
SecurityTrails Blog · May 12 · by Esteban Borges

Detecting the Most Dangerous Ports with Attack Surface Intelligence


Software ports are an essential component of any modern application. It’s because ports allow applications to communicate that your web browser has connected to a port on our web server, fetched the contents of this blog article, and shared it on your screen for you to read.

While ports aren’t dangerous on their own, a large part of your application’s overall security depends on their availability to the public. And while securing open ports like 80 (HTTP) or 443 (HTTPS) is nearly impossible for public-facing web applications, remembering to secure open database ports such as 3306 (MySQL) is a critical step in ensuring your web application’s safety and security.

Using external firewall solutions, whether software-based (like iptables, ufw, or firewalld) or hardware-based, has often been considered the best way to secure your application’s ports and keep it safe. Inbuilt application ACLs (access-control lists), on the other hand, are often subject to security flaws that can lead to unauthorized users being able to access private applications, like your databases.

Other solutions that protect your applications while still allowing them to communicate with each other include VPNs (Virtual Private Networks) such as WireGuard, commonly used because it sets up a private layer within which trusted applications can talk to each other without accepting connections from the public internet.

Some of the most popular malicious ports used by bad actors

Hackers frequently target ports running services that, if compromised, open the door to broader access (such as SSH/Telnet ports), and ports that might hold valuable data behind them (such as open database ports).

Port (most commonly seen service) and description:

21 (FTP): Used for file transfers to or from a server. Can lead to theft of files from your server and/or uploading of malware/ransomware onto your server if publicly accessible with weak authentication credentials.
22 (SSH): The most commonly used way to administer a remote Linux server. Can lead to a compromised server if publicly accessible with weak authentication credentials.
23 (Telnet): Similar to SSH, but less secure because it transmits everything, including login credentials, unencrypted. Can lead to a compromised server if publicly accessible with weak authentication credentials.
25 (SMTP): SMTP (Simple Mail Transfer Protocol) is used to transfer emails to/from a server. If left unsecured on the public internet, it can lead to your servers being used to send phishing/fraud/spam emails via your organization’s domains.
53 (DNS): A DNS service on port 53 can be abused for DNS amplification attacks if set up incorrectly, without rate limits.
110 (POP3): Used for emails, similar to the SMTP port. Can be used to send fraud/phishing emails from your server to others (including colleagues) if left unsecured or with a weak password.
143 (IMAP): Used to access email services, similar to SMTP and POP3. If left unsecured, can lead to your emails being accessible to anyone on the public internet.
3306 (MySQL): The standard port used by MySQL. Can lead to a greater risk of compromise if left open to the internet without firewalling, due to application vulnerabilities and/or weak username/password combinations.
3389 (Windows RDP): Default port used by Windows RDP. Can lead to compromise of Windows-powered devices if left open to the public internet with weak authentication credentials.
5432 (PostgreSQL): A popular database used by many commercial applications such as JIRA, Confluence, and other Atlassian applications. Can hold a lot of confidential information.
5900 (VNC): A service similar to Windows RDP, through which you can connect to a remote server’s “desktop” GUI. Can lead to security issues if left open to the internet, given its 8-character password limitation.
9200 (ElasticSearch): A popular search and analytics solution. Can lead to data theft and other security issues if left open and misconfigured.
11211 (Memcached): A popular caching service. Can be used to perform DoS attacks if left unsecured on the public internet.
27017 (MongoDB): High-performance database from the NoSQL family of databases. Used by large corporations for higher efficiency.

As seen in the table above, every single core component of an organization—from web servers to databases to remote access services such as VNC and RDP—relies on the use of network ports. Often these ports must be made available over the public internet to allow for remote access, but when every single port is made accessible, your organization’s attack surface grows that much more.

Effectively managing the various ports used by your organization begins with frequent scanning and ensuring you have only the required ports open and accessible over the public internet. This helps to reduce and manage your organization’s attack surface.
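One way to run that check on a Linux host, as an added example that is not SecurityTrails code: the script below audits listener lines in `ss -Hltn` column layout against an allow-list of required public ports and the risky ports from the table above. The sample socket lines, the allow-list of 80 and 443, and the verdict labels are constructed for illustration.

```shell
# Added example, not SecurityTrails code: audit a host's listening sockets against
# an allow-list of ports meant to be public, flagging internet-reachable listeners
# on the risky-port list above. SAMPLE is constructed in `ss -Hltn` column layout;
# on a real host, pipe `ss -Hltn` into audit_listeners instead.
REQUIRED_PUBLIC="80 443"   # assumed: the only ports this host must expose
# port:service pairs taken from the table in the article
HIGH_RISK="21:FTP 22:SSH 23:Telnet 25:SMTP 53:DNS 110:POP3 143:IMAP 3306:MySQL \
3389:RDP 5432:PostgreSQL 5900:VNC 9200:ElasticSearch 11211:Memcached 27017:MongoDB"

SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 [::]:9200 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

is_listed() {            # is_listed PORT "LIST OF PORTS"
  for p in $2; do [ "$p" = "$1" ] && return 0; done
  return 1
}

service_for() {          # print the service name for a risky port, else fail
  for entry in $HIGH_RISK; do
    [ "${entry%%:*}" = "$1" ] && { echo "${entry#*:}"; return 0; }
  done
  return 1
}
# One verdict per listener read from stdin:
#   OK       bound to loopback, or on the required-public list
#   EXPOSED  reachable from the internet and on the risky-port list
#   REVIEW   reachable from the internet and on neither list
audit_listeners() {
  while read -r state recvq sendq laddr peer rest; do
    [ -z "$laddr" ] && continue
    port=${laddr##*:}
    host=${laddr%:*}
    case "$host" in
      127.*|"[::1]") echo "OK       $laddr (loopback only)"; continue ;;
    esac
    if is_listed "$port" "$REQUIRED_PUBLIC"; then
      echo "OK       $laddr (required public service)"
    elif svc=$(service_for "$port"); then
      echo "EXPOSED  $laddr ($svc): firewall to trusted IPs or close it"
    else
      echo "REVIEW   $laddr (unlisted port reachable from the internet)"
    fi
  done
}
printf '%s\n' "$SAMPLE" | audit_listeners
```

Loopback-only listeners are reported as OK even when the port is on the risky list, since they are not part of the internet-facing attack surface.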

How does Attack Surface Intelligence help detect software running on popular ports?

Running software on default ports isn’t necessarily insecure. Certain setups, however, frequently require applications to be run on designated default ports due to application designs inherited from legacy applications. Running applications like SSH or databases without firewalls and/or ACLs while exposed to the public internet is the number-one source of entry for attackers preying on your devices.

Attack Surface Intelligence helps you to detect open ports belonging to your organization that are seen on the public internet, well before attackers can get to them.

Attack Surface Intelligence alerts

Databases are widely considered one of the most critical parts of an organization, where confidential information is stored and accessed. While maintaining a publicly-accessible database may be required in certain cases, it’s important to keep it firewalled and accessible only by certain IP addresses. This is because in-application ACLs (access-control lists) may present vulnerabilities that lead to unauthorized users and IP addresses gaining access to your database.

The SecurityTrails ASI platform alerts you to publicly-accessible database ports so that you know exactly which hosts need firewalling for greater database security.

In the screenshot above, for example, we see that various database vendor ports are detected, including MySQL, PostgreSQL, and ElasticSearch, along with the type of host operating system on which the database runs. Information such as IP address, port number, and the database’s hosting company is made available as well.

Looking beyond database ports, the SecurityTrails ASI platform also scans for various other ports, such as 80, 443, 21, 25, and much more.

SecurityTrails ASI platform ports scan

In the example above, we see the host and its various open ports listed. This provides a complete overview of ports that are open on a host, as well as the service name, software version, and even running protocols associated with the service.

Scanning of publicly available web ports is complemented by a screenshot capture feature. The ASI platform takes a screenshot at the time of scanning, giving you a complete picture of what users see when they try to access your IP address or domain.

Scanning of web ports screenshot

As you can see from the previous screenshot, the ASI Explorer interface also shows additional information on technologies, and the total number of detected risks, when you click on a port. This makes it even easier to get an early picture of the risks.

Wrapping up

While running services on default or standard defined ports is a frequent necessity due to application design (or even the simple need to keep things straightforward), it can lead to a high level of security risk—particularly if left unsecured and open to the public internet.

Consider, for example, port 22, one of the most important ports for Linux-based devices such as servers. This port is most commonly used by the SSH service that allows remote users to log in to a server, for performing actions like installing/removing packages and adjusting other system parameters and applications via the server’s command-line interface.

If left unsecured on the public internet, however, port 22 lets bots and attackers keep trying different username and password combinations without restrictions or rate limits. This can lead to a compromise if the username/password combination has already been leaked in a previous breach. Similarly, with modern web applications handling more and more users, keeping databases and other components such as frontends and load balancers separate is essential for improving user capacity.

This design itself requires databases to be accessible over the internet to and from the various frontends. And when it comes to allowing your application to scale, having these databases configured with ACLs on the public internet might be a quick solution, but it can lead to compromise if the database itself has security flaws in its ACL handling.

Using dedicated and external solutions such as firewalls (software or hardware) or VPNs is an important step towards securing the various services running within your web application.
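As an added example (not SecurityTrails code) of the firewall advice above, combined with the SSH rate-limiting point from the port 22 discussion: a shell function that generates ufw rules allowing database ports only from an explicit set of trusted client addresses, keeping the web ports public, and rate-limiting SSH. The trusted addresses 10.0.0.5 and 10.0.0.6 and the port lists are assumed values.

```shell
# Added example, not SecurityTrails code: emit the ufw commands that put the
# article's advice into practice. Database ports are reachable only from an
# explicit list of trusted addresses (assumed: 10.0.0.5 and 10.0.0.6 are the
# frontends), public web ports stay open, and SSH gets ufw's connection-rate
# limit so a password-guessing bot cannot try logins without restriction.
# The commands are printed, not executed; review them, then run them as root.

PUBLIC_PORTS="80 443"                    # must stay reachable from anywhere
DB_PORTS="3306 5432 27017"               # MySQL, PostgreSQL, MongoDB from the table above
TRUSTED_DB_CLIENTS="10.0.0.5 10.0.0.6"   # constructed frontend addresses

# gen_firewall_plan "space separated trusted IPs or CIDRs" -> ufw commands on stdout
gen_firewall_plan() {
  trusted=$1
  # Anything not explicitly allowed below is dropped, so an unlisted
  # database or admin port is not silently exposed.
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for p in $PUBLIC_PORTS; do
    echo "ufw allow $p/tcp"
  done
  # Allow-list, never a blanket allow: one rule per (client, database port).
  for p in $DB_PORTS; do
    for ip in $trusted; do
      echo "ufw allow from $ip to any port $p proto tcp"
    done
  done
  # ufw limit denies an address that opens 6 or more connections in 30 seconds,
  # which stalls brute-force attempts against port 22 without locking out admins.
  echo "ufw limit 22/tcp"
  echo "ufw enable"
}

# count_blanket_allows PLAN -> number of database ports opened to the whole internet
count_blanket_allows() {
  n=0
  for p in $DB_PORTS; do
    printf '%s\n' "$1" | grep -q "^ufw allow $p/tcp\$" && n=$((n + 1))
  done
  echo "$n"
}

PLAN=$(gen_firewall_plan "$TRUSTED_DB_CLIENTS")
printf '%s\n' "$PLAN"
```

The count_blanket_allows check is the sanity test to run on any generated plan: a result other than 0 means a database port would be open to every address on the internet.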

Fortunately, the SecurityTrails ASI platform alerts you to ports that are visible on the public internet and detects any possible risks associated with those ports, before hackers can get to them.

Esteban Borges, Blog Author

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.