On the Internet, each host sends and receives datagrams through the TCP/IP protocol suite. Each datagram is routed across the Internet based on the IP address of its destination host, so delivering the datagram to the destination host is not the problem. Where does the problem lie? Most operating systems support multiple programs (processes) running at the same time, so to which of the many running processes should the destination host hand the datagram it has received? This problem clearly needs to be solved, and the port mechanism was introduced for that purpose.
The local operating system allocates protocol ports (what we usually just call ports) to those processes that require them. Each protocol port is identified by a positive integer, such as 80, 139, 445, etc. When the destination host receives a datagram, it delivers the data to the port named by the destination port number in the datagram header, and the process bound to that port receives the data and then waits for the next set of data to arrive. At this point the concept of ports may still seem abstract, so keep following along and don't walk away.
Ports are actually queues. The operating system assigns a separate queue to each process, and datagrams are pushed into the corresponding queue according to their destination port, where they wait to be taken by the process. In very special circumstances a queue can overflow, but the operating system allows each process to specify and adjust the size of its own queue.
Not only does the process that receives a datagram need to open its own port; the process that sends the datagram also needs to open a port. In this way the sending port is recorded in the datagram, so that the receiver can return data to it and the reply datagrams arrive on that port.
Port classification:
On the Internet, ports are divided into two categories according to protocol type: TCP ports and UDP ports. Although both are identified by positive integers, this causes no ambiguity (for example between TCP port 80 and UDP port 80), because a datagram indicates the protocol type as well as the port number.
From the perspective of port allocation, ports are divided into two categories: fixed ports and dynamic ports (some tutorials also divide the rarely used high ports into a third category: private ports):
Fixed port (0-1023):
These use a centralized management mechanism, that is, they obey assignments made by a management organization that is responsible for issuing them. Since these ports are tightly bound to particular services, we often scan them to determine whether the other party has those services open, for example TCP 21 (ftp), 80 (bios), UDP 7 (echo), 69 (tftp) and other well-known ports;
Dynamic ports (1024-49151):
These ports are not fixedly bound to a particular service; the operating system allocates them dynamically to each process, and the same process may be allocated different ports on two occasions. However, some applications are not willing to use the dynamic ports assigned by the operating system and have their own "trademark" ports, such as port 4000 of the oicq client and port 7626 of the Glacier Trojan, all of which are fixed and well known.
The role of ports in intrusion:
Someone once compared a server to a house and its ports to doors leading to different rooms (services). Leaving the details aside, this is a good metaphor. If an intruder wants to occupy the house, he must break in (physical intrusion is another matter). So for the intruder it is important to know how many doors in the house are open, what kind of doors they are, and what is behind each door.
The intruder usually uses a scanner to scan the ports of the target host to determine which ports are open. From the open ports the intruder can tell roughly what services the target host provides, and then guess what vulnerabilities may exist, so port scanning helps in understanding the target host. For administrators, scanning the open ports of the local machine is likewise the first step in taking security precautions.
Introduction to common ports
Due to my limited knowledge, I only introduce some simple content here.
1) 21 ftp
Opening this port means that the server provides FTP service. Intruders usually scan this port and determine whether anonymous login is allowed. If a writable directory can be found, they can also upload hacker programs for further intrusion. To close this port, you need to turn off the FTP service.
2) 23 Telnet
Opening this port means that the server provides a remote login service. If you have the administrator's username and password, you can fully control the host through this service (but you need to pass NTLM authentication first) and get a command-line shell. Many intruders like to open this service as a backdoor. To close this port, you need to close the Telnet service.
3) 25 smtp
Opening this port means that the server provides SMTP service. Some servers that do not support authentication allow intruders to send email to any destination. SMTP servers (especially sendmail) are also one of the most common ways of entering a system. To close this port, you need to close the SMTP service.
4) 69 TFTP (UDP)
Opening this port means that the server provides a TFTP service, which allows files to be downloaded from and written to the server. If the administrator configures it incorrectly, intruders can even download password files. Many intruders run this service on their own machines to transfer files to the target machine. To close this port, you need to close the TFTP service.
5) 79 finger
Used to obtain user information, query the operating system, detect known buffer overflow errors, and respond to finger scans from your own machine against other machines.
6) 80
1 netstat -an
Admittedly this is not a tool, but it is the most convenient way to check which ports you have opened. Just enter this command in cmd, as follows:
C:\>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1027 *:*
UDP 127.0.0.1:1029 *:*
UDP 127.0.0.1:1030 *:*
These are the ports my machine had open while I was not online; 135 and 445 are fixed ports, and the remaining ports are dynamic ports.
2 fport.exe and mport.exe
These are two more small command-line programs for viewing the open ports of the local machine. They are similar to the netstat -an command, except that they can also display the process that opened each port and give more information. If you suspect that a strange port may belong to a Trojan, use them to check.
3 activeport.exe (also called aports.exe)
It is also used to view the open ports of the local machine. In addition to all the functions of the two programs above, it has two more attractive features: a graphical interface and the ability to close ports.
This is an absolutely useful tool for novices, and it is recommended to use it.
4 superscan3.0
Have you not heard of it? It is the No.1 pure port scanning program: it is fast and lets you specify the ports to be scanned. Not much more to say; it is an absolute must-have tool.
Protect your own ports:
Friends who are new to the Internet are generally very sensitive about their own ports. They are always afraid that their computer has too many ports open, and even more afraid that one of them is the port of a backdoor program, but because they are not very familiar with ports they have no solution and are nervous whenever they go online. In fact, protecting your own ports is not that difficult. Just do the following:
1 Check: often use commands or software to check the locally open ports to see if there are any suspicious ports;
2 Judgment: If there is an open port you are not familiar with, immediately look up a port encyclopedia or a list of common Trojan ports (there are many on the Internet) to see what your suspicious port is described as doing, or use the software above to check which process opened the port and judge from that;
3 Close: If it really is a Trojan port, or the references contain no description of this port at all, then the port should be closed. You can use a firewall to block it, or you can use Local Connection - TCP/IP - Advanced - Options - TCP/IP Filtering to enable the filtering mechanism and filter the port;
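As an added example (not code from the original article), the check and judgment steps above applied to the netstat -an listing shown earlier: the script parses Windows-style netstat output, keeps only sockets that accept inbound traffic, classifies each port into the article's fixed/dynamic/private ranges, and flags ports that match a small lookup table. The lookup tables and the sample listing are constructed for illustration; a real port encyclopedia would be far larger.

```python
import re
from collections import namedtuple

# Constructed sample in the format of Windows "netstat -an", modelled on the
# listing in this article (not captured from a real machine). Port 7626 is
# added to show how a known Trojan port is flagged.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    127.0.0.1:1029         *:*
"""

Listener = namedtuple("Listener", "proto addr port category note")

# Hypothetical mini "port encyclopedia": services and the Trojan port named in the article.
KNOWN_SERVICES = {("TCP", 21): "ftp", ("TCP", 23): "telnet", ("TCP", 25): "smtp",
                  ("UDP", 69): "tftp", ("TCP", 79): "finger", ("TCP", 80): "http"}
KNOWN_TROJANS = {("TCP", 7626): "Glacier Trojan"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def classify(port):
    """Port ranges as the article divides them."""
    return "fixed" if port <= 1023 else "dynamic" if port <= 49151 else "private"

def parse_listeners(text):
    """Return sockets that accept inbound traffic: TCP in LISTENING state plus all UDP."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not open ports
        key = (proto, port)
        if key in KNOWN_TROJANS:
            note = "SUSPICIOUS: " + KNOWN_TROJANS[key]
        elif key in KNOWN_SERVICES:
            note = KNOWN_SERVICES[key]
        elif classify(port) == "fixed":
            note = "unlisted fixed port: look it up"
        else:
            note = "dynamic: check the owning process with fport/aports"
        out.append(Listener(proto, addr, port, classify(port), note))
    return out

def suspicious(listeners):
    """Step 2 of the article: the ports that warrant closing or further checks."""
    return [l for l in listeners if l.note.startswith("SUSPICIOUS")]
```

Running parse_listeners(SAMPLE_NETSTAT) yields six listeners; suspicious() singles out TCP 7626 while the 1025 and 1029 entries are reported as dynamic ports whose owning process should be checked.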