
Security Ports Scanned by SiteAudit

Reference Number: AA-01290 Last Updated: 06-23-2023 01:18 PM

Netaphor SiteAudit plays a crucial role in maintaining printer security by identifying potential points of vulnerability, such as open ports, which can serve as entry points for hackers and malware. During the discovery process, SiteAudit scans a specific set of ports listed below and generates incidents to highlight any open ports. This allows users to promptly address security vulnerabilities and secure their devices. SiteAudit also provides the capability to create notifications when any of these ports are opened or modified. Users can access this information through various SiteAudit products, tools, and reports.

Upgrading SiteAudit to version 7.7

When upgrading either SiteAudit OnSite or Hosted to version 7.7, the list of ports scanned by SiteAudit is expanded to include port 65002. If you had previously modified the list of security ports scanned by SiteAudit, you will need to modify it again after the upgrade to version 7.7.

Modifying the List of Security Ports

The list of security ports scanned by SiteAudit includes the following ports: 20, 21, 22, 23, 25, 53, 110, 137, 139, 443, 445, 995, 5900, 5901, 8443, 65002. To modify the list of security ports on the machine where the Data Collection Agent (DCA) is installed:

For SiteAudit OnSite:

  • Open the SiteAudit Viewer and navigate to Tools > Application Settings.
  • Locate the "PortsForSecurityScan4" setting and modify the set of ports as required.
    Set this value to -1 to disable scanning security ports.
  • Click "Apply" to save the changes.
  • Restart the monitoring service.

For SiteAudit Hosted:

  • Open the SiteAudit Viewer and select the customer from the Quick Select list.
  • Go to Diagnostics > Virtual Technician > Remote DCA Diagnostics.
  • Select the Settings tab.
  • Locate the "PortsForSecurityScan4" setting and modify the set of ports as needed.
    Set this value to -1 to disable scanning security ports.
  • Click "Apply" to save the changes.
  • Restart the monitoring service.

Ports Scanned by SiteAudit

The following ports are scanned during discovery in order to identify printers that may have a security vulnerability.

Port 20 (FTP Data) and Port 21 (FTP Control):

File Transfer Protocol (FTP) ports facilitate file sharing between devices. Open FTP ports on printers can expose sensitive information or provide unauthorized access if not adequately secured. Potential exploits include FTP brute-forcing or unauthorized file retrieval.

Port 22 (SSH):

Secure Shell (SSH) allows secure remote access to printers. However, an open SSH port without proper security measures can lead to unauthorized access or malicious activities. Exploits may include brute-forcing SSH credentials or exploiting vulnerabilities in the SSH protocol.

Port 23 (Telnet):

Telnet is a network protocol that allows remote access to devices for command-line management. It is outdated and insecure: it transmits data, including login credentials, in plaintext, making it vulnerable to eavesdropping and unauthorized access. There have been known exploits and vulnerabilities targeting this port, including brute-force attacks to guess weak passwords, command injection attacks to execute malicious commands on the target device, and the potential for unauthorized access and control of the compromised system.

Port 25 (SMTP):

Simple Mail Transfer Protocol (SMTP) ports handle email communication. An open port 25 may be exploited for unauthorized relaying of email or spamming. Exploits can involve email spoofing, unauthorized use, or email flooding.

Port 53 (DNS):

Domain Name System (DNS) ports are responsible for translating domain names to IP addresses. Misconfigured DNS ports can be exploited for DNS hijacking, leading to phishing attacks, redirecting traffic, or denial-of-service attacks.

Port 110 (POP3):

Post Office Protocol version 3 (POP3) ports retrieve emails from servers. An open POP3 port without proper security can be targeted for unauthorized email retrieval, including potential access to sensitive information.

Ports 137 and 139 (NetBIOS):

NetBIOS ports allow sharing resources and services over a network. Open NetBIOS ports can expose printers to unauthorized access, file sharing, or potential malware propagation through the network.

Ports 443 and 8443 (HTTPS):

Hypertext Transfer Protocol Secure (HTTPS) ports provide encrypted communication. However, if not configured properly, open HTTPS ports can be exposed to SSL/TLS vulnerabilities, potentially leading to man-in-the-middle attacks, data interception, or unauthorized access.

Port 445 (SMB):

Server Message Block (SMB) ports enable file sharing and printer access. An open SMB port can be exploited for unauthorized file access, lateral movement within a network, or spreading malware, such as the notorious WannaCry ransomware.

Port 995 (POP3S):

POP3S ports use SSL/TLS encryption for secure email retrieval. If not adequately secured, open POP3S ports can be targeted for unauthorized email access or data interception during communication.

Ports 5900 and 5901 (VNC):

Virtual Network Computing (VNC) ports provide remote desktop access. Open VNC ports can be exploited for unauthorized remote control, potentially allowing attackers to view or manipulate printer settings or other connected systems.

Port 65002:

Port 65002 is a non-standard port that can vary in use across different printer models or manufacturers. The presence of an open port 65002 without legitimate use may indicate a potential vulnerability, highlighting the importance of further investigation.


FAQ

Are These Ports Required by SiteAudit?
SiteAudit operates as a read-only application and does not rely on any of these ports being open to function correctly. The purpose of scanning these ports during the discovery process is to detect and notify users about potential security vulnerabilities. In fact, it is recommended to keep these ports closed unless necessary, and ensure the devices and environments are adequately secured.

What Has Changed?
Starting with version 7.7, SiteAudit includes port 65002 in the list of security ports it scans.

Understanding Port 65002:
Port 65002 is a non-standard port that may be used by certain printer manufacturers.

Which Ports Does SiteAudit Scan for Security Vulnerabilities?
SiteAudit scans the following ports for security vulnerabilities: 20, 21, 22, 25, 53, 110, 137, 139, 443, 445, 995, 5900, 8443, 65002.

How Often Does SiteAudit Scan These Ports?
In version 7.7, SiteAudit performs a discovery every 4 hours. During this process, it checks for any open ports or changes in the status of these ports (i.e., from open to closed or vice versa).
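The open-port check and the open/closed change tracking described here can be reproduced independently to cross-check SiteAudit's incidents. The following is an added example, not Netaphor's code: it validates a custom port list, reports default ports missing from it (such as 65002 after a 7.7 upgrade), probes a host, and diffs two discovery results. Assumptions: the setting value is comma-separated, probing is a plain TCP connect (the article does not say how SiteAudit probes), and all function names are hypothetical.

```python
import socket

# Default 7.7 port list and service names, copied from this article.
SERVICES = {20: "FTP Data", 21: "FTP Control", 22: "SSH", 23: "Telnet",
            25: "SMTP", 53: "DNS", 110: "POP3", 137: "NetBIOS",
            139: "NetBIOS", 443: "HTTPS", 445: "SMB", 995: "POP3S",
            5900: "VNC", 5901: "VNC", 8443: "HTTPS", 65002: "non-standard"}

def parse_port_list(value):
    """Parse a port list; '-1' means scanning is disabled (empty list).
    Assumption: ports are comma-separated; the article does not show the format."""
    value = value.strip()
    if value == "-1":
        return []
    ports = sorted({int(p) for p in value.split(",") if p.strip()})
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid port(s): {bad}")
    return ports

def missing_defaults(custom_ports):
    """Default ports absent from a customised list (e.g. 65002 after a 7.7 upgrade)."""
    return sorted(set(SERVICES) - set(custom_ports))

def open_ports(host, ports, timeout=1.0):
    """Return the subset of ports that accept a TCP connection.
    UDP-only services (e.g. NetBIOS name service on 137) are not detected."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.add(port)
        except OSError:  # refused, filtered, unreachable or timed out
            pass
    return found

def status_changes(previous, current):
    """Compare two discovery results and list ports that opened or closed."""
    changes = [(p, "opened", SERVICES.get(p, "unknown")) for p in current - previous]
    changes += [(p, "closed", SERVICES.get(p, "unknown")) for p in previous - current]
    return sorted(changes)

if __name__ == "__main__":
    # Constructed sample: a pre-7.7 custom list and two discovery snapshots.
    custom = parse_port_list("21, 23, 443, 445")
    print("missing from custom list:", missing_defaults(custom))
    print(status_changes({23, 443}, {443, 445}))
    # open_ports("192.0.2.10", custom) probes a printer from your inventory;
    # 192.0.2.10 is a documentation address used here as a placeholder.
```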

Why Does SiteAudit Scan These Ports?
The purpose of scanning these ports is to identify and report potential security vulnerabilities associated with open ports.

How Can I Determine If One of These Ports Is Open?
SiteAudit generates incidents that can be viewed in the Incident History view. These incidents indicate the presence of any open ports that were scanned. Users can also generate reports or configure notifications to stay informed about the discovery or modification of these ports.

Can I Add or Remove Ports To Be Scanned by SiteAudit?
Yes. The ports scanned by SiteAudit can be accessed directly on the machine where the DCA is installed. One can use the Virtual Technician with SiteAudit Hosted to remotely modify the ports that are monitored by the DCA.

  • Open the SiteAudit Viewer > Tools > Application Settings.
  • Locate PortsForSecurityScan4 and modify the set of ports.
  • Click Apply to save the changes and restart the monitoring service.

How Do I Ensure My Printers Are Secure?
The first step to ensure your printers are secure is to know which have vulnerabilities. Netaphor SiteAudit helps identify those devices. The next step is to address any vulnerability that is found. The following article can help with this: "How to Secure Your Printers."

Can I Customize the Ports Scanned by SiteAudit?
Yes, you have the flexibility to customize the ports scanned by SiteAudit based on your specific requirements. To modify the monitored ports, follow these steps:

For SiteAudit OnSite:

  • Open the SiteAudit Viewer and navigate to Tools > Application Settings.
  • Locate the "PortsForSecurityScan4" setting and modify the set of ports according to your needs.
  • Click "Apply" to save the changes.
  • Restart the monitoring service to apply the updated port configuration.

For SiteAudit Hosted:

  • Open the SiteAudit Viewer and select the customer from the Quick Select list.
  • Go to Diagnostics > Virtual Technician > Remote DCA Diagnostics.
  • Select the Settings tab.
  • Locate the "PortsForSecurityScan4" setting and modify the set of ports as desired.
  • Click "Apply" to save the changes.
  • Restart the monitoring service to ensure the updated port configuration is in effect.

How Can I Disable Scanning of Security Ports?
Follow the same steps as in the previous question, except set the value of PortsForSecurityScan4 to -1.

How Do I Ensure My Printers Are Secure?
To ensure the security of your printers, it is essential to identify any vulnerabilities they may have. Netaphor SiteAudit plays a crucial role in this regard. By utilizing SiteAudit, you can gain insights into potential security risks associated with your devices. Once vulnerabilities are detected, it is imperative to address them promptly. For guidance on securing your printers, we recommend referring to the article titled "How to Secure Your Printers."

By following these steps and leveraging the capabilities of Netaphor SiteAudit, you can proactively protect your printers from potential security threats, maintain a secure environment, and ensure the confidentiality and integrity of your data.