Router Security: Closing Unnecessary Ports

Category: Security

This article is part of a series on the subject of router security. In this article, we will examine one type of router vulnerability and learn how to protect your system from hackers and malware that seek to exploit this type of vulnerability. Our subject today is, “unnecessary open ports,” a very common vulnerability. Read on...

Batten Down The Hatches!

I grew up watching Bugs Bunny and other "Looney Tunes" cartoons. One bit I always remember is this sequence: "Batten down the hatches!" -- "I did batten them down!" -- "Well, batten them down again! We'll teach those hatches!"

Why do I mention this? Well, as I mentioned at the start of this article, it's part of a continuing series on securing your internet router. If you missed earlier installments, see [HOWTO] Protect Your Router Now and UPnP - The (almost) Forgotten Vulnerability. The point is, you might think you've already battened down your router hatches, but you may still be exposed to attacks. So let's batten 'em down again!

“What is a port?” is a good place to start. Simplified for our purposes, a port is a place in your network’s secured perimeter through which programs running on your network can communicate with the outside world, and vice versa. (Don't look for physical ports on your router; the ports we're talking about here are implemented in software.) An open port allows such two-way communication, and a closed port does not.

How to detect and close open ports on your router

Any open port is a potential security vulnerability, just as any open window or door on your home would be. It behooves us to keep ports closed when we are not using them. Ideally, an external entity should not even be able to detect a port’s existence, and that sort of “stealth” status is achievable.

Also, through an open port an external entity can discern what software you are running that uses the port, right down to that software’s version number. That knowledge can be exploited by hackers who have vast knowledge of vulnerabilities in specific versions of popular programs.

Knowing what software you are running enables a hacker to choose his best weapons for an attack on your system. Closing unnecessary ports deprives attackers of such useful intelligence, and minimizes the “attack surface” of your system – that is, the number of points at which an attacker might find a vulnerability.

Open Ports: An Example

Here is an example of ports in action: suppose that on your computer you are running an FTP (File Transfer Protocol) server, a program whose functions include “listening” for requests from remote computers – called “clients” - to deliver (serve) to them specified files that are stored on your computer.

When the FTP server program is started, it opens port 21 and “listens” on it for incoming requests. FTP client programs send their requests for file transfers to port 21. Port 20 is also brought into play; it is the port through which the requested file is transmitted, while port 21 is used for command-and-control messages. Port 20 is closed when a file transfer is completed. When the FTP server program shuts down, it closes port 21. At least, that is how things are supposed to work.

A bug in an FTP server may leave port 20 or 21 open continually, offering a would-be attacker an opportunity to send malware to the buggy system or download files without permission. Many a computer owner has found his system hosting a bootleg file exchange created by hackers who exploited these open ports. Some of these victims had to answer awkward legal questions about copyrighted materials, child pxrnography, and so on. A seemingly trivial bug like an open port 21 can have major consequences.

FTP is just one service running on a well-known port that hackers can exploit. Telnet, which “listens” for clients’ requests on port 23, effectively grants a remote client command-line control of the computer and all other devices to which that computer has access. Hackers are very interested in IP addresses that are running open telnet services! Other ports, when left open, can give hackers equally threatening powers.

What is Port Scanning?

Hackers are constantly scanning the Internet, one IP address at a time, looking for IP addresses that have open ports and exploitable services. This port scanning takes very little time or resources, so hackers can afford to knock on millions of locked doors to find a handful of open ones.

You can scan your own home network from a hacker’s perspective to see what ports are open to exploitation, if any. Then you can close these vulnerabilities, and create rules that allow ports to be opened only by your programs and only when the ports are needed for your purposes.

Security researcher Steve Gibson has provided the free ShieldsUp port-scanning service for longer than I can remember. It scans your router for vulnerabilities, including open ports. It reports the status of all 65,000+ ports, and offers advice on how to fix vulnerabilities. It is a great security checkup for every user!
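The "knocking on doors" that a port scanner does can be reproduced on your own machines. The following is an added example, not code from this article or from ShieldsUP!: a small PowerShell function that attempts a TCP connection to one port and reports whether the port answered "come in" (Open), answered "go away" (Closed), or did not answer at all (Filtered, which is the "stealth" state this article aims for). The function name Test-TcpPortState, its parameter names and the demo listener are this example's own constructions, not a Windows or GRC API.

```powershell
# Added example, not code from the article or from ShieldsUP!: check TCP ports
# from the "knocking" side and classify each as Open (handshake completed),
# Closed (the host answered with a reset) or Filtered (no answer before the
# timeout, which is the "stealth" state the article describes).
# Test-TcpPortState and its parameter names are this example's own.

function Test-TcpPortState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 1500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Neither an accept nor a reset arrived before the timeout: something
        # (a firewall on the host, or the router in front of it) dropped our packet.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'Filtered' }
        $client.EndConnect($pending)   # throws when the host refused the connection
        return 'Open'
    }
    catch {
        return 'Closed'
    }
    finally {
        $client.Close()
    }
}

# Constructed demo: start a listener on a free loopback port so that one port is
# genuinely open, then knock on it and on the FTP (21) and Telnet (23) ports.
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$demoPort = ([System.Net.IPEndPoint] $listener.LocalEndpoint).Port

foreach ($p in @($demoPort, 21, 23)) {
    [pscustomobject] @{
        Port  = $p
        State = Test-TcpPortState -ComputerName '127.0.0.1' -Port $p
    }
}
$listener.Stop()
```

Two caveats when reading the results. Windows Firewall does not filter loopback traffic, so a scan of 127.0.0.1 shows what is listening on the PC, not what the firewall blocks; to see the firewall's effect, run the function from another machine on your LAN against the PC's LAN address. And neither of those tells you what the Internet sees: your router answers (or stays silent) on your behalf, which is why an outside check such as ShieldsUP is still needed.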

How to Close Open Ports

Suppose a scan of your router reveals that port 21 is open unnecessarily. If your router has built-in firewall software, you can use it to close port 21; instructions for doing so will vary depending on your router. But you can also close ports using Windows’ built-in firewall, and the process is very similar no matter what firewall software you use. So here is how to close a port using Windows Firewall. (I will be using Windows 10; minor adjustments to these instructions may be necessary if you are still using Windows 7 or 8.1.)

Type “firewall” in the Start menu’s search box and click on the Windows Defender Firewall app when it appears in the results. Click “Advanced Settings” in the left sidebar. On that page, highlight “Inbound rules” in the left pane. Over in the right-hand pane, click on “New rule.”

In the “new rule” window, darken the radio button next to “Port” and click Next. Now we have to specify the port and the protocol that it uses. We are going to block port 21, which is used by FTP, which employs the TCP protocol. So darken the radio button next to “TCP” and the radio button next to “specific local port,” then enter “21” in the text box, and click Next.

Darken the radio button next to “block the connection” and click Next.

On the “Where will this apply” page, check the areas in which you want port 21 to be blocked. All of them will be fine. Then click Next.

Give your new rule a name, such as “Block Port 21,” and click Finish.

Reboot your PC and the new rule will take effect; port 21 is blocked to incoming requests from remote clients. Port 21 is also now in “stealth mode,” invisible to entities that are scanning ports. Here is why:

When a remote client sends a request to a port, the service listening there (or, if nothing is listening, the operating system itself) normally answers with a “request accepted” or “request rejected” message. But with the port blocked, the firewall silently drops the incoming packet before it ever reaches a service, so nothing is sent back at all. The remote client gets no clue as to whether there is a port and service at that IP address or not. The less that strangers on the Internet know about your home network, the better. In the physical world, it would appear to a burglar as if your house had no windows or doors at all.
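The same rule the GUI steps above create can be built from an elevated PowerShell prompt, which is handy when you have several ports to block or want to script the check. This is an added example, not code from the article; it uses the built-in NetSecurity cmdlets (New-NetFirewallRule, Get-NetFirewallRule, Get-NetFirewallPortFilter) that ship with Windows 8 / Server 2012 and later. The helper name Block-InboundTcpPort is this example's own.

```powershell
# Added example, not code from the article: the inbound block rule the article
# builds in the Windows Defender Firewall GUI, created with the NetSecurity
# cmdlets. Run from an elevated (Administrator) PowerShell prompt.
# Block-InboundTcpPort is this example's own helper name.

function Block-InboundTcpPort {
    param(
        [Parameter(Mandatory)] [int] $Port,
        [string] $Name = "Block Port $Port"
    )
    # New-NetFirewallRule would happily create a second rule with the same
    # name, so check for an existing one first.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$Name' already exists; leaving it in place."
        return
    }
    $rule = @{
        DisplayName = $Name        # the name typed at the "Finish" step
        Direction   = 'Inbound'    # "Inbound rules"
        Protocol    = 'TCP'        # FTP's control channel is TCP
        LocalPort   = $Port        # "specific local port"
        Action      = 'Block'      # "block the connection"
        Profile     = 'Any'        # "Where will this apply": all of them
    }
    New-NetFirewallRule @rule | Out-Null
}

Block-InboundTcpPort -Port 21

# Verify: the rule exists, is enabled, and filters inbound TCP port 21.
Get-NetFirewallRule -DisplayName 'Block Port 21' |
    Select-Object DisplayName, Enabled, Direction, Action

Get-NetFirewallRule -DisplayName 'Block Port 21' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# To undo later:  Remove-NetFirewallRule -DisplayName 'Block Port 21'
```

Calling Block-InboundTcpPort with a different -Port value produces the equivalent rule for any other TCP port; the Profile value 'Any' corresponds to ticking all three boxes (Domain, Private, Public) on the "Where will this apply" page.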

So now you understand what ports are; why unnecessarily open ports are usually bad; how to identify open ports on your network; and how to close an open port. That’s quite a bit for one lesson!

Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted by on 27 Jun 2018

Most recent comments on "Router Security: Closing Unnecessary Ports"

Posted by:

27 Jun 2018

Do you recommend blocking ports 20 and 23 also?

Posted by:

27 Jun 2018

You certainly know how to make a concept such as "ports" and make them easily understandable. Thanks for all that you do and the info you impart.

Posted by:

Patrick McDonald
27 Jun 2018

Didn't even know this issue existed. Thank you Mr. Rankin!

Posted by:

Mike Appleton
27 Jun 2018

Bob, I have been a faithful reader of your newsletter for a number of years. You have a wonderful ability to impart technical information in a way that is informative, highly readable and often humorous. On the other hand, it is a bit like being addicted to horror novels. I know that on every other page I will encounter a new source of terror whose previous existence was completely unknown to me. Keep up the great work, I guess.

Posted by:

Thomas Weybrew
27 Jun 2018

Following your advice about blocking open ports, I ran ShieldsUP! and it showed 4 open ports. Using your instructions I created 4 new port blocking rules for Win 10 Firewall. After rebooting, all the new rules were showing but only 2 were working! What's up?

Posted by:

28 Jun 2018

Thomas W: note that ShieldsUp! tests your *router*, not directly your computer. Closing ports on your computer can help, but it's your router that is responding to the ShieldsUp requests.

Posted by:

28 Jun 2018

Nice one Bob, ran the test passed not visible.
A print out of your instructions and cold boot, re-test still not visible. Thanks.

Posted by:

01 Jul 2018

bb you are not exactly correct on Shield's Up only responding to your router. It really is responding to your Firewall, and Windows 10 has a Firewall, and Windows 10 is not part of your router.

I have known about Shield's Up on Steve Gibson's website, since he designed it. This was after Steve Gibson found that Real Player was "spying" on its own customers. Shield's Up is for everyone to use, so they know what Ports are open and what Ports are not.

If all of your Ports are open, then you must close them down on your Firewall. If only 2 are open, it means that you need to close them.

I have disabled Windows Defender, because I want my Router to do its job and Bitdefender software allows my Router to do what it is supposed to do, keep all Ports closed. When you are Stealth on Shield's Up, this means that all of your Ports are closed and NO ONE can see you on the Internet through your Router or Firewall.

Windows Defender does have a Firewall and if you do use Windows Defender, you need to close all of your Ports in the Firewall settings. That is the true purpose of a Firewall, to protect your computer. If what I say is true, then it behooves you to close all ports.

My PC is Stealth and has been for years. I rarely get any infections, but do occasionally from time to time. By having an excellent Anti-Virus/Malware program, I am well protected. Because, when something is detected with one of my scans on my PC, and a virus/malware is captured, it or they are sent to the Quarantine part of my Anti-Virus/Malware program. This way I can see if it really is a Virus/Malware or just something crazy that all Anti-Virus/Malware programs get once in a while.

So, for those who have found that a Port or two or three or whatever is open, close it through the Firewall of either Windows Defender or your Router's Firewall.

Using Shield's Up was one of the first things that I learned about Firewalls and how they protect my PC. Yes, I made mistakes, but to me, that is how you learn. I remember when I was using AOL and did not have a Router, since all I was doing then was Dial-Up. I had to completely re-format my Hard Drive, to get rid of it. At that time, back in early 1997, I didn't have DSL or a router. I had a simple 33.6 Modem, that I dearly hated.

When I finally got my DSL in March 2000, I had to install my DSL PCI Card, to get 1.5 mbps. Oh, I thought that I was flying on the Internet with that DSL PCI Card. That was the fastest speed you could get at that time. Instead of it taking 8 hours to download any major Microsoft updates or added stuff, it took only 3 hours. Now, that was true progress.

Now, I have 24 Mbps. I can't go any higher, where I live with DSL, since my "office" for higher speeds is too far away. That is the limitation of DSL, not living close to the "office" that supports higher and faster downloads, like 45 Mbps or 75 Mbps or the speeds of Fiber Optic lines.
AT&T is still working with copper wiring in many of their areas of coverage.

But in all honesty, I am NOT complaining. I can download over a GB of a casual game in about 5 mins or less. Years ago it took me almost 3 hours to download a 500MB program. Today, I can easily download a movie onto my PC in a matter of minutes, as opposed to hours.

Shield's Up is my go to place, when I want to check to see if my PC is Stealth or not.

Posted by:

07 Jul 2018

...still running XP without an anti-virus (just useless bloatware) and without the dumb windows firewall enabled.
Been doing this since ~2001. No hassles yet.

Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Router Security: Closing Unnecessary Ports (Posted: 27 Jun 2018)