Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: F.3 Emergency Response OrganizationsAppendix G 
 

G. Table of IP Services

Table G-1 lists the IP protocols that are commonly used on the Internet. For completeness, it also lists many protocols that are no longer used and are only of historic interest.

You can use this table to help you decide which protocols you do and do not wish to support on your UNIX computers. You can also use this table to help you decide which protocols to pass or block with a screening router, as described in Chapter 21, Firewalls. For example, at most sites you will wish to block protocols such as tftp, sunrpc, printer, rlogin and rexec. Most site administrators will probably wish to allow protocols such as ftp, smtp, domain, and nntp. Other protocols can be problematical.

The "Suggested Firewall Handling" column gives a sample firewall policy that should be sufficient for many sites; in some cases, footnotes provide additional explanation. We generally advise blocking all services that are not absolutely essential. The reason for this suggestion is that even simple services, such as TCP echo, can be used as a means for launching a denial of service attack against your network. These services can also be used by an attacker to learn about your internal network topology. Although these services are occasionally useful for debugging, we feel that their presence is, in general, a liability - an accident waiting to happen. Services which are not listed in this table should be blocked unless you have a specific reason for allowing them to cross your firewall. For detailed information about firewalls policy and filtering, we suggest that you consult Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky (O'Reilly & Associates, 1995).

The "Notes" section in this table contains a brief description of the service. If the word "Sniff" appears, then this protocol may involve programs that require passwords and may be vulnerable to password sniffing; you may wish to disable it on this basis, or only use it with a one-time password system. The word "Spoof" indicates that the usual programs that use the protocol depend on IP-based authentication for its security and can be compromised with a variety of spoofing attacks. The annotation "Obsolete" appears on protocols which may no longer be in general use. Note that the absence of a "Sniff" or "Spoof" annotation does not mean that the protocol is not vulnerable to such attacks.

The "Site Notes" column is a place where you can make your own notes about what you plan to do at your site.

NOTE: This is not a comprehensive list of TCP and UDP services; instead, it is a list of the services that are most commonly found on UNIX-based computers. If you have computers on your network that are running operating systems other than UNIX, you may wish to pass packets that use ports not discussed here. A complete list of all assigned port numbers can be found in RFC 1700 (or its successors)

In addition to the services noted in the table, you should block all IP addresses coming from outside your network which claim to come from inside your network. That is, any packet coming into your network with a source IP address that indicates it is from your network should be discarded.

IP packets with unusual option bits or invalid combinations of option bits should be blocked. This should probably include packets with source routing or record-route options set.

Fragmented packets should be blocked if the offset for reassembly specifies a zero offset (that would cause the reassembly to rewrite the IP header). [1]

[1] The idea for this table is based, in part, on Appendix B, Important Files from the book Firewalls and Internet Security, by William R. Cheswick and Steven M. Bellovin (Addison-Wesley, 1994).

Table G.1: Common TCP and UDP Services, by Port
PortProtocolNameNotesSuggested Firewall HandlingSite Notes
1TCPtcpmuxTCP port multiplexer. Rarely used.Block
7UDP, TCPecho

Echos UDP packets and characters sent down TCP streams.

Block[2]
9UDP, TCPdiscard

Accepts connections, but discards the data.

Block
11TCPsystat

System status - reports the active users on your system. Some systems connect this to who.

Block
13UDP, TCPdaytimeTime of day in human-readable form.Block[3]
15TCPnetstat

Network status, human-readable. Obsolete (officially unassigned as of 10/94).

Block
17UDPqotdQuote of the day.Block
19UDP, TCPchargenCharacter generator.Block
20TCPftp-data

Data and command ports for FTP. Sniff.

requires special handling.
21TCPftp
23TCPtelnetTelnet virtual terminal. Sniff.Be careful. [4]
24UDP, TCPFor use by private email systems.Block
25TCPsmtpEmail.

Allow to your firewall gate or bastion host.

37UDP, TCPtimeTime of day, in machine-readable form.Block
38UDP, TCPrapRoute Access Protocol.Block
42UDP, TCPnameHost Name Server. Obsolete.Block
43TCPwhoisNormally only run by NICs.Outbound only or Block.
48UDP, TCPauditd

Digital Equipment Corporation audit daemon.

Block
49UDPtacacsSniff. Spoof.

Block. You should place your tacacs authentication servers on the same side of your firewall as your terminal concentrators.

53UDP, TCPdomainDomain Name Service. Spoof.

Run separate nameservers for internal and external use. If you use firewall proxies, then you only need to provide DNS service on your firewall computer.

67, 68UDPbootpBoot protocol.Block
69UDPtftpTrivial FTP.Block
70TCP

gopher, gopher+

Text-based information service. Sniff.

Outbound access with proxies. Inbound connections only to an organizational gopher server running on a special host.

79TCPfinger

Return information about a particular user account or machine.

Outbound only. [5] (You may wish to refer inbound finger queries to a particular message.)

80TCPhttpWorld Wide Web. Sniff. Spoof.

Outbound access with proxies. Inbound connections only to an organizational WWW server running on a special host.

87TCPlinkBlock
88UDPkerberosDistributed authentication mechanism.

Block unless you need inter-realm authentication.

94UDP, TCPobjcallTivoli Object Dispatcher.Block
95TCPsupdup

Virtual terminal similar to Telnet, rarely used. Sniff.

Block
109TCPpop-2

Post Office Protocol, allows reading mail over Internet. Sniff.

Block unless there is a specific need to access email through firewall. Consider using APOP, which is not susceptible to password sniffing. If you do pass this service, pass inbound connections only to your email host.

110TCPpop-3Better Post Office Protocol. Sniff.
111UDP, TCPsunrpcSun RPC portmapper. Spoof. [6]Block
113TCPauth

TCP authentication service. Identifies the username belonging to a TCP connection.Spoof.

Limit or block incoming requests.[7]
119TCPnntpNetwork News Transport Protocol.Block with exceptions.[8]
121UDP, TCPerpc

Encore Expedited Remote Procedure Call.

Block
123UDP, TCPntpNetwork Time Protocol. Spoof.Block with exceptions.[9]
126UDP, TCPunitaryUnisys Unitary Login.Block
127UDP, TCPlocus-conLocus PC-Interface Conn Server.Block
130UDP, TCPcisco-fnaCisco FNATIV.Block with exceptions.
131UDP, TCPcisco-tnaCisco TNATIVE.Block with exceptions.
132UDP, TCPcisco-sysCisco SYSMAINT.Block with exceptions.
137UDP, TCPnetbios-nsNETBIOS Name Service.

Block NETBIOS unless there is a specific host with which you need to exchange NETBIOS information. NETBIOS over TCP/IP is best handled with encrypted tunneling.

138UDP, TCPnetbios-dgmNETBIOS Datagram Service.
139UDP, TCPnetbios-ssnNETBIOS Session Service.
144UDP, TCPnews

Sun NeWS (Network Window System). Possibly Sniff. Spoof. Obsolete.

Block
156UDP, TCPsqlsrvSQL Service. Sniff.Block
161UDP, TCPsnmp

Simple Network Management Protocol agents. Spoof. Sniff.

Block
162UDP, TCPsnmptrapSNMP traps.

Block under most circumstances, although you may wish to allow traps from an external gateway to reach your internal network monitors.

177UDP, TCPxdmcp

X Display Manager (XDM) Control Protocol. Sniff.Possibly Spoof.

Block. You may wish to allow outgoing connections in special circumstances.

178UDP, TCPNSWS

NEXTSTEP Window Server. Possibly Sniff.Spoof.

Block
194UDP, TCPircInternet Relay Chat Protocol.Block
199UDP, TCPsmuxSMUX (IBM).Block
200UDP, TCPsrcIBM System Resource Controller.Block
201UDP, TCPat-rtmpAppleTalk Routing Maintenance.

Block AppleTalk unless there is a specific host or network with which you need to exchange AppleTalk information. AppleTalk over TCP/IP is best handled through encrypted tunneling.

202UDP, TCPat-nbpAppleTalk Name Binding.
203UDP, TCPat-3AppleTalk Unused.
204UDP, TCPat-echoAppleTalk Echo.
205UDP, TCPat-5AppleTalk Unused.
206UDP, TCPat-zisAppleTalk Zone Information.
207UDP, TCPat-7AppleTalk Unused.
208UDP, TCPat-8AppleTalk Unused.
210TCPwaisWAIS server. Sniff.Block unless you run a server.
220TCPimapPOP replacement. Sniff.

Block unless there is a specific need to access email through the firewall. If you do pass this service, pass inbound connections only to your email host.

387TCPavrpAppleTalk Routing.Block
396UDP, TCPnetware-ipNovell Netware over IP. Sniff.Block
411UDP, TCPrmtRemote Tape.Block
512UDPbiffReal-time mail notification.Block
512TCPexec

Remote command execution. Sniff.Spoof.

Block
513UDPrwhoRemote who command.Block
513TCPloginRemote login. Sniff. Spoof.

These protocols are vulnerable to problems with "trusted hosts" and .rhost files. Block them if at all possible.

514TCPshellrsh. Sniff. Spoof.
514UDPsyslogsyslog logging.Block
515TCPprinterBerkeley lpr system. Spoof.Block
517UDPtalkInitiate talk requests.

You should probably block these protocols for incoming and outgoing use. If you wish to permit your users to receive talk requests from outside sites, then you must allow user machines to receive TCP connections on any TCP/IP port over 1024. The protocols further require that both hostnames and usernames of your internal users be made available to outsiders. talk can further be used to harass users.

518UDPntalkInitiate talk requests.
520UDProuteRouting control. Spoof.Block
523UDP, TCPtimedTime server daemon. Spoof.Block
532UDP, TCPnetnewsRemote readnews.Block
533UDP, TCPnetwallNetwork Write to all users.Block
540TCPuucp

Used mostly for sending batches of Usenet news. Sniff. Spoof.

Block unless there are specific hosts with which you wish to exchange UUCP information.

550UDP, TCPnrwhoNew rwho.Block
566UDP, TCPremotefsRFS remote filesystem. Sniff. Spoof.Block
666TCPmdqs

Replacement for Berkeley's printer system.

Block
666UDP, TCPdoomDoom game.Block
744TCPFLEXlmFLEX license manager.Block
754TCPtellUsed by sendBlock
755UDPsecurid

Security Dynamics ACE/Server. Sniff [10]

Block
765TCPwebsterDictionary service. Block
1025TCPlistenerSystem V Release 3 listener.Block
1352UDP, TCPlotusnotesLotus Notes mail system.Block
1525UDParchie

Tells you where things are on the Internet.

Block, except the specific archie servers you want to use.

2000TCPOpenWindowsSun proprietary window system.Block
2049UDP, TCPnfsSun NFS Server (usually). Spoof.Block
2766TCPlistenSystem V listener.Block
3264UDP, TCPccmailLotus cc:Mail.Block
5130UDPsgi-dogfightSilicon Graphics flight simulator.Block
5133UDPsgi-bznetSilicon Graphics tank demo.Block
5500UDPsecurid

Security Dynamics ACE/Server version 2. Sniff. [11]

Block
5510TCPsecuridprop

Security Dynamics ACE/Server slave. Sniff. [12]

Block
5701TCPxtrekX11 xtrek.Block

6000 thru 6063

TCPx-serverX11 server. Sniff. Spoof.Block
6667TCPircInternet Relay Chat.Block

7000 thru 7009

UDP, TCPafsAndrew File System. Spoof.Block
7100TCPfont-serviceX Server font service.Block

[2] Protocols such as echo can be used to probe the internal configuration of your network. They can also be used for creative denial of service attacks.

[3] As some programs use the system's real time clock as the basis of a cryptographic key, revealing this quantity on the Internet can lead to the compromise of some security-related protocols.

[4] Telnet Server. Conventional Telnet may result in passwords being sniffed on the network. You may wish to only allow specially encrypted or authenticated Telnet.

[5] The finger client program can be susceptible to certain kinds of data-driven attacks if you do not use a suitable finger wrapper.

[6] But note that a port scan can still find RPC servers even if portmapper is blocked.

[7] As discussed in the text, the values returned as part of this service are unreliable if the remote machine is not under your control.

[8] Outbound and inbound NNTP connections should only be allowed to the pre-established sites with which you exchange news.

[9] Allowing NTP from outside machines opens your site to time-spoofing attacks. If you must receive your time from outside your site via the Internet, only allow NTP packets from specified hosts.

[10] Traffic may be encrypted, but the administrator may decide not to turn this on. Export versions (non-U.S.) do not have encryption available.

[11] See note 10.

[12] See note 10.


Previous: F.3 Emergency Response OrganizationsPractical UNIX & Internet Security 
F.3 Emergency Response OrganizationsBook Index