Router Security: Close Unnecessary Ports
Are your virtual hatches battened down? In this article, we will examine one type of router vulnerability and learn how to protect your system from hackers and malware that seek to exploit it. Our subject today is, “unnecessary open ports,” a very common vulnerability. Read on, and find out if your router passes the Looney Tunes test...
Batten Down The Hatches!
I grew up watching Bugs Bunny and other "Looney Tunes" cartoons. One bit I always remember is this sequence: "Batten down the hatches!" -- "I did batten them down!" -- "Well, batten them down again! We'll teach those hatches!"
Why do I mention this? You might think you've already battened down your router hatches, but you may still be exposed to attacks. So let's batten 'em down again! And when I say hatches, I mean ports.
“What is a port?” is a good place to start. Simplified for our purposes, a port is a place in your network’s secured perimeter through which programs running on your network can communicate with the outside world, and vice versa. (Don't look for physical ports on your router; the ports we're talking about here are implemented in software.) An open port allows such two-way communication, and a closed port does not.
Any open port is a potential security vulnerability, just as any open window or door on your home would be. It behooves us to keep ports closed when we are not using them. Ideally, an external entity should not even be able to detect a port’s existence, and that sort of “stealth” status is achievable.
Also, through an open port an external entity can discern what software you are running that uses the port, right down to that software’s version number. That knowledge can be exploited by hackers who have vast knowledge of vulnerabilities in specific versions of popular programs.
Knowing what software you are running enables a hacker to choose his best weapons for an attack on your system. Closing unnecessary ports deprives attackers of such useful intelligence, and minimizes the “attack surface” of your system – that is, the number of points at which an attacker might find a vulnerability.
Open Ports: An Example
Here is an example of ports in action: suppose that on your computer you are running an FTP (File Transfer Protocol) server, a program whose functions include “listening” for requests from remote computers – called “clients” - to deliver (serve) to them specified files that are stored on your computer.
When the FTP server program is started, it opens port 21 and “listens” on it for incoming requests. FTP client programs send their requests for file transfers to port 21. Port 20 is also brought into play; it is the port through which the requested file is transmitted, while port 21 is used for command-and-control messages. Port 20 is closed when a file transfer is completed. When the FTP server program shuts down, it closes port 21. At least, that is how things are supposed to work.
A bug in an FTP server may leave port 20 or 21 open continually, offering a would-be attacker an opportunity to send malware to the buggy system or download files without permission. Many a computer owner has found his system hosting a bootleg file exchange created by hackers who exploited these open ports. Some of these victims had to answer awkward legal questions about copyrighted materials, child pxrnography, and so on. A seemingly trivial bug like an open port 21 can have major consequences.
FTP is just one service running on a well-known port that hackers can exploit. Telnet, which “listens” for clients’ requests on port 23, effectively grants a remote client command-line control of the computer and all other devices to which that computer has access. Hackers are very interested in IP addresses that are running open telnet services! Other ports, when left open, can give hackers equally threatening powers.
What is Port Scanning?
Hackers are constantly scanning the Internet, one IP address at a time, looking for IP addresses that have open ports and exploitable services. This port scanning takes very little time or resources, so hackers can afford to knock on millions of locked doors to find a handful of open ones.
You can scan your own home network from a hacker’s perspective to see what ports are open to exploitation, if any. Then you can close these vulnerabilities, and create rules that allow ports to be opened only by your programs and only when the ports are needed for your purposes.
Security researcher Steve Gibson has provided the free ShieldsUp port-scanning service for longer than I can remember. It scans your router for vulnerabilities, including open ports. It reports the status of all 65,000+ ports, and offers advice on how to fix vulnerabilities. It is a great security checkup for every user!
How to Close Open Ports
Suppose a scan of your router reveals that port 21 is open unnecessarily. If your router has built-in firewall software, you can use it to close port 21; instructions for doing so will vary depending on your router. But you can also close ports using Windows’ built-in firewall, and the process is very similar no matter what firewall software you use. So here is how to close a port using Windows Firewall. (I will be using Windows 10; minor adjustments to these instructions may be necessary if you are still using Windows 7 or 8.1.)
Type “firewall” in the Start menu’s search box and click on the Windows Defender Firewall app when it appears in the results. Click “Advanced Settings” in the left sidebar. On that page, highlight “Inbound rules” in the left pane. Over in the right-hand pane, click on “New rule.”
In the “new rule” window, darken the radio button next to “Port” and click Next. Now we have to specify the port and the protocol that it uses. We are going to block port 21, which is used by FTP, which employs the TCP protocol. So darken the radio button next to “TCP” and the radio button next to “specific local port,” then enter “21” in the text box, and click Next.
Darken the radio button next to “block the connection” and click Next.
On the “Where will this apply” page, check the areas in which you want port 21 to be blocked. All of them will be fine. Then click Next.
Give your new rule a name, such as “Block Port 21,” and click Finish.
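The same rule can be created from a PowerShell prompt, which is handy when you want to repeat it on several PCs or check afterwards that it really exists. The script below is an added example, not part of Bob's article: it assumes Windows 10 with the built-in NetSecurity module and an elevated (Run as Administrator) prompt, and it uses the rule name "Block Port 21" from the steps above. The `Get-ListeningPorts` helper is my own addition so you can see which ports are actually in use before blocking anything.

```powershell
# Added example (not from the article): reproduce the Windows Defender
# Firewall wizard steps above from an elevated PowerShell prompt.
# Assumes Windows 10 and the NetSecurity module that ships with it.

# 1. Before blocking anything, list what is actually listening on this PC:
#    each TCP port in the Listen state with the process that owns it.
#    (Helper name and output columns are my own, not a Windows API.)
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort = $_.LocalPort
                Address   = $_.LocalAddress
                PID       = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '?' }
            }
        }
}

# 2. The wizard choices, one parameter each: Inbound rule, Port, TCP,
#    specific local port 21, Block the connection, apply to all profiles
#    (Domain, Private and Public), named "Block Port 21".
$ruleName = 'Block Port 21'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 21 `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# 3. Verify the rule and its port filter, and confirm the firewall is
#    switched on for every profile: a block rule does nothing while the
#    profile it belongs to is disabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort

Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

Get-ListeningPorts | Format-Table -AutoSize
```

Two things worth knowing when you read the output. First, `DefaultInboundAction` is normally `Block`, so unsolicited traffic to a port nobody is listening on is already dropped; the explicit rule earns its keep when some program (an FTP server, for instance) has added its own allow rule for port 21, because in Windows Firewall a block rule wins over an allow rule for the same traffic. Second, if `Get-ListeningPorts` shows port 21 with a process you do not recognise, find out what that process is before you decide whether blocking the port is enough or the program itself should go.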
Reboot your PC and the new rule will take effect; port 21 is blocked to incoming requests from remote clients. Port 21 is also now in “stealth mode,” invisible to entities that are scanning ports. Here is why:
When a remote client sends a request to a service that is running on a port, that service usually acknowledges the request by sending back a “request accepted” or “request rejected” message. But with the port blocked, the service running on it receives no requests, so it sends no response. The remote client gets no clue as to whether there is a port and service at that IP address or not. The less strangers on the Internet know about your home network, the better. In the physical world, it would appear to a burglar as if your house had no windows or doors at all.
So now you understand what ports are; why unnecessarily open ports are usually bad; how to identify open ports on your network; and how to close an open port. That’s quite a bit for one lesson!
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 13 Aug 2020
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Router Security: Close Unnecessary Ports (Posted: 13 Aug 2020)
Source: https://askbobrankin.com/router_security_close_unnecessary_ports.html
Most recent comments on "Router Security: Close Unnecessary Ports"
Posted by:
Nightwish Fan
13 Aug 2020
Can I close ports on my computer?
I have no control over my Landlord's router; I don't even know where it is. I use a Hawking extender and a switch. Can I close ports on my computer or the extender?
Tenants are very vulnerable, but respectfully, we always seem to be overlooked by tech people.
Posted by:
Nightwish Fan
13 Aug 2020
Never mind; I see now; I will give it a try and report back. Thanks Bob.
Posted by:
Will
13 Aug 2020
I'm living in a complex that maintains the WiFi internet access for everyone. We all get our own access code. Does this process change something in the complex infrastructure, or does it change something in my PC and then will have no effect on anyone else? Initial discussion was w/r/t router, but I think the latter was strictly within one's PC and therefore could be done without affecting anyone else.
Thanks for any clarification.
Posted by:
Nightwish Fan
13 Aug 2020
Ok, I followed the instructions. I hope I closed Port 21 just on MY computer, and not my Landlord's router. Thanks for your time.
Newbs. It's fun to watch us poke around in the dark, isn't it? Ha-ha!! And to those whom I annoyed, my sincere apologies.
Posted by:
john
13 Aug 2020
Bob. This is a great 'How to close ports' article, but I am puzzled about 'What ports to close'.
Presumably we want some ports to be open. If we closed all ports, how would we access the internet at all? For example, my secure email uses ports 465 and 995 and I want to keep receiving your articles by email. So I probably shouldn't close those ports.
So, what (or where) is a good guide on what ports to keep open, and what to close?
Posted by:
Ernest N. Wilcox Jr.
13 Aug 2020
If I recall correctly, I have already set my Router / Internet Gateway up in stealth mode, but I still took a trip to GRC's Shields Up Web site to perform an out-of-schedule test (I run the 1056 ports scan monthly) and all the ports tested are running in Stealth mode. This means that I am effectively 'invisible' to port scanners on the Internet. Unless h*ckers have found a new way to detect the presence of my home network, I should be safe unless I do something stupid like succumbing to a social engineering attack.
To set up this level of security for your own home network, you should read the documentation for your router, or if your router is provided by your ISP, contact them to learn if you can take this step, and if so, how.
If not, your next best step may be to use the ZoneAlarm free firewall because it watches both incoming and outgoing connections to stop outbound (aka phone home) connections from untrusted applications or services. It does have a 'training' period during which you may be bothered with requests about what to do about software that is attempting to establish outgoing connections - add to the 'trusted' list or block it - but after a relatively short time, based on my personal experience with it, you will hardly know it is there.
During the 'training' period, I suggest that you take some time to understand what apps are trying to make outbound connections, and why they may need to do so. Putting in this effort will result in greater security and privacy for you and your computer. The only reason I mentioned the Zone Alarm firewall is that it may provide a much easier way to set yourself up with a stealth mode Internet connection than to block all 1056 ports manually (one at a time) in the Windows firewall.
That makes me think of a good suggestion for the Windows 10 Feedback Hub - add a stealth-mode setting for the Windows 10 firewall.
Sorry I have rambled on so long, but I hope this helps someone,
Ernie
Posted by:
Tom
13 Aug 2020
I've used Gibson Research's ShieldsUp! for at least 20 years. Easy to use and gives useful information on port vulnerabilities and how to resolve any issues. A very helpful free service.
Posted by:
Ernest N. Wilcox Jr.
13 Aug 2020
This is in reply to the post by John on August 13, 2020:
John, when you block a port, you are blocking it from responding to incoming connection requests. You will still be able to use your email client and Web Browser as usual.
When you start your email client, it opens the required port(s) to establish a connection with your email account's server for the duration of any transaction it needs to make with the server to send or receive email messages; then when you are finished and you close your email client, IT closes any ports it opened. The same is true for your Web Browser or any other applications you use on the Internet.
The purpose of 'blocking' an Internet port is to make it effectively invisible to port scanners that 'h*ckers' use to find vulnerable computers (or servers) on the Internet.
For better information, read all the information you see on the Shields Up web site after running the port scans offered - there are several available in the table listing below the UPnP scan - you should run the 'All Service Ports' scan to ensure you are 'invisible' on the Internet to h*ckers' port scanners.
Hope this helps,
Ernie
Posted by:
JimM
13 Aug 2020
My question would be if I close Port 21 will I still be able to download things or will I have to go open it each time. Thanks
Posted by:
Fred
13 Aug 2020
How will this affect me contacting my banking, credit cards, medical info etc.? All my sensitive info when I try to contact them or vice-versa?
Posted by:
gene
13 Aug 2020
There are sites that will scan your system for open ports. Some are from people who have been around for decades and they're free. Gibson, Finney and others. I've run their tests against my system and they all show that my Linksys router is invisible. A good router is key to internet security, mine has a built in firewall and I run Windows software firewall as well. Can't be too safe these days.
Posted by:
Bob
14 Aug 2020
We are running Win 10, iOS and Linux but all from cellular direct or hotspot. I understand that is safer. Also, I’m new to iOS but my iPad can be set to VPN. Is that a better option?
Posted by:
Stuart Berg
14 Aug 2020
If you happen to see that Port 0 is Closed but not Stealth, it is probably because you are using the Brave or Firefox browsers. That's because those two browsers use their own built-in VPN. If you use Google Chrome or Microsoft Edge, you should be able to see all ports are Stealth.
Posted by:
Rosemary F.
14 Aug 2020
If maintaining your car was as complicated, time consuming and arduous as all the things Bob suggests to do, we'd all be riding bicycles. I thought "computers" were supposed to free up our time from all the "drudge" work. Instead we've become slaves to these mind numbing hideous machines.
Posted by:
Citellus
15 Aug 2020
I ran the Shields Up program and found zero vulnerabilities in file sharing, common ports, and all service ports. But I have not done anything except I never use the administrator's account online unless required by what I know I am doing. Is using a non-administrator's account the reason no vulnerabilities were found?
Posted by:
George White
16 Aug 2020
When I run a scan on my own IP address, the hostname level that is returned is high enough that I don't see any apparent personal vulnerability. But because I am not very technically savvy, I am unsure how I would know if the stream of numbers makes me vulnerable or not. So, should it be obvious to someone with 'less than technical' ability what would or would not be an indication of vulnerability? Thanks for the heads-up.
Posted by:
Ray T Konko
17 Aug 2020
Bob, wondering about open ports with use of a VPN. All ports in stealth when disconnected, but 4 are open when VPN icon shows connected.
Posted by:
John Harris
28 Aug 2020
The scan of ports shows that port 443 is open and it says "This is a VERY bad port to have open unless you are actually conducting secure web commerce!" I have followed the instructions for closing the port, but subsequent scans all come back showing the port open. Help??
Posted by:
liz
19 May 2022
Your link only goes to the page that checks for:
Universal Plug n'Play (UPnP) vulnerabilities
I see no other tests there, and as I understand it, the above test is not all there is to it.
Years ago I used this site and it gave me a list of all my ports.
What's the matter???