Which ports to monitor for ransomware attacks
There are a few ports that deserve extra attention when you’re monitoring your systems for ransomware attacks.
There are 65,536 ports (virtual access points) on a computer, but not all of them are created equal. When it comes to ransomware gangs looking for a way to break in, they have some very clear favorites.
Port 3389 (Mr obvious, RDP)
For years, one of the most popular vectors for ransomware attacks has been the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, a tool for remotely controlling a computer that gives you all the power and control you would have if you were actually sitting behind it—which is what makes it so dangerous in the wrong hands.
Criminals break in by guessing RDP passwords, so your ability to protect port 3389 depends on the strength of your weakest password, unless you have additional authentication steps like two-factor authentication enabled.
We have a very extensive article about securing RDP, but the bottom line is to turn off RDP unless you absolutely need it.
Port 22 (SSH)
Like RDP, SSH provides a method for logging in to a computer remotely, but in this case the user gets a shell rather than a GUI. It has several strong authentication options, and it protects communications over the wire with strong encryption.
While SSH is a secure protocol, it can still be vulnerable to password brute force attacks or compromised SSH keys. The Vice Society ransomware group is known to use SSH brute forcing, for example, while other attackers are known to use SSH key stealing software like SSH-Snake.
Authentication credentials, particularly SSH keys, are a prime target for attackers and should be handled securely. Keys are a better option than passwords, but if you use passwords ensure you have strong password policies. In all cases, consider limiting access to trusted hosts only.
Port 445 (SMB)
Windows Server Message Block (SMB) is a protocol used by PCs for file and printer sharing, as well as for access to remote services. SMB can be used to enter a network or move laterally through it.
SMB abuse was made infamous by the EternalBlue exploit, used by WannaCry ransomware to spread around the world in 2017. Although EternalBlue is the most famous, SMB has had a number of named vulnerabilities since, such as DejaBlue, SMBGhost, and SMBleed. SMB signing weaknesses or misconfigurations can also lead to NTLM relaying attacks, and SMB can be vulnerable to brute force attacks too.
To defend SMB, block all inbound traffic on port 445 and keep SMB patched. Use network segmentation to minimize the impact of lateral movement.
Ports 137-139 (NetBIOS)
NetBIOS stands for Network Basic Input/Output System. It is not a networking protocol itself but an Application Programming Interface (API) that allows applications on different computers to communicate over a local area network. NetBIOS provides services like name resolution, connectionless communication, and connection-oriented communication.
Originally, SMB relied on NetBIOS to function. However, since Windows Vista and Windows Server 2008, SMB can run directly over TCP/IP using port 445, without the need for NetBIOS. This also provides better security and efficiency.
So, it’s very likely that you do not need NetBIOS. Unless you have an application or service that relies on it, you should disable, block, and forget about it.
Ports 20-21 (FTP)
The File Transfer Protocol (FTP), which uses ports 20 and 21, is considered insecure because it passes data (including passwords) in clear text, making it vulnerable to machine-in-the-middle (MitM) attacks. FTP can also be targeted by brute force password attacks.
FTP is insecure by design and should never be used. There are numerous secure alternatives, such as SFTP.
Mitigation
The most important steps in securing your ports are to perform regular port scans and close the ones that don’t need to be open. For those that do need to be open, use strong authentication, such as two-factor authentication, and limit access to the individuals, networks, or services that need it.
Use vulnerability assessment and patch management to stay on top of vulnerabilities in any software running on open ports.
Monitor your endpoints and network traffic for abnormal behavior, using a service like Managed Detection and Response (MDR).
Consider changing the default ports for applications, to make it harder for criminals to determine what services you’re running.
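To show what monitoring the ports above can look like in practice, here is an added example (not code from the original article) that reads constructed firewall-style log lines, reports any inbound connection to one of the ports discussed from outside an assumed trusted management network, and flags password-guessing bursts against RDP, SSH, SMB or FTP. The log format, the 10.10.0.0/24 allow-list and the three-failures-in-five-minutes threshold are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ports the article singles out, mapped to the service they normally carry.
WATCHED_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 137: "NetBIOS",
                 138: "NetBIOS", 139: "NetBIOS", 20: "FTP-data", 21: "FTP"}
# Hypothetical allow-list (an assumption): only this management network may
# reach the watched ports; anything else is reported.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

def parse_line(line):
    """Parse a constructed log line: '<ISO time> <src ip> <dst port> <outcome>'."""
    ts, src, dport, outcome = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), int(dport), outcome

def analyse(lines, max_failures=3, window=timedelta(minutes=5)):
    """Return (untrusted_hits, bruteforce_hits) for the given log lines."""
    untrusted, brute = [], set()
    failures = defaultdict(list)  # (src, port) -> timestamps of failed auths
    for line in lines:
        ts, src, dport, outcome = parse_line(line)
        if dport not in WATCHED_PORTS:
            continue                      # not a port we care about here
        svc = WATCHED_PORTS[dport]
        if not any(src in net for net in TRUSTED_NETS):
            untrusted.append((str(src), dport, svc))
        if outcome == "auth_fail":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[(src, dport)] if ts - t <= window]
            recent.append(ts)
            failures[(src, dport)] = recent
            if len(recent) >= max_failures:
                brute.add((str(src), dport, svc))
    return untrusted, sorted(brute)

# Constructed sample: trusted SSH login, RDP guessing burst, SMB probe, benign port.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 10.10.0.5 22 auth_ok",
    "2024-05-01T10:01:00 203.0.113.7 3389 auth_fail",
    "2024-05-01T10:01:20 203.0.113.7 3389 auth_fail",
    "2024-05-01T10:01:40 203.0.113.7 3389 auth_fail",
    "2024-05-01T10:02:00 198.51.100.9 445 connect",
    "2024-05-01T10:03:00 10.10.0.5 8080 connect",
]

if __name__ == "__main__":
    hits, brute = analyse(SAMPLE_LOG)
    print("Untrusted sources on watched ports:", hits)
    print("Password-guessing bursts:", brute)
```

In a real deployment the log lines would come from your firewall, VPN or Windows logon events, and the allow-list would match the networks you actually permit to reach each service.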