
Introduction:
Network ports are logical endpoints that enable devices to communicate over TCP/IP, but they also serve as the primary attack surface for threat actors. Understanding which ports correspond to which services—and how to monitor, filter, or exploit them—is a foundational skill for SOC analysts, ethical hackers, and system administrators who need to detect anomalies, harden firewalls, and investigate incidents before they escalate.
Learning Objectives:
- Identify the 15 most common network ports, their associated protocols, and legitimate service functions.
- Execute hands-on commands (Linux/Windows) to enumerate open ports, monitor traffic, and apply firewall rules.
- Recognize attack vectors tied to insecure ports (e.g., Telnet, FTP, SMB) and implement mitigation strategies.
You Should Know
- Scanning and Enumerating Open Ports with `nmap` and `netstat`
Understanding which ports are listening on your system or across a network is the first step in any vulnerability assessment. `nmap` (Network Mapper) is the industry standard for port scanning; `netstat` (or its modern replacement `ss`) lists local listeners and the processes behind them.
Step-by-step guide for Linux:
Install nmap if not present (Debian/Ubuntu: sudo apt install nmap; RHEL/CentOS: sudo yum install nmap)
Scan localhost for all 65535 TCP ports with a full-connect scan (-sT completes the handshake, so it shows up in service logs)
sudo nmap -sT -p- localhost
Scan a remote target for the 100 most common ports only (-F; without it nmap defaults to the top 1000)
nmap -F 192.168.1.1
Detect service versions and fingerprint the OS (raw-packet OS detection needs root)
sudo nmap -sV -O 192.168.1.1
List all listening TCP/UDP ports locally with the owning PID (root is needed to see other users' processes)
sudo netstat -tulpn
Step-by-step guide for Windows (PowerShell and CMD):
Built-in: show all connections and listening ports with the owning process (-b requires an elevated prompt)
netstat -anob
PowerShell: filter for a specific local port (e.g., 445)
Get-NetTCPConnection | Where-Object LocalPort -eq 445
Test-NetConnection ships with PowerShell (nothing to install) and replaces telnet for connectivity checks
Test-NetConnection -ComputerName 192.168.1.1 -Port 22
What this does: these commands reveal active services, their PIDs and potential misconfigurations. An attacker who finds an exposed 22/SSH or 3389/RDP will typically move straight to password guessing, which succeeds far more often when no rate limiting, lockout or MFA is in place.
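To make concrete what `nmap -sT` does per port (a full TCP handshake) and where `nmap -sV` starts (reading whatever the service volunteers), here is a minimal connect scanner with banner grabbing. This is an added example, not code from the original post; it starts a constructed SSH-like listener on 127.0.0.1 so the scan has something to find offline, and the port numbers it probes are whatever the kernel hands out.

```python
"""TCP connect scan with banner grabbing, the mechanism behind `nmap -sT`
and the first step of `nmap -sV`. Added example, not code from the original
post. A throwaway SSH-like listener is started on 127.0.0.1 (constructed
target) so the scan has something to find offline."""
import socket
import threading


def start_fake_ssh_listener() -> tuple[socket.socket, int]:
    """Constructed target: sends an SSH banner to every client, like a real sshd."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0 = let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                   # listener was closed
            with conn:
                conn.sendall(b"SSH-2.0-OpenSSH_9.6\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_port(host: str, port: int, timeout: float = 0.5) -> tuple[bool, str]:
    """One connect scan: complete the three-way handshake, then read whatever
    the service sends first. Returns (is_open, banner); closed or filtered -> (False, '')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                  # ECONNREFUSED (closed) or timeout (filtered)
            return False, ""
        try:
            banner = s.recv(128).decode("ascii", "replace").strip()
        except OSError:
            banner = ""                  # open, but the service waits for the client to speak (e.g., HTTP)
        return True, banner


def scan(host: str, ports) -> dict[int, str]:
    """Return {port: banner} for every open port in `ports`."""
    found = {}
    for p in ports:
        is_open, banner = scan_port(host, p)
        if is_open:
            found[p] = banner
    return found


def demo() -> tuple[int, dict[int, str]]:
    """Start the constructed listener, scan it plus its two neighbour ports, return (its port, results)."""
    srv, port = start_fake_ssh_listener()
    try:
        return port, scan("127.0.0.1", [port - 1, port, port + 1])
    finally:
        srv.close()


if __name__ == "__main__":
    _, results = demo()
    for p, banner in results.items():
        print(f"{p}/tcp open  {banner or '(no banner)'}")
```

Because each probe completes the handshake, the target's service logs record every connection; that is why a defender grepping sshd logs sees connect scans, while a SYN scan (`nmap -sS`, root only) never reaches the application.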
- Hardening Insecure Protocols: Replacing Telnet (Port 23) and FTP (Ports 20/21)
Telnet transmits credentials and session data in cleartext; FTP does the same for logins and file transfers. Anyone who can see the traffic (a compromised host on the same VLAN, a mirrored switch port, an ARP-spoofing attacker) can capture the passwords. Replace them with SSH (port 22) for remote shells and SFTP (over SSH) or FTPS for file transfer.
Linux hardening steps:
Disable the Telnet service (socket-activated on systemd distros; on Debian/Ubuntu telnetd is usually started by inetd instead)
sudo systemctl stop telnet.socket
sudo systemctl disable telnet.socket
Remove Telnet client and server packages
sudo apt remove telnetd telnet          (Debian/Ubuntu)
sudo yum remove telnet-server telnet    (RHEL/CentOS)
Ensure SSH is enabled and started (the unit is named ssh on Debian/Ubuntu and sshd on RHEL/CentOS)
sudo systemctl enable --now ssh
Edit /etc/ssh/sshd_config to disable password authentication and root login (only after your public key is in ~/.ssh/authorized_keys, or you lock yourself out)
PasswordAuthentication no
PermitRootLogin no
Validate the configuration and reload sshd; edits do nothing until sshd re-reads the file, and a syntax error on restart would drop the service
sudo sshd -t && sudo systemctl reload ssh
Windows hardening (disable insecure services):
Disable Telnet Server (legacy Windows Server releases only; the role was removed in Windows Server 2016 and later)
Disable-WindowsOptionalFeature -Online -FeatureName TelnetServer
Block FTP and Telnet inbound via Windows Defender Firewall
New-NetFirewallRule -DisplayName "Block FTP" -Direction Inbound -Protocol TCP -LocalPort 20,21 -Action Block
New-NetFirewallRule -DisplayName "Block Telnet" -Direction Inbound -Protocol TCP -LocalPort 23 -Action Block
Why this matters: eliminating cleartext protocols removes an entire class of credential theft from the attack surface and is required by standards such as PCI DSS (requirement 4, protecting data in transit) and NIST SP 800-53.
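The two sshd_config lines above have a trap that the hardening steps do not mention: sshd keeps the first value it reads for a keyword, so appending `PasswordAuthentication no` to the bottom of a file that already says `PasswordAuthentication yes` (directly, or via an earlier `Include` such as Ubuntu's 50-cloud-init.conf) changes nothing. The following audit script is an added example, not code from the original post; both sample configs are constructed, `Include`d files are not followed, and settings inside `Match` blocks are treated as conditional and skipped.

```python
"""Audit the effective sshd_config settings the hardening steps above change.
Added example, not code from the original post. sshd uses the FIRST value
it reads for a keyword (a later duplicate is ignored), so this parser does
the same. Included files are not followed; lines inside Match blocks are
conditional and are skipped. Both sample configs are constructed."""
import re

# keyword -> required value, lower-cased (sshd keywords are case-insensitive)
REQUIRED = {"passwordauthentication": "no", "permitrootlogin": "no"}

# sshd accepts "Keyword value", "Keyword=value" and "Keyword = value"
DIRECTIVE_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings: lower-cased keyword -> first value seen."""
    effective: dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True                      # everything after Match is conditional
            continue
        if in_match:
            continue
        effective.setdefault(key, value)         # first occurrence wins, as sshd does
    return effective


def audit(text: str) -> list[str]:
    """Findings for the two hardening settings; an empty list means the config passes."""
    effective = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = effective.get(key)
        if got is None:
            # Not set: PasswordAuthentication defaults to yes, PermitRootLogin to prohibit-password
            findings.append(f"{key} not set (compiled-in default applies)")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', want '{want}'")
    return findings


# Constructed: the admin appended the hardened lines but left the stock lines above them.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
# added during hardening; these two lines never take effect
PasswordAuthentication no
PermitRootLogin no
"""

# Constructed: hardened values appear once, before any Match block; the Match
# block is a scoped exception for one management network, not a global setting.
HARDENED_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
Match Address 10.20.0.0/16
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

On a live host, `sshd -T` prints the fully resolved configuration (includes and all) and is the authoritative check; the script is useful for reviewing config files pulled from many machines without running sshd on each.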
- Monitoring DNS (Port 53) for Malicious Queries
DNS is often abused for data exfiltration (DNS tunneling) or command‑and‑control (C2) traffic. Security teams must monitor outbound DNS requests for anomalies.
Step‑by‑step guide for Linux:
Capture all DNS traffic on interface eth0 (requires tcpdump; -n suppresses reverse lookups, which would otherwise add DNS traffic of their own to the capture)
sudo tcpdump -i eth0 -n port 53
Log DNS queries using systemd‑resolved or bind
For bind, enable query logging in /etc/named.conf:
logging {
channel default_debug {
file "/var/log/named/dns.log";
severity dynamic;
};
category queries { default_debug; };
};
Use `dnstap` or `dnstop` for real‑time analysis
sudo apt install dnstop
sudo dnstop -l 3 eth0
Windows command to filter DNS events:
Show the local resolver cache (names this host has recently resolved)
ipconfig /displaydns | findstr "Record"
Enable DNS debug logging on a Windows Server DNS role via dnscmd (the value is a bitmask of event categories; check the documented flag values for your server version, or use Set-DnsServerDiagnostics on Server 2012 and later)
dnscmd /config /loglevel 0x10001
Pro tip: use `dig` or `nslookup` to test resolution by hand. Unexpected responses (NXDOMAIN floods, long TXT answers, or queries whose leftmost label is a long high-entropy string that changes on every request) are the classic signs of tunneling.
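The tunneling indicators just listed can be scored automatically from the BIND query log enabled above. The script below is an added example, not code from the original post: it parses constructed BIND 9 query-log lines and flags a registered domain when it sees many unique subdomains whose data-carrying label is long or high-entropy, reporting the TXT share and the querying clients. The thresholds are starting points to tune against your own baseline, and the two-label cut for the registered domain is a simplification (use a public-suffix list in production).

```python
"""Score DNS query logs for tunneling indicators: many unique subdomains
under one registered domain, long high-entropy labels and a high share of
TXT queries. Added example, not code from the original post; the log lines
are constructed in BIND 9 query-log format and the thresholds are
starting points, not tuned values."""
import hashlib
import math
import re
from collections import defaultdict

# BIND 9 querylog: "client @0x... 10.0.0.23#51873 (name): query: name IN TYPE +E(0)K (10.0.0.1)"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\d+\.\d+\.\d+\.\d+)#\d+ .*?query: (\S+) IN (\S+)"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex/base32 labels score ~3.5-4.5, dictionary words ~2.5-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(qname: str) -> str:
    """Crude registrable-domain cut (last two labels); use a public-suffix list in production."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_bind_query_log(lines):
    """Yield (client_ip, qname, qtype) for each BIND query-log line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).rstrip(".").lower(), m.group(3).upper()


def find_tunnel_candidates(lines, min_unique=8, min_entropy=3.0, min_label_len=20):
    """Return {registered_domain: stats} for domains that look like tunnel endpoints."""
    per_domain = defaultdict(lambda: {"clients": set(), "subs": set(), "txt": 0, "total": 0,
                                      "entropy_sum": 0.0, "len_sum": 0, "sub_q": 0})
    for client, qname, qtype in parse_bind_query_log(lines):
        dom = registered_domain(qname)
        st = per_domain[dom]
        st["total"] += 1
        st["clients"].add(client)
        if qtype == "TXT":
            st["txt"] += 1
        if qname != dom:
            sub = qname[: -len(dom) - 1]          # strip ".<registered domain>"
            first = sub.split(".")[0]             # the data-carrying label is usually leftmost
            st["subs"].add(sub)
            st["sub_q"] += 1
            st["entropy_sum"] += shannon_entropy(first)
            st["len_sum"] += len(first)
    findings = {}
    for dom, st in per_domain.items():
        if len(st["subs"]) < min_unique or st["sub_q"] == 0:
            continue
        avg_entropy = st["entropy_sum"] / st["sub_q"]
        avg_len = st["len_sum"] / st["sub_q"]
        if avg_entropy >= min_entropy or avg_len >= min_label_len:
            findings[dom] = {"unique_subdomains": len(st["subs"]),
                             "avg_label_entropy": round(avg_entropy, 2),
                             "avg_label_len": round(avg_len, 1),
                             "txt_share": round(st["txt"] / st["total"], 2),
                             "clients": sorted(st["clients"])}
    return findings


def _log_line(client: str, qname: str, qtype: str) -> str:
    """Constructed BIND-style query log line."""
    return (f"05-Mar-2024 09:12:01.000 client @0x7f3a1c005c20 {client}#51873 ({qname}): "
            f"query: {qname} IN {qtype} +E(0)K (10.0.0.1)")


# Constructed traffic: normal browsing from one host, plus 12 tunnel-style TXT queries
# from another, each carrying a 28-character hex chunk as the leftmost label.
SAMPLE_LOG = [
    _log_line("10.0.0.23", "www.example.com", "A"),
    _log_line("10.0.0.23", "mail.example.com", "MX"),
    _log_line("10.0.0.23", "www.example.com", "AAAA"),
    _log_line("10.0.0.23", "cdn.example.com", "A"),
] + [
    _log_line("10.0.0.42",
              hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:28] + ".t.exfil-example.net", "TXT")
    for i in range(12)
]

if __name__ == "__main__":
    for dom, stats in find_tunnel_candidates(SAMPLE_LOG).items():
        print(dom, stats)
```

A real deployment should also whitelist domains known to generate many unique subdomains legitimately (CDNs, anti-virus cloud lookups, some SaaS telemetry), which is why the output keeps the per-domain statistics rather than a bare verdict.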
- Securing SMB (Port 445) Against Ransomware and Lateral Movement
Port 445 (SMB) is a prime target for WannaCry‑style attacks and pass‑the‑hash techniques. Disable SMBv1, apply strict network segmentation, and monitor for abnormal SMB connections.
Linux commands to check SMB (Samba) status:
Check whether Samba is listening on port 445
sudo netstat -tulpn | grep :445
Disable SMBv1 and NTLMv1 in the [global] section of /etc/samba/smb.conf (ntlm auth = no leaves only NTLMv2), then restart smbd
server min protocol = SMB2
ntlm auth = no
Block SMB traffic temporarily with iptables (the rule is lost on reboot unless saved)
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
Windows PowerShell (disable SMBv1 and audit connections):
Disable SMBv1 permanently (run as Administrator)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Before disabling, audit which clients still negotiate SMBv1 (logged as Event ID 3000 in Microsoft-Windows-SMBServer/Audit) so legacy dependencies surface first
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Block SMB inbound on all profiles
New-NetFirewallRule -DisplayName "Block SMB 445" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
If SMB must remain open (e.g., for file shares), require SMB signing on the server (the RequireSecuritySignature setting, which defeats SMB relay), enable UNC Hardened Access via Group Policy, restrict 445 to the subnets that need it, and monitor Event IDs 5140 (network share accessed) and 5145 (share object access check) in the Windows Security log.
- RDP (Port 3389) Security: Brute‑Force Mitigation and Network Level Authentication
RDP is a frequent vector for credential stuffing and for wormable flaws such as BlueKeep (CVE-2019-0708). Lock down access.
Windows Group Policy / Registry hardening:
Enable Network Level Authentication (NLA) so clients must authenticate before a session is created
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Limit RDP to a specific group (members of Administrators can always connect, so keep that group small)
net localgroup "Remote Desktop Users" "Domain\AllowedGroup" /add
Lock accounts after 5 failed attempts (account lockout is a security policy, not a Winlogon registry value; on a domain set it through Group Policy instead)
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
Change the RDP listening port (obscurity only; it cuts automated scan noise but is not a security control). Edit the PortNumber DWORD, add a matching firewall rule, then restart the TermService service
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp  ->  PortNumber
Linux RDP client (Remmina) and gateway hardening:
Install xrdp only if you really need an RDP server on Linux (rare; prefer SSH)
sudo apt install xrdp
Bind xrdp to localhost only and reach it through an SSH tunnel (xrdp 0.9.x and later accept the tcp://address:port form in the [Globals] section of /etc/xrdp/xrdp.ini; on older builds firewall port 3389 instead)
sudo sed -i 's#^port=3389#port=tcp://127.0.0.1:3389#' /etc/xrdp/xrdp.ini
Best practice: put RDP behind a Remote Desktop Gateway (RDG) and require MFA via Duo or Microsoft Authenticator. Monitor for Event ID 4625 (failed logon) and group by source IP and TargetUserName; a single IP cycling through many user names is a password spray, many attempts on one account is brute force.
- Firewall Rule Analysis with `iptables` (Linux) and `netsh` (Windows)
Knowing which ports are allowed through the firewall is as important as scanning open ports. Misconfigured rules often leave ports like 161 (SNMP) or 69 (TFTP) exposed.
Linux – list and analyze iptables rules:
View current rules with packet counters and line numbers
sudo iptables -L -n -v --line-numbers
Check the default policy of the INPUT chain (shown in the chain header as policy DROP or ACCEPT)
sudo iptables -L INPUT
Log packets hitting UDP 161 (SNMP) for debugging. LOG is not a terminating target: the packet continues down the chain, so follow it with a DROP or the "blocked" prefix is a lie
sudo iptables -A INPUT -p udp --dport 161 -j LOG --log-prefix "SNMP BLOCKED: "
sudo iptables -A INPUT -p udp --dport 161 -j DROP
Save rules so they survive a reboot (Debian/Ubuntu, requires the iptables-persistent package)
sudo netfilter-persistent save
Windows – manage firewall rules via netsh and PowerShell:
List all firewall rules that mention port 445
netsh advfirewall firewall show rule name=all | findstr /i "445"
Export the full firewall policy (a binary .wfw file, not CSV; restore it with netsh advfirewall import)
netsh advfirewall export "C:\fw_backup.wfw"
PowerShell: show inbound Allow rules whose port filter includes 445 (pipe the result back into Get-NetFirewallRule to see the rule names)
Get-NetFirewallRule | Where-Object {$_.Action -eq "Allow" -and $_.Direction -eq "Inbound"} | Get-NetFirewallPortFilter | Where-Object {$_.LocalPort -eq 445}
Regular audits of firewall rules surface two kinds of rot: shadowed rules, which can never match because an earlier rule already catches their traffic, and stale allow rules left over from decommissioned services. Both create a false sense of control.
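Shadowing is mechanical to check once the rules are parsed, because netfilter walks a chain top to bottom and stops at the first terminating target (ACCEPT, DROP, REJECT); LOG is not terminating and shadows nothing. The script below is an added example, not code from the original post: it parses constructed `iptables -S INPUT` output, reports rules that an earlier rule fully covers, and lists over-broad ACCEPTs. Only `-i`, `-s`, `-p` and `--dport` are modelled; multiport, conntrack state and negation are out of scope and would need extending.

```python
"""Find shadowed and over-broad rules in `iptables -S INPUT` output.
Added example, not code from the original post. netfilter evaluates a chain
top to bottom and stops at the first terminating target (ACCEPT/DROP/REJECT),
so a rule can never match if an earlier terminating rule already covers all
of its traffic; LOG is not terminating and shadows nothing. Only -i, -s, -p
and --dport are modelled; the rule set is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    number: int                                    # position in the chain, as --line-numbers shows it
    target: str
    proto: Optional[str] = None                    # None = any protocol
    dport: Optional[int] = None                    # None = any port
    iface: Optional[str] = None                    # None = any interface
    src: Optional[ipaddress.IPv4Network] = None    # None = any source
    text: str = ""

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match would already match self."""
        return (
            (self.proto is None or self.proto == other.proto)
            and (self.dport is None or self.dport == other.dport)
            and (self.iface is None or self.iface == other.iface)
            and (self.src is None or (other.src is not None and other.src.subnet_of(self.src)))
        )


def parse_iptables_save(text: str, chain: str = "INPUT"):
    """Parse `iptables -S <chain>` output into (default_policy, [Rule, ...])."""
    policy, rules = None, []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", chain]:
            continue
        r = Rule(number=len(rules) + 1, target="", text=line.strip())
        i = 2
        while i + 1 < len(tok):                    # every modelled option takes exactly one argument
            flag, val = tok[i], tok[i + 1]
            if flag == "-p":
                r.proto = val
            elif flag == "--dport":
                r.dport = int(val)
            elif flag == "-i":
                r.iface = val
            elif flag == "-s":
                r.src = ipaddress.ip_network(val, strict=False)
            elif flag == "-j":
                r.target = val
            i += 2                                 # "-m tcp", "--log-prefix X" etc. are skipped as pairs
        rules.append(r)
    return policy, rules


def shadowed_rules(rules):
    """[(rule, earlier_terminating_rule_that_shadows_it)] in chain order."""
    out = []
    for idx, r in enumerate(rules):
        for earlier in rules[:idx]:
            if earlier.target in TERMINATING and earlier.covers(r):
                out.append((r, earlier))
                break
    return out


def broad_accepts(rules):
    """ACCEPT rules that admit a whole protocol with no port, interface or source restriction."""
    return [r for r in rules
            if r.target == "ACCEPT" and r.dport is None and r.iface is None and r.src is None]


# Constructed rule set with three classic mistakes: a LOG placed after the DROP it was meant
# to document (5), a narrower ACCEPT after a DROP (6), and a blanket TCP ACCEPT (7) that
# makes the 3389 rule below it (8) meaningless.
SAMPLE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j LOG --log-prefix SNMP_BLOCKED:
-A INPUT -p udp -m udp --dport 161 -s 10.0.1.0/24 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
"""

if __name__ == "__main__":
    policy, rules = parse_iptables_save(SAMPLE)
    print("default policy:", policy)
    for r, by in shadowed_rules(rules):
        print(f"rule {r.number} is shadowed by rule {by.number}: {r.text}")
    for r in broad_accepts(rules):
        print(f"rule {r.number} is over-broad: {r.text}")
```

On a real host the packet and byte counters from `iptables -L -n -v` give the same signal empirically: a rule whose counters stay at zero for months is either shadowed or stale.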
- Detecting Port Scanning in Logs and with Snort/Suricata
Attackers often scan ports 22, 443, 3389, and 445 before launching exploits. Using IDS/IPS signatures and log monitoring can flag reconnaissance.
Step-by-step: monitor /var/log/auth.log for SSH brute force (on RHEL-family systems the file is /var/log/secure; on journald-only systems use journalctl -u ssh):
Count failed SSH logins per source IP, most active first (the IP is the fourth field from the end of an sshd "Failed password" line)
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
Real-time tail of sshd activity. Do not grep for "port 22": the port in these lines is the client's source port, not the server's
sudo tail -f /var/log/auth.log | grep --line-buffered sshd
Suricata rule example (detect port scan):
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible TCP port scan: 10 SYNs from one source in 5s"; flags:S; threshold: type both, track by_src, count 10, seconds 5; classtype:attempted-recon; sid:1000001; rev:1;)
Windows – detect port scans via PowerShell and event logs:
Look for many failed RDP logons (Event ID 4625 with Logon Type 10, RemoteInteractive) grouped by source IP. In the 4625 property array index 10 is LogonType and index 19 is IpAddress. Caveat: once NLA is enabled, failed RDP logons are recorded with Logon Type 3 (network) instead, so widen the filter accordingly
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Where-Object {$_.Properties[10].Value -eq 10} | Group-Object -Property {$_.Properties[19].Value} | Sort-Object Count -Descending
If you see dozens of connection attempts from a single IP across multiple ports, immediate blocking via firewall or fail2ban is warranted.
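The grep/awk pipeline and the Suricata threshold above are the two detections most SOCs start with, and both have a blind spot worth seeing in code. The script below is an added example, not code from the original post. Part one counts failed SSH logins per source from constructed auth.log lines but also keeps the user names, so a password spray (many users, one or two tries each) is distinguishable from brute force on one account. Part two is a sliding-window port-scan detector equivalent to the Suricata rule but counting distinct destination ports, fed with constructed connection records as you would get from parsed firewall LOG lines; the third source in the sample probes one port every 10 seconds and slips under the 5-second window, which is why a slower per-hour counter belongs alongside.

```python
"""Two detections from the section above, as an added example (not the
original post's code): (1) failed-SSH-login counts per source from auth.log
lines, keeping user names so a password spray is distinguishable from brute
force; (2) a sliding-window port-scan detector that counts DISTINCT
destination ports per source, like the Suricata threshold rule. Log lines
and connection records are constructed."""
import re
from collections import Counter, defaultdict, deque

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")


def failed_logins_by_ip(lines):
    """[(ip, failures, distinct_users)] sorted by failures descending."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            per_ip[ip][user] += 1
    return sorted(((ip, sum(c.values()), len(c)) for ip, c in per_ip.items()),
                  key=lambda t: -t[1])


def detect_port_scans(events, min_ports=10, window_s=5.0):
    """events: (epoch_seconds, src_ip, dst_port) records, e.g. parsed from
    iptables LOG lines or conntrack. Returns {src: most distinct ports seen
    inside any window_s interval} for sources that reached min_ports."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        window = deque()                 # events still inside the window
        live = Counter()                 # port -> number of those events per port
        for ts, port in evs:
            window.append((ts, port))
            live[port] += 1
            while ts - window[0][0] > window_s:      # expire events older than the window
                _, old = window.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            if len(live) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(live))
    return hits


AUTH_LOG = [  # constructed sshd lines in auth.log format
    "Mar  5 09:12:01 bastion sshd[2211]: Failed password for root from 203.0.113.9 port 51001 ssh2",
    "Mar  5 09:12:02 bastion sshd[2212]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "Mar  5 09:12:03 bastion sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 51003 ssh2",
    "Mar  5 09:12:04 bastion sshd[2214]: Failed password for root from 203.0.113.9 port 51004 ssh2",
    "Mar  5 09:12:10 bastion sshd[2215]: Failed password for invalid user test from 198.51.100.7 port 40110 ssh2",
    "Mar  5 09:12:11 bastion sshd[2216]: Failed password for invalid user oracle from 198.51.100.7 port 40111 ssh2",
    "Mar  5 09:12:30 bastion sshd[2217]: Accepted publickey for deploy from 10.0.0.5 port 50222 ssh2",
]

EVENTS = (  # constructed (timestamp, source, destination port) records
    [(1000.0 + 0.1 * i, "203.0.113.9", 21 + i) for i in range(20)]        # fast scan: 20 ports in 2 s
    + [(1000.0 + 0.5 * i, "10.0.0.5", 443) for i in range(40)]            # busy but legitimate client
    + [(1000.0 + 10.0 * i, "198.51.100.7", 8000 + i) for i in range(12)]  # slow scan: evades the 5 s window
)

if __name__ == "__main__":
    for ip, n, users in failed_logins_by_ip(AUTH_LOG):
        print(f"{ip}: {n} failures across {users} user name(s)")
    print("port scans:", detect_port_scans(EVENTS))
```

Running `detect_port_scans(EVENTS, min_ports=10, window_s=3600)` over the same records catches the slow scanner too; in practice you run both windows and alert on either.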
What Undercode Say
- Key Takeaway 1: Ports are not just numbers—they reveal service fingerprints. An open port 445 without SMB signing is a lateral movement goldmine for attackers; an open port 161 (SNMP) with default community strings leaks network topology.
- Key Takeaway 2: Memorizing ports (22=SSH, 3389=RDP, 443=HTTPS) is necessary but insufficient. Real security comes from disciplined monitoring, applying the principle of least privilege, and replacing legacy protocols even when they seem “convenient.”
Analysis: The original post correctly emphasizes that ports tell a story. However, many beginners stop at memorization without learning how to actively scan, block, or investigate them. The provided commands and hardening steps bridge that gap—turning passive knowledge into actionable defense. As SOC teams face increasing scan‑and‑exploit automation (e.g., Mirai botnets targeting telnet, LockBit leveraging SMB), the ability to quickly enumerate open ports and correlate them with threat intelligence is what separates reactive from proactive security.
Prediction
- Increased adoption of zero-trust port access models: instead of relying on traditional port blocking, more organizations will implement per-session authentication and micro-segmentation (e.g., using Tailscale or Zscaler), making an open port far less useful for lateral movement.
- Rise in DNS-over-HTTPS (DoH) abuse: as port 53 is increasingly watched for tunneling, attackers will move C2 traffic to encrypted DNS over port 443, bypassing inspection tools that only see classic DNS.
- RDP brute-force attacks will intensify with AI-generated password lists: port 3389 will remain a top target while adaptive lockout and MFA adoption lag in small businesses, leading to more ransomware incidents that begin with an RDP compromise.
Reported By: Cybersecurity Networking – Hackers Feeds