Preferably, the PSK is distributed out-of-band.

Acknowledgements to Jeffrey S.

Nothing much to it. A preshared key for clients connecting from any IP address: PSK "keysharedbyallclients". The line above only works on recent versions of Openswan. There is a subtle difference with the following (see also 'man ipsec.'). When you enable PFS, your adversaries (hackers, competitors, law enforcement, the mob, etc.)

This property of PFS is also known as "escrow-foilage". Openswan, on the other hand, enables PFS by default. I assume that you have configured Openswan at this stage. See the list of clients at the top of this page.

After you have configured your client(s), you can use it to initiate the VPN connection. Initiate ('dial') the VPN connection; the procedure for this depends on the type of client (see the previous section).

The client will report an error such as "The computer you are dialling is not responding". The error is correct (the L2TP part has not been set up yet), but the IPsec connection should come up successfully. If you see this, congratulations! You've got the IPsec part nailed. Continue with the L2TP part below. If not, check your configuration or go to 'Troubleshooting'. This means you will need an L2TP server on your Linux system.

I am aware of the following open source implementations: l2tpd and rp-l2tp, among others. One thing to note is that both l2tpd and rp-l2tp install their daemon in the same location. That is very unfortunate, but in most cases you will only install one of these two daemons, so it should not be that much of a problem. rp-l2tp seems to have a better code base than l2tpd. Most of the L2TP daemons (l2tpd is the exception) have the drawback that they cannot assign dynamic internal (virtual) IP addresses by themselves.

This is not an issue if you want to assign fixed internal addresses to your users, but it is a problem if you want to assign dynamic IP addresses. Three solutions have been proposed. The first approach more or less violates the OSI networking layering model, but this is how l2tpd does it; nobody has implemented this solution for the other L2TP daemons yet.

For the second solution to work you need a pppd plugin called ppp-dhcp (for more information read this thread, with additional configuration tips by Ben McKeegan in this thread).

The third solution is to use pppd version 2. Most distributions ship with a PPP server (pppd). Again, I don't claim that these are the best, but they should get you started.

I have built several binary RPMs for your convenience, but I recommend you get the source RPM, inspect the SPEC file, download the original tarball and the patches from their original locations, review all source files for backdoors and other security risks, and then build the RPM yourself.

It's a lot more of a hassle, but security has its price. You will need to set a boolean variable for SuSE. The 'listen-addr' parameter has already been discussed above. By default, l2tpd will listen on all interfaces.

The parameter 'ip range' specifies a range of IP addresses on the internal LAN that will be allocated to remote users. With 'local ip' you specify what IP address will be used by the Linux server on the pppX interfaces created by l2tpd. In the example above 'local ip' is You cannot use the IP address of the internal interface for 'local ip', nor can you use the IP address of 'listen-addr'. CHAP is enabled and PAP is disabled because otherwise the Microsoft clients will complain that the password is not encrypted, which is of course nonsense because the connection is already encrypted by IPsec.

I also had to set 'length bit' to yes, because the connection was unstable without this parameter. IPsec supports authentication through preshared keys and certificates. PPP also supports authentication.

It turns out that L2TP also supports authentication. I guess none of the vendors thought that L2TP authentication was important. And rightly so, because it does not seem very useful anyway. IPsec and PPP authentication should be enough for anyone. The confusion comes from the 'require authentication' parameter in l2tpd.

This parameter has nothing to do with enabling L2TP authentication. It is actually for PPP authentication. The Windows clients use this by default, so you should enable PPP authentication by including 'require authentication' in your l2tpd configuration file. L2TP authentication, on the other hand, can be enabled by specifying the parameters 'auth file' and 'challenge'.

But as explained above, normally you do not need L2TP authentication. l2tpd's access control is slightly more interesting than L2TP authentication. However, Openswan already does access control on IP addresses. You could use l2tpd's access control as an extra security measure (a 'belt and suspenders' approach). There's nothing wrong with that, but it only works if you know all the IP addresses of the clients in advance.

This rules out "Roadwarriors" with dynamic addresses. Let's say that you want to restrict l2tpd access to a client with the fixed IP address Several authentication methods exist for PPP. If you use PAP, the Microsoft clients will complain that the password is not encrypted. This is beside the point because IPsec already does encryption. Obviously you will need a PPP server.

Almost every distribution has one. Install a recent version. The same PPP software can be used for something else as well. Fortunately, with the parameter 'pppoptfile' in l2tpd. The Microsoft clients have an option "Use Windows logon".

Configuring the PPP server is not explained here. There is lots of documentation on this subject, for instance the PPP Howto. For simplicity, let's assume that the external interface of your Linux server is eth0 and the internal interface is eth1. Once the user is connected, interface ppp0 will be up. My sample L2TP configuration file l2tpd.

The proxyarp parameter will set a proxy ARP entry on the internal interface (eth1 in the example above) for the remote user. With it, the machines on the internal network are fooled into sending packets destined for the remote Windows clients to the gateway. The gateway has IP forwarding enabled, so it knows how to forward the packets to the Windows clients. Remote clients will pick these up automatically once the connection has been established.

This puzzles me and I don't have an explanation or a workaround for this. What you might see is that you can ping machines on the internal network and you can surf or transfer very small files, but you can't copy large files because the connection stalls. Then try decreasing the MTU to or perhaps even lower?

In some cases (especially when certificates are used) fragmentation may lead to a problem with IKE. An extension to IKE has been proposed by Cisco. This extension allows fragmented IKE packets to pass through broken routers which cause the fragmentation.

Openswan does not support this extension, but ipsec-tools (racoon) does. Fragmentation is less likely with PSKs. Other options might be to reduce the size of the certificates. If you have such a DSL service, you often use interface ppp0 for your Internet connection. However, a problem might arise when you have multiple DSL links and one of them goes down for some reason and then comes up again.

This might screw up several of your settings; for instance, your firewall rules might expect the DSL links on fixed PPP interfaces. A workaround for this problem is adding the parameter 'unit xxxx' to the PPP options file for your DSL links, where xxxx is a high number, say You do need ppp The pppd man page says that the parameter only works for outbound connections, but it works for incoming connections too (looks like an undocumented feature in pppd?).

This workaround should work as long as the highest PPP unit number assigned to the DSL links is higher than the total number of clients. The procedure is the same as described above, but this time the L2TP connection should come up as well.

If it does not work, check and double-check your settings. See also 'Troubleshooting'. There are two final checks that I highly recommend before you consider rolling out to a live network: This was not really a problem since the Linux server was on the local network.

At first I thought that perhaps l2tpd could not determine the hostname of the Linux server it was running on. I solved the problem by entering a hostname on the Windows workstation. I simply did not expect that l2tpd relied on it. If you don't need NAT-Traversal, or if you don't want to deal with the complications at this moment, you can skip this part. NAT changes packets on the fly. The problem is that this kind of 'tampering' is exactly what a VPN tries to prevent!

However, it seems that IPsec passthrough only works for one user at a time, not for multiple concurrent users behind the same NAT device. Pure IPsec, on the other hand, has been reported to work with these devices. And this is exactly what has happened. Switching to ipsec-tools won't fix the security issue either. This should be looked into by a programmer.

PSKs have some drawbacks, so generally you want to use certificates anyway. If you have multiple clients behind the same NAT device, only the first client will be able to connect. Openswan logs an error similar to this: Another limitation of Openswan is that clients cannot share the same NAT-ed internal address.

This is of course difficult to avoid completely, especially when there is little coordination between remote clients. Many users will be using the same These are limitations of Openswan. Paul Wouters of Xelerance has said that perhaps a solution is in the works. A number of alternative solutions exist. Another alternative is the workaround by the Finnish company Stinghorn, which is based on modifications to the Linux kernel and ipsec-tools. Some more details can be found here.

You can solve this by adding an extra 'passthrough' section to ipsec. This update is also included with XP Service Pack 2. However, it turned out that the NAT-T update had issues with some third-party applications, which caught a lot of bad press. In August they re-released it. The patch can be installed through Windows Update. If you use Windows Professional, you will need to install Service Pack 3 or higher first, otherwise the IPsec update will not show up in Windows Update.

For XP you will need Service Pack 1 or higher. If the update still does not show up in Windows Update, go to the Windows Update Catalog and search for "" using the Advanced Search Options feature. I had some doubts when I read this because Microsoft would rather see you upgrade to Windows Server instead. It turns out I was right. Quoting Microsoft KB Q Fortunately this decision by Microsoft will not affect you if you use Linux on the server. I suggest you do not use any Mandrake version older than 9.

The patch doesn't actually add support for this implementation; it is only a hack and probably a security risk. You can get the whole lot from me with this modified SRPM (super-freeswan) or, if you really want, you could download the binary RPM (super-freeswan). You may need to hold the 'Shift' key while clicking these links! Debian uses kernel 2. Openswan packages are available. See if there are any Openswan packages (kernel and userland RPMs, deb, whatever) available.

If none are available, you might have to create them yourself, but that may be a lot of work. If your Openswan server is behind NAT, see the next section. The procedure assumes that your setup looks like this: The internal subnet behind your Openswan server is The IP address of the client is The client is on a subnet behind the NAT device, in this example Openswan needs to know what remote subnets the clients use. Most people prefer to enumerate all network subnets that are defined in RFC because there can be many clients with many different subnets.

But of course you can also specify only the You should, however, always exclude the subnet(s) that are behind the Openswan server. An exclamation mark is used for this purpose (see the example below). If your Openswan server itself is behind NAT, the procedure is slightly different. You can use almost the same setup as described in the previous section, but it now looks like this: With older Openswan versions there is a problem when the server itself is behind NAT or when both the client and the server are behind NAT.
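The subnet enumeration described above, as an added example that is not part of the original page or of Openswan itself. It assumes the Openswan parameter in question is 'virtual_private' (in the 'config setup' section), whose entries are written as '%v4:<subnet>' to allow a client-side subnet and '%v4:!<subnet>' to exclude one; the office LAN 192.168.1.0/24 and the candidate client subnets are constructed sample values. The helper builds the line from the three RFC 1918 ranges, parses it back, and checks whether a given NATed client subnet would be acceptable (inside an allowed range and not overlapping any excluded server-side subnet), which is the check that matters when two sites happen to use the same private range.

```python
"""Build and check an Openswan 'virtual_private' value for road-warrior
clients behind NAT.  Added example, not code from the original page or the
Openswan project.  Assumes the parameter is 'virtual_private' with the
'%v4:<net>' / '%v4:!<net>' syntax; all addresses below are constructed."""

import ipaddress

# The three RFC 1918 private ranges most people enumerate wholesale.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def build_virtual_private(allowed, excluded):
    """Return the virtual_private= line: allowed ranges first, then the
    '!' exclusions for the subnet(s) sitting behind the Openswan server."""
    parts = ["%v4:" + str(n) for n in allowed]
    parts += ["%v4:!" + str(n) for n in excluded]
    return "virtual_private=" + ",".join(parts)


def parse_virtual_private(line):
    """Parse a virtual_private= line back into (allowed, excluded) lists."""
    _, _, value = line.partition("=")
    allowed, excluded = [], []
    for item in value.split(","):
        if not item.startswith("%v4:"):
            raise ValueError("only %v4: entries are handled here: " + item)
        net = item[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:]))
        else:
            allowed.append(ipaddress.ip_network(net))
    return allowed, excluded


def client_subnet_accepted(client_subnet, allowed, excluded):
    """A client's NATed subnet is usable only if it lies inside an allowed
    range and does not overlap any excluded (server-side) subnet.  A client
    on the same private range as the office LAN is therefore rejected."""
    net = ipaddress.ip_network(client_subnet)
    inside = any(net.subnet_of(a) for a in allowed)
    clashes = any(net.overlaps(e) for e in excluded)
    return inside and not clashes


# Constructed example: the office LAN behind the Openswan server is
# 192.168.1.0/24, so it must be excluded from the client-side ranges.
SERVER_LAN = [ipaddress.ip_network("192.168.1.0/24")]
VIRTUAL_PRIVATE = build_virtual_private(RFC1918, SERVER_LAN)

if __name__ == "__main__":
    print(VIRTUAL_PRIVATE)
    allowed, excluded = parse_virtual_private(VIRTUAL_PRIVATE)
    for sub in ("192.168.0.0/24", "192.168.1.0/24", "10.5.0.0/16", "8.8.8.0/24"):
        print(sub, client_subnet_accepted(sub, allowed, excluded))
```

The overlap test, rather than a plain membership test, is what catches a client-side range such as 192.168.0.0/23 that merely contains the excluded office subnet.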

The Openswan team was notified of this problem by Bernd Galonska. It has been fixed in Openswan 2. For older versions you can download Bernd's experimental patch from this webpage, which I have modified slightly so that it applies cleanly to Openswan 2. Unfortunately, Windows Networking is a terrible protocol (ask the Samba guys) and it often results in all kinds of problems. This is not a tutorial on Windows Networking, so I can't help you with that.

But I can provide some hints. The important part to remember is that all computers should be configured to use this WINS server. Otherwise some computers might have trouble seeing other computers. It is better to change these to a common name. Similar tips can be found on the ISA Server. The Microsoft clients have a setting "Log on to network". Enable this if you want to log on to a domain server. Note that Windows XP Home cannot join a domain. This is also the case for some versions of Windows Vista.

You should be able to access resources in the domain, however. I have not really tried to get logon scripts (batch files) to work. Perhaps the following procedure works. At the end of the New Connection Wizard, you are asked if this connection is for "Me only" or for "Anyone who uses this computer".

You might prefer not to enter the password. You will notice that a checkbox "Logon through Dial-up Networking" appears. Tick this checkbox. Log on with your Windows Networking username and password. You will be presented with a window from which you can select the VPN connection that you just created.

Select it and hopefully you will log on over the VPN connection, and the logon script will start. With split tunnelling disabled, all of the client's traffic goes through the VPN. This includes not only traffic to internal servers but also Internet traffic, for instance when you surf to an Internet website.

This has the disadvantage that the Internet traffic goes through the office's Internet link twice: If you use 'split tunnelling', on the other hand, all internal traffic will be tunnelled through the VPN but all Internet traffic will be sent to the Internet directly. The problem is that this is less secure. Client users will then have two connections at the same time: Hackers could in theory break into the user's home machine and access the office from there.

With split tunnelling disabled, this is more difficult to do. See also this Cable Guy article on the Microsoft website for more information about split tunnelling. Generally, I would recommend against enabling split tunnelling.

You gain a bit of extra bandwidth but you also introduce a security problem. If you are worried that users might secretly enable split tunnelling without your permission, you could consider assigning "off-subnet" virtual IP addresses to the VPN clients.

This is not a watertight solution, but it would keep away most users. With off-subnet I mean that the virtual IP addresses specified with l2tpd's "ip range" parameter are not within the internal subnet You will have to do some extra routing on the VPN server so that the client on the virtual IP subnet can still reach resources on the internal subnet.

Let's assume you have configured off-subnet virtual IP addresses. So what happens when a user connects? When the user has disabled split tunnelling, the default route will be to the VPN server. The user can access internal resources because of the extra routing on the VPN server. Internet sites are also routed through the VPN server and thus accessible.

When the user has enabled split tunnelling, however, things are a bit different. The VPN client's default route will be to the Internet. So Internet sites will be accessible.

But resources on the internal subnet are not accessible. The client has an off-subnet virtual IP address, so packets to the internal subnet will be sent to the default route (the Internet), not to the VPN server. In other words, the VPN client will not be able to access resources on the internal subnet when split tunnelling is enabled, which was the whole objective.

Unfortunately this method can be circumvented by users who define a static route to the internal subnet on their workstation. There is no cure for negligent users, except not using a VPN at all. The very nature of a VPN makes it difficult to troubleshoot. VPN servers do not want to give away much information to a potential 'attacker' in case of a problem. Packets may be silently dropped by the server. Error messages sent to the client might not be very helpful. Use the command ipsec verify.
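The off-subnet routing argument above, including the static-route circumvention, as an added example that is not part of the original page. It walks a packet through the client's routing table with longest-prefix matching, then through the VPN server's table when the packet is handed to the tunnel. All addresses are constructed: office LAN 192.168.1.0/24, an 'ip range' pool of 10.99.0.0/24 (deliberately off-subnet), the client's home LAN 203.0.113.0/24 with its ISP router, and a VPN server with eth0 (Internet), eth1 (office LAN) and a ppp link.

```python
"""Longest-prefix-match routing walk-through for off-subnet virtual IPs.
Added example, not code from the original page; every address is a
constructed sample value."""

import ipaddress

OFFICE_LAN = "192.168.1.0/24"   # the internal subnet behind the VPN server
VPN_POOL = "10.99.0.0/24"       # off-subnet virtual addresses for clients
INTERNAL_HOST = "192.168.1.10"  # a file server on the office LAN
INTERNET_HOST = "198.51.100.7"  # some website on the Internet


def next_hop(routes, dst):
    """Return the next hop for dst using longest-prefix match, the same
    rule a Windows or Linux host applies to its routing table."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, "unreachable"
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def client_routes(split_tunnelling, static_route=False):
    """Routing table of a VPN client holding a 10.99.0.x virtual address."""
    routes = [
        (VPN_POOL, "vpn"),               # the client's own ppp/L2TP link
        ("203.0.113.0/24", "home-lan"),  # the client's home network
    ]
    # Split tunnelling disabled: the default route moves to the VPN.
    # Enabled: the default route stays with the ISP router.
    routes.append(("0.0.0.0/0", "isp" if split_tunnelling else "vpn"))
    if static_route:
        # The circumvention: the user adds a static route for the office LAN.
        routes.append((OFFICE_LAN, "vpn"))
    return routes


def vpn_server_routes():
    """The 'extra routing' on the VPN server: it must know how to reach
    both the virtual pool (ppp) and the internal subnet (eth1)."""
    return [(VPN_POOL, "ppp"), (OFFICE_LAN, "eth1"), ("0.0.0.0/0", "eth0")]


def trace(split_tunnelling, static_route=False):
    """Where a packet to the internal host and one to an Internet host end
    up.  A packet handed to the VPN is routed once more on the VPN server."""
    routes = client_routes(split_tunnelling, static_route)
    result = []
    for dst in (INTERNAL_HOST, INTERNET_HOST):
        hop = next_hop(routes, dst)
        if hop == "vpn":
            hop = "vpn->" + next_hop(vpn_server_routes(), dst)
        result.append(hop)
    return tuple(result)


if __name__ == "__main__":
    print("split tunnelling off:         ", trace(False))
    print("split tunnelling on:          ", trace(True))
    print("split on + user static route: ", trace(True, static_route=True))
```

With split tunnelling off, both destinations go via the VPN server (internal traffic out of eth1, Internet traffic out of eth0); with it on, the internal host is sent to the ISP like any other Internet address; adding the static route brings the internal host back through the tunnel while Internet traffic stays with the ISP.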

Not every "[Failed]" error that it reports is a real problem, but it can be helpful in certain circumstances. If you don't use Opportunistic Encryption, you should ignore the error messages about missing reverse DNS entries, for instance. Sometimes the IPsec packets get blocked. You can also use Openswan's ipsec ikeping command for that.

Problems can be debugged by tracing packets layer by layer. If your network devices are named or numbered differently, change accordingly. If you use NETKEY and run tcpdump on the external interface (eth0), you might see unencrypted packets in one direction.

The best and authoritative solution is to check with a third system between the client and the server. There can be various reasons why you don't get a working IPsec connection: This will force Pluto (the IKE daemon) to log in much more detail. In most cases this should not be necessary because your problem is likely to be caused by some configuration error. Only when there are serious issues may you need to enable Pluto debugging.

For example, when a brand new version of Openswan or the Linux kernel has been released and a problem was introduced in this version. Or when you want to interoperate with an IPsec product that has not yet been tested with Openswan.

This will also show packets silently dropped by the kernel. To activate these changes, Pluto will have to be restarted. Do not use these settings in production setups because they make it very easy for the bad guys to perform a Denial of Service. But not all debug messages are logged there. Then you'll have to restart syslogd with 'service syslog restart'. This may be a bug which should be solved in Openswan 2. You can work around this problem by adding an extra parameter to the Openswan configuration file.

Alternatively, you could add net. It defaults to 0. As mentioned above, certificates require Strongsec's certificate patch. Don't forget to disable the PSK configuration files once you start using certificates.

Otherwise the PSK configuration will get the upper hand. OpenSSL is a popular choice for generating certificates because it is open source and freely available. This page is not a tutorial on using OpenSSL or certificates in general; excellent documentation on generating certificates is available elsewhere. Either way, you will have to end up with certificates in PKCS#12 form. PKCS#12 is a standard for distributing keys and certificates. A PKCS#12 file with extension. Since it contains the client's private key, the PKCS#12 file is encrypted with a password.

Note that client certificates have to be signed by the same Certificate Authority (CA) as Openswan's certificate! Other uses (say, for a webserver) are not allowed.

This adds a little bit of extra security to the server's PKI. There has been a report to the Bugtraq mailing list by Thor Lancelot Simon about a potential man-in-the-middle vulnerability (mirror) with certain IPsec implementations. If one client certificate is compromised (which is not too difficult): After all, the compromised certificate of the first client is a valid certificate issued by the CA. The issue is only true for Windows clients if no EKUs are used.

If you do use EKUs as described above, then the issue is mitigated. Windows Vista and Mac clients are also not vulnerable to this issue because they require the server's hostname or IP address in the certificate's ID (this can be disabled on Vista as an option). Some people reported the following problem. Different certificates were installed on the client.

List of TCP and UDP port numbers

Enterprise configuration repository server

Enterprise cluster administration server (RAS)
Enterprise debug server
Gadu-Gadu direct client-to-client
Enterprise cluster working processes
DarkComet remote administration tool (RAT)
TCP port must not be used.
Old radacct port
Layer 2 Forwarding Protocol (L2F)
America's Army, a massively multiplayer online game (MMO)
Novell ZENworks
Spaceship Bridge Simulator
Civilization IV multiplayer
WebHost Manager default
Warzone multiplayer
Zephyr Notification Service server
Apache ZooKeeper default client port
Apple Push Notification Service
Apple Push Notification Service, feedback service
ESET anti-virus updates
ESET Remote Administrator
ArmA multiplayer
Combat Evolved multiplayer host
Combat Evolved multiplayer listener
Ghost blogging platform
Docker Swarm cluster management communications
KGS Go Server
CVS version control system password-based server
IEC, used to send electric power telecontrol messages between two systems via directly connected data circuits
OrientDB database listening for binary client connections
Oracle database listening for insecure client connections to the listener (replaces an earlier port)
Oracle database listening for SSL client connections to the listener
Ultima Online servers
SQL Anywhere database server
Cloud9 IDE server
Ruby on Rails development default
Meteor development default
Resilio Sync, spun from BitTorrent Sync
BlackBerry Enterprise Server communication protocol
Squid caching web proxy
WhiskerControl research control protocol
Net Assistant, a predecessor to Apple Remote Desktop
Apple Remote Desktop 2.
MySQL database system
Eggdrop, an IRC bot default port
Distcc, distributed compiler
Subversion (SVN) version control system
Some Blizzard games
Diameter base protocol (RFC)
Oracle Enterprise Manager Remote Agent
Warframe online interaction
OpenTTD game masterserver and content service
Protocol information and warnings
Minger Email Address Verification Protocol
Microsoft Remote Web Workplace administration
Couch Potato Android app
NATS server default port
Aleph One, a computer game
Docker implementations, redistributions, and setups default
Referral Whois (RWhois) Protocol
Content Server—Intradoc Socket port
Metasploit's default listener port
Armagetron Advanced server default
Sinatra default server port in development mode (HTTP)
Default for older versions of eMule
IP Flow Information Export
UPnP—Windows network device interoperability
League of Legends, a multiplayer online battle arena video game
FileMaker—name binding and transport
AOL Instant Messenger protocol
Outlaws, a first-person shooter video game
Certificate Management over CMS
Kega Fusion, a Sega multi-console emulator
PostgreSQL database system
Cisco Unified Video Advantage
Hotline tracker server connection
Hewlett-Packard Data Protector
Fastboot default wireless port
Inbound Refinery—Intradoc Socket port
Port though often changed during installation
Freeciv versions up to 2.
Kibana
IBM Lotus Sametime p2p file transfer
Hazelcast default communication port
System Center Operations Manager
TeamViewer remote desktop protocol
X11—used between an X client and server over the network
Backup Exec Agent Browser
Club Penguin Disney online game for kids
Used by some Blizzard games
ObjectDB database server
Oracle WebCenter Content Portable
Sybase Advantage Database Server
Sun Grid Engine Qmaster Service
Port assignment for medical device communication in accordance with IEEE
Syslog over TLS
Pylons project Pyramid Default Pylons Pyramid web service port
Speech-Dispatcher daemon
Windows Live FolderShare client
Microsoft Forefront Threat Management Gateway
OpenFlow
BitTorrent Local Peer Discovery
Splashtop Remote server broadcast
Campbell Scientific Loggernet Software
BitTorrent part of full range of ports used most often
Windows Live Messenger File transfer
Windows Live Messenger Voice
QuickTime Streaming Server
Database mirroring endpoints
Zimbra LMTP [mailbox]—local mail delivery
Peercast
Zimbra mysql [mailbox]
Zimbra mysql [logger]
Web control interface for Folding@home v7
Neo4J Server webadmin
Default port used by Open iT Server
Saratoga file transfer protocol
Instrument Neutral Distributed Interface
Oracle Cluster File System 2
Windows backdoor program tini
Multiplayer Mod Server
Unreal Tournament series default server
Default used by Smartlaunch Internet Cafe Administration software
PowerSchool Gradebook Server
Default for YSFlight server
Docker Swarm communication among nodes
Atlassian Bitbucket default port
Django Development Webserver
Tomcat remote shutdown
Quest AppAssure 5 Engine
Alternative port for HTTP. See also ports 80 and
Apache JServ Protocol (ajp13)
Killing Floor web administration interface
Apache Tomcat
Atlassian JIRA applications
Asterisk management access via HTTP
Splunk daemon management
Box automatic TR configuration
Coral Content Distribution Network (legacy; 80 and now supported)
CouchBase web administration
Shadowsocks proxy server
Adobe ColdFusion built-in web server
Freegate, an Internet anonymizer and proxy tool
Tibero database
Ultra Fractal, a fractal generation and rendering software application—distributed calculations over networked computers
Voice channel of TeamSpeak 2, a proprietary Voice over IP protocol targeted at gamers
Opera Unite, an extensible framework for web applications
Freenet web UI (localhost only)
Alternate port for I2P Monotone Proxy
I2P Monotone Proxy
SonarQube Web Server
Framework web server
Hadoop NameNode default port
qBittorrent's embedded torrent tracker default port
ETL Service Manager
Microsoft SharePoint authoring environment
Tomcat in standalone mode
Apache Cassandra native protocol clients
Transmission BitTorrent client Web Interface
PDL Data Stream, used for printing to certain network printers
Elasticsearch—default Elasticsearch port
Sony PlayStation RemotePlay
Clash of Clans, a mobile freemium strategy video game
MooseFS distributed file system—master control port
MooseFS distributed file system—master command port
MooseFS distributed file system—master client port
MooseFS distributed file system—Chunkservers
Tripwire—File Integrity Monitoring Software
ZeroTier Default port for ZeroTier
Splunk port for communication between the forwarders and indexers
Urchin Web Analytics
Ubiquiti UniFi access points broadcast to
CrossFire, a multiplayer online First Person Shooter
Zimbra smtp [mta]—to amavis from postfix
Zimbra smtp [mta]—back to postfix from amavis
Mathoid server
Modern Air Combat
BlueStacks android simulator broadcast
Farming Simulator
Jungle Disk (this port is opened by the Jungle Disk Monitor service on the localhost)
Listen port used by the Octopus Deploy Tentacle deployment agent
Battle for Newerth
Robot Operating System master
Second Life, used for server UDP in-bound
NetBus remote administration tool (often a Trojan horse)
Kaspersky Network Agent
ZeroNet fileserver
Battlefield Vietnam and mods
RabbitMQ management plugin
