Top 10 TCP Ports for Border Policy Review

Information Security guidance sometimes strikes practitioners as impractical. Many of us have more on our ‘to do’ list than we ever will complete.

With that in mind, we put together our list of the Top 10 TCP Ports for Border Policy Review. Here, we use global counts of open ports and known security impacts to create our Top 10.

This report uses 45 days of scanning-based data to summarize the global state of port usage. This scanning data provides a representative sample of global port states. All data used in this report is available in our Augury global insight tool.

Please do review these ports! This is not a "Top 10 TCP Ports to kill" list; these ports all need review in light of your network policy, posture, and goals.

What are the Top 20 listening TCP Ports on the Internet?

In Aristotle’s Politics, he quotes a famous ancient proverb: “well begun is half done.”  This task is no exception to that rule! Looking at the Top 20 Listening TCP Ports open to the Internet gets us off to a good start!

[Figure: Top 20 Open TCP Listeners]

And here is our Top 10…

(This list is ordered by Open Global Listeners)

#1 – Telnet (TCP 23)

Global TCP Listeners: over 9,000,000

The telnet protocol served as a useful protocol for remote management many years ago.  Today, this port is likely a bigger liability than it is a utility.  Embedded systems, IoT devices, and old network equipment often have this port open.  Do you intend to expose this service to the world?

#2 – RTSP (TCP 554)

Global TCP Listeners: about 9,000,000

The Real Time Streaming Protocol offers streaming video services from RealNetworks. Cameras, Digital Video Recorders (DVRs), and streaming video servers use this protocol to serve videos. Does your network need to expose these services to the Internet? 

#3 – MySQL (TCP 3306)

Global TCP Listeners: over 8,000,000

MySQL is a popular database server, but do organizations need this exposed to the world? ACLs and/or host routes with no default routes might be best on database servers.

#4 – BGP (TCP 179)

Global TCP Listeners: about 6,000,000

The BGP (Border Gateway Protocol) is the heartbeat of the Internet. It is the single most important application protocol for Internet operations. Almost all traffic depends on BGP to get to the proper destination. BGP needs to be open between routers speaking BGP, but most of the time it does not need to be open elsewhere.

#5 – SOCKS (TCP/UDP 1080)

Global TCP Listeners: about 6,000,000

The SOCKS protocol allows proxying connections to web sites and other services. It sees wide use for many legitimate purposes and many malicious purposes. Many malicious actors set up proxy networks to hide behind. Does your network need SOCKS exposed to the world?

#6 – SNMP (TCP/UDP 161 and 162)

Global TCP Listeners: about 6,000,000

SNMP (Simple Network Management Protocol) allows the reading of monitoring, metrics, and configuration data from many different types of devices. In some cases, it allows configuration variables to be set or changed. There are secure ways to use SNMP and it is useful for monitoring equipment. Some organizations are exposing more than they may intend via SNMP listening devices.

#7 – SMB (TCP/UDP 445)

Global TCP Listeners: over 4,000,000

SMB (Server Message Block) is a file sharing service used by Microsoft Windows and related devices. These services are most often used for sharing within a LAN, or within a defined network perimeter. There are other protocols that tend to be better suited for serving public content.

#8 – PostgreSQL (TCP 5432)

Global TCP Listeners: about 4,000,000

Like MySQL above, PostgreSQL is a popular database server. Also like MySQL, this port is a good candidate for ACLs and/or host routes. There is little reason to expose this to the world.

#9 – Kafka / H2 DBMS (TCP 9092)

Global TCP Listeners: over 3,500,000

Both Kafka and H2 DBMS use port 9092. Kafka is a popular distributed streaming platform. It is often placed in a similar architectural role to message buses. H2 DBMS is a database management system. Restricting access with ACLs is a good idea in most situations.

#10 – Redis (TCP 6379)

Global TCP Listeners: over 3,500,000

Redis is an in-memory data store that is used as a database, cache, and message broker. As with the other similar systems on this list, does your organization intend to expose this to the world? Are there ACLs that may be suitable to put in front of your Redis services?
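One way to start the review on your own hosts, as an added example that is not part of the original article: the script below reads Linux `ss -H -tln` output and reports listeners on the ten ports above that are bound to something other than loopback. The sample output is constructed, the function names are illustrative, and only the TCP side of the TCP/UDP entries is checked.

```python
import ipaddress

# TCP ports from the Top 10 above (SNMP contributes both 161 and 162).
REVIEW_PORTS = {
    23: "Telnet", 554: "RTSP", 3306: "MySQL", 179: "BGP", 1080: "SOCKS",
    161: "SNMP", 162: "SNMP", 445: "SMB", 5432: "PostgreSQL",
    9092: "Kafka / H2 DBMS", 6379: "Redis",
}

# Constructed sample of `ss -H -tln` output (not real data). Columns:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 244 192.0.2.10:5432 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
LISTEN 0 50 *:9092 *:*
LISTEN 0 128 [::1]:1080 [::]:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
"""

def split_local(field):
    """Split the local address column into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop an interface scope (%lo, %eth0) first, then IPv6 brackets.
    return addr.split("%")[0].strip("[]"), int(port)

def is_loopback(addr):
    if addr == "*":  # ss prints * for a dual-stack wildcard bind
        return False
    return ipaddress.ip_address(addr).is_loopback

def listeners_to_review(ss_output):
    """Return sorted (port, service, address) for review ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        if port in REVIEW_PORTS and not is_loopback(addr):
            findings.append((port, REVIEW_PORTS[port], addr))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, addr in listeners_to_review(SAMPLE_SS):
        print(f"review: {service} (TCP {port}) listening on {addr}")
```

A listener flagged here is only a candidate for review: whether it is reachable from the Internet still depends on the border ACLs and routing in front of the host.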

Summary

Putting this list together surprised your author! It proved a challenge to keep this list capped to ten items. Any full review would consider many more ports. Ahh, but here is the trap: perfection is the enemy of progress. Our goal here is to move the bar forward. Please take the time to consider this list!

Do you agree or disagree with these ports appearing here? In both cases, GOOD! This list requires review before applying, as each network is unique.
