Exposing the wrong port on the open internet can be devastating for your organization's security. Detectify allows you to monitor this continuously across your full attack surface and to be notified as soon as something unwanted happens using Attack Surface Policies. In this article, we will explain some useful policies that cover open ports.
Monitor internal domains exposing open ports externally
Every organization has some domains that are not supposed to expose any open ports on the open internet, like if they are supposed to be behind a VPN. Detectify allows you to setup a policy to ensure that if any of these domains accidentally exposes an open port to the internet, you'll be the first to know about it. To create such a policy, simply set the scope of domains that should be covered with a filter on "Monitored domain", like in the example below, and then add a filter looking for any domain with the number of open ports being more than 0.
Monitor exposed open ports
The filter operators for open ports
There are five different filter operators to choose from when filtering on open ports. These are:
- contain any of (A ⋂ B != ∅)
- This one adds an or between each value added to the list of values. This means that, if a domain has any of the ports listed open it will match. Think of this as a disallowlist and it will match anything that is using these disallowed ports.
- This one adds an or between each value added to the list of values. This means that, if a domain has any of the ports listed open it will match. Think of this as a disallowlist and it will match anything that is using these disallowed ports.
- do not contain any of (A ⋂ B = ∅)
- This filter also adds ors between each value but it will match if not any of those ports are found open on a domain.
- contain all of (⊇)
- For this filter, an and is added between each value, such that it matches only if all ports listed are found to be open.
- do not contain all of (⊅)
- This filter still uses the and between values but it matches only if not all ports listed are found open.
- do not only contain (⊄)
- This one is a little special. It matches if a port is found open that is not listed in the values. You can think of this as an allowlist. It will match anything that is not using any of these allowed ports.
Examples of policies on open ports
Here's a list of ports from different categories that are good to consider monitoring as part of policies using the disallow list format of contain any of.
Routing:
- DNS: 53, 5353
- SMTP: 25, 465, 587, 2525
- BGP: 179
NetBIOS & CIFS:
- NBNS: 137, 138
- NetBIOS Session Service: 139
- SMB: 445
- NFS: 2049
VOIP:
- SIP: 5060, 5061
- Ventrilo: 3784
- Viber: 4244, 5242, 5243, 7985
- h323: 1720
- TeamSpeak: 9987
Remote management:
- FTP: 20, 21, 2121
- SSH: 22, 2022, 2122, 2222
- Telnet: 23, 107, 992
- RSH: 514
- RDP: 3388, 3389, 3390
- VNC: 5800, 5900, 5901, 10348
- SNMP: 161, 162
- Portmapper: 111
- Ident: 113
- MSRPC: 135, 445, 593
Databases:
- LDAP: 389, 636
- Aurora/MySQL/MariaDB: 3306, 33060
- PostgreSQL: 5432
- MSSQL: 1433, 1434
- MaxDB: 7210
- Oracle DB: 1830, 1521, 2483, 2484
- Pervasive SQL: 1583, 3351
- OrientDB: 2480
- SAP SQL Anywhere: 2638
- Firebase/Interbase: 3050
- Sybase: 4100, 5000
- CouchDB: 5984
- Redis: 6379
- Cassandra: 7000, 7001, 9042
- Neo4J: 7473, 7474
- Apache Solr: 8983
- Riak: 8087, 8098
- ArangoDB: 8529
- ElasticSearch: 9200, 9300
- Memcache: 11211
- MongoDB: 27017, 27018, 27019, 28015, 28017, 29015
Industrial Control Systems:
- Siemens S7: 102
- Modbus: 502
- Red Lion: 789
- Niagara/Tridium: 1911, 4911
- PCWorx: 1962
- IEC 60870-5-104: 2404
- CODESYS: 2455
- MELSEC-Q: 5006, 5007
- HART: 5094
- BACnet: 7808
- FINS: 9600
- GE-SRTP: 18245, 18246
- DNP3: 20000
- ProConOS: 20547
- EtherNet/IP: 44818
Sensitive (Risky) Ports:
- Java RMI: 1090, 1098, 1099, 4444, 10999, 11099, 11111, 47001, 47002
- Docker: 2375, 2376
- JBoss: 4445
- Cisco Smart Install: 4786
- Oracle GlassFish: 4848
- Atlassian Crowd: 4990
- Apache Spark: 5000, 6066
- HP Data Protector: 5555, 5556
- WebLogic: 7000, 7001, 7002, 7003, 7004, 7070, 7071, 8000, 8001, 8002, 8003, 9000, 9001, 9002, 9003, 9503
- Apache Hadoop: 8088
- Zoho Manageengine Desktop: 8383
- LDAP: 389, 636
- Consul: 8500, 8600
- JMX: 8686, 9012
- JDWP: 45000, 45001, 50500
Alternative Web:
- HTTP: 81, 82, 591, 3000, 5000, 7547, 8000, 8008, 8089, 8090, 8081, 8082, 8088
- HTTPS: 1443, 4433, 4443, 5443, 6443, 7443, 9443, 10443
Ephemeral ports:
- RFC6056: 1024, 1025, 1026
- RFC6335: 49152, 49153, 49154
- Linux: 32768, 32769, 32770