Ever since computers became able to run several programs at the same time and connect to modern networks, ports have been important.
Three things are needed for communication between two machines:
A port number is a 16-bit number between 0 and 65535. Some ports are conventionally tied to specific services, e.g. port 80 is used for HTTP communication.
If we send a request to a port, we can get 3 types of results:
The aim of port scanning is to find open ports by sending requests to one or more ports. With this technique, administrators can check their network's security policies. But it can be used for malicious purposes as well, which is why it is one of the favorite "toys" of hackers.
If they find an open port, it becomes very easy for them to exploit the vulnerabilities of the service behind it.
It's like when a burglar wants to break into a house. What will he do first? Go around the house to check whether any windows or doors are open. If he finds one, of course, he'll go into the house there and won't try to open a closed door. Once he is inside, he can steal whatever he wants.
So, in short, port scanning means finding the weakest point of the system.
Since BitNinja agent version 1.18.8, we log which port has been scanned.
According to our statistics*, the top 5 scanned ports are the following:
*Between 2017.11.22. and 2017.12.19.
As you can see, port 23 (Telnet) is the leader of this "competition". BitNinja detected more than 5 million port scan attempts on it in only 1 week (2017.12.12-2017.12.19).
It shows us that most port scans are coming from Japan. If you'd like to find out more about the port scan attacks on your server, go to Dashboard / Network attacks and choose the BL_PORT_HONEYPOT_BADPORT incident type.
You can set additional details like date range, country, IP address, and server.
The most important thing is to filter the ports you don't use. For example, if you don't use Telnet, you can close port 23 and port 2323.
Also, keep the services up-to-date on those ports that you actually use, and make sure to use a secure password, not just an admin-admin pair. 🙂
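One way to find the ports worth closing is to compare what the server is actually listening on with what it is supposed to expose. The script below is an added example, not BitNinja code: it parses the output of `ss -H -tln` and reports every externally reachable listener that is not on an allowlist, marking the Telnet ports 23 and 2323 mentioned above. The allowlist and the sample output are assumptions constructed for illustration.

```python
import shutil
import subprocess

# Constructed sample of `ss -H -tln` output (not real data from any server).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 5 [::]:2323 [::]:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
"""

ALLOWED_PORTS = {22, 80, 443}  # assumption: the services this host should expose
TELNET_PORTS = {23, 2323}      # the Telnet ports named in the article


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line of `ss -H -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # last colon: IPv6-safe
        if port.isdigit():
            listeners.append((addr.strip("[]"), int(port)))
    return listeners


def audit(ss_output, allowed=ALLOWED_PORTS):
    """List externally reachable listeners that are not on the allowlist."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        # Loopback-only sockets cannot be reached by a remote scan.
        if addr.startswith("127.") or addr == "::1" or port in allowed:
            continue
        reason = "telnet" if port in TELNET_PORTS else "not-allowlisted"
        findings.append((port, addr, reason))
    return sorted(findings)


if __name__ == "__main__":
    # Use live data where `ss` exists, otherwise the constructed sample.
    live = shutil.which("ss")
    text = subprocess.run(["ss", "-H", "-tln"], capture_output=True,
                          text=True).stdout if live else SAMPLE_SS_OUTPUT
    for port, addr, reason in audit(text):
        print(f"close or filter {addr}:{port} ({reason})")
```

Each reported listener should either be stopped, bound to loopback, or blocked at the firewall; anything that stays open belongs on the allowlist and in your patching routine.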
Our concept is that prevention is always better than fixing a problem afterward. Our Port Honeypot module was created to identify port scans. If you want to read more about how honeypots work, check out our previous article.
Here is a real example of how BitNinja caught a Telnet port scan:
If you haven't installed BitNinja on your servers yet, try the Port Honeypot (and all the other modules) with our 7-day free trial.
Got a question or feedback? Tell us under the article!