Find open ports / disable unnecessary services

Discussion in 'other firewalls' started by Mrkvonic, Dec 29, 2008.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hi all,

    A fellow Wilderser approached me in a pm, so I decided to answer the question publicly, so everyone can benefit.

    The two questions were: "how can I check what open ports I have?" and "how can I disable unnecessary services?"

    So:


    1) Open ports

    There are several ways to check this. The simplest is to run:

    Code:
    netstat -ano
    in the command line window (start > run > cmd).

    This will display all connections, on different network interfaces. However, this does not mean that all these ports are open to the Internet! They may only be used in an internal network.

    Look for LISTENING under State. These are the open ports. Then check the IP address column. If the ports are only open on local IP addresses, which are any of the following:

    172.16-32.x.x
    192.168.x.x
    10.x.x.x

    Then you have nothing to worry about. These are non-routable internal IPs, which can only be resolved from local networks, meaning your office, your home etc.

    Example of my own:

    Code:
     Proto  Local Address          Foreign Address        State
      TCP    192.168.35.1:139       0.0.0.0:0              LISTENING
      TCP    192.168.242.1:139      0.0.0.0:0              LISTENING
    
    Local addresses, all is fine. But there might be other addresses, which are routable. An example of this:

    Code:
      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    
    0.0.0.0 means YOUR machine, or rather the default gateway of your machine. Default gateway is the network interface that connects to the outside world.

    So you need to ask yourself: what is the IP address of this interface? If you're using a router, for example, the IP will be internal, so again, you have nothing to worry about. If you're directly connected to the Internet, then disabling these services or running a firewall might be prudent.

    But if you can't be bothered with netstat, to check whether your ports are closed, perform a port scan from outside your network:

    Either using a network scanner, like nmap:
    http://nmap.org/

    Can be run from another machine or live CD ...

    Or perform the ShieldsUP! scan at grc.com:
    http://www.grc.com/default.htm

    If neither of these shows any open ports, you're fine. Closed or stealthed, the result is the same. You either have no open ports listening to the web or you have a firewall that blocks unsolicited incoming traffic. Both are good.


    2) Disabling unnecessary services

    First, define unnecessary. NetBIOS, for example, do you need it? Do you share your files and printer resources with other machines? Yes, no, this will tell you if a service is unneeded.

    Second, services are disabled by start > run > services.msc.

    This will give you the list of all services. Those running are marked with started. They will also be set to Automatic or Manual, meaning start with the computer or run when necessary. Disabled services won't run. Disabled services also means less functionality.

    So as always, it's the tradeoff between functionality and security.

    But if you're using a firewall AND your ports show up as closed in scans, then you have nothing to worry about, so no need to disable useful services.


    I hope this helps someone.

    Enjoy.

    Mrk
     
    Last edited: Dec 29, 2008
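    The services.msc procedure in the post, done from the shell with the safeguards a practitioner wants around it: a record of every start mode before anything changes, a list of what else stops when a service stops, a dry run, and an Event Log check after the reboot. This is an added example, not code from the post; it assumes an elevated PowerShell 5.1 or later session, and the function names, the CSV path and the service used in the usage lines (RemoteRegistry) are assumptions for illustration.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 5.1+ session
# on Windows; the backup path, the function names and the service used in the
# usage lines (RemoteRegistry) are assumptions for illustration.
#Requires -RunAsAdministrator

$BackupCsv = Join-Path $env:USERPROFILE 'services-before.csv'   # assumed location of the rollback record

# 1. Record every service's current start mode before touching anything, so the
#    change can be reverted service by service (Restore-ServiceStartup below).
function Save-ServiceStartup {
    param([string]$Path = $BackupCsv)
    Get-CimInstance Win32_Service |
        Select-Object Name, DisplayName, State, StartMode |
        Export-Csv -Path $Path -NoTypeInformation
    Import-Csv $Path | Measure-Object | Select-Object -ExpandProperty Count
}

# 2. Walk the dependency graph downward: every service that stops if this one stops.
function Get-DependentServiceTree {
    param([Parameter(Mandatory)][string]$Name)
    $seen  = @{}
    $queue = [System.Collections.Queue]::new()
    $queue.Enqueue($Name)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($dep in (Get-Service -Name $current -ErrorAction Stop).DependentServices) {
            if (-not $seen.ContainsKey($dep.Name)) {
                $seen[$dep.Name] = $dep
                $queue.Enqueue($dep.Name)
            }
        }
    }
    $seen.Values | Sort-Object Name
}

# 3. Disable and stop a service, but only after listing what else goes down with it.
#    Supports -WhatIf, so the dependents can be reviewed before anything changes.
function Disable-ServiceSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $dependents = @(Get-DependentServiceTree -Name $svc.Name)
    if ($dependents.Count -gt 0) {
        Write-Warning ("Stopping {0} also stops: {1}" -f $svc.Name, ($dependents.Name -join ', '))
    }
    if ($PSCmdlet.ShouldProcess($svc.Name, 'set StartupType=Disabled and stop')) {
        Set-Service -Name $svc.Name -StartupType Disabled
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }   # -Force stops dependents too
    }
}

# 4. After the reboot: Service Control Manager warnings/errors logged since boot.
#    A service that another one silently needed usually shows up here first.
function Get-ServiceErrorsSinceBoot {
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Level        = 1, 2, 3          # critical, error, warning
        StartTime    = $boot
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# 5. Put the start modes back from the CSV written in step 1.
function Restore-ServiceStartup {
    param([string]$Path = $BackupCsv)
    foreach ($row in Import-Csv $Path) {
        $type = switch ($row.StartMode) {
            'Auto'     { 'Automatic' }
            'Manual'   { 'Manual' }
            'Disabled' { 'Disabled' }
            default    { $null }        # Boot/System entries are drivers; leave them alone
        }
        if ($type) { Set-Service -Name $row.Name -StartupType $type -ErrorAction SilentlyContinue }
    }
}

# Usage (service name assumed for illustration):
Save-ServiceStartup
Disable-ServiceSafely -Name 'RemoteRegistry' -WhatIf     # dry run: shows dependents, changes nothing
# Disable-ServiceSafely -Name 'RemoteRegistry'           # then reboot, test, and run:
# Get-ServiceErrorsSinceBoot
# Restore-ServiceStartup                                 # if something broke
```

    Run the -WhatIf line first and read the warning: the dependents list is the "disabling one service can disable several others" case, made visible before the change rather than after it. Change one or two services per reboot, as the later replies advise, and keep the CSV; it is the written record of what was changed.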
  2. rOadToIS

    rOadToIS Registered Member

    Joined:
    Dec 16, 2008
    Posts:
    168
    Thanks for the info!
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    cool info and value, thanks :thumb:
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding the disabling of services, be sure that you understand the consequences of disabling a particular service before doing so. A lot of services depend on other services to work properly. In some instances, disabling a single service can result in the disabling of several others that depend on it. Black Viper's site has a lot of info on services and which ones can be disabled. It doesn't cover all the possibilities so don't treat it as the final word on the subject. Everyone's setup is different.

    If you decide you want to disable services for security reasons, to save resources, or whatever reason, go slowly. Disable one or two, reboot, then check to make sure that everything still works. Pay close attention to external devices. Keep track of what you changed so you can put it back if you have to.
     
  5. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    The Black Viper site mentioned above is a great resource for this. Years ago I used to build and support lots of game servers (for Quake, Battlefield, Unreal Tournament, etc)...I'd co-lo them at data centers, they'd be on public IP addresses.

    I always used the Black Viper site as a guide to disable services. For one...on a default Windows Install, depending on the purpose you're going to use the PC for, you don't need many services, and disabling them makes the OS run "leaner". Secondly, disabling many of them will make the PC more secure...remote registry service for example. And server and workstation services.

    The Black Viper site has a history of going offline for a while, then coming back on. But you can usually still find useful content at Archive.

    Always document the changes you make.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    to disable unnecessary services you could also use WinPatrol Plus :thumb:
     
  7. normishmael

    normishmael Guest

    I can "third" the thumbs up for BlackViper.
    With a mix of "SAFE" and "tweaked" settings,plus a few from "bare bones"
    as I do not print, I have really cut my RAM use, thus leaving me a little more of my 1gb.
     
  8. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    You also can make a test profile to see just what Services you can cut.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,783
    I'd agree with all of the above and also add that checking the Event Viewer Logs after each change is helpful, you will often see errors and problems show up there after disabling a service, and this helps you figure out which ones you can disable and which you perhaps should not.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    BlackViper helped me out way back prior to sp1. Now I know the services so well that I just disable what I want, and if something is broken, I'm only a couple of clicks away from finding the culprit. You really should use this program for tweaking services:
    http://p-nand-q.com/download/pserv_cpl.html

    As for seeing what ports are open, yes, a netstat -ano will show you what ports are open. You will see the PID for the program holding the port open as well.

    How about when svchost.exe or others are holding it open? Svchost is a host to many different services, and most people see 4 or more instances of svchost.exe in their process list. Those running many of BlackViper's tweaks can see only 3 open, but I have never seen fewer than that.

    If you want to know what service is holding a port open, first run netstat -ano. Then run tasklist /svc. This will give you a listing of the services running within each PID. Now you can track down that open port to, say, a possibility of 5 services that particular PID is using.

    Want more? Try to find a copy of openports. DiamondCS made it as freeware, and it is much better than netstat. Netstat does not give the destination address of UDP connections. Openports does. It is a much better app, and is scriptable for ongoing monitoring to a logfile. Very nice. Script up a little reverse dns, and now you can see where it is headed to in a domain.

    Not enough? Give tdimon a try. MS owns it now, but it is still free. Used to be Mark Russinovich/SysInternals if you can still find it. This one will monitor all your TDI endpoints. Translation: it monitors all network activity pretty much. Not quite as intensive as maybe a packet sniffer like Wireshark, but still, it provides more data than you probably need.

    If there is interest, I made an app that you can start openports with or tdimon with, have them log data, then my app parses those logs out and consolidates the results. Sort of to check and see what app went where type thing.

    Sul.
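    The address check from the first post and the netstat -ano plus tasklist /svc correlation Sully describes, as one added PowerShell example (not code from either poster). It assumes Windows 10 or Server 2016 and later for Get-NetTCPConnection, Get-NetUDPEndpoint and Get-NetFirewallProfile, and an elevated prompt so that OwningProcess resolves for system services; the function names are mine. Two points the posts blur are handled in the classifier: 0.0.0.0 (and :: for IPv6) is not the default gateway but the wildcard bind, a socket that accepts connections through every interface the machine has, wired, Wi-Fi or VPN; and the private block is 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x. Whether a wildcard listener is reachable from the Internet is then decided by the router and the host firewall, which is why the report also prints the firewall's default inbound action per profile. UDP sockets carry no connection state, so the stack records only the local binding for them; where datagrams actually go needs a capture (Wireshark, or pktmon on recent Windows).

```powershell
# Added example, not from the thread. Windows 10 / Server 2016 or later, run elevated.
#Requires -RunAsAdministrator

# Classify a local bind address by who could possibly reach it.
function Get-BindScope {
    param([Parameter(Mandatory)][string]$Address)
    $a = $Address -replace '%\d+$', ''                   # drop IPv6 zone index (fe80::1%12)
    if ($a -in @('0.0.0.0', '::'))                       { return 'all-interfaces' }   # wildcard: every interface
    if ($a -eq '::1' -or $a -like '127.*')               { return 'loopback' }
    if ($a -like 'fe80:*' -or $a -like '169.254.*')      { return 'link-local' }
    if ($a -like '10.*' -or $a -like '192.168.*')        { return 'private' }
    if ($a -match '^172\.(1[6-9]|2\d|3[01])\.')          { return 'private' }          # 172.16.0.0/12 = 172.16 .. 172.31
    if ($a -match '^f[cd]')                              { return 'private' }          # IPv6 ULA fc00::/7
    return 'public'
}

# One row per listening TCP socket and per UDP binding, joined to the owning
# process and, for svchost.exe and other service hosts, to the services in that PID
# (what tasklist /svc shows, without reading two tables by hand).
function Get-ListenerReport {
    $svcByPid = @{}
    foreach ($s in Get-CimInstance Win32_Service -Filter 'ProcessId <> 0') {
        $p = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($p)) { $svcByPid[$p] = @() }
        $svcByPid[$p] += $s.Name
    }
    $procName = @{}
    foreach ($p in Get-Process) { $procName[[int]$p.Id] = $p.ProcessName }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; OwnerPid = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; OwnerPid = $_.OwningProcess }
    }

    (@($tcp) + @($udp)) | ForEach-Object {
        $owner = [int]$_.OwnerPid
        [pscustomobject]@{
            Proto    = $_.Proto
            Address  = $_.Address
            Port     = $_.Port
            Scope    = Get-BindScope -Address $_.Address
            Pid      = $owner
            Process  = $procName[$owner]
            Services = ($svcByPid[$owner] -join ',')    # empty for ordinary programs
        }
    } | Sort-Object Scope, Proto, Port
}

# The listener table says what is bound, not what the Internet sees: with the firewall
# on and DefaultInboundAction=Block, unsolicited inbound traffic is dropped unless an
# allow rule exists for that program or port.
function Get-InboundPolicy {
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

# Usage: listeners that are not confined to loopback or a private address come first.
Get-ListenerReport | Where-Object { $_.Scope -in @('all-interfaces', 'public') } | Format-Table -AutoSize
Get-InboundPolicy | Format-Table -AutoSize
```

    A row such as TCP 0.0.0.0:135 with Process svchost and Services RpcEptMapper,RpcSs is the case from the first post: bound on every interface, so only the firewall policy and the router decide whether it is reachable. An external scan from another host (nmap, as the post suggests) remains the confirmation, because it tests the path rather than the bind.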
     
  11. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,947
    Location:
    U.S.A.
  12. Rapid Dr3am

    Rapid Dr3am Registered Member

    Joined:
    Jun 14, 2008
    Posts:
    60
    Oh noes I has open ports! Oh noes I has a service listening on open ports! It's taking inbound connections from the outside World? OMG WHO IS WRITING THIS? Thanks for yet more open port FUD.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Care to elaborate what you mean, rapid?
    Mrk
     
  14. wat0114

    wat0114 Guest

    True, but that is why it's possible and I'd say recommended as BV suggests to copy the default services profile so you have two, then rename the one you want to modify (mine is Safe Profile) and tweak to your heart's content. If something goes wrong it is easy enough to select the default profile upon boot-up.
     

  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol dude. FUD is what now? This thread is merely a topic on how to view what ports you have open, and what services etc may be holding them open. There is nothing in here at all that would be FUD.

    Really, is it taboo or something to actually know what ports your computer has open? Come on, you don't really want remote registry running on your home computer, do you? lol, good stuff.

    Sul.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Mrk,

    Useful information!

    Firewalls will also show the connections:

    [screenshot: kerio-listening_1.gif]

    You can also see the services that use the ports. Here, Win2K:

    [screenshot: kerio-listening_2.gif]

    Port 135: Remote Procedure Call (RPC) Endpoint Mapper (epmap)

    Port 445: Microsoft Directory Services (Microsoft-ds). This port replaces the notorious Windows NetBIOS trio (ports 137-139).

    Port 500: Internet Security Association and Key Management Protocol (ISAKMP)

    In another discussion last year, some questioned if "listening" meant that the port is vulnerable.
    The system can "listen" all it wants, but as you point out:

    A check of the firewall log confirms:

    [screenshot: firewall log]

    From an old log entry, port 500:
    Code:
    Blocked: In UDP, 69.88.76.58:500->localhost:500, 
    Owner: C:\WINNT\SYSTEM32\LSASS.EXE
    
    ----
    rich
     
  17. wat0114

    wat0114 Guest

  18. TheSpirit

    TheSpirit Registered Member

    Joined:
    Sep 18, 2007
    Posts:
    7
    Yes, of course. I've been waiting for this obvious answer. And Process Explorer will show you the ports for a specific process.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I was messing with some IPsec policies, and was using netstat -ano 3 in looping mode. I don't like the fact that netstat does not show UDP endpoints. So I decided to make a quick batch file to loop DiamondCS openports.exe, which outputs a display like netstat -ano, but also shows UDP endpoints.

    Grab a copy of openports.exe somewhere, then make a batch file. You will need the old DOS file choice.com for this to work. 9x has it.

    openports_loop.bat
    Code:
    @echo off
    REM Loop forever, dumping the TCP/UDP endpoint table every few seconds.
    :looping
    openports.exe -netstat
    
    REM choice.com with /T:y,03 picks "y" on its own after 3 seconds, so it works as a sleep.
    type nul|choice /c:y /t:y,03>nul
    goto looping
    Change the value 03 to whatever you want. This is the sleep time.

    Sul.
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    UDP shows up in netstat ... I don't know why you don't get them.
    Mrk
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    UDP endpoints? I have never seen them. It shows the start point, your ip, but not the endpoint. TDImon shows them. Can't remember if TCPview or CurrPorts does or not. But, for me at least, netstat only shows

    UDP source 192.168.1.x dest 0.0.0.0 port xyz

    openports shows


    UDP source 192.168.1.x dest 192.168.1.xx port xyz

    Unless I am missing something.

    Sul.
     