How to secure your TCP/IP ports

While it's necessary for some ports to be open to internet traffic, it's also necessary to ensure that only the bare minimum are exposed and that the software connected to them is as up to date as possible.

This is why it's essential to turn on automatic updates, both for Windows and Linux, but also for your antivirus software.

If a computer starts acting up and its patches aren't up to date, security professionals will treat it as infected. As the saying goes, 'the unprotected become infected'.

Beyond staying up to date, the key to keeping your PC secure is to ensure that your firewall is closed to all traffic other than to the ports you know should be open. Because some malicious software can silently open ports, it pays to check them yourself and close any that you don't need open.

In Windows XP, the firewall settings can be found by opening the Control Panel and double clicking Windows Firewall. If you're in an insecure place such as a public Wi-Fi hotspot, make sure that the checkbox to prevent exceptions on the first tab of the resulting window is ticked.

The second tab lists all the programs allowed through your firewall. Uncheck all those you don't actively use and press 'OK'. Also ensure that the checkbox making sure that Windows pops up a message to say that it's blocked a program is ticked. By default, Windows also creates a log of firewall activity, storing it in 'C:\WINDOWS\pfirewall.log'.

The procedure is similar in Vista. On the Control Panel, select 'Allow a program through Windows Firewall' under the Security section. This brings up the same window as in XP. Inspect all the open ports and close those you don't need.

If your broadband router contains a firewall, it's a good idea to update your firmware regularly and to block traffic on all ports other than email in and out (ports 25 and 110), DNS (port 53), HTTP (port 80) and HTTPS (port 443).

On no account should you allow Microsoft's NetBIOS services through (ports 137 to 139), as these are vulnerable to attack. Finally, see the 'Test your exposure' section below for details of an online service that will show you which of your PC's ports can be seen from the internet.

Test your exposure

When trying to assess the state of your online security, it pays to be able to see how others see your network. There are various online services that can help you. One is by T1shopper, at www.t1shopper. com/tools/port-scanner.

On this page, you'll see your IP address displayed. You can enter a single port to see if it's reachable, as well as a range of port numbers to scan.

You can also tick any of the more commonly used ports from the two-column list. Each port that's closed (meaning that it has no software attached and listening to it and is therefore not vulnerable to attack) will return a line telling you that it isn't responding.


GET TESTED: Using free online tools such as Nmap and T1Shopper will show you which ports are open on your network

If your firewall is working and configured correctly, all of these tests should fail. For a more comprehensive test – one that will find out whether there's a botnet or other piece of malware listening on a specific port on your computer – enter a start and end port number and the service will scan these individually looking for open ones.

Don't abuse this service by entering '1' and '65,535' (the highest port number). Instead, play nicely, and enter only blocks of a maximum of 500.

Scanning will take some time, so be patient. At the end you should have a comprehensive view of how exposed your system is.