
Apache 2 with SSL/TLS: Step-by-Step, Part 1
Artur Maj
2005-01-18

For more than 10 years the SSL protocol has been widely used for the purpose of securing web transactions over the Internet. One can only guess how many millions or billions of dollars in transactions are processed per day using SSL. Unfortunately, the simple fact that we use SSL does not necessarily mean that the information sent over this protocol is secure. The use of weak ciphers, the impossibility of verifying web servers' certificates, security vulnerabilities in web servers or the SSL libraries, as well as other attacks, may each let intruders access sensitive information -- regardless of the fact that it is being sent through SSL.

This article begins a series of three articles dedicated to configuring Apache 2.0 with SSL/TLS support in order to ensure maximum security and optimal performance of the SSL communication. This article, part one, introduces key aspects of SSL/TLS and then shows how to install and configure Apache 2.0 with support for these protocols. The second part discusses the configuration of mod_ssl, and then addresses issues with web server certificates. The second article also shows how to create the web server's SSL certificate. The third and final article in this series discusses authentication and some typical configuration mistakes made by administrators that may decrease the security level of any SSL communication.

Introduction to SSL

Secure Sockets Layer (SSL) is the most widely known protocol that offers privacy and good reliability for client-server communication over the Internet. SSL itself is conceptually quite simple: it negotiates the algorithms and keys between the two sides of a communication, and establishes an encrypted tunnel through which other protocols (like HTTP) can be transported. Optionally, SSL can also authenticate both sides of the communication through the use of certificates. SSL is a layered protocol and consists of four sub-protocols:

• SSL Handshake Protocol
• SSL Change Cipher Spec Protocol
• SSL Alert Protocol
• SSL Record Layer

The position of the above protocols in the TCP/IP model is illustrated in Figure 1.

Figure 1. SSL sub-protocols in the TCP/IP model

As the above diagram shows, SSL is found in the application layer of the TCP/IP model. Because of this, SSL can be implemented on almost every operating system that supports TCP/IP, without the need to modify the system kernel or the TCP/IP stack. This gives SSL a very strong advantage over other protocols like IPSec (IP Security Protocol), which requires kernel support and a modified TCP/IP stack. SSL can also be easily passed through firewalls and proxies, as well as through NAT (Network Address Translation), without issues.

How does SSL work?

The diagram below, Figure 2, shows the simplified, step-by-step process of establishing each new SSL connection between the client (usually a web browser) and the server (usually an SSL web server).

Figure 2. How SSL establishes connections, step-by-step.

As you can see from Figure 2, the process of establishing each new SSL connection starts with exchanging encryption parameters and then optionally authenticating the server (using the SSL Handshake Protocol). If the handshake is successful and both sides agree on a common cipher suite and encryption keys, the application data (usually HTTP, but it can be another protocol) can be sent through the encrypted tunnel (using the SSL Record Layer). In reality, the above process is a little more complicated. To avoid unnecessary handshakes, some of the encryption parameters are cached. Alert messages may be sent. Cipher suites can be changed as well. However, regardless of the SSL specification details, the most common way this process actually works is very similar to the above.

SSL, PCT, TLS and WTLS (but not SSH)

Although SSL is the best known and the most popular, it is not the only protocol that has been used for the purpose of securing web transactions. It is important to know that since the invention of SSL v1.0 (which has never been released, by the way) there have been at least five protocols that have played a more or less important role in securing access to the World Wide Web, as we see below:

• SSL v2.0
  Released by Netscape Communications in 1994. The main goal of this protocol was to provide security for transactions over the World Wide Web. Unfortunately, very quickly a number of security weaknesses were found in this initial version of the SSL protocol, thus making it less reliable for commercial use:
  o weak MAC construction
  o possibility of forcing parties to use weaker encryption
  o no protection for handshakes
  o possibility of an attacker performing truncation attacks
• PCT v1.0
  Developed in 1995 by Microsoft. Privacy Communication Technology (PCT) v1.0 addressed some weaknesses of SSL v2.0, and was aimed to replace SSL. However, this protocol never gained as much popularity as SSL v3.0.
• SSL v3.0
  Released in 1996 by Netscape Communications. SSL v3.0 solved most of the SSL v2.0 problems, and incorporated many of the features of PCT. It quickly became the most popular protocol for securing communication over the WWW.
• TLS v1.0 (also known as SSL v3.1)
  Published by the IETF in 1999 (RFC 2246). This protocol is based on SSL v3.0 and PCT and harmonizes both Netscape's and Microsoft's approaches. It is important to note that although TLS is based on SSL, it is not 100% backward compatible with its predecessor. The IETF made some security improvements, such as using HMAC instead of MAC, using a different calculation of the master secret and key material, adding additional alert codes, dropping support for Fortezza cipher suites, and so on. The end result of these improvements is that the two protocols don't fully interoperate. Fortunately, TLS also has a mode to fall back to SSL v3.0.
• WTLS
  "Mobile and wireless" version of the TLS protocol that uses the UDP protocol as a carrier. It is designed and optimized for the lower bandwidth and smaller processing capabilities of WAP-enabled mobile devices. WTLS was introduced with the WAP 1.1 protocol, and was released by the WAP Forum. However, after the introduction of the WAP 2.0 protocol, WTLS has been replaced by a profiled version of the TLS protocol, which is much more secure -- mainly because there is no need for decryption and re-encryption of the traffic at the WAP gateway.

Why has the SSH (Secure Shell) protocol not been used for the purpose of providing secure access to the World Wide Web? There are a few reasons why not. First of all, from the very beginning TLS and SSL were designed for securing web (HTTP) sessions, whereas SSH was intended to replace telnet and FTP. SSL does nothing more than the handshake and establishing the encrypted tunnel, while SSH offers console login, secure file transfer, and support for multiple authentication schemes (including passwords, public keys, and more). On the other hand, SSL/TLS is based on X.509v3 certificates and PKI, which makes the distribution and management of authentication credentials much easier to perform. Hence, these and other reasons make SSL/TLS more suitable for securing WWW access and similar forms of communication, including SMTP, LDAP and others -- whereas SSH is more convenient for remote system management.

To summarize, although several "secure" protocols do indeed exist, only two of them should be used for the purpose of securing web transactions (at least at the moment): TLS v1.0 and SSL v3.0. Both of them are referred to in the rest of this article series simply as SSL/TLS. Because of the known weaknesses of SSL v2.0, and the famous "WAP gap" in the case of WTLS, the use of these other protocols should be avoided or at least minimized.

Software requirements

This next part of the article shows how to configure Apache 2.0 with SSL/TLS support, using the mod_ssl module. Therefore, before going further, readers are encouraged to download the latest version of the Apache 2.0 source code from Apache's web site. Most of the examples should also work for Apache 1.3.x; in that case, however, mod_ssl needs to be downloaded separately from Apache's source code, from the mod_ssl website. The practical examples presented in the article should work on most Unix, Linux-like and BSD-based operating systems. The only requirement for the operating system is to have both GCC and the OpenSSL library installed. As the default web browser, MS Internet Explorer has been chosen for our testing, mainly because of the ubiquitous popularity of that browser. However, any modern web browser can be used, including Firefox, Mozilla, Netscape, Safari, Opera and others.

Installing Apache with SSL/TLS support

The first step in order to install Apache with SSL/TLS support is to configure and install the Apache 2 web server, and create a user and group named "apache". A secure way of installing Apache 2.0 has already been published on SecurityFocus in the article Securing Apache 2.0: Step-by-Step. The only difference from that process is to enable mod_ssl and mod_setenvif, the latter being required to provide compatibility with some versions of MS Internet Explorer. The two added options are --enable-ssl and --enable-setenvif:

    ./configure \
    --prefix=/usr/local/apache2 \
    --with-mpm=prefork \
    --enable-ssl \
    --disable-charset-lite \
    --disable-include \
    --disable-env \
    --enable-setenvif \
    --disable-status \
    --disable-autoindex \
    --disable-asis \
    --disable-cgi \
    --disable-negotiation \
    --disable-imap \
    --disable-actions \
    --disable-userdir \
    --disable-alias \
    --disable-so

After configuring, we can install Apache into the destination directory:

    make
    su
    umask 022
    make install
    chown -R root:sys /usr/local/apache2

Configuring SSL/TLS

Before running Apache for the first time, we also need to provide an initial configuration and prepare some sample web content. As a minimum, we need to go through the following steps (as root):

1. Create some sample web content, which will be served up via TLS/SSL:

    umask 022
    mkdir /www
    echo "<html><head><title>Test</title></head><body>Test works.</body></html>" > /www/index.html
    chown -R root:sys /www

2. Replace the default Apache configuration file (normally found in /usr/local/apache2/conf/httpd.conf) with the new one, using the following content (optimized with respect to security and performance).

    # =================================================
    # Basic settings
    # =================================================
    User apache
    Group apache
    ServerAdmin [email protected]
    ServerName www.seccure.lab
    UseCanonicalName Off
    ServerSignature Off
    HostnameLookups Off
    ServerTokens Prod
    ServerRoot "/usr/local/apache2"
    DocumentRoot "/www"
    PidFile /usr/local/apache2/logs/httpd.pid
    ScoreBoardFile /usr/local/apache2/logs/httpd.scoreboard
    DirectoryIndex index.html

    # =================================================
    # HTTP and performance settings
    # =================================================
    Timeout 300
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 30
    MinSpareServers 5
    MaxSpareServers 10
    StartServers 5
    MaxClients 150
    MaxRequestsPerChild 0

    # =================================================
    # Access control
    # =================================================
    <Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    <Directory "/www">
        Order allow,deny
        Allow from all
    </Directory>

    # =================================================
    # MIME encoding
    # =================================================
    TypesConfig /usr/local/apache2/conf/mime.types
    DefaultType text/plain
    AddEncoding x-compress .Z
    AddEncoding x-gzip .gz .tgz
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-tar .tgz
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    # =================================================
    # Logs
    # =================================================
    LogLevel warn
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    ErrorLog /usr/local/apache2/logs/error_log
    CustomLog /usr/local/apache2/logs/access_log combined
    CustomLog logs/ssl_request_log \
        "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
        %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"

    # =================================================
    # SSL/TLS settings
    # =================================================
    Listen 0.0.0.0:443

    SSLEngine on
    SSLOptions +StrictRequire

    <Directory />
        SSLRequireSSL
    </Directory>

    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

    SSLMutex file:/usr/local/apache2/logs/ssl_mutex

    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024

    SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
    SSLSessionCacheTimeout 600

    SSLPassPhraseDialog builtin
    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

    SSLVerifyClient none
    SSLProxyEngine off

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

3. Note: Readers should change some of the values in the above configuration file, such as the name of the web server, the administrator's e-mail address, etc.

4. Prepare the directory structure for the web server's private keys, certificates and certificate revocation lists (CRLs):

    umask 022
    mkdir /usr/local/apache2/conf/ssl.key
    mkdir /usr/local/apache2/conf/ssl.crt
    mkdir /usr/local/apache2/conf/ssl.crl

5. Create a self-signed server certificate (it should be used only for test purposes -- your real certificate should come from a valid CA such as Verisign):

    openssl req \
    -new \
    -x509 \
    -days 30 \
    -keyout /usr/local/apache2/conf/ssl.key/server.key \
    -out /usr/local/apache2/conf/ssl.crt/server.crt \
    -subj '/CN=Test-Only Certificate'

Testing the installation
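Before starting the server, it is worth checking that httpd.conf really carries the settings this article depends on: a ServerTokens/ServerSignature that hide the version, an SSLProtocol whitelist that leaves SSLv2 out, and a cipher string that excludes anonymous and low-grade suites. The following Go program is an added example, not code from the article or from Apache; it parses Apache-style directives (joining backslash-continued lines, skipping container tags) and applies those checks to the article's SSL settings and to a constructed weak configuration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ParseHTTPDConf returns each directive's arguments keyed by directive name (a later
// occurrence overrides an earlier one, as in Apache). "\"-continued lines are joined;
// comments, blank lines and container tags such as <Directory /> are skipped.
func ParseHTTPDConf(conf string) map[string][]string {
	seen := map[string][]string{}
	pending := ""
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasSuffix(line, "\\") { // continuation, as in the CustomLog line above
			pending += strings.TrimSuffix(line, "\\") + " "
			continue
		}
		line, pending = strings.TrimSpace(pending+line), ""
		if line == "" || line[0] == '#' || line[0] == '<' {
			continue
		}
		f := strings.Fields(line)
		seen[f[0]] = f[1:]
	}
	return seen
}

// SSLv2Enabled applies mod_ssl's SSLProtocol semantics: a bare token replaces the
// whole set, "+tok" adds, "-tok" removes, "all" covers every protocol and later
// tokens win. nil means the directive is absent; the mod_ssl 2.0 default is "all".
func SSLv2Enabled(args []string) bool {
	if args == nil {
		return true
	}
	enabled := false
	for _, a := range args {
		tok := strings.ToLower(strings.TrimLeft(a, "+-"))
		hits := tok == "all" || tok == "sslv2"
		switch {
		case strings.HasPrefix(a, "+"):
			enabled = enabled || hits
		case strings.HasPrefix(a, "-"):
			enabled = enabled && !hits
		default:
			enabled = hits
		}
	}
	return enabled
}

// Audit lists deviations from the settings the article treats as mandatory.
func Audit(conf string) []string {
	seen := ParseHTTPDConf(conf)
	arg := func(name string) string { return strings.Join(seen[name], " ") }
	var f []string
	if arg("ServerTokens") != "Prod" {
		f = append(f, "ServerTokens should be Prod")
	}
	if arg("ServerSignature") != "Off" {
		f = append(f, "ServerSignature should be Off")
	}
	if SSLv2Enabled(seen["SSLProtocol"]) {
		f = append(f, "SSLProtocol allows SSLv2")
	}
	if !strings.Contains(arg("SSLCipherSuite"), "!aNULL") {
		f = append(f, "SSLCipherSuite does not exclude anonymous (aNULL) suites")
	}
	for _, t := range strings.Split(arg("SSLCipherSuite"), ":") {
		if t = strings.TrimLeft(t, "+"); t == "LOW" || t == "EXP" || t == "EXPORT" {
			f = append(f, "SSLCipherSuite permits "+t+" ciphers")
			break
		}
	}
	return f
}

// ArticleSSL is the subset of the configuration above that the checks look at.
const ArticleSSL = `
ServerSignature Off
ServerTokens Prod
SSLEngine on
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
CustomLog logs/ssl_request_log \
    "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
    %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
`

// WeakConf is a constructed counter-example, not from the article: version banner
// on, SSLv2 left enabled, low-grade and export ciphers still acceptable.
const WeakConf = `
ServerTokens Full
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
`

func main() { fmt.Println(Audit(ArticleSSL), Audit(WeakConf)) }
```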

At this point we can start Apache with SSL/TLS support, as follows:

    /usr/local/apache2/bin/apachectl startssl
    Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.

    Server 127.0.0.1:443 (RSA)
    Enter pass phrase:*************

    Ok: Pass Phrase Dialog successful.

After the server starts, we can try to connect to it by pointing the web browser to a URL of the form https://name.of.the.web.server (in our case, https://www.seccure.lab). In a few moments, we should see a warning message saying that there is a problem with verifying the authenticity of the web server we want to access. Figure 3 shows an example from MS Internet Explorer 6.0.

Figure 3. Anticipated IE 6 certificate warning.

The occurrence of the above warning is perfectly correct. We should receive this message for two reasons:

• The web browser does not know the CA which issued the web server's certificate (and cannot know, because we are using a self-signed certificate)
• The CN (Common Name) attribute of the certificate does not match the name of the website - at the moment it is "Test-Only Certificate", and it should be the fully qualified domain name of the web server (e.g. www.seccure.lab)
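The two checks behind that warning can be reproduced outside the browser. The following Go program is an added example, not code from the article or from Apache: it creates a throwaway self-signed certificate (the counterpart of the openssl step above), serves it on a loopback TLS listener, connects as a client asking for www.seccure.lab, and reports the negotiated protocol and cipher together with the two failures a browser sees, an issuer that no trusted CA vouches for and a name that does not match. Trusting the certificate and giving it a matching name removes both, which is what a real certificate from a CA achieves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Report is what a browser (or openssl s_client) learns from one handshake.
type Report struct {
	Version      uint16 // negotiated protocol, e.g. tls.VersionTLS13
	Cipher       string // negotiated cipher suite
	SelfSigned   bool   // subject equals issuer
	UnknownCA    bool   // reason 1 above: no trusted CA vouches for it
	NameMismatch bool   // reason 2 above: not valid for the requested host
}

// SelfSignedCert mirrors the article's openssl step: a 30-day self-signed certificate
// identified by cn. dnsNames are the SAN entries a real server certificate carries.
func SelfSignedCert(cn string, dnsNames ...string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Probe serves cert on a loopback TLS listener, connects as a client that believes it
// is talking to hostname, and judges the presented certificate against roots.
func Probe(cert tls.Certificate, hostname string, roots *x509.CertPool) (Report, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return Report{}, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // complete the handshake, then hang up
			c.Close()
		}
	}()
	// InsecureSkipVerify only lets the handshake finish; verification is done explicitly below.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:         hostname,
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS12, // client-side analogue of SSLProtocol
	})
	if err != nil {
		return Report{}, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	if len(st.PeerCertificates) == 0 {
		return Report{}, errors.New("server sent no certificate")
	}
	leaf := st.PeerCertificates[0]
	r := Report{
		Version:    st.Version,
		Cipher:     tls.CipherSuiteName(st.CipherSuite),
		SelfSigned: leaf.Subject.String() == leaf.Issuer.String(),
	}
	var unknown x509.UnknownAuthorityError // reason 1: chain ends in no trusted root
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	r.UnknownCA = errors.As(err, &unknown)
	var mismatch x509.HostnameError // reason 2: certificate names vs. requested name
	r.NameMismatch = errors.As(leaf.VerifyHostname(hostname), &mismatch)
	return r, nil
}

func main() {
	cert, _ := SelfSignedCert("Test-Only Certificate")
	r, err := Probe(cert, "www.seccure.lab", x509.NewCertPool())
	fmt.Printf("%+v %v\n", r, err)
}
```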

After proceeding with Internet Explorer, we should see the web content shown in Figure 4.

Figure 4. Sample working SSL web page.

As one may notice, there is a yellow lock at the bottom of the web browser window, which means that the SSL connection has been successfully established. The value "128-bit" says that the symmetric key that is being used to encrypt the communication has a length of 128 bits, which is strong enough (at least for the moment) to protect the traffic from unauthorized access. If we double-click the lock icon, we will see the properties of the website's certificate, as shown below in Figure 5.

Figure 5. Details of our self-signed certificate.

Troubleshooting

If for some reason we could not access the website, there is a very useful diagnostic tool known as "s_client" that comes with the OpenSSL library. It can be used to troubleshoot TLS/SSL connections. An example of how to use this tool is shown below:

    /usr/bin/openssl s_client -connect localhost:443
    CONNECTED(00000003)
    depth=0 /CN=Test-Only Certificate
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /CN=Test-Only Certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=Test-Only Certificate
       i:/CN=Test-Only Certificate
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    (certificate body omitted)
    -----END CERTIFICATE-----
    subject=/CN=Test-Only Certificate
    issuer=/CN=Test-Only Certificate
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1143 bytes and written 362 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 56EA68A5750511917CC42A1B134A8F218C27C9C0241C35C53977A2A8BBB9986A
        Session-ID-ctx:
        Master-Key: 303B60D625B020280F5F346AB00F8A61A7C4BEA707DFA0ED8D2F52371F8C4F087FB6EFFC02CE3B48F912D2C8929DB5BE
        Key-Arg   : None
        Start Time: 1101164382
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    GET / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Mon, 22 Nov 2004 22:59:56 GMT
    Server: Apache
    Last-Modified: Mon, 22 Nov 2004 17:24:56 GMT
    ETag: "5c911-46-229c0a00"
    Accept-Ranges: bytes
    Content-Length: 70
    Connection: close
    Content-Type: text/html

    <html><head><title>Test</title></head><body>Test works.</body></html>
    closed

The s_client tool has many useful options, such as switching a particular protocol on or off (-ssl2, -ssl3, -tls1), choosing a certain cipher suite (-cipher), enabling debug mode (-debug), watching SSL/TLS states and messages (-state, -msg), and other options which can help us find the source of the problem. If s_client does not lead us to the source of the problem, we should change the LogLevel value (in httpd.conf) to "debug", then restart Apache and check its log files (/usr/local/apache2/logs/) for more information. We can also try to use Ethereal or ssldump. Thanks to these tools, we can passively watch the SSL Handshake messages, and try to find the reason for the failure. A screenshot of doing this using Ethereal is shown below in Figure 6.

Figure 6. Ethereal watching SSL Handshake messages.

Concluding part one

With our secure Apache 2 server up and running with SSL and a sample certificate, this concludes part one of the article series. Next in part two, the reader will see the recommended security and performance settings for mod_ssl, as well as the process for creating a valid web server certificate.

About the author

Artur Maj works as a Principal Software Engineer for Oracle Corporation, in the EMEA Mobile, Wireless & Voice Center of Expertise. He is experienced in designing computer systems, performing security audits as well as providing security training. He is also the author of many articles and publications devoted to securing computer systems and software against intruders. View more articles by Artur Maj on SecurityFocus.



Any Port in a Datastorm

It seems like every day there is a new Internet service that uses some new set of poorly-documented, unregistered ports. I created this page to gather together all the information I could find about the ports used by these new services, for use by firewall administrators and other network monitors.

• "dyn" in the ports field denotes dynamically allocated port(s), usually in the range >=1024 <=65535
• A name in the ports field (e.g. LDAP) indicates that service is also required
• A plus sign + in the ports field indicates the service may use a series of ports starting at the specified one
• An asterisk * in the Notes field indicates that the ports are IANA registered

When a specific port is registered it is usually assigned for both TCP and UDP even though only one or the other may be required. Where possible I have only shown the required ones. This is not intended to list old, well-documented services such as telnet, FTP etc. You can find these in the IANA list. You may contact me by email with any suggestions or corrections, or post a message to the TCP/IP Ports discussion.

Ports for Internet Services

Service TCP UDP Notes SSH 22 Secure Shell * HyperText Transfer Protocol * (e.g. for web browsing). Currently (2003-07-05) HTTP 80 HTTP/1.1 is officially described in RFC 2616. * An interesting story. The name attached to this port in the IANA list, Earl Killian, says he shouldn't be. He says "I don't know what HOSTS2 Name 81 is, or whether it is still in use." Since Mr. 81 81 Server Killian doesn't know what HOSTS2 is/was, and with Postel gone, I wonder if there's anyone left in the world who knows what 81 was/is for and who actually requested it. * Another interesting story. The name attached to this port in the IANA list, Thomas M. Smith of Lockheed Martin, says Sorry... there is no publicly available XFER Utility 82 82 information regarding the details of the XFER Utility and its use of tcp and udp port # 82. XFER employs a proprietary protocol which has not been disclosed. * registered as "epmap - DCE endpoint RPC Endpoint 135 135 resolution". Used by Microsoft for RPC Mapper locator service. See additional information. LDAP 389 389 Lightweight Directory Access Protocol * LDAP or ULP, dyn >=1024, dyn MS NetMeeting videoconferencing 1503, H.323 >=1024 HostCall, MS ICCP 407, 1417- 407 remote control * 1420 Service Location Protocol * Used by MacOS SLP 427 427 and NetWare. HTTPs 443 secure HTTP (SSL) * printing * LPD stands for Line Printer LPD / printer 515 515 . Also see printing section. ULP 522 522 User Location Protocol (Microsoft) * AppleTalk Filing 548 548 * Protocol (AFP) QuickTime 4 RTSP RTP-QT4 streaming audio, video * Real Time Streaming Protocol *. Currently RTSP 554 (2003-07-05) described in RFC 2326. NNTPs 563 secure NNTP news (SSL) * print remotely to any IPP enabled printer Internet Printing through the Internet * The Common 631 631 Protocol (IPP) Printing System (CUPS) is based on IPP. Also see printing section. secure LDAP * (LDAP protocol over LDAPs 636 636 TLS/SSL) Doom 666 666 network game * Remotely Possible 799 remote control. 
CA ControlIT support. (ControlIT) VMware Virtual remote control and viewing of virtual 902 Machine Console machines. vmware-authd. SOCKS 1080 internet proxy *. Also used by Trojans. OpenVPN 1194 1194 * Kazaa 1214 1214 peer-to-peer file sharing * peer-to-peer. Also see InfoAnarchy WASTE WASTE 1337 1337 FAQ. This port is officially registered for Men and Mice DNS (QuickDNS Remote). Lotus Notes 1352 * Domino VocalTec Internet 1490, 6670, 22555 videoconferencing * Phone 25793 1494, dyn 1604, dyn Citrix ICA remote application access * >=1023 >=1023 Virtual Places 1533 conferencing *, also see VP voice Xing StreamWorks 1558 streaming video * Novell GroupWise group collaboration * NOTE: Other features 1677 1677 (Remote Client) of GroupWise use many other ports. H.323 Call 1720 1720 H.323 host call * (VPN) * Note PPTP also uses the GRE protocol. However Microsoft says in Understanding PPTP: PPTP 1723 "PPTP can be used with most firewalls and routers by enabling traffic destined for port 1723 to be routed through the firewall or router." MS ICCP 1731 1731 audio call control (Microsoft) * 1755, dyn MS NetShow 1755 >=1024 streaming video * <=5000 instant messenging *. NOTE: For detailed info on ports for file transfers, voice and MSN Messenger 1863 video, see the Windows and MSN Messenger section below. Netopia netOctopus 1917, 1921 1917 network management * 1984 1984 * videoconferencing. NOTE: security risk on ICU II 2000-2003 TCP port 50000 videoconferencing. 
Note: support docs are iSpQ 2000-2003 inconsistent on what ports are required glimpseserver 2001 search engine Distributed.Net 2064 distributed computation RC5/DES 2234, SoulSeek 2234, 5534 file sharing 5534 Microsoft DirectX networked multiplayer games, * only 47624 2300-2400, gaming (DirectPlay) 2300-2400is registered as "Direct Play Server", if 47624 7 needed also see MSN Gaming Zone Microsoft DirectX 2302- networked multiplayer games, * only 6073 is gaming (DirectPlay) 2400, registered as DirectPlay8, if needed also see 8 6073 MSN Gaming Zone MADCAP - * defined in RFC 2730 - Multicast Address Multicast Address 2535 2535 Dynamic Client Allocation Protocol Dynamic Client (MADCAP). Also used by Trojans. Allocation Protocol Netrek 2592 network game * peer-to-peer (P2P) filesharing. Officially ShareDirect 2705 2705 registered for Sun SDS Admin. * Alex Tronin reports was used for Urbis URBISNET 2745 2745 geolocation service... now not operational, but may be revived. Also used by Trojans. Borland Interbase 3050 3050 * gds_db. See CERT Advisory CA-2001-01 database for potential security risk. squid 3128 3130 web proxy cache. Also used by Trojans. * Internet Storage Name Service, see iSCSI iSNS 3205 3205 section iSCSI default port 3260 3260 * SCSI over IP, see iSCSI section * registered as ms-wbt-server. RDP 5.1 is the Windows Remote current version. See below for more Desktop Protocol 3389 information. Remote Desktop Web (RDP) Connection also uses HTTP. NetworkLens SSL 3410 3410 * Also used by Trojans. Event Virtual Places 3450, 8000- voice chat, also see Virtual Places Voice Chat 9000 Apple iTunes music 3689 3689 Digital Audio Access Protocol * sharing (DAAP) Mirabilis ICQ dyn >=1024 4000 locator, chat (note: see newer AOL ICQ) 4000, 6112- 4000, network gaming - support (captured 2001- Blizzard / Battle.net 6119 6112-611911-11), proxy and firewall info 4000-4100, peer-to-peer audio and video streaming. 
Abacast 4500, 9000- NOTE: This software will create 9100 OUTGOING streams to other users if it can. GlobalChat client, 4020 4020 chat rooms, used to be called ichat server PGPfone 4747 secure phone 4747, 4748, PlayLink 6144 online games 10090 radmin 4899 4899 remote control * Yahoo Messenger - 5000-5001 5000-5010voice chat Voice Chat H.323 5000- audio and videoconference. 5000-5003 is GnomeMeeting HostCall, 5003, RTP and RTCP range for this app. 30000-30010 5010-5013 Yahoo Messenger - messaging. NOTE: It will try ports 5050, 80, 5050 messages any port. Session Initiation Protocol *. For audio and SIP 5060 5060 video. Currently (2003-07-05) see RFCs 3261, 3262, 3263, 3264, 3265 SIP, RTP- audio and video conferencing. May also Apple iChat AV iChatAV need iChat local port. Yahoo Messenger - 5100 video Webcams AOL Instant 5190 5190 America OnLine * Also used by Apple iChat Messenger (AIM) (in AIM compatibility mode). video chat. It is unclear from their FAQ 1024-5000 AIM Video IM 1024-5000 ? whether you need to open both TCP and ? UDP ports. 5190, dyn AOL ICQ messaging >=1024 AOL 5190-5193 5190-5193America OnLine * * Extensible Messaging and Presence 5222, Protocol. Also see Using Jabber behind XMPP / Jabber 5222, 5269 5269 firewalls. Defined by XMPP specs (RFCs now issued), specs created by IETF group. audio / video conference, fileshare, Qnext 5235-5237 5235-5237everything. Port 5236 is officially assigned to "padl2sim". iChat local traffic 5298 5298 Some Rendezvous thing. * Mac OS X 10.2: About Multicast DNS. Related to Zeroconf which Apple has Multicast DNS 5353 5353 implemented as Rendezvous. (Note: the regular Domain Name Service port is 53.) 5354, 7175, 8680-8890, dyn Dialpad.com telephony 9000, 9450- >=1024 9460 HotLine 5500-5503 peer-to-peer filesharing. * SGI Embedded Support Partner (ESP) web SGI ESP HTTP 5554 5554 server. Also used by Trojans, see SGI Security Advisory 20040501-01-I. 
* I don't know if InfoSeek Personal Agent InfoSeek Personal exists anymore. This port is commonly used 5555 5555 Agent by HP OpenView Storage Data Protector (formerly HP OmniBack). pcAnywhere 5631 5632 remote control * eShare Chat Server 5760 eShare Web Tour 5761 eShare Admin 5764 Server VNC 5800+, 5900+ remote control 6346, 6346, 6347 peer-to-peer file sharing * 6347 H.323 Netscape HostCall, 2327 audioconferencing Conference 6498, 6502 Danware NetOp 6502 6502 remote control Remote Control common IRC 6665-6669 * telephony, admin should select one TCP and Net2Phone 6801, UDP port in the range 1-3000. Same ports selected CommCenter selected are used by Yahoo Messenger - PC-to- Phone. 6881-6889, distributed data download, newer versions BitTorrent 6969 TCP 6881-6999. Alternate FAQ link. Realtime Transport Protocol. (These ports RTP-QT4 6970-6999 are specifically for the Apple QT4 version.) user- VDOLive 7000 streaming video specified Real Audio & RTSP, 7070 6970-7170streaming audio and video Video 7648- CU-SeeMe, 7648, 7649, 7652, videoconferencing Enhanced CUSM LDAP 24032 8000, 8001, common HTTP 8080 Apache JServ (default port) See Workers HowTo for Protocol v12 8007 8007 config info. (ajp12) Apache JServ (default port) e.g. Apache mod_jk Tomcat Protocol v13 8009 8009 connector using ajp13. See Workers HowTo (ajp13) for config info. Grouper 8038 8038 peer-to-peer (P2P) filesharing printing * PDL is Page Description PDL datastream 9100 9100 Language. Used commonly by HP printers and by Apple. Also see printing section. MonkeyCom 9898 9898 * video-chat, also used by Trojans 9943, iVisit 9945, videoconferencing 56768 The Palace 9992-9997 9992-9997chat environment * common Palace 9998 chat environment Network Data Management Protocol *. Used NDMP 10000 10000 for storage backup. Also used by Trojans. Amanda 10080 10080 backup software *. Also used by Trojans. 
Yahoo Games 11999 network games Italk 12345 12345 network chat supporting multiple access methods * Appears mostly used in Japan. There are many other applications calling themselves "italk". TrendMicro OfficeScan antivirus also uses this port. Commonly used by Trojans. 16384- RTP-iChatAV Used by Apple iChat AV. 16403 Realtime Transport Protocol. RTP in general is described in RFC 3550. This range is not 16384- RTP registered (it never could be, being so broad) 32767 but it seems to be somewhat common. See Are there specific ports assigned to RTP? Palm Computing 14237 14238 data synchronization Network Hotsync Liquid Audio 18888 streaming audio 21300- FreeTel audioconferencing 21303 VocalTec Internet 22555 22555 audio & document conferencing * Conference Quake 26000 26000 network game * 28800- network gaming (zone.com, zone.msn.com), MSN Gaming Zone 28800-29100 29100 also see DirectPlay 7 and DirectPlay 8 Sygate Manager 39213

iSCSI

iSCSI is specified in RFC 3720 - Internet Small Computer Systems Interface.

The well-known user TCP port number for iSCSI connections assigned by IANA is 3260 and this is the default iSCSI port. Implementations needing a system TCP port number may use port 860, the port assigned by IANA as the iSCSI system port; however in order to use port 860, it MUST be explicitly specified - implementations MUST NOT default to use of port 860, as 3260 is the only allowed default.

Also associated with iSCSI is iSNS, Internet Storage Name Service, on port 3205. These services essentially open up your storage to the Internet in ways even deeper than CIFS, NFS and other file-level sharing services. Therefore you should be very careful about security and may want to block these ports completely, or tightly limit access to them.

Printing

There are several port numbers that may be involved with printing. Print Server Port Numbers is a useful guide. The three main ones are LPD ("printer") on port 515, IPP on 631, and PDL-datastream on 9100. Apple MacOS X Rendezvous Printing (PDF) will discover printers that are advertising their services. They give the following example: the Apple LaserWriter 8500 would register the following services, assuming the default domain is "local."

Apple LaserWriter 8500._printer._tcp.local. Port 515 Apple LaserWriter 8500._ipp._tcp.local. Port 631 Apple LaserWriter 8500._pdl-datastream._tcp.local. Port 9100 Napster

After examining Napster, I decided it was such a complex protocol that it deserved its own section. The first thing to be aware of is that there are two versions of Napster. The "original" flavor is what most will be interested in. This is the full music file-sharing service. This original service provided by Napster.com has now been shut down. Napster.com will be providing a new service with much more controlled music sharing. However, the original protocol lives on, and the protocol has been analyzed so that people could write compatible applications for many different operating systems. There is information on the protocol (and how to get it through your firewall) from:

• Microsoft Support Q275236
• opennap.sourceforge.net
• david.weekly.org

Here is a summary of the TCP ports it uses. I have put the notation (primary) after the main port, if more than one port is listed.

• metaserver / redirector: 8875
• directory servers: 4444, 5555, 6666, 7777, 8888 (primary)
• client: 6600 to 6699 (primary)

PalTalk

PalTalk is another messy service that uses many ports, more than I want to summarize here. Visit their support page: PalTalk Networking Support.

Ultima Online

Information from What are the port numbers I need to play UO behind a firewall or proxy server?

Service | Ports | Notes
Game | 5001-5010 |
Login | 7775-7777 |
Patch | 8888 | overlaps with common HTTP port
UO Messenger | 8800-8900 | includes port 8866 which is also used by a Trojan
Patch | 9999 |

Windows Messenger and MSN Messenger Application

A related note: the Messenger Service that runs at the operating system level is different from the Windows Messenger or MSN Messenger application. For information about the Messenger APPLICATION see:

• For file transfer or voice chat ports and NAT information for MSN Messenger 3 see MS Support article Q278887.
• Microsoft Knowledge Base Article Q324214 - You cannot make phone calls or start voice or video conversations with Windows Messenger
• Windows Messenger 5.0 in Windows XP: Working With Firewalls and Network Address Translation Devices
• Microsoft Support WebCast - Messenger for Windows XP: New Features, Common Issues, and Troubleshooting, July 17, 2002

Service | TCP | UDP | Notes
Windows Messenger - voice (computer to phone) | | 2001-2120, 6801, 6901 | from Q324214. NOTE: 6801 is Net2Phone.
MSN Messenger - file transfers | 6891-6900 | | from Q278887. Allows up to 10 simultaneous transfers.
MSN Messenger - voice communications (computer to computer) | 6901 | 6901 | from Q278887

For Windows Messenger in a non-UPnP environment, unfortunately Microsoft requires dynamic UDP ports across a very wide range. This is a tremendous security risk. Try to establish a UPnP environment if possible. Nevertheless, here is what they say:

"To support [audio and video] in both directions through the firewall, all UDP ports between 5004 and 65535 must be opened to allow signaling (SIP) and media streams (RTP) to traverse the firewall."

Also note: I don't know how much information for WINDOWS Messenger applies to MSN Messenger and vice versa. I also don't know how much information for MSN Messenger Windows version applies to MSN Messenger Mac version. And last but not least, there are multiple different versions of Messenger, which may differ in various ways.

Email Ports

Email is sent around the Internet mainly from server to server using SMTP. Once delivered, clients may access it in a variety of ways, including POP3 and IMAP. This section DOES NOT cover Microsoft Exchange or other proprietary mail protocols. The major upcoming change to email is the use of TCP port 587 "submission" for email, as defined in section 3.1 of RFC 2476 - Message Submission. This is planned to replace the traditional use of TCP port 25, SMTP.

3.1. Submission Identification

Port 587 is reserved for email message submission as specified in this document. Messages received on this port are defined to be submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with additional restrictions as specified here.

While most email clients and servers can be configured to use port 587 instead of 25, there are cases where this is not possible or convenient. A site MAY choose to use port 25 for message submission, by designating some hosts to be MSAs and others to be MTAs.

This initiative is being promoted by, amongst others, the Anti-Spam Technical Alliance. See Anti-Spam Technical Alliance Technology and Policy Proposal, Version 1.0, 22 June 2004 (PDF)

We further recommend that SMTP authentication be implemented on the standard Mail Submission Port, port 587, and that ISPs encourage their customers to switch their mail client software (for example, MS Outlook, Eudora, and so on) to this port. Using this port will provide seamless connectivity that does not depend on if a network allows port 25 traffic.

In addition to SMTP, the other main email protocols are POP3 and IMAP; these are protocols for email clients to access their mailboxes. There are many other topics that are outside the scope of this page. For example, email addresses are described in RFC 2822 (obsoletes RFC 822), and SMTP authentication is covered in RFC 2554 - SMTP Service Extension for Authentication. Security (TLS) is covered in RFC 2246 - The TLS Protocol Version 1.0. SMTP over TLS is covered in RFC 3207 - SMTP Service Extension for Secure SMTP over Transport Layer Security. The Network Sorcery RFC Sourcebook entry for SMTP also links to many relevant RFCs that cover the details of the protocol itself.

Service | TCP Port | Notes
SMTP - Simple Mail Transfer Protocol | 25 | * As part of the anti-spam best practices, you should block this outgoing for any machine that doesn't need to send email directly.
SMTPs - secure SMTP | 465 | Port 465 shows up in Appendix A of the 1996 non-standard standard The SSL Protocol Version 3.0 as "Simple Mail Transfer Protocol with SSL". Unfortunately, it's not registered for SMTPs, it's registered for URD - "URL Rendesvous Directory for SSM" by Cisco. The recommended approach, at least for authentication, is to use START TLS encryption on submission port 587.
submission (SMTP email) | 587 | * See RFC 2476 - Message Submission.
POP2 - Post Office Protocol 2 | 109 | * obsolete
POP3 - Post Office Protocol 3 | 110 | *
POP3s - secure POP3 | 995 | * Full description is "pop3 protocol over TLS/SSL (was spop3)".
IMAP3 - Interactive Mail Access Protocol v3 | 220 | * obsolete
IMAP4 - Internet Message Access Protocol 4 | 143 | * Also referred to by version as IMAP4.
IMAPs - secure IMAP | 993 | * Full description is "imap4 protocol over TLS/SSL". Use 993 instead of TCP port 585 "imap4-ssl", which is deprecated.
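As an added example (not code from this page or from any of the RFCs or products it cites), the following Python walks an ESMTP EHLO reply the way the submission guidance above implies: connect to TCP 587, negotiate STARTTLS before any credentials are sent, then AUTH. The server name and the reply text are constructed sample data.

```python
# Added example (not part of the original page): walk an ESMTP reply the way
# the page recommends for mail submission - TCP 587 (RFC 2476), STARTTLS
# (RFC 3207) before any AUTH (RFC 2554). Server text below is constructed.
import re

# Constructed EHLO reply, as an MSA on port 587 might send it before TLS.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply):
    """Return {EXTENSION: [params]} from a multi-line 250 reply.

    '250-' means more lines follow; '250 ' (space) is the final line.
    The first line is the server greeting, not an extension keyword.
    """
    lines = reply.strip().split("\r\n")
    exts = {}
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        sep, text = m.groups()
        last = i == len(lines) - 1
        if (sep == " ") != last:
            raise ValueError("reply continuation/termination mismatch")
        if i == 0:
            continue
        parts = text.split()
        exts[parts[0].upper()] = parts[1:]
    return exts


def next_step(port, exts, tls_active):
    """Decide the client's next command for a submission session.

    Policy from the page: submit only on 587, never send credentials
    before STARTTLS has been negotiated, and require AUTH once it has.
    After STARTTLS the client re-issues EHLO, so this is called twice.
    """
    if port != 587:
        return "ABORT: port %d is not the submission port 587" % port
    if not tls_active:
        if "STARTTLS" in exts:
            return "STARTTLS"
        return "ABORT: no STARTTLS offered; not sending credentials in clear"
    if "AUTH" in exts:
        return "AUTH " + " ".join(exts["AUTH"])
    return "ABORT: no AUTH offered after TLS; submission requires it"


if __name__ == "__main__":
    exts = parse_ehlo(SAMPLE_EHLO_REPLY)
    print(next_step(587, exts, tls_active=False))  # STARTTLS
    print(next_step(587, exts, tls_active=True))   # AUTH PLAIN LOGIN
```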

Oracle Database TCP/IP Ports

I have a separate page for Oracle ports.

Obsolete Services

Apple released QuickTime 4 some time ago. I am unsure of the status of their older QuickTime Conferencing (MovieTalk) protocol. All of the applications that supported it (Connectix VideoPhone, Apple VideoPhone, Netscape CoolTalk, QuickTime TV) are no longer supported and the QuickTime Conferencing website is gone.

Service | TCP | UDP | Notes
QuickTime Conferencing (MovieTalk) | 458 | 458, dyn >= 7000 | videoconferencing *
Apple VideoPhone | MovieTalk | MovieTalk | videoconferencing *
Connectix VideoPhone | MovieTalk, dyn >= 1024, 4242 | MovieTalk | videoconferencing
Netscape CoolTalk | 6499, 6500 | 13000 | videoconferencing

Official TCP/IP Port Assignments

• IANA - TCP/IP Port Assignments (585K)

Also note, although you will sometimes see mention of RFC 1700 "Assigned Numbers" (dated October 1994), it was long ago obsoleted by the official IANA list. Do not use RFC 1700 as a reference. This fact is now officially documented by RFC 3232 "Assigned Numbers: RFC 1700 is Replaced by an On-line Database". Network Sorcery lists the IANA TCP/UDP Ports with links to pages describing some protocols in detail, as part of its incredibly useful RFC Sourcebook.

Searchable Port Lists

These cover registered, unregistered, and trojan ports - note that many ports have legitimate, required uses, even though people have also used them as trojan ports.

• Andrew Daviel's Query is a very nice port metasearch engine
• Tantalo.net Ports database
• Neohapsis Ports List
• PC Flank Ports Database
• portsdb.org Ports Database
• Snort Ports Database
• SecurityStats.Com TCP/UDP Port Search
• Dave's Port Lookup lists registered services along with known trojans
• WeetHet in English or in Dutch lists both registered and trojan ports
• UpOneLevel Network Port listing
• Techeez Port Search

Understanding TCP/IP

The IBM RedBooks are an amazing resource for many technical topics. They have a TCP/IP Tutorial and Technical Overview available as HTML or 7.7 MB PDF. Cisco also provides excellent information online. Internet Protocols is just one section of their Internetworking Technology Handbook. There is information on IP (the protocol on which TCP and UDP are built) in Internet Core Protocols: The Definitive Guide, Sample Chapter 2: The Internet Protocol [IP].

Articles and Related Resources

Windows

This section discusses specific port information related to Microsoft or provided by them. If you are looking for information about Windows firewalls, including XP Service Pack 2, see the Windows Security Software and Built-in Windows Firewalls sections of my Trojan TCP/IP Ports page. Microsoft has announced a new firewall in Windows XP Service Pack 2; it replaces the Internet Connection Firewall (ICF) in previous versions of Windows.

• MS KB 842242 - Some programs seem to stop working after you install Windows XP Service Pack 2 has a section "Identifying and opening ports" and also a fairly extensive list of ports in "Programs that may require you to open ports manually", although for all of the games it says "see the documentation" in the Ports column, which is not exactly helpful information.
• How to Open Ports in the Windows XP Internet Connection Firewall has a list of ports followed by instructions
• Port Requirements for the Microsoft Windows Server System (KB 832017)
• TCP and UDP Port Assignments (Windows 2000 Server - Resource Kits - TCP/IP Core Networking Guide - Appendix C)
• NetBIOS Over TCP/IP [original page removed; using archive.org version]
• Firewall Information - Technologies
• Microsoft has provided a good list of Windows NT, Terminal Server, and Microsoft Exchange Services Use TCP/IP Ports
• TCP/UDP Ports Used By Exchange 2000 Server
• Replication over Firewalls
• TCP, UDP, and RPC Ports Used by MSMQ (Microsoft Message Queue Server)
• A List of the Windows 2000 Domain Controller Default Ports

More information about Windows Remote Desktop Protocol (RDP)

As indicated in the RDP section above, this protocol uses a registered TCP port. It is used for XP Pro Remote Desktop and XP Remote Assistance (read Administering Remote Assistance for a very good overview of firewall, NAT and blocking issues). It is also used for WinNT4 Terminal Server, Win2000 Terminal Services, and Win .NET Server 2003 Terminal Server.

Windows Remote Procedure Call (RPC) and Distributed COM (DCOM)

In some cases, Microsoft uses port 135 as an RPC Endpoint Mapper. It runs as RPCSS on (some versions of?) Windows. This is a sort of "RPC directory" service which can be used to look up what ports other services are running on. For some additional information, see Windows 2000 Network Architecture: Remote Procedure Call and NT Gatekeeper: RPC and Firewall Configuration. MS-RPC on port 135 is required for some Exchange Server and Active Directory communications. See e.g. TCP Ports and Microsoft Exchange: In-depth Discussion and Restricting Active Directory Replication Traffic to a Specific Port. However, this port also poses a security risk, as indicated in the NET SEND section of my broadband security page. UPDATE 2003-08-13: Also see the Blaster Worm section for information about this additional security risk. Additional information:

• Using Distributed COM with Firewalls
• RPC and Firewall Configuration Sidebar: RPC Dynamic Port Allocation

Mac

OpenDoor (makers of DoorStop) have a nice list of MacOS-related ports, with hyperlinks to relevant information. Apple support has provided a list of "Well Known" TCP and UDP Ports Used By Apple Software Products. Although it doesn't give any port numbers, you may find Rendezvous service types being used by Mac OS X useful.

Novell (NetWare)

• Novell Documentation: NetWare 6 - Port Number Assignments
• Matrix of Ports used in NetWare 6 - TID 10065719
• TCP/IP Port Numbers used by Novell Products - TID 10014320 (NetWare 5.0 and earlier)

IBM (WebSphere)

• Firewall Port Assignments in WebSphere Application Server V5

IP Telephony / Voice over IP (VoIP) / H.323 / SIP / RTP

Some applications that use H.323 include: ohphone, ohphoneX, ... Getting H.323 audio/video conferencing through firewalls is particularly problematic. I have used Google cache to rescue an Intel document, The Problems and Pitfalls of Getting H.323 Safely Through Firewalls. Note in particular that RTCP (Real Time Control Protocol) has no fixed port: an RTCP session is paired with an RTP session, so if you have an RTP stream on even-numbered UDP port x, RTCP is on x + 1.

• IP Ports and Protocols used by H.323 Devices
• Cisco: IP Telephony / VoIP Traversal of NAT and Firewall

General

The white paper Cisco PIX Firewall and Stateful Firewall Security contains some useful information about the ports and connection protocols for VDOnet, CU-SeeMe, and RealAudio. Ed Bott's article Block those ports! contains some useful information, and also a kind review of this web page. You can check out Internet Firewalls: Frequently Asked Questions. As of this writing it was last updated 2000/12/01 but it still has lots of good information. NetGear's Applications Port List lists a lot of games. Tim Williams' list of Ports Used by Computer Games has lots of good info. By popular request: a page on Blocking Chat Programs. More and more good resources are becoming available, particularly for people with home networks. If you haven't found what you were looking for here, you can try:

• PracticallyNetworked:
  o Handling Special Applications
  o Special Applications - Opening Ports
  o Special Applications - Port List
• HomeNetHelp:
  o Explaining DMZs and
  o Port list for running a server through a router
  o Port list for running a game server through a router or firewall

Network Protocols

Note that certain services such as IPSec and Microsoft's PPTP use non-TCP/UDP protocols, so they may be more complicated to use. In particular, PPTP uses GRE (protocol 47) and IPSec uses ESP (protocol 50) and AH (protocol 51). Protocol numbers are not the same as port numbers. IANA maintains the Assigned Internet Protocol Numbers.

Related Information: Trojan TCP/IP Ports, Free Firewall Book

Those of you concerned with Internet security may wish to also check out my companion page, Trojan TCP/IP Ports, for a list of ports used by trojan horse and backdoor programs. Also I have a link to firewall books there (including a free book).

Questions

If you have questions, comments or suggestions specifically about this page or TCP/IP ports then you can email me or use my QuickTopic: Discuss TCP/IP Ports. For firewall questions I suggest the USENET group comp.security.firewalls via groups.google.com or your newsreader. If your question is Microsoft-specific, you may want to try the USENET microsoft.public groups, in particular:

• microsoft.public..messenger: Google Groups or newsreader
• microsoft.public.windowsxp.messenger: Google Groups or newsreader
• microsoft.public.internet.mschat: Google Groups or newsreader
• microsoft.public.internet.netmeeting: Google Groups or newsreader

Copyright © 1996-2006 Richard Akerman. All rights reserved. No mirroring without prior written consent. If you wish to mirror this page, contact me by email. The requirements are:

• The page content including my copyright notice remains intact
• The official permanent link to this page is http://www.akerman.ca/port-table.html
• The date of the mirror and the frequency of updates must be indicated
• Use metatags or robots.txt to prevent your mirror from being indexed by search engines
• There can be no other copyright notices or advertising/promotion of any kind on the mirror page
