss.
ICS ports are very broad and, if closed without careful consideration, can cause disruption to your business.
Common ICS ports: Numerous options, highly dependent on product.
Database Ports
What is a database?
A database is used to store organizational data, and that data is often highly sensitive. Sensitive data is more likely to be exfiltrated when a port to a database is open. Some popular database options include MySQL, Oracle, and Microsoft SQL.
Why is it important to close an exposed database port?
Attackers routinely scan the internet looking for exposed database ports, and a port that is open externally can expose your data to theft and threaten critical operations. Leaving an open database port shows a very weak point in a network and makes an attractive target for attackers.
Common database ports: 3306: ‘MySQL’; 1434: ‘Microsoft SQL ‘; 5984: ‘Couch DataBase; 6379: ‘Redis’ (TCP)
LDAP Ports
What is LDAP?
Lightweight Directory Access Protocol (LDAP) is a cross-platform protocol used for directory services authentication. LDAP authenticates Active Directory, which contains user credentials, computers, servers, and other network information.
Why is it important to close an exposed LDAP port?
Using LDAP to gain access to the Active Directory can allow an attacker to steal, encrypt, or destroy business data.
Common LDAP ports: 389 (TCP and UDP); 636 (TCP)
UPnP Ports
What is UPnP?
Universal Plug and Play (UPnP) is a set of protocols that allows physical devices like routers, personal computers, mobile devices and printers to discover each other on a network and interact.
Why is it important to close an exposed UPnP port?
IT vendors often leave UPnP ports open, which creates an opportunity for attackers to take control of the devices, gain access to a network, and deploy malware.
Common UPnP ports: 5000, 1900 (UDP)
Anonymous FTP Ports
What Is FTP?
File Transfer Protocol (FTP) is a method of transmitting files over the internet, and an FTP server is where files are stored.
Why is it important to remove anonymous permissions for FTP?
If anonymous users are allowed to access an FTP server, an attacker can read the data and upload malicious files. FTP with anonymous permissions is considered to be a highly insecure practice and should not be used for outward-facing servers.
Common FTP ports: 21, 2121 (TCP)
Visit our Knowledge Center to learn more about ransomware attack vectors