According to the port number can be divided into three categories:
(1) Well-known ports: from 0 to 1023, which are closely bound with some services. Usually, the communication of these ports clearly indicates the protocol of a certain service. For example, port 80 has always been HTTP communication.
(2) Registration port: from 1024 to 49 15 1. They are loosely bound to some services. In other words, many services are bound to these ports, and these ports are also used for many other purposes. For example, many systems handle a dynamic port of about 1024.
(3) Dynamic and/or dedicated ports: from 49 152 to 65535. Theoretically, these ports should not be assigned to services. In fact, machines usually allocate dynamic ports from 1024. But there are exceptions: SUN's RPC port starts at 32768.
Some ports are often used by hackers and Trojan viruses to attack computer systems. The following is the introduction of computer ports and the brief methods to prevent being attacked by hackers.
World Wide Web publishing service
Port description: Port 8080, like port 80, is used for WWW proxy service, which can realize web browsing. When visiting a website or using a proxy server, the port number ":8080" is often added, for example: 8080.
Port vulnerability: Port 8080 can be used by various virus programs. For example, the BrOwn Hole (Bro) Trojan virus can completely remotely control an infected computer using port 8080. In addition, RemoConChubo and RingZero trojans can also use this port to attack.
Operation suggestion: Generally, we use port 80 for web browsing. In order to avoid virus attacks, we can close this port.
Port: 2 1
Service: FTP
Description: FTP server opens ports for uploading and downloading. The most common attacker is to find a way to open anonymous's FTP server. These servers have read-write directories. Trojan Doly Trojan, Fore, Stealth FTP, WebEx, WinCrash and blade runner open ports.
Port: 22
Service: Ssh
Description: The connection between TCP established by PcAnywhere and this port may be to find ssh. This service has many weaknesses. If configured in a specific mode, many versions that use the RSAREF library will have many loopholes.
Port: 23
Service: Telnet
Description: Remote login, the intruder is searching for the service of remote login UNIX. In most cases, scanning this port is to find the operating system running on the machine. And using other technologies, intruders will also find the password. Trojan mini Telnet server opens this port.
Port: 25
Service: SMTP
Description: The port opened by SMTP server is used to send mail. Intruders are looking for SMTP servers to send their spam. The intruder's account is closed, and they need to connect to a high-bandwidth email server and send simple information to different addresses. Trojan horse antigen, e-mail password sender, Haebu Coceda, Shtrilitz Stealth, WinPC and WinSpy all open this port.
Port: 80
Service: HTTP
Description: used for web browsing. The Trojan Executor opened the port.
Port: 102
Service: Message Transfer Agent (MTA)-x.400 over TCP/IP.
Description: Message Transfer Agent.
Port: 109
Service: post office protocol-Version 3
Description: The POP3 server opens this port to receive mail, and the client accesses the mail service on the server side. POP3 services have many recognized weaknesses. There are at least 20 weaknesses about user name and password exchange buffer overflow, which means that intruders can enter the system before actually logging in. There are other buffer overflow errors after successful login.
Port: 1 10
Service: all ports of SUN's RPC service.
Description: Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc.
Port: 1 19
Service: network news transfer protocol.
Description: news newsgroup transport protocol, which carries USENET communication. The connection of this port is usually when people are looking for a USENET server. Most ISPs only allow their customers to access their newsgroup servers. Opening the newsgroup server will allow anyone to post/read, access restricted newsgroup servers, post anonymously or send spam.
Port: 135
Services: Location Services
Description: Microsoft runs DCE RPC endpoint mapper on this port as its DCOM service. This is similar to the function of UNIX11port. Services using DCOM and RPC register their locations with the endpoint mapper on the computer. When remote customers connect to their computers, they will look for the location where the endpoint mapper finds the service. Will a hacker scan this port of a computer to find the Exchange Server running on this computer? What version? There are also some DOS attacks on this port.
Ports: 137, 138, 139
Service: NETBIOS name service
Note: Among them, 137 and 138 are UDP ports, which are used when transmitting files through network neighbors. And port 139: the connection coming through this port attempts to obtain NetBIOS/SMB service. This protocol is used for windows file and printer sharing and SAMBA. WINS Regisrtation also uses it.
Port: 16 1
Service: SNMP
Description: SNMP allows remote management of devices. All configuration and operation information is stored in the database and can be obtained through SNMP. Many administrators' misconfigurations will be exposed online. Cackers will try to access the system using the default passwords public and private. They will try all possible combinations. SNMP packets may be misdirected to the user's network.
What is a port?
Before we begin to discuss what a port is, let's discuss what a port is. I often hear on the Internet, "How many ports does my host have? Will it be invaded? " ! ? Or "Is it safer to open that port? In addition, what port should my service correspond to? "Ha ha! Isn't it amazing? Why are there so many strange ports on the host? What is the function of this port? !
Because the service function of each network is different, different data packets need to be sent to different services for processing, so when your host starts FTP and WWW services at the same time, the data packets sent by others will be processed by FTP or WWW services according to the port number on TCP, and there will be no confusion! (Note: Hehe! Some friends who have little contact with the internet often ask, "Hey! Why does your computer have so many services such as FTP, WWW and E-Mail at the same time, but how does your computer know how to judge when people send data? Does the computer really not misjudge? ! "Do you know why now? ! Yes, because the port is different! You can think of it this way. One day, if you want to deposit money in a bank, that bank can be considered as a "mainframe". Then, of course, a bank can't have only one kind of business, and there are quite a few windows inside. Then as soon as you enter the gate, the service staff at the door will ask you, "Hello! Hello! what are you going to do? You tell him, "I want to save money! ",the waiter will then tell you:" Drink! Then please go to window three! The staff over there will help you! " You shouldn't run to other windows at this time, should you? ! ""These windows can be considered as "ports"! So! Every service has a specific listening port! You don't have to worry about computer misjudgment! )
Every TCP connection must be initiated by one end (usually the client). This port is usually carried out by randomly selecting a port number greater than 1024! Its TCP packet will set (and only set) the SYN flag! This is the first packet of the whole connection;
If the other end (usually the server) accepts this request (of course, special services need to be carried out with special ports, such as 2 1 port of FTP), then the second package of the whole connection will be sent back to the requester! In addition to the SYN flag, the ACK flag is also set, and resources are established at the local side for connection.
Then, after the requester obtains the first response packet from the server, it must respond to the other party with an acknowledgement packet, which only carries the ACK flag (in fact, all packets in subsequent connections must carry the ACK flag);
Only when the server receives the acknowledgement (ACK) packet of the requester (that is, the third packet of the whole connection) can the connection between the two ends be formally established. This is the so-called three-way handshake principle of TCP online.
After three-way handshake, hehe! The port of the client is usually a randomly obtained port larger than 1024. As for the host side, it depends on which port was opened at that time. For example, WWW chooses 80, and FTP takes 2 1 as the normal access channel!
In a word, the port we are talking about here is not the I/O port of computer hardware, but the concept of software form. There are two kinds of ports, one is TCP port and the other is UDP port, depending on the service type provided by the tool. When computers communicate with each other, there are two ways: one is to confirm whether the information has arrived after sending, that is, to reply, mostly using TCP protocol; One is to leave it alone after sending it, and not confirm whether the information has arrived. Most of these methods use UDP protocol. The ports provided by services corresponding to these two protocols are also divided into TCP ports and UDP ports.
Then, if the attacker uses software to scan the target computer and gets the port opened by the target computer, he will know what services the target computer provides. As we all know, there must be loopholes in service software when providing services. According to these, the attacker can get a preliminary understanding of the target computer. If the port of the computer is too big for the administrator to know, there are two situations: one is that the service is provided and the administrator does not pay attention. For example, when installing IIS, the software will automatically add a lot of services, which administrators may not notice; One is that the server is installed by the attacker and communicates through a special port. Both situations are very dangerous. In the final analysis, the administrator does not understand the services provided by the server, which reduces the safety factor of the system.
//////////////////////////////////////////////////////////////////////////////////
What is a "port"?
In network technology, ports have several meanings. The ports of hubs, switches and routers refer to the interfaces connecting other network devices, such as RJ-45 port and serial port. The port we are talking about here is not a physical port, but a port in TCP/IP protocol, which is a logical port.
So what does the port in TCP/IP protocol mean? If the IP address is compared to a house, the port is the door of the house. A real house has only a few doors, but an IP address can have 65536 ports! Ports are marked by port numbers, which are only integers from 0 to 65535.
What's the use of ports? As we know, a host with an IP address can provide many services, such as Web services, FTP services, SMTP services and so on. These services can be completely realized through 1 IP address. So, how does the host distinguish different network services? Obviously, you can't just rely on ip addresses, because IP addresses and network services have a one-to-many relationship. In fact, different services are distinguished by "IP address+port number".
It should be noted that the ports are not in one-to-one correspondence. For example, when your computer accesses a WWW server as a client, the WWW server uses "80" port to communicate with your computer, but your computer may use "3457" port, as shown in figure 1.
According to the corresponding protocol type, there are two kinds of ports: TCP port and UDP port. Because TCP and UDP are independent, their respective port numbers are also independent of each other. For example, TCP has 235 ports, and UDP can also have 235 ports. There is no conflict between them.
1. well-known port
Well-known ports are well-known port numbers ranging from 0 to 1023, of which 80 ports are allocated to W WW service and 2 1 ports are allocated to FTP service. We don't need to specify the port number when we enter a website (such as www.cce.com.cn) in the address bar of IE, because the port number of WWW service is "80" by default.
Network services can use other port numbers. If it is not the default port number, you should specify the port number in the address bar by adding a colon ":"(half angle) after the address and then adding the port number. For example, if you use "8080" as the port of WWW service, you need to enter "www.cce.com.cn:8080" in the address bar.
However, some system protocols use fixed port numbers and cannot be changed. For example, port 139 is specially used for communication between NetBIOS and TCP/IP and cannot be changed manually.
2. Dynamic port
Dynamic ports range from 1024 to 65535. It is called a dynamic port because it generally does not allocate a service fixedly, but dynamically. Dynamic allocation means that when a system process or an application process needs network communication, it applies for a port from the host, and the host allocates an available port number for it to use. When this process is shut down, it also releases the occupied port number.
How to view ports
A server has a large number of ports in use. How to check the ports? There are two ways: one is to use the commands built into the system, and the other is to use the third-party port scanning software.
1. Use "netstat -an" to check the port status.
In Windows 2000/XP, you can use "netstat -an" at the command prompt to check the port status of the system, and you can list the port numbers that the system is opening and their status.
2. Use third-party port scanning software.
There are many third-party port scanning software. Although the interfaces are quite different, their functions are similar. Use "Fport" here (go to /tools/index.php? Type_t=7 or /soft/cce download) as an example. Using "Fport" at the command prompt, the running result is similar to "netstat -an", but it can not only list the port number and type being used, but also list which application is using the port.