
Hands on: All about ports

If you’re confused about network ports, you’ve come to the right place for help

Alan Stevens, Personal Computer World 26 Jan 2007

In this month’s column I answer a query sent in by PCW reader Steven Parkes who, in common with several others, admits to being confused about network ports.

Here’s what Steven wrote: “Having grown up on the IBM XT and Dos, and learned all I know from magazines such as yours, I’m still confused about ports. Once there were about 6 (LPT1 & 2, and Com ports 1 to 4), now they seem to be numbered in their hundreds and unless we close them specifically, they seem to be wide open to any internet hacker.

“How many are there? Where are they? What do they consist of? Is there an accepted protocol for their use? If one is used for SMTP, for example (25 in my case), can it be specified for anything else? Can we close them ourselves without the help of firewalls? (A simple Dos command, or maybe a script, to shut them all, or all but those specified?).

“You can see I am in a muddle – I can’t believe that no-one else is!”

Where are the ports?
I’ll start with the easy stuff. The network ports that Steven talks about are nothing to do with the sockets or connectors found on the back of a PC, sometimes also referred to as ‘ports’.

It’s an easy mistake to make, especially as it’s usual to talk about them being open or closed and hackers getting ‘into’ a PC via open ports. However, to the question “where are they?” the answer is “not anywhere, really.” That’s because network ports are nothing more than labels that associate the network data packet contents with a particular application.

Think about it. You’ve got a server running several applications but it has only one network address. Each of these applications would have to look at every incoming network packet to determine whether or not it needs to do something with it.

It’s not impossible to do but it would require a lot of processing and really slow things down.

Tag each packet with a label saying which application it’s destined for and a lot less work is required. That’s exactly what a network port does, effectively extending the IP address to include not just the destination host but also a particular type of application or service running on it.

Applications can then be configured to respond only to the packets addressed to their specific port and they’re said to be ‘listening’ on that port. Most web servers listen on port 80, while most email servers listen on port 25 for SMTP traffic and 110 for Pop3.

So when you browse to a website, your browser opens a TCP connection to the site’s IP address with a destination port of 80 (or 443 for https); the port number travels in the TCP header, immediately behind the IP header that carries the address. When you send an email, the client software uses port 25 instead, and port 110 when it retrieves messages with Pop3.
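To make the idea of a ‘label inside the packet’ concrete, here is an added Python example (not code from the original column) that builds a minimal IPv4 header plus a TCP or UDP header from constructed values, reads the destination port back out of the raw bytes, and looks that port up in a table standing in for the applications listening on the host. The addresses come from the RFC 5737 documentation ranges, the listener table is invented for illustration, and no checksums are computed.

```python
import struct

# Protocol numbers carried in the IPv4 header.
TCP, UDP = 6, 17

# Stand-in for "which application listens where" on a host (illustrative values,
# not taken from any real machine).
LISTENERS = {
    ("tcp", 80): "web server",
    ("tcp", 25): "SMTP server",
    ("tcp", 110): "POP3 server",
    ("udp", 53): "DNS server",
}


def ip_to_bytes(dotted):
    """Turn a dotted-quad string into the four raw bytes the IP header carries."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(src_ip, dst_ip, src_port, dst_port, proto=TCP):
    """Construct a 20-byte IPv4 header followed by a bare TCP (20 bytes) or
    UDP (8 bytes) header. Checksums are left at zero; this is for parsing only."""
    if proto == TCP:
        # ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
        transport = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                                5 << 4, 0x02, 65535, 0, 0)
    else:
        # ports, length, checksum
        transport = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    version_ihl = (4 << 4) | 5            # IPv4, header length 5 words = 20 bytes
    ip_header = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20 + len(transport),
                            0, 0, 64, proto, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return ip_header + transport


def parse_packet(pkt):
    """Pull the addressing out of a raw IPv4 packet: both IPs, both ports, the protocol.
    Only the first four bytes of the transport header are needed for the ports,
    which is exactly why demultiplexing by port is cheap for the operating system."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    version_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4        # IP options, if any, push the ports further in
    if ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("truncated packet")
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    name = {TCP: "tcp", UDP: "udp"}.get(proto, str(proto))
    return {
        "proto": name,
        "src": ".".join(str(b) for b in src), "sport": src_port,
        "dst": ".".join(str(b) for b in dst), "dport": dst_port,
    }


def dispatch(pkt, listeners=LISTENERS):
    """Return the application that would receive this packet, or None when nothing
    listens on that protocol/port (the host would answer with a TCP reset or an
    ICMP port-unreachable instead)."""
    info = parse_packet(pkt)
    return listeners.get((info["proto"], info["dport"]))


if __name__ == "__main__":
    web = build_packet("192.0.2.10", "198.51.100.5", 51234, 80)
    dns = build_packet("192.0.2.10", "198.51.100.5", 40001, 53, proto=UDP)
    unknown = build_packet("192.0.2.10", "198.51.100.5", 51235, 12345)
    for p in (web, dns, unknown):
        print(parse_packet(p), "->", dispatch(p))
```

Note that the lookup key is the protocol and the port together: a UDP packet to port 80 finds no listener even though a web server is on TCP 80, which is the point made below about TCP and UDP ports being separate.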

Are you listening?
It’s not just servers that work like this; many desktop PCs also run applications and services that listen for traffic. On your own PC, open a command window and type:
netstat -an

You should see a display similar to the one shown in the picture above: every port on which something is waiting for incoming packets (TCP entries in the LISTENING state; UDP entries have no state column because UDP is connectionless), together with any connections currently in progress. Note that netstat -an shows the ports but not which applications own them; that comes later.

Note that this screenshot was taken from a ‘clean’ installation of XP Pro running on a VMware virtual machine. You’ll probably find a lot more active ports than are shown here, and it may take a while for the whole list to be displayed. Also, if you just type ‘netstat -a’ without the ‘n’, the software will resolve IP addresses to DNS names and port numbers to service names (looked up in the Windows services file), which can be useful when working out what a port is for, although it makes the listing slower.

Port assignment
The question “how many ports are there?” is also quite easy to answer, although it depends on how you’re counting. Ports are labelled using 16-bit numbers, so there are 65,536 possible values, 0 to 65,535 (port 0 is reserved and not used for real traffic). However, the true figure is double that, because TCP and UDP each have their own separate set of 65,536 ports: TCP port 80 and UDP port 80 are different things, and a program listening on one is not listening on the other.

It’s also valuable to understand that there’s no hardwiring involved. Any application can be configured to listen on any port, with port assignment handled on a first come, first served basis: once one program has bound a port, a second program asking for the same port is refused until the first lets go of it. Applications can also listen on more than one port, and it’s normal for an application to have a default port ‘binding’, but for you to be able to override this and use other ports if you prefer.

For example, you can instruct Apache and Microsoft IIS web servers to listen on ports other than 80 if you want. It’s common to assign additional ports to applications such as web and email servers to enable them to be managed remotely or to provide additional features and functionality.
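As an added illustration (not part of the original column), the following Python script shows the first come, first served rule at work on your own machine: it asks the operating system for any free port, listens on it, then tries to bind the same port a second time, which fails with the ‘address already in use’ error. It also shows one program holding two ports at once, and the port becoming free again the moment the first listener closes, which is what happens when you shut an application down. Only the loopback address 127.0.0.1 is used, so nothing is exposed to the network.

```python
import errno
import socket

# Both spellings of "address already in use": the POSIX errno and the WinSock code.
ADDR_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}


def listen_on(port, host="127.0.0.1"):
    """Bind a TCP socket to host:port and start listening. Port 0 means
    'any free port'; getsockname() then reveals which one the OS handed out."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def try_listen(port, host="127.0.0.1"):
    """Return (socket, None) on success, or (None, errno) when the bind fails."""
    try:
        return listen_on(port, host), None
    except OSError as exc:
        return None, exc.errno


def demo():
    """Exercise the binding rules and report what happened as a dict."""
    first = listen_on(0)                     # the OS picks a free port for us
    port = first.getsockname()[1]

    second, err = try_listen(port)           # same port again: refused, it is taken
    extra = listen_on(0)                     # one program may hold several ports

    first.close()                            # shutting the listener down...
    again, err_after = try_listen(port)      # ...frees the port for the next taker

    result = {
        "port": port,
        "second_bind_ok": second is not None,
        "second_err_in_use": err in ADDR_IN_USE,
        "ports_held": sorted({port, extra.getsockname()[1]}),
        "rebind_after_close_ok": again is not None and err_after is None,
    }
    for s in (second, extra, again):
        if s is not None:
            s.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On Unix-like systems the same script would also be refused a port below 1024 unless run as root, which is the operating-system side of the ‘well-known ports’ convention described below; Windows XP imposes no such restriction.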

I connected to an MDaemon mail server via a browser. If I had specified the IP address alone I would have been directed to the web server running on the same machine. However, MDaemon listens on port 3000 for users wanting to run the built-in Webmail client, while I’ve logged on to an otherwise hidden remote management interface by specifying port number 1000.

All this flexibility could be a recipe for chaos, so when Steven asks “Is there an accepted protocol for port use?” the answer is yes. The register of who uses which number is maintained by the Internet Assigned Numbers Authority (IANA), although it is a convention rather than something IANA can enforce.

You can find an authoritative list of registered port numbers by going to the IANA website. Here you’ll discover that port numbers 0-1023 are referred to as ‘well-known ports’ (or system ports), reserved for the most common services; 1024-49151 are ‘registered ports’, which software vendors can register for their own applications; and 49152-65535 are ‘dynamic’ or ‘private’ ports, which operating systems hand out temporarily to the client end of a connection. Port 22, for example, is assigned to SSH, 23 to Telnet, 25 to SMTP email, 80 to web servers, 110 to Pop3 email retrieval and so on.

IANA registration isn’t compulsory and there’s nothing to stop other applications listening on and using any port number they like – a situation virus writers and hackers exploit to their own ends.

Open or closed
For a would-be intruder to make use of a particular port the host IP address and port combination need to be accessible from the internet. There also needs to be an application listening on it. In those circumstances the port is said to be open and when Steven asks “Can we close them ourselves without the help of firewalls?” the answer is an equivocal “yes, but not easily”.

Windows XP has no command that simply ‘closes’ a port in isolation: a port is open because a program is listening on it, so the one sure way of closing it yourself is to shut down the application listening on it (or disable the service, or uninstall the program, so that it doesn’t come back at the next reboot). Indeed it’s good practice to make sure you have no unwanted programs sitting around waiting to be exploited this way, both on desktop PCs and any internet-accessible servers.

Of course, you need to know which programs are responsible, and there are a couple of ways you can do that. One is to grab a free tool such as Active Ports or Fport from the web to work it all out for you (both are available on freeware sites). The other is to use the netstat utility in Windows, this time with the command ‘netstat -ano’, which lists the active ports together with the Process ID (PID) numbers of the applications listening on them (the ‘o’ adds the PID column; keep the ‘a’ so that listening ports are included and not just connections).

That’s of little value unless you can link PID numbers to applications. So you’ll also have to open the Windows Task Manager and click Processes to see what’s running. If there isn’t a column marked PID, click on the View menu and choose Select Columns to add it.

You might also want to try ‘netstat -ab’ (it needs administrator rights and is slow), which will list the executables responsible for active ports, although for Windows services this often shows only a shared host process such as svchost.exe and the DLLs loaded into it, which is of little help when it comes to identifying the parent application.
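Joining the two listings by hand is tedious, so here is an added Python script (not from the original column) that does it: it parses the text that ‘netstat -ano’ and ‘tasklist’ print on Windows XP, links each listening port to the process that owns it, and flags the ones bound to 0.0.0.0, which are reachable from every network interface rather than only from the PC itself. The two listings embedded below are constructed samples in the layout of those commands, with made-up PIDs, not output captured from a real machine.

```python
import re

# Constructed sample in the layout of "netstat -ano" on Windows XP (not real output).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1384
  TCP    192.168.1.10:1120      198.51.100.7:80        ESTABLISHED     2200
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:123          *:*                                    1048
"""

# Constructed sample in the layout of "tasklist" (not real output).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    908 Console                    0       4,988 K
svchost.exe                   1048 Console                    0       5,100 K
alg.exe                       1384 Console                    0       3,500 K
iexplore.exe                  2200 Console                    0      25,000 K
"""

# image name, PID, session name, session number, memory usage
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text):
    """Map PID -> image name from tasklist output; header lines never match."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group("pid"))] = m.group("image")
    return pids


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); splits on the last colon so '[::]:135' works too."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state, pid) for each netstat -ano row."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        ip, port = split_endpoint(fields[1])
        if proto == "tcp":
            state, pid = fields[3], int(fields[4])
        else:                       # UDP has no state column; a bound UDP port is "listening"
            state, pid = "LISTENING", int(fields[3])
        yield proto, ip, port, state, pid


def listening_ports(netstat_text, tasklist_text):
    """Every listening port with its owning process, sorted by port number."""
    names = parse_tasklist(tasklist_text)
    rows = []
    for proto, ip, port, state, pid in parse_netstat(netstat_text):
        if state != "LISTENING":
            continue
        rows.append({
            "proto": proto, "port": port, "bound_to": ip,
            "pid": pid, "image": names.get(pid, "?"),
            # 0.0.0.0 (or :: for IPv6) means every interface: reachable from the network
            "network_reachable": ip in ("0.0.0.0", "::"),
        })
    return sorted(rows, key=lambda r: (r["port"], r["proto"]))


def network_exposed(rows):
    """Just the listeners an outside host could reach: the ones worth worrying about."""
    return [r for r in rows if r["network_reachable"]]


if __name__ == "__main__":
    for r in listening_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = "NETWORK" if r["network_reachable"] else "local  "
        print(f"{flag} {r['proto']}/{r['port']:<5} pid {r['pid']:<5} {r['image']}")
```

To run it against a real machine, replace the two sample strings with the output of the commands (for example by redirecting each to a file and reading it in). A port bound to 127.0.0.1 can only be reached by programs on the same PC, so the 0.0.0.0 entries are the ones to account for first.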

Firewalls are better
It’s crucial to understand that shutting down a listening application doesn’t provide complete protection from an attack on the port concerned. Viruses can install Trojan code designed to listen on ports you think are shut, which is where firewalls come in.

Firewalls close ports by filtering out packets addressed to specific port numbers or ranges, whether or not applications are actively listening on them. Even if a Trojan were installed and listening, nobody outside could reach it, because a properly configured firewall would drop any inbound packets sent to its port number. (A filter on inbound traffic alone does not stop malware making outbound connections of its own, which is why desktop firewalls also ask you about programs that try to connect out.) Firewalls can also distinguish between TCP and UDP ports, and forward the traffic for a port to a specific server on a NAT-protected network. That’s useful if you want to host your own email or web server.
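To show what ‘filtering on port number whether or not anything is listening’ means in practice, here is an added Python example (not code from the original column, nor from any real firewall product) of the rule evaluation a packet filter performs: rules are tried in order, the first match wins, and anything that matches nothing is dropped. It distinguishes TCP from UDP, restricts one service to the local network, and forwards port 80 to an internal web server the way a NAT router would. The rule set, networks and hosts are invented for illustration.

```python
import ipaddress

# A rule is (action, protocol or "any", permitted source network, (low_port, high_port)).
# Order matters: the first rule that matches decides the packet's fate.
RULES = [
    ("allow", "tcp", "0.0.0.0/0",      (80, 80)),      # public web server
    ("allow", "tcp", "0.0.0.0/0",      (25, 25)),      # public mail server
    ("allow", "tcp", "192.168.1.0/24", (3389, 3389)),  # remote desktop, LAN only
    ("allow", "udp", "0.0.0.0/0",      (500, 500)),    # IPsec key exchange
    ("deny",  "any", "0.0.0.0/0",      (0, 65535)),    # everything else: dropped
]

# NAT port forwarding: (proto, public port) -> (internal host, internal port).
FORWARDS = {
    ("tcp", 80): ("192.168.1.20", 80),
    ("tcp", 25): ("192.168.1.21", 25),
}


def evaluate(rules, proto, src_ip, dst_port):
    """Walk the rule list top to bottom; return 'allow' or 'deny' for this packet.
    A packet that matches no rule at all is denied: a firewall that defaulted to
    allow would leave every unlisted port open."""
    src = ipaddress.ip_address(src_ip)
    for action, rule_proto, network, (low, high) in rules:
        if rule_proto != "any" and rule_proto != proto:
            continue
        if src not in ipaddress.ip_network(network):
            continue
        if not low <= dst_port <= high:
            continue
        return action
    return "deny"


def handle(proto, src_ip, dst_port, rules=RULES, forwards=FORWARDS):
    """Decide what happens to an inbound packet: ('drop', None), ('accept', None)
    when the router itself takes it, or ('forward', (host, port)) when it is
    passed on to a server behind the NAT."""
    if evaluate(rules, proto, src_ip, dst_port) != "allow":
        return ("drop", None)
    target = forwards.get((proto, dst_port))
    return ("forward", target) if target else ("accept", None)


if __name__ == "__main__":
    probes = [
        ("tcp", "203.0.113.9", 80),      # web from the internet: forwarded inside
        ("udp", "203.0.113.9", 80),      # same number, wrong protocol: dropped
        ("tcp", "203.0.113.9", 3389),    # remote desktop from the internet: dropped
        ("tcp", "192.168.1.5", 3389),    # remote desktop from the LAN: accepted
        ("tcp", "203.0.113.9", 12345),   # a port a Trojan might have opened: dropped anyway
    ]
    for proto, src, port in probes:
        print(f"{proto}/{port} from {src}: {handle(proto, src, port)}")
```

The last probe is the point of the section: the filter never asks whether anything is listening on port 12345, so a program that opens it behind your back gains nothing.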

Most broadband routers come with built-in firewalls that can be configured to either block or allow traffic on a port-by-port basis. You can also filter this way using most desktop firewall products, including the firewall included in Windows XP.

And finally, if you want to check your PC and others on the network for port vulnerabilities there are lots of port scanners available. Some you have to pay for, often as part of a larger security suite, while others are available free of charge. You can also check for port vulnerabilities using internet-hosted port scanner services, such as Shields Up. That way you get a really objective view of how your PC looks from remote systems elsewhere on the internet.

Some care is needed here, though, as port scanning can be seen as a suspicious activity and some firewalls and ISPs will block it as a matter of course. If the probes are silently dropped somewhere between the scanner and your PC, the scanner sees no answer and reports nothing, so you could think you’re safe when, in fact, you still have ports open behind that block. Port scanners themselves are also sometimes identified as malware by anti-spyware programs and you may have to shop around to find one that works the way you want.
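The simplest kind of port scanner is a TCP connect scan, which is what most free tools do when run without special privileges. As an added example (not from the original column, and not any particular product), the Python below scans a list of ports on one host and classifies each as open (the connection completed), closed (the host refused it) or filtered (no answer before the timeout, which is what a firewall or ISP silently dropping the probe looks like, and the reason a scan can miss a port that is really open). So that it runs offline, it starts its own listener on 127.0.0.1 and scans that alongside a port it has just released.

```python
import socket


def scan_port(host, port, timeout=0.5):
    """Attempt a full TCP connection to host:port and classify the result.
    'open'      the three-way handshake completed, so something is listening
    'closed'    the host answered with a reset: nothing is listening there
    'filtered'  no reply at all before the timeout: a firewall or ISP dropped
                the probe, so the port may still be open behind it
    'error'     some other network failure (unreachable host, and so on)"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        sock.close()


def scan(host, ports, timeout=0.5):
    """Scan each port in turn; return {port: state}."""
    return {port: scan_port(host, port, timeout) for port in ports}


def _grab_free_port():
    """Ask the OS for a free port number, then give it straight back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan the local machine for one port we are listening on and one we are not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = _grab_free_port()          # nobody is listening on it any more
    try:
        return {"open_port": open_port, "closed_port": closed_port,
                "results": scan("127.0.0.1", [open_port, closed_port])}
    finally:
        listener.close()


if __name__ == "__main__":
    r = demo()
    for port, state in r["results"].items():
        print(f"127.0.0.1:{port} {state}")
```

Scanning your own machine from itself only tells you what is listening; it cannot reproduce the ‘filtered’ case, which is why the column recommends a scan from outside, such as Shields Up, to see what the internet actually sees. Only scan hosts you own or have permission to test.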

www.pcw.co.uk/2173555
This article was printed from the Personal Computer World web site
© Incisive Media Ltd. 2008