Detected Services
Detected services with open ports are identified from what the port itself returns. The banner or header the server sends (an SSH version string, an SMTP or FTP greeting, an HTTP response header, a database handshake) is analyzed for attributes that identify the service, together with any capabilities the service advertises, such as STARTTLS or AUTH TLS. The identified service and what it advertises determine which of the categories below the finding falls into.
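As an added illustration of the detection described above (this is example code, not Bitsight's scanner), the following classifier takes a port, the server's greeting and, where the protocol has one, its capability reply, and maps them onto the message and category names used in the tables on this page. The category names are taken from the section headings; the sample greetings, the MySQL packets and the host names are all constructed for the example.

```python
"""Banner-based service detection and grading (added example, not Bitsight's code)."""
import re


def _text(raw: bytes) -> str:
    # Banners are mostly ASCII; latin-1 never fails, so binary handshakes decode too.
    return raw.decode("latin-1")


def _is_mysql(raw: bytes) -> bool:
    # MySQL speaks first: 3-byte little-endian payload length, 1-byte sequence id,
    # then 0x0A (handshake v10) or 0xFF (error packet).
    return (len(raw) >= 5
            and int.from_bytes(raw[:3], "little") == len(raw) - 4
            and raw[4] in (0x0A, 0xFF))


def classify(port: int, banner: bytes, probe_reply: bytes = b"") -> tuple[str, str]:
    """Return (message, category) for one observed port.

    probe_reply is the server's answer to a capability probe (SMTP EHLO,
    IMAP CAPABILITY, POP3 CAPA, FTP FEAT); empty if none was sent.
    """
    text = _text(banner)
    reply = _text(probe_reply)
    first = text.splitlines()[0] if text else ""

    if first.startswith("SSH-"):
        return "Detected service: SSH", "GOOD"

    if first.startswith("HTTP/"):
        return "Detected service: HTTP", "NEUTRAL"

    if _is_mysql(banner):
        if banner[4] == 0xFF:
            code = int.from_bytes(banner[5:7], "little")
            if code == 1130:  # ER_HOST_NOT_PRIVILEGED: host-based access control is on
                return "Detected service: MySQL (connection refused)", "NEUTRAL"
            return "Detected service: MySQL", "WARN"
        return "Detected service: MySQL (connection not refused)", "WARN"

    if first.startswith("220"):
        # SMTP and FTP share the 220 greeting; tell them apart by keyword, then port.
        if "SMTP" in first.upper() or port in (25, 587, 2525):
            if re.search(r"^250[- ]STARTTLS\s*$", reply, re.M | re.I):
                return "Detected service: SMTP with STARTTLS", "GOOD"
            return "Detected service: SMTP without STARTTLS", "WARN"
        # FTP advertises TLS in its FEAT reply as " AUTH TLS" (RFC 4217).
        if re.search(r"^\s*AUTH\s+(TLS|SSL)\b", reply, re.M | re.I):
            return "Detected service: FTP with AUTH TLS", "GOOD"
        return "Detected service: FTP without AUTH TLS", "WARN"

    if first.startswith("* OK"):
        # IMAP may list capabilities in the greeting itself or in a CAPABILITY reply.
        if re.search(r"\bSTARTTLS\b", text + "\n" + reply):
            return "Detected service: IMAP with STARTTLS", "GOOD"
        return "Detected service: IMAP without STARTTLS", "WARN"

    if first.startswith("+OK"):
        # POP3 spells the capability STLS, not STARTTLS (RFC 2595).
        if re.search(r"^STLS\s*$", reply, re.M):
            return "Detected service: POP3 with STARTTLS", "GOOD"
        return "Detected service: POP without STARTTLS", "WARN"

    return "Detected service: unknown", "NEUTRAL"


def _mysql_packet(payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


# Constructed observations: (port, greeting, capability reply).
SAMPLES = {
    "smtp_starttls": (25, b"220 mail.example.test ESMTP Postfix\r\n",
                      b"250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"),
    "smtp_plain": (25, b"220 relay.example.test ESMTP\r\n",
                   b"250-relay.example.test\r\n250 8BITMIME\r\n"),
    "ftp_auth_tls": (21, b"220 ProFTPD Server ready.\r\n",
                     b"211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"),
    "ftp_plain": (21, b"220 (vsFTPd 3.0.5)\r\n",
                  b"211-Features:\r\n EPRT\r\n SIZE\r\n211 End\r\n"),
    "imap_starttls": (143, b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready\r\n", b""),
    "pop3_stls": (110, b"+OK POP3 ready\r\n", b"+OK\r\nCAPA\r\nTOP\r\nUSER\r\nSTLS\r\n.\r\n"),
    "ssh": (22, b"SSH-2.0-OpenSSH_9.6\r\n", b""),
    "mysql_refused": (3306, _mysql_packet(
        b"\xff\x6a\x04Host '203.0.113.5' is not allowed to connect to this MySQL server"), b""),
    "mysql_open": (3306, _mysql_packet(b"\x0a8.0.36\x00\x2a\x00\x00\x00"), b""),
}


def run_samples() -> dict[str, tuple[str, str]]:
    return {name: classify(*obs) for name, obs in SAMPLES.items()}


if __name__ == "__main__":
    for name, (message, category) in run_samples().items():
        print(f"{name:14} {category:7} {message}")
```

Two details matter in practice: SMTP and FTP both greet with a 220 line, so the keyword in the greeting (and the port as a fallback) decides which capability probe to interpret; and POP3 advertises TLS as STLS rather than STARTTLS, which a naive substring check misses.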
Message | Description | Remediation Instructions |
---|---|---|
Detected service: ZooKeeper | This port was observed running Apache ZooKeeper, an open-source coordination service for distributed systems. It has had vulnerabilities in the past, and its developers recommend that it not be deployed on the public Internet. See the Apache ZooKeeper recommendations. Port: | Block the port in the company edge network infrastructure. |
Detected Services: GOOD
Message | Description |
---|---|
Detected service: FTP with AUTH TLS | This port was observed running File Transfer Protocol (FTP) with AUTH TLS (encryption), which is used for securing FTP communications. |
Detected service: HTTPS | This port was observed running Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic. |
Detected service: HTTPS/Cisco RV | This port was observed running a Cisco RV device, which is a VPN router. |
Detected service: IMAP with STARTTLS | This port was observed running Internet Message Access Protocol (IMAP) with STARTTLS, which upgrades the plaintext IMAP connection to TLS (RFC 2595). |
Detected service: IMAPS | This port was observed running Internet Message Access Protocol (IMAP) over an implicit TLS/SSL connection (IMAPS, normally port 993). |
Detected service: IPSec NAT Traversal | This port was observed running IPsec with NAT Traversal (NAT-T), which encapsulates the encrypted traffic in UDP so that end-to-end encrypted communications work across the Internet from computers behind Network Address Translation (NAT), that is, computers sharing one public IP address. |
Detected service: ISAKMP (Cisco-ASA) | This port was observed running Internet Security Association and Key Management Protocol (ISAKMP), the authentication and key exchange framework used by IPsec IKE, on a Cisco ASA device. Cisco ASA's IKE version 1 and version 2 implementations have had known vulnerabilities, so keep the device on current firmware. |
Detected service: ISAKMP NAT-T | This port was observed running Internet Security Association and Key Management Protocol (ISAKMP) over NAT Traversal (NAT-T), which allows authentication and key exchange across gateways that implement network address translation. |
Detected service: ISAKMP NAT-T (Cisco-ASA) | This port was observed running Internet Security Association and Key Management Protocol (ISAKMP) over NAT Traversal (NAT-T) on a Cisco ASA device. Cisco ASA's IKE version 1 and version 2 implementations have had known vulnerabilities, so keep the device on current firmware. |
Detected service: POP3 with STARTTLS | This port was observed running Post Office Protocol version 3 (POP3) with STARTTLS, which is used for securing POP3 mail. |
Detected service: POP3S | This port was observed using a secure Post Office Protocol version 3 (POP3S), which is used for securing POP3 email. |
Detected service: SFTP | This port was observed running the SSH File Transfer Protocol (SFTP), which transfers files over an SSH session. Despite the name it is not FTP and does not depend on FTP with AUTH TLS; it is the recommended replacement for plain FTP. |
Detected service: SMTPS | This port was observed running Simple Mail Transfer Protocol (SMTP) with Transport Layer Security (TLS). |
Detected service: SMTP with STARTTLS | This port was observed running Simple Mail Transfer Protocol (SMTP) with STARTTLS, which is used for securing SMTP mail servers. |
Detected service: SSH | This port was observed running Secure Shell (SSH), which is used for sending and receiving secure communication. |
Detected service: Telnet over SSL/TLS | This port was observed running Telnet over Transport Layer Security (TLS)/Secure Sockets Layer (SSL) encryption layers. |
Detected Services: NEUTRAL
Message | Description | Remediation Instructions |
---|---|---|
Detected service: BGP | This port was observed running Border Gateway Protocol (BGP), which is used to exchange routing and reachability information between networks and systems on the Internet. | Create a company firewall filter that blocks all connection attempts to this port except from specified BGP peers, since there are no mechanisms internal to BGP that protect against attacks that modify, delete, forge, or replay data, any of which has the potential to disrupt overall network routing behavior. |
Detected service: CouchDB | This port was observed running CouchDB, a document-oriented NoSQL database accessed over an HTTP API. Unlike a relational database that stores data and relationships in tables, CouchDB stores self-contained JSON documents and replicates them between instances, so a copy can be used offline on a mobile device or a server and synchronized later. | - |
Detected service: DNS | This port was observed running a Domain Name System (DNS) service, which is used to direct requests for domain names to their assigned IP addresses. | - |
Detected service: FTP | This port was observed running File Transfer Protocol (FTP), which is used to transfer files over a network. | - |
Detected service: HTTP | This port was observed running Hypertext Transfer Protocol (HTTP), which is used for sending and receiving internet traffic. | - |
Detected service: HTTP/Cisco RV | This port was observed running a Cisco RV device, which is a VPN router. | - |
Detected service: IMAP | This port was observed running Internet Message Access Protocol (IMAP), which is a commonly used mail protocol. | - |
Detected service: ISAKMP | This port was observed running Internet Security Association and Key Management Protocol (ISAKMP), which is a framework for authentication and key exchange. | - |
Detected service: Kubernetes API | This port was observed running the Kubernetes API server. Kubernetes is an open source platform that automates the deployment and operation of containerized applications. In versions prior to v1.10.11, v1.11.5 and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed a specially crafted request to keep a connection through the API server to a backend server (such as a kubelet or an aggregated API server) open. The API server's own TLS credentials are used to authenticate that backend connection, so the caller could then send arbitrary requests directly to the backend over the same connection with the API server's privileges. | Update to v1.10.11, v1.11.5, v1.12.3 or a later release. Refer to CVE-2018-1002105. |
Detected service: LDAPS | This port was observed running a Lightweight Directory Access Protocol (LDAP) server, over TLS/SSL (LDAPS). It's used to maintain directory information service and can be used to gather information about a company's network infrastructure. | - |
Detected service: ManageSieve | This port was observed running a ManageSieve server, which is used to manage filtering of server-side email messages. | - |
Detected service: MySQL (connection refused) | This port was observed running MySQL, but the server refused the connection (for example, the connecting host is not in the list of hosts allowed to connect), which indicates that host-based access control is in place. | - |
Detected service: NTP | This port was observed running Network Time Protocol (NTP), which is a common way for systems to keep their local time in sync with current time. | - |
Detected service: Onvif | This port was observed running an ONVIF (Open Network Video Interface Forum) interface, the standardized web-service interface used by IP cameras, video recorders and other IP-based physical security products for interoperability. | - |
Detected service: POP | This port was observed running Post Office Protocol (POP), which is a commonly used mail protocol. | - |
Detected service: PPTP | This port was observed running the Point-to-Point Tunneling Protocol (PPTP), which is a method for implementing Virtual Private Networks (VPN). | - |
Detected service: SIP | This port was observed running Session Initiation Protocol (SIP), which is widely used for internet telephony and video services. | - |
Detected service: SMTP | This port was observed running Simple Mail Transfer Protocol (SMTP) without STARTTLS, which is a commonly used mail protocol. | - |
Detected service: SMTP with access control | This port was observed running Simple Mail Transfer Protocol (SMTP) with restrictive access controls. Bitsight could not gather additional information as a result. | - |
Detected service: XMPP | This port was observed running Extensible Messaging and Presence Protocol (XMPP), which is a way to send Extensible Markup Language (XML)-based communications. | - |
Detected service: XServer | This port was observed running an X Window System (X11) server, which lets remote clients display graphical applications on, and read input from, the server's desktop. | - |
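The Kubernetes API finding above asks for an update to a fixed release, and the fix for CVE-2018-1002105 was backported to three release branches (v1.10.11, v1.11.5, v1.12.3) and included in every 1.13 or later release. A plain "version at least 1.10.11" comparison therefore gets it wrong (it would call v1.11.0 fixed). The following check, added here as an example and not part of this page or of the Kubernetes project, applies the per-branch rule to the gitVersion field of the API server's /version response. The sample responses are constructed; a real check would read the endpoint from the cluster.

```python
"""Per-branch version check for CVE-2018-1002105 (added example, not project code)."""
import json
import re

# First fixed patch release on each affected branch.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
FIRST_FIXED_MINOR = 13  # the fix shipped before v1.13.0 was released (assumption: pre-releases of 1.13 are treated as fixed)


def parse_git_version(git_version: str) -> tuple:
    """Turn 'v1.11.5-eks-1' or 'v1.12.3+k3s1' into (1, 11, 5); suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised gitVersion: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(git_version: str) -> bool:
    major, minor, patch = parse_git_version(git_version)
    if (major, minor) >= (1, FIRST_FIXED_MINOR):
        return False
    if major == 1 and minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]   # fixed only from the backported patch release on
    return True                             # 1.0 through 1.9 never received the fix


def check_version_response(body: str) -> dict:
    """Evaluate the JSON body returned by the API server's /version endpoint."""
    info = json.loads(body)
    version = info["gitVersion"]
    return {"gitVersion": version, "vulnerable": is_vulnerable(version)}


# Constructed /version responses for a few clusters (not real scan data).
SAMPLE_RESPONSES = {
    "patched-1.12": '{"major":"1","minor":"12","gitVersion":"v1.12.3","platform":"linux/amd64"}',
    "old-1.11":     '{"major":"1","minor":"11","gitVersion":"v1.11.4","platform":"linux/amd64"}',
    "managed-1.10": '{"major":"1","minor":"10+","gitVersion":"v1.10.11-gke.1","platform":"linux/amd64"}',
    "ancient-1.9":  '{"major":"1","minor":"9","gitVersion":"v1.9.6","platform":"linux/amd64"}',
}


def run_samples() -> dict:
    return {name: check_version_response(body)["vulnerable"]
            for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, vulnerable in run_samples().items():
        print(f"{name:13} {'UPDATE' if vulnerable else 'ok'}")
```

The check deliberately reads gitVersion rather than the major/minor fields, because managed distributions report minor values such as "10+" and append their own suffixes to the patch number.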
Detected Services: WARN
Message | Description | Remediation Instructions |
---|---|---|
Detected service: AMQP | This port was observed running the Advanced Message Queuing Protocol (AMQP), which is used for sending messages between distributed systems. | Create company firewall rules to only allow approved AMQP destinations, or block the port entirely in the company edge network infrastructure and tunnel AMQP connections through a Virtual Private Network (VPN). |
Detected service: Apple Airport Administration | This port was observed running Apple Airport Administration software, which can be used to modify and access connections on the machine or an attached network. | These devices should not be exposed to the Internet. Block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review. |
Detected service: BitTorrent Tracker | This port was observed running a BitTorrent Tracker, which is used to help BitTorrent clients find each other and share files. File sharing is a known vector for malware to enter otherwise secure systems. | If there is no reason to legitimately share files over BitTorrent as a legal software distribution channel, block the port in the company edge network infrastructure. |
Detected service: CouchDB (unauthenticated) | This port was observed running CouchDB, a document-oriented NoSQL database, and it accepted requests without authentication. CouchDB has had vulnerabilities caused by insufficient validation of administrator-supplied configuration settings via the HTTP API, through which a CouchDB administrator could escalate to the privileges of the operating-system user running CouchDB and gain arbitrary remote code execution. Resources: CVE-2018-11769, CVE-2018-8007 | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of exposing the database server to the Internet. |
Detected service: Distributed Hash Table | This port was observed running a Distributed Hash Table, which is used to help BitTorrent nodes find each other and connect peers for file sharing. | If there is no reason to legitimately share files over BitTorrent as a legal software distribution channel, block the port in the company edge network infrastructure. |
Detected service: Erlang Port Mapper Daemon | This port was observed running the Erlang Port Mapper Daemon (epmd), which facilitates communications between Erlang nodes. | If there is no reason for the Erlang Port Mapper Daemon to be reachable, block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. |
Detected service: FTP without AUTH TLS | This port was observed running a File Transfer Protocol (FTP) service without AUTH TLS (encryption), so credentials and file contents cross the network in cleartext. | Insecure FTP poses many risks and is also a common vector for trojans and other malware. Block port 21 bidirectionally on routers, hardware firewalls, and software firewalls. Switch to SFTP (the SSH File Transfer Protocol) or, if FTP must remain, enable AUTH TLS and require it before login. |
Detected service: GPRS Tunneling | This port was observed running a General Packet Radio Service (GPRS) Tunneling service, which is used to carry network packets for cellular networks. It allows cellular customers to stay connected to the Internet while roaming. | Implement a company firewall to ensure that only traffic from the mobile station to the Internet is allowed and not the other way around, in order to diminish the possibilities of GPRS protocol-based attacks. Consider using secure Virtual Private Network (VPN) services between your GPRS network elements. Read more in Vulnerabilities and Possible Attacks Against the GPRS Backbone Network. |
Detected service: HP Data | This port was observed running an HP Data service, which is used for backing up single and enterprise systems data. | Block this port in the company edge network infrastructure. If remote access is required, tunnel any connections through a secure Virtual Private Network (VPN). |
Detected service: HP OpenView | This port was observed running an HP OpenView service, which is used to manage systems and networks for an organization's IT infrastructure. It is based on Simple Network Management Protocol (SNMP). | Block this port in the company edge network infrastructure. If remote access is required, tunnel any connections through a secure Virtual Private Network (VPN). |
Detected service: IMAP without STARTTLS | This port was observed running Internet Message Access Protocol (IMAP) without STARTTLS, so logins and mail are transmitted unencrypted. | Configure your mail server software to offer STARTTLS for IMAP and Post Office Protocol version 3 (POP3) as defined in RFC 2595, and require it before authentication. Unencrypted mail activity may also be a sign of malware activity. Once clients have moved to the implicit-TLS ports (IMAPS on 993, POP3S on 995), consider blocking plain IMAP (port 143) and plain POP (port 110). |
Detected service: IRC | This port was observed running Internet Relay Chat (IRC), which is used for centralized communications. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. |
Detected service: Java RMI | This port was observed running Java Remote Method Invocation (Java RMI) or a Java RMI registry, which is the Java equivalent of Remote Procedure Calls (RPC). | Older default configurations of Java RMI allowed loading classes from any remote Hypertext Transfer Protocol (HTTP) URL supplied by the peer, and RMI deserializes objects sent by callers; both are dangerous on an exposed port. Do not expose RMI to the Internet. Where it is required, run Java RMI over Transport Layer Security (TLS)/Secure Sockets Layer (SSL) with client authentication and restrict the port to known callers. |
Detected service: Lantronix | This port was observed running a Lantronix device, which may be an Internet-of-Things (IoT) device or an IoT gateway, typically a serial-to-Ethernet converter. | Some serial-to-Ethernet devices expose Simple Network Management Protocol (SNMP) ports for the attached serial devices, which is a security issue since SNMP has known vulnerabilities, and some permit unauthenticated access to the device over the network. Consider blocking the port in the company edge network infrastructure, connect serial devices to a machine that requires authentication instead of exposing them directly to the Internet, and use secure VPN connections to that machine in order to reach the devices. |
Detected service: LDAP | This port was observed running a Lightweight Directory Access Protocol (LDAP) server, which is used to maintain directory information service and can be used to gather information about a company's network infrastructure. | Block this port in the company edge network infrastructure. Use LDAP over TLS/SSL (LDAPS). See implementation guides for Microsoft servers and OpenLDAP. |
Detected service: Minecraft | This port was observed running Minecraft, which is a computer game. | Block the port in the company edge network infrastructure, as well as within the machine itself. |
Detected service: Moxa Nport device | This port was observed running a Moxa Nport device, which is used to make certain hardware and devices internet-accessible. | Some of these devices contain a flaw that can be exploited by attackers to brute force logins and obtain access to the vulnerable system. Block this port in the company edge network infrastructure. If remote access is required, tunnel connections over a secure Virtual Private Network (VPN). Ensure the machine receives a thorough security review. |
Detected service: MQTT | This port was observed running MQ Telemetry Transport (MQTT), which is a subscription-based messaging protocol. It's used by some Internet-of-Things (IoT) services and devices. | Create company firewall rules to only permit connections with approved servers/clients, or block the port in the company edge network infrastructure and tunnel any MQTT connections through a secure Virtual Private Network (VPN). |
Detected service: MS RDP with screen capture | This port was observed running Microsoft Remote Desktop Protocol (MS RDP) with screen capture enabled, which allows a user's actions and possibly sensitive data to be captured when connecting to the computer over the network. RDP sessions that do not use Network Level Authentication with a certificate from a trusted CA can be vulnerable to man-in-the-middle (MITM) attacks. | Do not expose RDP directly to the Internet; ensure RDP sessions are made over a secure Virtual Private Network (VPN). Enable Network Level Authentication (NLA), use a certificate from a trusted CA, and implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: MS SQL Server | This port was observed running Microsoft SQL Server, which has many known vulnerabilities. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. |
Detected service: Multicast DNS | This port was observed running Multicast Domain Name System (mDNS), a link-local protocol for discovering devices and resolving names without a unicast DNS server. It should never be reachable from the Internet, where it discloses host and service names and can be abused for reflection/amplification attacks. | Block the port (UDP 5353) in the company edge network infrastructure, as well as within the machine itself. |
Detected service: MySQL | This port was observed running MySQL Server, which is a common database server. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: MySQL (connection not refused) | This port was observed running MySQL, which is a common database system. Anonymous connections are not refused. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. |
Detected service: NNTP | This port was observed running Network News Transfer Protocol (NNTP), which is used to transport Usenet articles. It has known vulnerabilities. | Use Transport Layer Security (TLS) via NNTP over STARTTLS for improved security, as specified in RFC-4642. |
Detected service: POP without STARTTLS | This port was observed running Post Office Protocol (POP) without STARTTLS (advertised as STLS in POP3), so logins and mail are transmitted unencrypted. | Configure your mail server software to offer STARTTLS for Internet Message Access Protocol (IMAP) and POP3 as defined in RFC 2595, and require it before authentication. Unencrypted mail activity may also be a sign of malware activity. Once clients have moved to the implicit-TLS ports (IMAPS on 993, POP3S on 995), consider blocking plain IMAP (port 143) and plain POP (port 110). |
Detected service: PostgreSQL | This port was observed running PostgreSQL, which is an object-relational database management system. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of directly exposing the service to the Internet. |
Detected service: RMCP | This port was observed running the Remote Management and Control Protocol (RMCP), the UDP transport used by IPMI for out-of-band server management through baseboard management controllers (BMCs). IPMI 2.0's RAKP authentication lets a client that knows a valid user name retrieve a hash of that user's password before authenticating, which can then be cracked offline. | Do not expose management controllers to the Internet: block UDP port 623 in the company edge network infrastructure and place BMCs on an isolated management network reachable only over a secure Virtual Private Network (VPN). Use strong, unique IPMI passwords, disable cipher suite 0 and anonymous accounts, and keep BMC firmware current. |
Detected service: RSYNC | This port was observed running RSYNC, which is software designed to keep copies of files synchronised on the same or multiple computers. This service should not be exposed to the Internet. | Use RSYNC with SSH and block this port in the company edge network infrastructure. |
Detected service: RTSP | This port was observed running the Real Time Streaming Protocol (RTSP) service, which is used to control streaming media servers. | Unsecured RTSP is vulnerable to compromise. Use Secure RTSP (RTSPS) or use a secure Virtual Private Network (VPN) to tunnel streaming media connections. Block the port in the company edge network infrastructure. |
Detected service: SMB | This port was observed running Server Message Block (SMB), which is used to share files, devices, printers, and other communications between machines. | Block the port in the company edge network infrastructure. If remote access is required, use a secure Virtual Private Network (VPN) to tunnel inbound connections to the SMB server. |
Detected service: SMB (Anonymous login) | This port was observed running Server Message Block (SMB), which is used to share files, devices, printers, and other communications between machines. This machine is accepting anonymous logins. | Allowing anonymous logins is a security risk. Ensure proper authentication controls are in place. Block the port in the company edge network infrastructure. If remote access is required, use a secure Virtual Private Network (VPN) to tunnel inbound connections to the SMB server. |
Detected service: SMTP without STARTTLS | This port was observed running Simple Mail Transfer Protocol (SMTP) without STARTTLS, which is an unsecured mail protocol. | Configure your mail server software to use Secure SMTP over Transport Layer Security (TLS), according to the RFC-3207 specification. |
Detected service: SNMP | This port was observed running Simple Network Management Protocol (SNMP), which is a protocol for managing devices on IP networks. Versions 1 and 2c authenticate with a cleartext community string and have known security vulnerabilities. | Use SNMPv3 with authentication and privacy (authPriv), or SNMP over Transport Layer Security (TLS) or Datagram TLS as specified in RFC 5953 (updated by RFC 6353), and cease use of the unencrypted SNMPv1/v2c protocol. Restrict the port (UDP 161) to management hosts. |
Detected service: SNMP (Insecure Older [V1]) | An insecure version (v1) of Simple Network Management Protocol (SNMP) is in use on this server. | Disable SNMPv1 and use SNMPv3 with the authPriv security level. |
Detected service: SNMP (Insecure Older [V1,V2]) | Insecure versions (v1 and v2c) of Simple Network Management Protocol (SNMP) are in use on this server. | Disable SNMPv1 and SNMPv2c and use SNMPv3 with the authPriv security level. |
Detected service: SNMP (Insecure Older [V2]) | An insecure version (v2c) of Simple Network Management Protocol (SNMP) is in use on this server. | Disable SNMPv2c and use SNMPv3 with the authPriv security level. |
Detected service: SNMP (Insecure V3) | A later, secure version of the Simple Network Management Protocol (SNMP), SNMPv3, is in use, but the agent's response does not indicate the authPriv security level with AES encryption. | Configure the SNMPv3 users and groups for the authPriv security level with AES encryption. Refer to Cisco, "SNMPv3 Groups" for more information. |
Detected service: Steam | This port was observed running Steam™, which is a computer game distribution platform. | Block the port in the company edge network infrastructure, as well as within the machine itself. |
Detected service: TACACS+ | This port was observed running Terminal Access Controller Access-Control System Plus (TACACS+), which is used for remote authentication, authorization and accounting through a central server. The TACACS+ packet-body obfuscation is based on MD5 and is not a secure encryption mechanism (see RFC 8907), so an attacker on the path can recover credentials. | Block the port (TCP 49) in the company edge network infrastructure; TACACS+ should only be reachable from managed network devices. If remote access is required, consider using a secure Virtual Private Network (VPN) to access local resources or employ a comparable alternative enterprise solution. |
Detected service: Time protocol | This port was observed running the Time protocol (RFC 868), an obsolete service that returns the current time as a 32-bit count of seconds since 1900. It is not recommended for new deployments. Its format is backwards compatible, but it does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly. | We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Ensure all affected machines have the NTP package up-to-date (4.2.8p4 or higher) and ensure any NTP clients do not run with the -g option. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients. |
Detected service: Time protocol (incorrect clock) | This port was observed running the Time protocol (RFC 868), and the reported time is incorrect. A wrong clock can be exploited by attackers to break secure connections and certificate validation, and causes problems for security protocols (such as TLS) that rely on both ends of the connection having roughly the same idea of the current time. The Time daemon is also not recommended for new deployments. Its format is backwards compatible, but it does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly. | We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Ensure all affected machines have the NTP package up-to-date (4.2.8p4 or higher) and ensure any NTP clients do not run with the -g option. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients. |
Detected service: Ventrilo | This port was observed running Ventrilo, which is a voice-over-IP (VoIP) and text chat software. The service should not be visible to unauthorized clients. | Use access control lists to permit authorized users to access the service. |
Detected service: VMWare Authentication Daemon | This port was observed running a VMware authentication daemon, which allows remote users to connect to the console of a VMware virtual machine. | Unsecured authentication daemons may lead to compromise by attackers. Consider blocking the port in the company edge network infrastructure. If remote connections are required, utilize secure Virtual Private Network (VPN) connections to the machine in order to access the console. |
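The four SNMP findings above turn on which protocol versions an agent will answer. As an added example (not Bitsight's probe), the code below builds the SNMPv1 and SNMPv2c GetRequest for sysDescr.0 that a scanner sends, decodes the version field of what comes back, and maps the set of versions that returned a GetResponse onto the finding names used in this table. BER encoding is done by hand so the packet layout is visible. The community string "public" and the simulated replies are assumptions; SNMPv3 needs a separate engine-discovery exchange and is out of scope here.

```python
"""Which SNMP versions does an agent answer? Minimal BER for v1/v2c (added example)."""
import socket
from typing import Optional

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def _length(n: int) -> bytes:
    # BER length: short form below 128, else 0x80|count followed by big-endian bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _integer(value: int) -> bytes:
    # Minimal two's-complement encoding; only non-negative values are needed here.
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                                  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_message(version: int, community: str, oid: str,
                  pdu_tag: int = GET_REQUEST, request_id: int = 0x1234) -> bytes:
    """SNMPv1/v2c message: SEQUENCE { version, community, PDU { id, 0, 0, varbinds } }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")                    # OID + NULL value
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> tuple:
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        count = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + ln], pos + ln


def parse_message(data: bytes) -> dict:
    """Pull version, community and PDU type out of a v1/v2c message."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, _, _ = _read_tlv(body, pos)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("latin-1"), "pdu_type": pdu_tag}


def versions_answering(replies: list) -> set:
    """Versions for which a GetResponse (not merely any datagram) came back."""
    return {m["version"] for m in map(parse_message, replies) if m["pdu_type"] == GET_RESPONSE}


def finding_for(answered: set) -> Optional[str]:
    """Map the answering versions onto this page's SNMP finding names."""
    table = {
        frozenset({0}): "Detected service: SNMP (Insecure Older [V1])",
        frozenset({1}): "Detected service: SNMP (Insecure Older [V2])",
        frozenset({0, 1}): "Detected service: SNMP (Insecure Older [V1,V2])",
    }
    return table.get(frozenset(answered))


def probe(host: str, community: str = "public", timeout: float = 2.0) -> set:
    """Live check (needs network): one v1 and one v2c GetRequest to UDP/161."""
    replies = []
    for version in (0, 1):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_message(version, community, SYS_DESCR), (host, 161))
            try:
                replies.append(sock.recvfrom(4096)[0])
            except socket.timeout:
                pass
    return versions_answering(replies)


if __name__ == "__main__":
    # Simulated agent that answers both v1 and v2c for community "public".
    simulated = [build_message(v, "public", SYS_DESCR, pdu_tag=GET_RESPONSE) for v in (0, 1)]
    print(finding_for(versions_answering(simulated)))
```

An agent that only answers one of the two requests yields the [V1] or [V2] finding; an agent that answers neither (or only returns something other than a GetResponse) produces no finding from this check. Agents configured with a non-default community will also not answer, which is why the community string is listed as an assumption.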
Detected Services: BAD
Message | Description | Remediation Instructions |
---|---|---|
Detected service: Adtran Gen3 | This port was observed running Adtran Gen3, which is a business network gateway and should not be exposed to the Internet. | If remote access functionality is mandatory, tunnel any connections to the device through a secure Virtual Private Network (VPN) connection. Ensure management interfaces are not publicly accessible to the Internet and are accessible only to local machines. |
Detected service: BACnet | This port was observed running BACnet, which is a communications protocol for building automation and control. These devices should not be exposed to the Internet. | Create private networks for these devices and secure gateways for intranet use. If this host is not part of a building-automation or industrial process, or sits on a network that has no such process, block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review. |
Detected service: BGP (ASN ) | This port was observed running Border Gateway Protocol (BGP), which is used to exchange routing and reachability information between networks on the Internet, and the speaker identified itself with an Autonomous System Number (ASN). | Create a company firewall filter that blocks all connection attempts to this port except from specific BGP peers, and authenticate sessions with those peers (TCP MD5 or TCP-AO). A BGP router that accepts sessions from arbitrary peers can be fed routes advertised under any AS number, enabling route hijacking and man-in-the-middle (MITM) attacks. |
Detected service: Cassandra {} | This port was observed running Cassandra, which is a NoSQL database. | Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: Cisco SMI | This port was observed running Cisco Smart Install, a plug-and-play protocol for deploying configuration and firmware to Cisco IOS switches. This protocol should not be exposed to the Internet: it requires no authentication, so attackers can use it to retrieve or replace the device configuration, install malicious images, and run privileged commands. | Disable Smart Install on devices that do not need it (the no vstack command on IOS) and block the port (TCP 4786) in the company edge network infrastructure. If remote access is required, use a secure VPN to access required resources. |
Detected service: Citrix Applications | This port was observed running Citrix, which delivers applications to enterprise systems. | Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: Dahua DVR | This port was observed running a Dahua DVR, which is used to digitally record video from cameras. Exposing this port to the Internet may allow the data and privacy of the cameras to be compromised by attackers. | Block the port in the company edge network infrastructure. If remote access is required, use a secure Virtual Private Network (VPN) to access required resources. Ensure the machine receives a thorough security review. |
Detected service: ElasticSearch | This port was observed running Elasticsearch, a distributed search and analytics engine. Older releases expose their HTTP API without authentication by default. | Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Enable authentication and TLS in Elasticsearch, and implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: fuel tank monitor | This port was observed running a fuel tank monitor, which shouldn't be exposed to the Internet. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Consider using a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: Hadoop/HDFS | This port was observed running Hadoop or the Hadoop Distributed File System (HDFS), which are used for distributed storage and processing of large data sets. Attackers can collect information about the cluster and its data and try to attack it remotely. | Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: HTTPS/Cisco {{RV320}} (config disclosure) | This port was observed running a Cisco RV320 device whose web-based management interface allows an unauthenticated remote attacker to retrieve sensitive information, including the complete device configuration (CVE-2019-1653). | Update the device firmware to version 1.4.2.19 or later. Cisco's first fix for this issue was later found to be incomplete, so install the newest firmware Cisco publishes for the device, and do not expose the management interface to the Internet. |
Detected service: HTTPS/Cisco {{RV325}} (config disclosure) | This port was observed running a Cisco RV325 device whose web-based management interface allows an unauthenticated remote attacker to retrieve sensitive information, including the complete device configuration (CVE-2019-1653). | Update the device firmware to version 1.4.2.19 or later. Cisco's first fix for this issue was later found to be incomplete, so install the newest firmware Cisco publishes for the device, and do not expose the management interface to the Internet. |
Detected service: HTTP CVE-2017-7269 | A buffer overflow in the WebDAV service of Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a crafted PROPFIND request with an overlong header. | Migrate to a supported version of Microsoft Windows Server (2016 or later); Windows Server 2003 is no longer supported. In the meantime, disable WebDAV on the affected 2003 server or apply the security update Microsoft later released for it. |
Detected service: HTTP (Open Webcam) | This port was observed running a webcam with no authentication. This can expose private information to the general public. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. |
Detected service: Intel-AMT | This port was observed running Intel-AMT services, which is used to manage system hardware and firmware. Some Intel-AMT devices contain vulnerabilities that can be used by attackers to gain access to those systems. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure these managed systems receive all available vendor updates. |
Detected service: Kerberos | This port was observed running Kerberos, which is used to authenticate users and services. | Block the port in the company edge network infrastructure, as well as within the machine itself. |
Detected service: memcached | This port was observed running Memcached, which is a memory caching system. It has known security vulnerabilities. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. |
Detected service: MongoDB | This port was observed running MongoDB, which is a document-oriented database. | Block the port in the company edge network infrastructure and ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local database queries instead of directly exposing the database server to the Internet. |
Detected service: Moxa Nport device (no auth) | This port was observed running a Moxa Nport device, which is used to make certain hardware and devices internet-accessible, and does not have a password set. These devices can be easily exploited by attackers. | Set an administrative password on the device. Block this port in the company edge network infrastructure. If remote access is required, tunnel connections over a secure Virtual Private Network (VPN). Ensure the machine receives a thorough security review. |
Detected service: MS RDP | This port was observed running Microsoft Remote Desktop Protocol (MS RDP) without screen capture, which allows a user to connect to another computer over a network connection. It can be vulnerable to man-in-the-middle (MITM) attacks. | Ensure RDP sessions are over a secure Virtual Private Network (VPN). Implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: NetBIOS | This port was observed running NetBIOS, which allows applications on different computers to communicate over a Local-area Network (LAN). It has known security vulnerabilities and is a common attack target. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If NetBIOS connectivity is required, tunnel any connections through a secure Virtual Private Network (VPN) connection. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: Netstat | This port was detected running Netstat, which is a deprecated tool used to monitor network performance. | Block the port in the company edge network infrastructure. |
Detected service: Niagara Fox | This port was observed running Niagara Fox with or without SSL. Niagara Fox is a software platform for Internet-of-Things (IoT) devices. | Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Detected service: ONC RPC (Portmapper) | This port was observed running Open Network Computing (ONC) Remote Procedure Call (RPC) port mapper, which maps RPC service numbers to network port numbers. Malicious actors can use Portmapper requests for Distributed Denial of Service (DDoS) attacks because the service runs on Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port 111. Since UDP allows IP spoofing, attackers can send small requests to Portmapper using the target’s IP address and the server sends a larger response to the victim. | Block the port in the company edge network infrastructure, as well as within the machine itself. If the service is required, set up a company firewall to only allow connections from approved IP addresses, and disable UDP access to the service. |
Detected service: Open XServer | This port was observed running an X11 Server with open authentication (no access controls). Open authentication is enabled, which allows anonymous attackers to capture all activity of the logged-on user. | Enable access controls on the X Server machine (run “xhost -” as the X server user) and replace any instances of “xhost +” in your config files with “xhost -.” Use “man xinit” to find locations of your config files. Block the port in the company edge network infrastructure. If remote access is required, tunnel any inbound connections to the machine through a Virtual Private Network (VPN) tunnel. Ensure the machine receives a thorough administrative security review. |
Detected service: pcAnywhere | This port was observed running pcAnywhere, which allows a user to connect to another computer over a network connection. It has known vulnerabilities and is no longer supported. Symantec recommends users disable PC Anywhere and use Bomgar as the replacement. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. |
Detected service: POP3 without STARTTLS | POP3 is a way for email clients to access their mailbox from different systems. STARTTLS is a protocol extension that allows the client and the server to negotiate upgrading the connection to use TLS. Without STARTTLS, a man-in-the-middle (MITM) can read all the email that is being received by the client. | Configure your mail server software to use STARTTLS for Internet Message Access Protocol (IMAP) and POP3 as defined in RFC-2595. |
Detected service: Portmapper with services | This port was observed running Portmapper with services, which is used to assign services to ports for communication over the Internet. | Block the port in the company edge network infrastructure. If the service is required, disable User Datagram Protocol (UDP) access to the service and require Transmission Control Protocol (TCP)-only connections in order to avoid denial-of-service reflection attacks. |
Detected service: Printer | This port was observed running printer services. | Block the port in the company edge network infrastructure and disable any Universal Plug-n-Play features (UPnP) on the printer to prevent future unwanted exposure to the Internet. If remote access is required, tunnel any printer connections through a secure Virtual Private Network (VPN). Ensure that the machine receives a thorough administrative security review. |
Detected service: Quote of the day | This port was observed running the Quote of the Day service, which distributes philosophical statements and quotations. | Block the port in the company edge network infrastructure, as well as within the machine itself. |
Detected service: Recursive DNS | This port was observed running a recursive Domain Name Server (DNS) service, which is used for finding IP addresses associated with domain names. A DNS server that supports recursive resolution is vulnerable to an array of attacks and compromises, and may be blocked by other DNS servers as a result. | Disable recursive DNS lookups on the server. Lookup requests will still be served to clients, but the DNS server will no longer be vulnerable to recursive exploits. |
Detected service: Redis | This port was observed running Redis, which is a data structure server. | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of being exposed directly to the Internet. |
Detected service: RIP | This port was observed running the Routing Information Protocol service (RIP), which is used to select network routes between computers. This routing protocol is vulnerable to redirection attacks. Although RIP supports password authentication, it is sent in clear text. | Block the port in the company edge network infrastructure. If IP routing services are required, consider transitioning to Open Shortest Path First. |
Detected service: Samsung TV | This port was observed providing remote access to Samsung TV devices. Leaving this port open may allow remote attackers to gain administrative privileges on the device. | Block the port in the company edge network infrastructure. |
Detected service: SSH version 1.5 | This port was observed running Secure Shell (SSH) version 1.5, which is outdated and vulnerable to exploits. | Update your server's version of SSH immediately, as well as conduct a thorough administrative security review of the machine. Ensure SSL and TLS libraries are up to date and the operating system of the machine is also fully updated. If an up-to-date version of SSH is not available for your system (SSH version 2), consider upgrading to a modern operating system or take the machine offline until it can be properly administered. |
Detected service: Telnet | This port was observed running Telnet, a communication protocol which does not encrypt traffic and has known security vulnerabilities. | Block the port in the company edge network infrastructure. Replace any operational uses of Telnet with Secure Shell (SSH) connections. If Telnet is required, mandate that Telnet connections require SSL/TLS encryption. |
Detected service: TFTP | This port was observed running Trivial File Transfer Protocol (TFTP), which is used to get or put files to a server or for network booting. This port should not be exposed to the Internet. | Block the port in the company edge network infrastructure. If remote access is required, use a secure Virtual Private Network (VPN) to access TFTP services. |
Detected service: Ubiquiti | This port was observed running a Ubiquiti network device, where the management interface is publicly accessible. | Update the device in question to the latest revision of its management software. There may also be firmware updates available. Ensure the device is enrolled in a company-wide program which tracks device updates. Block the port in the company edge network infrastructure. |
Detected service: Unauthenticated RTSP | This port was observed running a Real Time Streaming Protocol (RTSP) service, which is used to control streaming media servers. This server allows unauthenticated access. While convenient, unauthenticated (anonymous) connections may compromise your data, devices, and privacy. | Ensure your server implements Basic or Digest authentication and refuses anonymous connections. |
Detected service: Unauthenticated VNC | This port was observed running a Virtual Network Computing (VNC) service, which allows a remote user to control a graphical desktop on the server. This server has not implemented authentication. | Ensure passwords are implemented at all levels of the VNC server, including administrative access and service access. Block the port in the company edge network infrastructure. If remote access is required, tunnel any VNC connections through a secure Virtual Private Network (VPN). |
Detected service: Unsecured Lantronix | This port was observed running from a Lantronix device, which may be an Internet-of-Things (IoT) device or an IoT gateway. It allows unsecured access. | Consider blocking the port in the company edge network infrastructure, connect any serial devices to machines that require authentication instead of directly exposing the device to the Internet, and utilize secure Virtual Private Network (VPN) connections to the machine to access the devices. |
Detected service: VNC | This port was observed running Virtual Network Computing (VNC), which is a graphical desktop sharing system. It is not a secure protocol. | Block the port in the company edge network infrastructure. Tunnel any VNC connections through a secure Virtual Private Network (VPN) or secure shell (SSH) connection. |
Typical Services
A typical service is the most likely service to be running on a specific port number. We use many resources to determine the typical service running on a port, including the IANA Service Name and Transport Protocol Port Number Registry.
Typical Services: GOOD
Message | Description |
---|---|
Typical service: HTTPS | This port is typically used for Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic. Ports: |
Typical service: IMAPS | This port is typically used for Internet Message Access Protocol Secure (IMAPS), which is used for securing IMAP. Port: |
Typical service: IPSec NAT traversal | This port is typically used for IPSec, which is used for securing IP communications. Port: |
Typical service: POP3S | This port is typically used for Post Office Protocol version 3 secure (POP3S), which is used for securing POP3. Port: |
Typical service: SMTPS | This port is typically used for Simple Mail Transfer Protocol Secure (SMTPS), which is used for securing SMTP. Port: |
Typical service: SSH | This port is typically used for Secure Shell (SSH), which is used for sending and receiving secure communication. Port: |
Typical service: telnet over TLS/SSL | This port is typically used for Telnet over Transport Layer Security (TLS)/Secure Sockets Layer (SSL), which is used for securing Telnet. Port: |
Typical Services: NEUTRAL
Neutral-graded records don't impact Security Ratings. In some cases, remediation is provided if it benefits an organization to do so. However, remediating Neutral-graded records will not improve security ratings.
Message | Description | Remediation Instructions |
---|---|---|
Typical service: Active Directory | This port is typically used for Active Directory, which is a directory service for Windows domain networks. Port: | - |
Typical service: AMQP | This port is typically used for the Advanced Message Queuing Protocol (AMQP), which is used for sending messages between distributed systems. Port: | Configure your AMQP servers to implement AMQP over Transport Layer Security (TLS). |
Typical service: ASF-RMCP | This port is typically used for Alert Standard Format-Remote Management and Control Protocol (ASF-RMCP), which can be used to obtain password hash information. Port: | Implement ASF Secure RMCP (port 664). Block the port in the company edge network infrastructure, as well as within the machine itself. |
Typical service: BACNet | This port is typically used for Building Automation and Control Networks (BACNet), which is a communications protocol for building automation. These devices should not be exposed to the Internet. Port: | Create private networks for these devices and secure gateways for intranet use. If this activity is not coming from an industrial process or is behind a network that does not use industrial processes, block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review. |
Typical service: Bandwidth Test | This port is typically used for the Bandwidth Test service, which is used to measure packet throughput on certain network routers. Port: | - |
Typical service: Bittorrent Tracker | This port is typically used for BitTorrent Tracker, which is used to help BitTorrent clients find each other and share files. File sharing is a known vector for malware to enter otherwise secure systems. Port: | If there is no reason to legitimately share files over BitTorrent as a legal software distribution channel, block the port in the company edge network infrastructure. |
Typical service: Bootstrap protocol | This port is typically used for the Bootstrap protocol, which is used to automatically assign IP addresses to devices on a network. Port: | - |
Typical service: chargen | This port is typically used for Chargen, which returns arbitrary characters until the connection is closed. This protocol has known design flaws and is commonly used in Distributed Denial of Service (DDoS) attacks. This protocol should not be exposed to the Internet. Port: | Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. |
Typical service: CouchDB | This port is typically used for CouchDB, which is a document-oriented NoSQL database. Port: | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries instead of exposing the database server to the Internet. |
Typical service: cPanel | This port is typically used for cPanel, which is a web hosting control panel. Ports: | - |
Typical service: cPanel Web Host Manager | This port is typically used for cPanel, which is a web hosting control panel. Ports: | - |
Typical service: daytime | This port is typically used for the Daytime protocol (RFC-867), which returns the current date and time. It can be used for “pingpong” attacks. This protocol should not be exposed to the Internet. If the time is incorrect, it can be exploited by attackers to break secure connections and encryption certificates. The Daytime daemon is also not recommended for new users. Its format is backwards compatible, but does not support robust error detection or correction and has poor error-handling capabilities. Many of the client programs that use this format are poorly written and may not handle network errors properly. Port: | Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Ensure that all affected machines have the NTP package up-to-date (4.2.8p4 or higher) and ensure any NTP clients do not run with the -g option. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients. |
Typical service: DHT | This port was observed running a Distributed Hash Table (DHT), which is used to help BitTorrent nodes find each other and connect peers for file sharing. Port: | - |
Typical service: Dictionary service | This port is typically used for the Dictionary network protocol, which returns dictionary definitions of words. It can be used maliciously for Distributed Denial of Service (DDoS) attacks. Port: | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. |
Typical service: DNS | This port is typically used for Domain Name System (DNS), which is necessary for accessing websites. Port: | - |
Typical service: echo | This port is typically used for the Echo protocol, which measures the round trip times in networks. This protocol should not be exposed to the Internet. It is superseded by the Internet Control Message Protocol (ICMP) and the Ping Software Utility. Port: | Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. |
Typical service: Erlang Port Mapper Daemon | This port is typically used for Erlang Port Mapper Daemon, which facilitates communications between Erlang nodes. Port: | - |
Typical service: EtherNet/IP | This port is typically used for EtherNet/IP, which is an industrial Ethernet network protocol. It has known vulnerabilities. These devices should not be exposed to the Internet. Port: | Create private networks for these devices and secure gateways for intranet use. If this activity is not coming from an industrial process or is behind a network that does not use industrial processes, block the port in the company edge network infrastructure. Ensure the machine receives a thorough administrative security review. |
Typical service: ETL service manager | This port is typically used for the Extract, Transform, Load (ETL) Service Manager. Port: | - |
Typical service: Finger protocol | This port is typically used for the Finger protocol, which returns status reports about systems or users and can be used to gather information for social engineering attacks. This protocol should not be exposed to the Internet. Port: | Replace the use of Finger systems with secure, encrypted personnel/employee information systems or databases. Disable public internet access to the machines and networks in question. Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. |
Typical service: Flux-led | This port is typically used for Flux LED internet-connected light bulbs. Internet-of-Things (IoT) devices may leak sensitive information such as wireless network passwords or lead to other compromises. Port: | Block this port in the company edge network infrastructure. |
Typical service: FTP | This port is typically used for File Transfer Protocol (FTP), which is used to transfer files over a network. Port: | - |
Typical service: GPRS Tunneling Protocol | This port is typically used for the General Packet Radio Service (GPRS) Tunneling protocol, which is used to carry general packet radio services. Port: | - |
Typical service: HTTP | This port is typically used for Hypertext Transfer Protocol (HTTP), which is used for sending and receiving internet traffic. Ports: | - |
Typical service: IBM NJE | This port is typically used for IBM Network Job Entry (NJE), which is used to send work to machines over a network. Port: | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. |
Typical service: IEC 60870-5-104 | This port is typically used for International Electrotechnical Commission (IEC) 60870-5-104, which enables communication between control stations and substations via a Transmission Control Protocol (TCP)/Internet Protocol (IP) network. It can be used maliciously for man-in-the-middle (MITM) attacks. Port: | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Typical service: IMAP | This port is typically used for Internet Message Access Protocol (IMAP), which is a commonly used mail protocol. Port: | Configure your mail server software to use STARTTLS for IMAP and Post Office Protocol version 3 (POP3) as defined in RFC-2595. Unencrypted mail activity may also be a sign of malware activity. Consider blocking plain IMAP (port 143) and plain POP (port 110) after the transition to secure IMAP transmission. |
Typical service: Internet Printing Protocol | This port is typically used for the Internet Printing Protocol (IPP), which allows for remote printing. This protocol has known vulnerabilities. Port: | Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Typical service: IRC | This port is typically used for Internet Relay Chat (IRC), which is a chat protocol. Port: | - |
Typical service: ISAKMP | This port is typically used for Internet Security Association and Key Management Protocol (ISAKMP), which is used for establishing Security Associations and cryptographic keys. Port: | - |
Typical service: ISO-TSAP | This port is typically used for ISO-Transport Services Access Point (ISO-TSAP), which does not encrypt traffic. This protocol should not be exposed to the Internet. Port: | Disable public internet access to the machines and networks in question. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. Alternately, build a communications server that can respond to queries. |
Typical service: Java RMI | This port is typically used for Java Remote Method Invocation (RMI) or a Java RMI Server, which is the equivalent of Remote Procedure Calls (RPC) for the Java language. The default configuration of Java RMI servers allows loading classes from any remote Hypertext Transfer Protocol (HTTP) URL, which is considered insecure. Port: | Implement Java RMI over Transport Layer Security (TLS)/Secure Sockets Layer (SSL). |
Typical service: Kerberos | This port is typically used for the Kerberos protocol, which is used for secure authentication. Port: | - |
Typical service: LDAP | This port is typically used for Lightweight Directory Access Protocol (LDAP), which is used to maintain directory information service and can be used to gather information about a company's network infrastructure. Port: | Cease use of the unencrypted LDAP protocol. Instead, use LDAP over TLS/SSL (LDAPS). See implementation guides for Microsoft servers and OpenLDAP. |
Typical service: LDAPS | This port is running a Lightweight Directory Access Protocol (LDAP) server. This can be exploited to harvest directory information. Port: | Block the LDAPS port in the company edge network infrastructure. |
Typical service: line printer daemon | This port is typically used for the line printer daemon, which is a protocol for submitting print jobs to remote printers. This service should not be exposed to the Internet. Port: | Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Typical service: memcached | This port is typically used for Memcached, which is a memory caching system. It has known security vulnerabilities. Port: | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. |
Typical service: Modbus | This port is typically used for Modbus, which is a protocol used for communication between devices on the same network. It does not provide security against unauthorized commands or interception of data. Port: | Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. |
Typical service: MS SSDP | This port is typically used for Microsoft Simple Service Discovery Protocol (SSDP), which is a network protocol for the advertisement and discovery of network services and presence information. It can be used maliciously for Distributed Denial of Service (DDoS) attacks. Port: | Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. |
Typical service: MS SSDP/UPnP | This port was observed running Universal Plug and Play (UPnP), which allows devices on your home network to discover each other and may be vulnerable to certain attacks. | Ensure UPnP port forwarding is properly configured and is set to “Off.” |
Typical service: MySQL |
This port is typically used for MySQL, which is an open source Structured Query Language (SQL) database. It has many known security vulnerabilities. Port: |
Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Typical service: MS SQL Server |
This port is typically used for Microsoft Structured Query Language (SQL) Server, which has many known vulnerabilities. Port: |
Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Build or utilize existing communications servers that can respond to local queries. |
Typical service: Mumble VOIP |
This port is typically used for Mumble, which is an encrypted voice-over-IP (VoIP) application. Port: |
- |
Typical service: Munin Graphing Framework |
This port is typically used for the Munin Graphing framework, which monitors networks and issues alerts. Port: |
- |
Typical service: Nessus |
This port is typically used for Nessus, which is a vulnerability scanner. Port: |
- |
Typical service: NetBIOS |
This port is typically used for Network Basic Input/Output System (NetBIOS), which allows applications on different computers to communicate over a Local Area Network (LAN). It has known security vulnerabilities and is a common attack target. Port: |
Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. If NetBIOS connectivity is required, tunnel any connections through a secure Virtual Private Network (VPN) connection. Implement strong passwords and either strong password handling protocols or a key authentication system. |
Typical service: netstat |
This port is typically used for Netstat, which is a deprecated tool used to monitor network performance. Port: |
Block the port in the company edge network infrastructure and uninstall Netstat from the machine in question. Netstat is superseded by ss. |
Typical service: NDMP |
This port is typically used for Network Data Management Protocol (NDMP), which transports data between network attached storage devices and backup devices. It does not encrypt traffic. These devices should not be exposed to the Internet. Port: |
Use a protocol or method of encrypted data transport between devices; such as tunneled Secure Shell (SSH), Virtual Private Network (VPN) connections, or SSH File Transfer Protocol (SFTP). Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. |
Typical service: NNTP |
This port is typically used for Network News Transfer Protocol (NNTP), which is used to transport Usenet articles and has known vulnerabilities. Port: |
Use Transport Layer Security (TLS) for improved security, either NNTP with STARTTLS as specified in RFC-4642 or NNTP over TLS (NNTPS) on its dedicated port. If the server is not meant to be public, restrict the port to known peers and readers. |
Typical service: NTP |
This port is typically used for Network Time Protocol (NTP), which is used for clock synchronization. Port: |
- |
Typical service: ONC RPC |
This port is typically used for Open Network Computing (ONC) Remote Procedure Call (RPC), which lets a program call procedures on a remote machine. The portmapper (rpcbind) on this port tells any client which RPC services (such as NFS and NIS) are available and on which ports, which aids attacker reconnaissance. Port: |
Block the port in the company edge network infrastructure, as well as on the machine itself. Ensure the machine receives a thorough administrative security review. If RPC services must be reached from other sites, restrict access to known hosts or tunnel the connections through a secure Virtual Private Network (VPN). |
Typical service: Oracle SQL web |
This port is typically used for the web interface of an Oracle Database (Oracle SQL) server, which has had many known security vulnerabilities and should not be reachable from the Internet. Port: |
Block the port in the company edge network infrastructure, as well as on the machine itself. Ensure the machine receives a thorough administrative security review. Serve local clients from an internal server that is not reachable from the Internet. |
Typical service: pcAnywhere |
This port is typically used for pcAnywhere, which allows a user to connect to another computer over a network connection. It has known vulnerabilities and is no longer supported. Port: |
Symantec recommends that users disable pcAnywhere and use Bomgar as its replacement. Block the port in the company edge network infrastructure, as well as on the machine itself. Ensure the machine receives a thorough administrative security review. |
Typical service: POP |
This port is typically used for Post Office Protocol (POP), which is a commonly used mail protocol. Port: |
- |
Typical service: PostgreSQL |
This port is typically used for PostgreSQL, which is an object-relational database management system. It has had known security vulnerabilities, and database ports should not be reachable from the Internet. Port: |
Block the port in the company edge network infrastructure, as well as on the machine itself. Ensure the machine receives a thorough administrative security review. Serve local clients from an internal database server that is not reachable from the Internet. |
Typical service: PPTP |
This port is typically used for the Point-to-Point Tunneling Protocol (PPTP), which is a method for implementing Virtual Private Networks (VPN). Port: |
- |
Typical service: printer PDL |
This port is typically used for Printer Page Description Language (PDL), which communicates the layout of a page for printing. This service should not be exposed to the Internet. Port: |
Block the port in the company edge network infrastructure, as well as on the machine itself. Ensure the machine receives a thorough administrative security review. If remote access is required, use a secure Virtual Private Network (VPN) to access required local resources. Enforce strong passwords and strong password-handling practices, or use key-based authentication. |
Typical service: quote of the day |
This port is typically used for Quote of the Day (QOTD), which returns a short message to any client that connects. Because it answers every UDP datagram it receives, it can be abused in “ping-pong” attacks, in which spoofed packets cause two such services to flood each other with traffic indefinitely. This protocol should not be exposed to the Internet. Port: |
Ensure the machine receives a thorough administrative security review. Block the port in the company edge network infrastructure, as well as within the machine itself. |
Typical service: Redis |
This port is typically used for Redis, which is an in-memory data structure server. Redis is designed to be accessed by trusted clients inside trusted environments and should not be accessible from the Internet. Port: |
Block the port in the company edge network infrastructure, as well as on the machine itself. Ensure the machine receives a thorough administrative security review. Bind Redis to internal interfaces only, require authentication, and serve local clients from an internal server that is not reachable from the Internet. |
Typical service: RSYNC |
This port is typically used for the rsync daemon, which keeps copies of files synchronized on the same or across multiple computers. The daemon transfers data unencrypted, and this service should not be exposed to the Internet. Port: |
Use rsync over Secure Shell (SSH), which needs no daemon port (rsync -e ssh), or run rsync through a secure Virtual Private Network (VPN). Block the port in the company edge network infrastructure. |
Typical service: RTSP |
This port is typically used for the Real Time Streaming Protocol (RTSP) service, which is used to control streaming media servers. Port: |
- |
Typical service: SCADA |
This port is typically used for Supervisory Control and Data Acquisition (SCADA) systems and shouldn't be exposed to the Internet. Port: |
Block the port in the company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. |
Typical service: SIP |
This port is typically used for Session Initiation Protocol (SIP), which is a widely-used communication protocol. Port: |
- |
Typical service: SMB |
This port is typically used for Server Message Block (SMB), which is used to share files, devices, printers, and other communications between machines. Port: |
- |
Typical service: SMTP |
This port is typically used for Simple Mail Transfer Protocol (SMTP), which is a commonly used mail protocol. Port: |
- |
Typical service: SMTP submission |
This port is typically used for Simple Mail Transfer Protocol (SMTP) submission, which specifically supports authentication to Mail Transfer Agents (MTA). Port: |
- |
Typical service: SNMP |
This port is typically used for Simple Network Management Protocol (SNMP), which is a protocol for managing devices on IP networks. SNMPv1 and SNMPv2c authenticate with a cleartext community string and do not encrypt traffic, and SNMP implementations have had known security vulnerabilities. Port: |
Use SNMPv3 with the authPriv security level, or SNMP over TLS or Datagram TLS (DTLS) as specified in RFC-5953 (updated by RFC-6353). Cease use of the unencrypted SNMPv1 and SNMPv2c protocols, and restrict the port to management hosts. |
Detected service: SNMP (Secure V3) | A later, secure version of the Simple Network Management Protocol (SNMP) is being used – SNMPv3 – and the response has authPriv and AES encryption. | - |
Typical service: SNPP |
This port is typically used for Simple Network Paging Protocol (SNPP), which allows pagers to receive messages over the Internet. Port: |
- |
Typical service: systat |
This port is typically used for Systat, which returns a list of users logged into the system to any client that connects and is typically considered an information-disclosure vulnerability. Port: |
If its use is not legitimate, block the port in the company edge network infrastructure and disable the Systat service on the machine in question. |
Typical service: TACACS |
This port is typically used by a Terminal Access Controller Access-Control System (TACACS), which is used for remote authentication and access control through a central server. Port: |
Block the port in the company edge network infrastructure. If remote access is required, consider using a secure Virtual Private Network (VPN) to access local resources. |
Typical service: telnet |
This port is typically used for Telnet, a communication protocol that does not encrypt traffic and has known security vulnerabilities. Port: |
Block the port on company edge network infrastructure, as well as within the machine itself. Ensure the machine receives a thorough administrative security review. Replace any operational uses of Telnet with Secure Shell (SSH) connections. |
Typical service: TIME protocol |
This port is typically used for the Time protocol (RFC-868), which returns the current date and time as a 32-bit count of seconds. This protocol has known security weaknesses: it is unauthenticated, so an attacker who can answer or tamper with time requests can push a client's clock to a wrong value and cause it to accept expired or revoked certificates or to fail secure connections. The Time daemon is not recommended for new deployments. Its format is backwards compatible, but it has no robust error detection or correction and poor error handling, and many of the client programs that use it are poorly written and do not handle network errors properly. Port: |
Block the port in the company edge network infrastructure and disable the Time daemon on the machine that is running it. We strongly encourage switching to the Network Time Protocol (NTP), which is more robust and provides greater accuracy. Refer to the NIST Internet time service and NIST Special Publication 250-59 for additional recommendations on hardening NTP servers and clients. |
Typical service: TR-069 CWMP |
This port is typically used for Technical Report 069 (TR-069) CPE WAN Management Protocol (CWMP), which is a protocol for remote management of end-user devices. Port: |
- |
Typical service: UPnP |
This port is typically used for the Universal Plug and Play (UPnP) protocol, which allows devices to discover each other's presence over a network and to request services such as port forwarding from the gateway. It does not implement authentication by default. Port: |
Disable UPnP on all network routers and other UPnP-enabled switches and hardware, and never expose it on the WAN interface. If port forwarding is required, configure it manually. |
Typical service: Ventrilo |
This port is typically used for Ventrilo, which is a voice-over-IP (VoIP) and text chat software. Port: |
- |
Typical service: VNC |
This port is typically used for the Virtual Network Computing (VNC) system, which is a graphical desktop sharing system. The base protocol does not encrypt traffic and its password authentication is weak, so it is not a secure protocol. Ports: |
Block the port in the company edge network infrastructure. Tunnel any VNC connections through a secure Virtual Private Network (VPN) or Secure Shell (SSH) connection. |
Typical service: WS-Management |
This port is typically used for Web Services-Management (WS-Management), which is a Simple Object Access Protocol (SOAP)-based protocol for managing devices and web services. Ports: |
- |
Typical service: XMPP |
This port is typically used for Extensible Messaging and Presence Protocol (XMPP), which is an instant messaging protocol. Port: |
- |
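The SNMP rows above recommend moving off unencrypted SNMPv1/v2c to SNMPv3 with authPriv (the configuration the “SNMP (Secure V3)” row rates as good). The following Python is an added example, not part of this page or of the net-snmp project: it audits a net-snmp snmpd.conf for community strings, SNMPv3 users allowed below the authPriv level, and weak authentication or privacy protocols, and shows a constructed weak configuration next to its hardened equivalent. The directive syntax is net-snmp's; the addresses, user names and passphrases are made up.

```python
"""Audit a net-snmp snmpd.conf for settings that leave SNMP unencrypted
or weakly protected. Added example; sample configurations are constructed."""
import shlex

# Directives that enable SNMPv1/v2c: the community string is the only
# credential and it travels in cleartext in every packet.
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
# SNMPv3 access directives: rouser/rwuser USER [noauth|auth|priv] [OID]
V3_ACCESS_DIRECTIVES = {"rouser", "rwuser"}
# Protocol names accepted by createUser; SHA-2 and AES-192/256 need net-snmp 5.8+.
STRONG_AUTH = {"SHA", "SHA-224", "SHA224", "SHA-256", "SHA256",
               "SHA-384", "SHA384", "SHA-512", "SHA512"}
STRONG_PRIV = {"AES", "AES128", "AES-128", "AES-192", "AES192", "AES-256", "AES256"}


def audit_snmpd_conf(text):
    """Return a list of (line_number, finding) tuples for weak settings.

    Comments are stripped at the first '#', so passphrases containing '#'
    must be avoided (or the parser extended) in real deployments.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        directive = tokens[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            findings.append((lineno, f"{tokens[0]}: SNMPv1/v2c community (cleartext, no encryption)"))
        elif directive in V3_ACCESS_DIRECTIVES:
            # net-snmp defaults the security level to 'auth' when it is omitted
            level = tokens[2].lower() if len(tokens) > 2 else "auth"
            if level != "priv":
                findings.append((lineno, f"{tokens[0]} {tokens[1]}: security level '{level}' is below authPriv"))
        elif directive == "createuser":
            # createUser [-e ENGINEID] USER [AUTHPROTO AUTHPASS [PRIVPROTO PRIVPASS]]
            args = tokens[1:]
            if args[:1] == ["-e"]:
                args = args[2:]
            user = args[0] if args else "?"
            auth = args[1].upper() if len(args) > 1 else None
            priv = args[3].upper() if len(args) > 3 else None
            if auth is None:
                findings.append((lineno, f"createUser {user}: no authentication protocol"))
            elif auth not in STRONG_AUTH:
                findings.append((lineno, f"createUser {user}: weak authentication protocol {auth}"))
            if priv is None:
                findings.append((lineno, f"createUser {user}: no privacy (encryption) protocol"))
            elif priv not in STRONG_PRIV:
                findings.append((lineno, f"createUser {user}: weak privacy protocol {priv}"))
    return findings


def is_hardened(text):
    """True when no finding remains: no v1/v2c, every v3 user at authPriv."""
    return not audit_snmpd_conf(text)


# Constructed sample: the defaults many appliances ship with.
WEAK_CONF = """\
# constructed sample: the defaults many appliances ship with
rocommunity public
rwcommunity private 10.0.0.0/8
createUser legacy MD5 "legacy-auth-pass" DES "legacy-priv-pass"
rouser legacy auth
"""

# Constructed sample: SNMPv3 only, authPriv, bound to the management interface.
HARDENED_CONF = """\
# constructed sample: SNMPv3 only, authPriv, bound to the management interface
agentAddress udp:10.0.0.5:161
createUser monitor SHA "correct horse battery staple" AES "staple battery horse correct"
rouser monitor priv
"""

if __name__ == "__main__":
    for lineno, finding in audit_snmpd_conf(WEAK_CONF):
        print(f"weak conf line {lineno}: {finding}")
    print("hardened conf clean:", is_hardened(HARDENED_CONF))
```

Run it against a real file with `audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read())`; an empty result means no v1/v2c community is configured and every SNMPv3 user must authenticate and encrypt. The hardened sample also binds the agent to the management address rather than every interface, which is what keeps the port off the Internet-facing side in the first place.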
Typical Services: BAD
Message | Description | Remediation Instructions |
---|---|---|
Typical service: MS RDP |
This port is typically used for the Microsoft Remote Desktop Protocol (MS RDP), which allows a user to connect to another computer over a network connection. It can be vulnerable to man-in-the-middle (MITM) attacks, particularly when server certificate validation and Network Level Authentication are not enforced. Port: |
Do not expose RDP directly to the Internet. Block the port in the company edge network infrastructure and reach remote desktops only through a secure Virtual Private Network (VPN) or a remote-access gateway, or use an alternative remote access tool over the VPN. Enable Network Level Authentication, and enforce strong passwords together with multi-factor or key-based authentication. |
Potentially Vulnerable Ports
Potentially vulnerable open ports are observed for informational purposes only. Even if these ports are observed to be open, their level of risk may vary. Therefore, these open ports do not have a set impact on the Open Ports letter grade.
Message | Description | Remediation Instructions |
---|---|---|
Chunking Potential | The mail server advertises the SMTP CHUNKING extension (BDAT command), which allows a large message to be sent in chunks. Some mail transfer agent implementations have had vulnerabilities that allow a remote attacker to execute arbitrary code or cause a denial-of-service (DoS) condition using specially crafted BDAT commands. | Update the mail transfer agent (MTA) to a patched version, and disable CHUNKING if it is not required. |
CVE‑2018‑10933 |
libssh versions 0.6 and later, before the fixed releases 0.7.6 and 0.8.4, have an authentication bypass vulnerability in the server code: a client that sends the SSH2_MSG_USERAUTH_SUCCESS message in place of the expected SSH2_MSG_USERAUTH_REQUEST is treated as authenticated without presenting any credentials. An attacker can therefore log in and do anything the service account can, such as accessing user data, stealing keys, installing rootkits, and erasing the logs that recorded the unauthorized access. Only servers built on libssh's server component are affected; libssh clients are not. Learn more about CVE-2018-10933. If observed from October 23, 2018 and onward, this is assessed as “BAD.” |
If you use the libssh server component, audit your hosts for affected versions and apply the vendor patches (libssh 0.7.6, 0.8.4, or later). If patches are not yet available for a product that embeds libssh, limit exposure of the port as a temporary workaround. |
Detected service: HTTP (potential ROBOT vulnerability) | ROBOT (Return Of Bleichenbacher's Oracle Threat) is a padding-oracle vulnerability in TLS servers that use RSA key exchange: an attacker who can query the server and passively record traffic can later decrypt the recorded sessions. | Update all affected hardware and software packages that are vulnerable to this attack. See the list of affected enterprise vendors that have released updates that fix this vulnerability. If patches are not available for the organization's hardware, disable the cipher suites that use RSA key exchange (names starting with TLS_RSA) so that only forward-secret (EC)DHE suites remain. |
Detected service: HTTP (potential VPNFilter) | The VPNFilter malware targets small office and home office routers. The malware can collect information passing through the router (such as website credentials), render an infected device unusable, be triggered on individual devices or en masse, block network traffic, and has the potential to cut off Internet access for large numbers of victims worldwide. | - |
Detected service: HTTPS (potential ROBOT vulnerability) | ROBOT (Return Of Bleichenbacher's Oracle Threat) is a padding-oracle vulnerability in TLS servers that use RSA key exchange: an attacker who can query the server and passively record traffic can later decrypt the recorded sessions. | Update all affected hardware and software packages that are vulnerable to this attack. See the list of affected enterprise vendors that have released updates that fix this vulnerability. If patches are not available for the organization's hardware, disable the cipher suites that use RSA key exchange (names starting with TLS_RSA) so that only forward-secret (EC)DHE suites remain. |
Detected service: HTTPS (potential VPNFilter) | The VPNFilter malware targets small office and home office routers. The malware can collect information passing through the router (such as website credentials), render an infected device unusable, be triggered on individual devices or en masse, block network traffic, and has the potential to cut off Internet access for large numbers of victims worldwide. | - |
Detected service: SNMP (potential VPNFilter) | This port was observed running SNMP, which is a protocol for managing devices on IP networks. It has known security vulnerabilities and is among the services abused by the VPNFilter malware, which targets small office and home office routers. The malware can collect information passing through the router (such as website credentials), render an infected device unusable, be triggered on individual devices or en masse, block network traffic, and has the potential to cut off Internet access for large numbers of victims worldwide. | Use SNMPv3 with the authPriv security level, or SNMP over TLS or Datagram TLS as specified in RFC-5953, and cease use of the unencrypted SNMPv1 and SNMPv2c protocols. |
Detected service: Ubiquiti (potential VPNFilter) | This port was observed running a Ubiquiti device; Ubiquiti provides a platform for internet access, enterprise, and smart home applications. Such devices have known security vulnerabilities and are among the targets of the VPNFilter malware, which targets small office and home office routers. The malware can collect information passing through the router (such as website credentials), render an infected device unusable, be triggered on individual devices or en masse, block network traffic, and has the potential to cut off Internet access for large numbers of victims worldwide. | - |
VPNFilter Malware |
The VPNFilter malware targets small office and home office routers. The malware can collect information passing through the router (such as website credentials), render an infected device unusable, be triggered on individual devices or en masse, block network traffic, and has the potential to cut off Internet access for large numbers of victims worldwide. Ports: |
Reboot the devices to temporarily disrupt the malware; a reboot removes the later stages but not the persistent first stage, so reboot alone is not a cure. Disable remote management settings on devices, and where remote management is needed, secure it with strong passwords and encryption. Upgrade network devices to the latest available firmware, and factory-reset devices suspected of infection before reconfiguring them. |
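The CVE-2018-10933 row above says which libssh releases carry the authentication bypass and which ones fixed it. The following Python is an added example, not part of this page or of the libssh project: it parses the version that a libssh server advertises in its SSH banner and classifies it against the affected ranges (0.6.0 up to but not including 0.7.6, and 0.8.0 up to but not including 0.8.4). The sample banners and host addresses are constructed. Banner matching is a heuristic: it sees only the advertised version, and only servers built on libssh's server component are affected.

```python
"""Flag SSH server banners that advertise a libssh release affected by
CVE-2018-10933. Added example; sample banners are constructed."""
import re

# Banner forms seen from libssh servers: "SSH-2.0-libssh_0.8.3" (newer builds)
# and "SSH-2.0-libssh-0.6.3" (older builds). Trailing text is ignored.
_LIBSSH_RE = re.compile(r"^SSH-\d+\.\d+-libssh[-_](\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# (first affected, first fixed) per release branch
_AFFECTED_RANGES = (
    ((0, 6, 0), (0, 7, 6)),
    ((0, 8, 0), (0, 8, 4)),
)


def parse_libssh_version(banner):
    """Return (major, minor, patch) from a libssh banner, or None if the
    banner does not come from libssh at all."""
    m = _LIBSSH_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable_banner(banner):
    """True if the banner advertises a libssh version inside an affected range."""
    ver = parse_libssh_version(banner)
    if ver is None:
        return False
    return any(lo <= ver < hi for lo, hi in _AFFECTED_RANGES)


def triage(banners):
    """Classify a {host: banner} map into vulnerable / not_affected / not_libssh."""
    result = {"vulnerable": [], "not_affected": [], "not_libssh": []}
    for host, banner in banners.items():
        if parse_libssh_version(banner) is None:
            result["not_libssh"].append(host)
        elif is_vulnerable_banner(banner):
            result["vulnerable"].append(host)
        else:
            result["not_affected"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample banners; the addresses are not real hosts.
    sample = {
        "10.0.0.11": "SSH-2.0-libssh_0.8.3",
        "10.0.0.12": "SSH-2.0-libssh_0.8.4",
        "10.0.0.13": "SSH-2.0-libssh-0.7.5",
        "10.0.0.14": "SSH-2.0-OpenSSH_8.9p1",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```

Feed it the banners from a scan export or from `nc host 22 | head -1` on each host; anything in the `vulnerable` bucket should be patched to 0.7.6/0.8.4 or later, or have its port restricted until it can be. Hosts in `not_libssh` are outside this CVE's scope, whatever their other exposure.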
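The ROBOT rows above (HTTP and HTTPS) end with the fallback remediation of disabling the TLS_RSA cipher suites. The following Python is an added example, not from this page or any vendor: using only the standard library `ssl` module on top of the local OpenSSL, it identifies the suites that use static RSA key exchange (the ones the attack needs), builds a server context that refuses them, and verifies the result. The cipher dicts in the test are constructed in the shape `SSLContext.get_ciphers()` returns; which suites actually exist depends on the local OpenSSL build.

```python
"""Find static-RSA key-exchange suites in a TLS configuration and build a
context without them. Added example; sample cipher records are constructed."""
import re
import ssl


def uses_static_rsa_kx(cipher):
    """True if a cipher dict (as returned by SSLContext.get_ciphers()) uses
    static RSA key exchange, i.e. the client encrypts the premaster secret to
    the server's RSA key. (EC)DHE suites that merely *authenticate* with RSA
    are not affected: ROBOT is a padding oracle on the RSA *key exchange*,
    and TLS 1.3 suites never use it (reported as kea 'kx-any')."""
    kea = cipher.get("kea")
    if kea:
        return kea == "kx-rsa"
    # Fallback for records without 'kea': parse OpenSSL's description text.
    return re.search(r"\bKx=RSA\b", cipher.get("description", "")) is not None


def static_rsa_suites(ciphers):
    """Names of the suites in `ciphers` that the ROBOT attack targets."""
    return [c["name"] for c in ciphers if uses_static_rsa_kx(c)]


def hardened_server_context():
    """Server context that refuses RSA key exchange.

    '!kRSA' removes every suite whose key exchange is static RSA; the rest of
    the string limits TLS 1.2 to forward-secret AEAD suites. Call
    ctx.load_cert_chain() on the result before serving with it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!kRSA")
    return ctx


def audit_context(ctx):
    """Return (is_clean, offending_suite_names) for a configured context."""
    bad = static_rsa_suites(ctx.get_ciphers())
    return (not bad, bad)


if __name__ == "__main__":
    # What OpenSSL's stock 'DEFAULT' list still allows on this machine ...
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    weak.set_ciphers("DEFAULT")
    print("static RSA suites in DEFAULT:", static_rsa_suites(weak.get_ciphers()))
    # ... versus the hardened context.
    print("hardened context clean:", audit_context(hardened_server_context()))
```

The same `!kRSA` exclusion works in any OpenSSL-based server's cipher string (for example nginx's `ssl_ciphers` or Apache's `SSLCipherSuite`); for appliances that expose no cipher string, the vendor's update list named in the row is the only fix.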
- April 16, 2024: Niagara Fox with or without SSL.
- December 14, 2023: SNMP findings; Detected service: NetBIOS moved from WARN to BAD.
- December 4, 2023: ZooKeeper.