TCP/IP networks assign a port to each service, such as HTTP, Simple Mail Transfer Protocol (SMTP), and Post Office Protocol version 3 (POP3). The port is identified by a number, called a port number, which the host uses to deliver incoming data to the correct service. For example, when a client browser requests a server's Web page, the request is directed to port 80 on the server. The Web service receives the request and sends the page back to the client. Port numbers exist separately for TCP and for UDP, so the same number can be, and usually is, assigned to a service on both transports. Port 53, for example, is used for the Domain Name System (DNS) on both: UDP port 53 carries ordinary DNS queries (resolving domain names to IP addresses), while TCP port 53 carries zone transfers between DNS servers and any query whose answer is too large to fit in a single UDP datagram.

Well-Known and Registered Ports

RFC 1700 divides the port space into two ranges: well-known ports and registered ports. Well-known ports are the ones permanently assigned to particular network services by the Internet Assigned Numbers Authority (IANA); the local file /etc/services is a copy of that list, and it is how tools such as netstat turn a number back into a service name. For example, SMTP is assigned port 25 and HTTP is assigned port 80, and servers listen on the network for requests at these well-known ports.

Registered ports, 1024 and up under RFC 1700, are the numbers that applications may register for their own services. IANA today splits that range into registered ports (1024 to 49151) and dynamic or private ports (49152 to 65535), and RFC 1700 itself has been superseded by RFC 3232 and the online registry at https://www.iana.org/assignments/service-names-port-numbers. The temporary ports a client uses are a different thing: ephemeral ports. For each new outbound connection the operating system picks a source port from its configured range; when the connection closes the number is released and can be reused by another program. Older systems began allocating ephemeral ports at 1024, which is why the client ports in the capture discussed below are 1025 and 1026; current Linux kernels default to the range 32768 to 60999 (net.ipv4.ip_local_port_range). The port number ranges are classified, as shown in Table 2.1, according to Request for Comments (RFC) 1700. To access RFC 1700, go to ftp://ftp.isi.edu/in-notes/rfc1700.txt.

Table 2.1 Port Number Ranges for Various Types

Type          Range
Well-known    1 to 1023
Registered    1024 to 65535

On UNIX and Linux, only a process running as root (or, on current Linux, one holding the CAP_NET_BIND_SERVICE capability) can bind a listening socket to a port below 1024, so a service found on port 1023 or below can be assumed to have been started with root-level privileges. This also means that an untrusted service should never be configured with a port number below 1024, because it would have to be run as root in order to bind it. You will see how well-known ports work with ephemeral ports shortly.
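As an added example (not code from the book), the following shell functions do the two lookups this section describes by hand: resolve a service name to its TCP and UDP entries from an /etc/services-format table, and classify a port number under both the RFC 1700 split of Table 2.1 and the three-range split IANA uses today. The services table is a constructed excerpt so that the block runs anywhere; on a real host, pipe /etc/services into svc_lookup instead.

```shell
# Added example, not from the book: service-name lookup in /etc/services
# format and port-range classification. SERVICES_SAMPLE is a constructed
# excerpt; feed the real file with:  svc_lookup domain < /etc/services

SERVICES_SAMPLE='# service-name  port/protocol  [aliases...]   # comment
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp
smtp            25/tcp          mail
domain          53/tcp                          # Domain Name Server
domain          53/udp
finger          79/tcp
http            80/tcp          www www-http    # WorldWideWeb HTTP
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper
sunrpc          111/udp         portmapper
imap            143/tcp         imap2
'

# Print "port/proto" for every entry whose name or alias is $1; table on stdin.
svc_lookup() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                  # strip comments (whole-line or trailing)
        NF < 2 { next }                     # blank lines and comment-only lines
        {
            # $1 = name, $2 = port/proto, $3.. = aliases; match any name field
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == want) { print $2; break }
        }'
}

# Classify a port number. $2 chooses the scheme: "rfc1700" (Table 2.1) or
# "iana" (default: the three ranges IANA publishes today).
port_class() {
    local port=$1 scheme=${2:-iana}
    case $port in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    [ "$port" -le 65535 ] || { echo invalid; return 1; }
    if [ "$port" -le 1023 ]; then
        echo well-known
    elif [ "$scheme" = rfc1700 ] || [ "$port" -le 49151 ]; then
        echo registered
    else
        echo dynamic                        # 49152-65535: never assigned to a service
    fi
}

# True (exit 0) when binding a listener to $1 needs root / CAP_NET_BIND_SERVICE.
bind_needs_root() {
    [ "$(port_class "$1" rfc1700)" = well-known ]
}

# Demo: name lookups (aliases included) and classification of a few ports
for name in domain www portmapper finger; do
    printf '%-11s -> %s\n' "$name" \
        "$(printf '%s' "$SERVICES_SAMPLE" | svc_lookup "$name" | paste -s -d ' ' -)"
done
for p in 80 1025 3306 60000 70000; do
    printf 'port %-6s rfc1700=%-10s iana=%-10s needs_root=%s\n' "$p" \
        "$(port_class "$p" rfc1700)" "$(port_class "$p")" \
        "$(bind_needs_root "$p" && echo yes || echo no)"
done
```

Note that svc_lookup matches aliases as well as primary names (www resolves to 80/tcp), and that port_class reports the same number as registered under RFC 1700 but dynamic under the current IANA split once it is above 49151.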
Table 2.2 Commonly Used Well-Known TCP/UDP Port Numbers (only the first entry is preserved here)

FTP (default data): 20

To explain how well-known ports work with ephemeral ports, let's look at a typical Web site connection from a Web browser to a Web server. The client sends the HTTP request from an ephemeral TCP port, such as port 1025. The request is routed across the network to the well-known TCP port 80 of the Web server. Once the session is established, both ends keep using the same pair of ports for that connection: the server continues to use port 80, and the client's requests on that connection continue to carry source port 1025. A browser that opens additional connections to the same server, for example to fetch images, uses a new ephemeral port for each one (1026, and so on), while every one of them is addressed to port 80.

Figure 2.5 is a packet capture that displays the establishment of a TCP session between a client and server, and the transmission of HTTP data between them. In frame 2 of the packet capture, the source address (24.130.10.35) is the client computer requesting the Web page. The destination address (192.0.34.65) is the Web server, which hosts the Internet Corporation for Assigned Names and Numbers (ICANN) Web site. In the Info field, "1025 > 80" indicates that the source TCP port is 1025 and the destination TCP port is 80. The first three frames display the TCP three-way handshake (SYN, SYN/ACK, ACK), which establishes the TCP connection between client and server. In the frames that follow, the client requests HTTP data from the server. The request line names the HTTP version the client wants to use, and the server's status line names the version it will use. The client then requests and downloads the contents of the Web page.

Determining Ports to Block

When determining which ports to block on your server, you must first determine which services you require. In most cases, block every port that is not exclusively required by those services. This is tricky, because you can easily block yourself from services you need, especially services that use ephemeral ports, as explained earlier. If your server is an exclusive e-mail server running SMTP and IMAP, you can block all inbound TCP ports except ports 25 and 143, respectively.
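To make the direction rule concrete (the side that sends the bare SYN from an ephemeral port is the client; the side that answers on the well-known port is the server), here is an added shell/awk example, not part of the book's text, that reads capture summary lines and reports the state of every TCP session in them. The frames are constructed for this example in a "frame src dst proto sport > dport [FLAGS]" layout modelled on the description of Figure 2.5; the same layout can be produced from a real capture with tshark -r file.pcap -T fields -e frame.number -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info (current Wireshark prints an arrow instead of ">" between the ports, which does not matter here because only the two port fields are read).

```shell
# Added example, not from the book: track TCP handshakes in a capture summary.
# CAPTURE_SAMPLE is constructed; each line is
#   frame src dst proto sport > dport [FLAGS] ...
CAPTURE_SAMPLE='1 24.130.10.35 192.0.34.65 TCP 1025 > 80 [SYN] Seq=0 Win=16384 Len=0
2 192.0.34.65 24.130.10.35 TCP 80 > 1025 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0
3 24.130.10.35 192.0.34.65 TCP 1025 > 80 [ACK] Seq=1 Ack=1 Win=17520 Len=0
4 24.130.10.35 192.0.34.65 HTTP GET / HTTP/1.1
5 192.0.34.65 24.130.10.35 HTTP HTTP/1.1 200 OK (text/html)
6 24.130.10.35 192.0.34.65 TCP 1026 > 80 [SYN] Seq=0 Win=16384 Len=0
7 10.0.0.9 192.0.34.65 TCP 40000 > 25 [SYN] Seq=0 Win=65535 Len=0
8 192.0.34.65 10.0.0.9 TCP 25 > 40000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
'

# Read summary lines on stdin; print one line per TCP session:
#   client:port -> server:port STATE [(frames syn,synack,ack)]
# STATE is half-open (SYN only), syn-acked (no final ACK yet),
# established, or refused (the server answered the SYN with RST).
tcp_sessions() {
    awk '
    $4 != "TCP" { next }                       # HTTP/DNS/... summary lines carry no ports here
    {
        fwd = $2 ":" $5 ">" $3 ":" $7          # flow as this frame sends it
        rev = $3 ":" $7 ">" $2 ":" $5          # same flow, as the peer would send it
    }
    /\[SYN\]/      { syn[fwd] = $1; state[fwd] = "half-open"; next }           # client opens
    /\[SYN, ACK\]/ { if (rev in syn) { synack[rev] = $1; state[rev] = "syn-acked" }; next }
    /\[RST/        { if (rev in syn) state[rev] = "refused"; next }            # closed port
    /\[ACK\]/      { if ((fwd in state) && state[fwd] == "syn-acked") {
                         ack[fwd] = $1; state[fwd] = "established" }; next }
    END {
        for (k in state) {
            split(k, e, ">")                   # e[1] = client:port, e[2] = server:port
            line = e[1] " -> " e[2] " " state[k]
            if (state[k] == "established")
                line = line " (frames " syn[k] "," synack[k] "," ack[k] ")"
            print line
        }
    }' | sort
}

# Demo: the established Web session, a second half-open one from port 1026,
# and an SMTP connection attempt refused by the server
printf '%s' "$CAPTURE_SAMPLE" | tcp_sessions
```

The refused entry is what a client sees when it connects to a port that has no listener, which is the condition the later sections on blocking ports aim to create.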
If your server is an exclusive HTTP server, you can block all inbound ports except TCP port 80. In both cases you can block all UDP ports, since HTTP, SMTP, and IMAP use TCP exclusively. However, if you also want to use the server as an HTTP client (for example, to fetch operating system updates) or as an e-mail client of a remote mail server, such a policy will get in your way. A client needs the replies to its own requests to get back in: DNS answers arrive on the ephemeral UDP port the resolver sent the query from, and data from a Web server arrives on the ephemeral TCP port the browser used for the connection. If you open only TCP ports 25, 80, and 143, DNS fails even though the query goes out to UDP port 53 on the name server, because the answer (e.g., the response stating that www.syngress.com = 205.181.158.215) is addressed to the client's ephemeral UDP port, not to port 53. Even if you open port 53 inbound, it does not help, because a different ephemeral port is used for each query. Allowing access in advance to a randomly assigned ephemeral port is impossible with a stateless packet filter, and the same problem applies to TCP connections the server initiates. With such a filter you must therefore either open all TCP/UDP ports above 1023 (so you can use your server as a client) or block them, except for the services you require, and obtain resources such as operating system updates another way. A stateful packet filter removes this dilemma: netfilter's connection tracking (the iptables conntrack or state match) can accept an inbound packet because it belongs to a connection the host itself initiated, or is the answer to a DNS query the host sent, without opening any port range to new connections. Many administrators order the Red Hat Linux Update CDs, which are re-mastered every eight weeks and contain all current updates (www.redhat.com/products/software/linux/updatecd/). You can also simply download the updates from another computer.

Blocking Ports

To block a TCP/UDP port on a Linux host without relying on a packet filter, disable the service that listens on that port. A port with no listener refuses every connection attempt (a TCP reset, or an ICMP port-unreachable message for UDP) and exposes no code to the network. The following sections discuss disabling ports handled by xinetd, and disabling ports assigned to stand-alone services.

Xinetd Services

Each service that xinetd manages has its own file in the /etc/xinetd.d directory. A service is disabled by setting disable = yes inside the braces of that file (Red Hat ships most of these files with a disable line already present). Commenting out the entire service block also works, but commenting out only the line naming the service leaves an orphaned brace block that xinetd will not parse correctly.
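The following is an added example (not from the book) of the two policies this section contrasts, expressed as iptables-restore rulesets for a host that runs only the listed TCP services: the stateful version admits replies to the host's own client connections through connection tracking, and the naive version reproduces the open-the-whole-range workaround so that the two can be compared line by line. It assumes iptables with the conntrack match is available; the function only prints rules, and nothing is applied until you review them and load them with iptables-restore.

```shell
# Added example, not from the book: generate an INPUT policy for a host that
# exposes only the given TCP services. Prints iptables-restore syntax; it
# assumes iptables with the conntrack match. Nothing here touches the kernel.

# usage: filter_rules stateful|naive PORT [PORT...]
filter_rules() {
    local mode=$1 p new_only
    shift
    [ $# -gt 0 ] || { echo "filter_rules: no service ports given" >&2; return 2; }
    for p in "$@"; do
        case $p in ''|*[!0-9]*) echo "filter_rules: bad port '$p'" >&2; return 2 ;; esac
        [ "$p" -le 65535 ] || { echo "filter_rules: bad port '$p'" >&2; return 2; }
    done
    case $mode in
        stateful) new_only=' -m conntrack --ctstate NEW' ;;   # only opening packets
        naive)    new_only='' ;;                                # no state: match every packet
        *) echo "filter_rules: mode must be stateful or naive" >&2; return 2 ;;
    esac
    echo '*filter'
    echo ':INPUT DROP [0:0]'            # default deny: a port not listed below is blocked
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    if [ "$mode" = stateful ]; then
        # Replies to connections this host opened (HTTP to an update mirror, the
        # DNS answer sent back to whatever ephemeral port the resolver chose)
        # are admitted by connection state, so no inbound port range is opened.
        echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    else
        # The workaround the text describes: open every port above 1023 so that
        # answers can get in. This also exposes any daemon listening up there.
        echo '-A INPUT -p tcp --dport 1024:65535 -j ACCEPT'
        echo '-A INPUT -p udp --dport 1024:65535 -j ACCEPT'
    fi
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p$new_only -j ACCEPT"   # the services we run
    done
    echo 'COMMIT'
}

# Demo: the e-mail server from the text (SMTP + IMAP), both ways
echo '# --- mail server, stateful (recommended) ---'
filter_rules stateful 25 143
echo '# --- same host, port-range workaround ---'
filter_rules naive 25 143
```

Review the stateful output before loading it with iptables-restore: the INVALID drop is deliberate, and OUTPUT is left open because the page's scenario only restricts what the host accepts.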
For example, to disable port 79 (used by the finger service, which gives out user data that is useful to an attacker doing reconnaissance), you would set disable = yes in the /etc/xinetd.d/finger file. Refer to Table 2.2 to view other ports you may wish to block. It lists common ports blocked by firewalls; however, these ports can also be blocked at the server itself. Follow these steps to disable port 79:

1. Edit the /etc/xinetd.d/finger file: open it and locate the disable = no line inside the braces of the service finger block (if no disable line is present, add one).
2. Change it to disable = yes, and then write and quit the file.
3. Restart xinetd so that it rereads its configuration, by entering: /etc/rc.d/init.d/xinetd restart
4. If you have a finger program installed on your system, or access to a finger gateway, attempt a finger request to your system (for example, finger @localhost). It should fail with a refused connection.

Note that you can use xinetd to disable many other ports in the same way.

Stand-Alone Services

To disable ports whose corresponding services are not managed through the /etc/xinetd.d directory, you must stop the service's process and make sure that the service does not start again upon reboot. These services are called stand-alone services. For example, port 111 is assigned to the stand-alone portmapper service, which is not required on most e-mail servers. The portmapper service, which is technically part of the Sun Remote Procedure Call (RPC) service, runs on server machines and tells RPC clients which port each RPC program, such as NIS or NFS, is listening on. Because these RPC services are not used by most e-mail servers, port 111 is not necessary. To disable port 111, you must disable the portmapper service as follows:

1. Identify the process identifier (PID) of portmap by entering: ps aux | grep portmap (the grep command itself also shows up in this output; ignore that line, or use pgrep portmap, which prints only the PID).
2. The second column lists the PID number, and the last column lists the command running under that PID. Stop the portmapper cleanly with its init script, /etc/rc.d/init.d/portmap stop, or send the process a termination signal with kill [PID NUMBER]. Use kill -9 [PID NUMBER] only if the process does not exit, because SIGKILL gives it no chance to clean up.
3. To make sure the service does not start during reboot, enter: ntsysv
4. Scroll down to the portmap service, uncheck the check box next to it, and click OK. The portmap service will no longer start at bootup.
5. Confirm that nothing is listening on port 111 any more by entering: netstat -tulnp | grep ':111' (it should print nothing). Repeat the check after a reboot.

Some ports, such as port 80, are not active unless the corresponding service is installed. For example, if you have not installed the Apache server, port 80 is not in use, and there is no need to block it because it is already closed.
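As an added example that is not part of the book, the following shell functions script the xinetd and stand-alone procedures above: set disable = yes in an xinetd service file, list the xinetd services that remain enabled, and find which process is bound to a port by parsing the output of iproute2's ss -Hltnup (the modern form of the netstat/ps check). The xinetd files and the ss output used here are constructed samples written to a temporary directory, so the block runs without touching the host; point xinetd_disable at /etc/xinetd.d/finger and pipe real ss output into port_listener to use it for real.

```shell
# Added example, not from the book. Runs against a temp directory and a
# constructed ss sample; on a real host use /etc/xinetd.d and live ss output.

# Set "disable = yes" in one xinetd service file (idempotent: an existing
# disable line is rewritten, otherwise one is inserted after the opening brace).
xinetd_disable() {
    local f=$1 tmp has=0
    [ -f "$f" ] || { echo "xinetd_disable: no such file: $f" >&2; return 1; }
    grep -q '^[[:space:]]*disable[[:space:]]*=' "$f" && has=1
    tmp=$(mktemp "$f.XXXXXX") && cp -p "$f" "$tmp" || return 1   # keep owner/mode
    awk -v has="$has" '
        has == 1 && /^[[:space:]]*disable[[:space:]]*=/ { print "\tdisable\t\t= yes"; next }
        has == 0 && /\{/ && !done { print; print "\tdisable\t\t= yes"; done = 1; next }
        { print }' "$f" > "$tmp" && mv "$tmp" "$f"
    # xinetd reads the file only on (re)start: /etc/rc.d/init.d/xinetd restart
}

# Print the names of service files under directory $1 that are not disabled.
xinetd_enabled() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" || basename "$f"
    done
}

# Constructed sample of "ss -Hltnup" output (listening sockets, numeric, with
# process info): Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SS_SAMPLE='tcp   LISTEN 0   128   0.0.0.0:111   0.0.0.0:*   users:(("portmap",pid=612,fd=4))
udp   UNCONN 0   0     0.0.0.0:111   0.0.0.0:*   users:(("portmap",pid=612,fd=5))
tcp   LISTEN 0   128   0.0.0.0:25    0.0.0.0:*   users:(("sendmail",pid=701,fd=3))
tcp   LISTEN 0   128      [::]:22       [::]:*   users:(("sshd",pid=540,fd=3),("sshd",pid=1999,fd=3))
'

# usage: ss -Hltnup | port_listener PORT   -> "proto name pid" per listener
port_listener() {
    awk -v want="$1" '
    {
        n = split($5, a, ":"); if (a[n] != want) next   # 0.0.0.0:111, [::]:111, *:111
        proc = $7; found = 0
        while (match(proc, /\("[^"]+",pid=[0-9]+/)) {   # each ("name",pid=N,...) entry
            e = substr(proc, RSTART + 2, RLENGTH - 2)  # name",pid=N
            sub(/",pid=/, " ", e)
            print $1, e; found = 1
            proc = substr(proc, RSTART + RLENGTH)
        }
        if (!found) print $1, "? ?   (no process info: run ss as root)"
    }'
}

# Build a throwaway xinetd.d with finger enabled and echo already disabled.
make_sample_xinetd_dir() {
    local d
    d=$(mktemp -d) || return 1
    printf 'service finger\n{\n\tsocket_type\t= stream\n\twait\t\t= no\n\tuser\t\t= nobody\n\tserver\t\t= /usr/sbin/in.fingerd\n}\n' > "$d/finger"
    printf 'service echo\n{\n\tdisable\t\t= yes\n\ttype\t\t= INTERNAL\n\tsocket_type\t= stream\n\twait\t\t= no\n}\n' > "$d/echo"
    echo "$d"
}

# Demo
dir=$(make_sample_xinetd_dir)
echo "enabled before: $(xinetd_enabled "$dir" | paste -s -d ' ' -)"
xinetd_disable "$dir/finger"
echo "enabled after:  $(xinetd_enabled "$dir" | paste -s -d ' ' -)"
cat "$dir/finger"
echo "listeners on 111:"; printf '%s' "$SS_SAMPLE" | port_listener 111
rm -rf "$dir"
```

After port_listener names the process, stop it through its init script as described above and rerun the check; an empty result for port 111 is the success condition, and the same check after a reboot confirms the ntsysv change took effect.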