Port List
# Introduction

During the audit-groups action, Scout uses an algorithm to assess the severity of Security Group rules. Part of the input to that algorithm is the risk level assigned to each entry of a port list defined in EC2.clj. This page documents why certain ports are flagged and why their risk levels are weighted the way they are.

## Groups

The port list is broken up into several groups, and Scout assigns a risk level to each group for use in calculating a risk score. The scale runs from 1 to 5, with 1 being a low risk and 5 being a severe risk. The groups, ports, and corresponding risk levels are as follows:
### Web Protocols

Web protocols are, in most circumstances, fine to expose to the internet, so Scout flags these as low-risk (informational) issues. It is still possible for a remote HTTP/HTTPS administration interface to become exposed, so in these cases the user needs to manually validate whether the port should be open.
- Port 80 - HTTP - Low Risk (1)
- Port 443 - HTTPS - Low Risk (1)
### Administration Protocols

Administration protocols ideally should not be exposed to the entire internet. Instead, create rules that open these protocols only to the individuals who will be administering your EC2 instances.
- Port 22 - SSH - Medium Risk (3)
- Port 3389 - RDP - Medium Risk (3)
### Control Protocols

Control protocols, like Microsoft RPC, are commonly used by higher-level Microsoft components. In the past these have been shown to be vulnerable, and they should not be exposed externally. If required, write your instance rules to expose them only to the necessary IP ranges.
- Port 135 & 137-139 - Medium Risk (3)
### Database Protocols

Database protocols generally should not be exposed externally to the internet. In some rare cases external administration may be required; in those cases consider a dedicated administration instance, with only public-key SSH authentication exposed externally, from which the database is reached.
- Port 3306 - MySQL - Medium Risk (3)
- Port 1521 - Oracle - Medium Risk (3)
- Port 1433 - MS SQL - Medium Risk (3)
- Port 5432 - PostgreSQL - Medium Risk (3)
- Port 11211 - Memcached - Medium Risk (3)
- Port 27017 - MongoDB - Medium Risk (3)
- Port 28017 - MongoDB Web Interface - Medium Risk (3)
- Port 6379 - Redis - Medium Risk (3)
### Authentication Protocols

Authentication protocols ideally should sit off the network perimeter, within your internal infrastructure. If exposure is required, consider writing your rule sets to allow traffic only from trusted sources.
- Port 389 - LDAP - High Risk (4)
- Port 88 - Kerberos - High Risk (4)
### Plaintext Protocols

Plaintext protocols transmit all traffic in the clear and are a completely unnecessary risk. Secure alternatives, like SFTP or SSH, should be used instead of FTP and Telnet.
- Port 20/21 - FTP - Critical Risk (5)
- Port 23 - Telnet - Critical Risk (5)
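The following is an added example, not Scout's own code from EC2.clj. It transcribes the port-to-risk table above into Python and evaluates a constructed set of Security Group rules against it, expanding port ranges (such as 137-139) and distinguishing rules open to the whole internet (`0.0.0.0/0` or `::/0`) from rules restricted to a source range. The scoring rule used here (the highest risk level among flagged ports reachable from the whole internet) is an assumption for illustration; this page does not describe how Scout actually combines the levels into a score.

```python
"""Port-risk lookup over Security Group rules.

Added example, not Scout's code. PORT_RISK transcribes the risk levels
on this page; risk_score() uses an ASSUMED combining rule (max level
among world-open flagged ports), not Scout's real algorithm.
"""
import ipaddress
from dataclasses import dataclass

# Risk levels from the page: 1 = low, 3 = medium, 4 = high, 5 = critical.
PORT_RISK = {
    # Web protocols
    80: ("HTTP", 1), 443: ("HTTPS", 1),
    # Administration protocols
    22: ("SSH", 3), 3389: ("RDP", 3),
    # Control protocols (Microsoft RPC / NetBIOS range)
    135: ("MS RPC", 3), 137: ("NetBIOS", 3), 138: ("NetBIOS", 3), 139: ("NetBIOS", 3),
    # Database protocols
    3306: ("MySQL", 3), 1521: ("Oracle", 3), 1433: ("MS SQL", 3),
    5432: ("PostgreSQL", 3), 11211: ("Memcached", 3), 27017: ("MongoDB", 3),
    28017: ("MongoDB web interface", 3), 6379: ("Redis", 3),
    # Authentication protocols
    389: ("LDAP", 4), 88: ("Kerberos", 4),
    # Plaintext protocols
    20: ("FTP", 5), 21: ("FTP", 5), 23: ("Telnet", 5),
}


@dataclass(frozen=True)
class Rule:
    """One inbound Security Group rule: a TCP port range and a source CIDR."""
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class Finding:
    port: int
    name: str
    risk: int
    cidr: str
    world_open: bool


def is_world_open(cidr: str) -> bool:
    """True when the source covers the whole internet (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def findings(rules):
    """Expand each rule's port range and report every port on the risk list."""
    out = []
    for r in rules:
        for port, (name, risk) in PORT_RISK.items():
            if r.from_port <= port <= r.to_port:
                out.append(Finding(port, name, risk, r.cidr, is_world_open(r.cidr)))
    return out


def risk_score(rules) -> int:
    """ASSUMED scoring: highest risk among flagged ports open to the world, 0 if none.

    Web ports still appear in findings() so a reviewer can validate them by hand,
    as the page recommends, but contribute only their low level (1) here.
    """
    return max((f.risk for f in findings(rules) if f.world_open), default=0)


# Constructed sample rules (not from any real account).
SAMPLE_RULES = [
    Rule(22, 22, "203.0.113.0/24"),   # SSH limited to an admin range: not world-open
    Rule(80, 80, "0.0.0.0/0"),        # HTTP to the internet: informational
    Rule(137, 139, "0.0.0.0/0"),      # NetBIOS range: expands to three findings
    Rule(23, 23, "0.0.0.0/0"),        # Telnet to the internet: critical
]

if __name__ == "__main__":
    for f in findings(SAMPLE_RULES):
        where = "WORLD" if f.world_open else f.cidr
        print(f"port {f.port:>5} {f.name:<22} risk {f.risk} from {where}")
    print("risk score:", risk_score(SAMPLE_RULES))
```

Running the block lists six findings (SSH from the admin range, HTTP, the three NetBIOS ports and Telnet) and a score of 5, driven by the world-open Telnet rule; removing that rule drops the score to 3 for the NetBIOS range, and restricting every rule to a specific source range drops it to 0 under this assumed scoring.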