Why is it bad to have open ports?

A port isn't open if something isn't listening for a connection on it.

The reason it is bad form to have all ports open to everywhere is that it exposes those services that are listening on those ports to exploits. That is why firewalls exist, to limit what is allowed to connect to certain ports, to reduce the surface area exposed by services.


EDIT

To address your question about why people can't just write software that isn't exploitable:

This is fairly easy for simple programs, but many programs that require a socket are complex. As such, they have many components, many of which aren't even written by the developer most likely (included libraries). You cannot rely on other people to keep your network secure when there are hardening methods you can use yourself, such as firewalls.

Arbitrary/remote code execution is a huge risk, as you have pointed out. Unfortunately buffer overflows and other security flaws that allow it are common. Look at any Microsoft security update and I'll bet it patches either remote code execution or elevation of privileges, and MS is a huge company with hundreds of developers and billions of dollars.


Regarding the update you wrote:

Thanks for the replies so far. I understand now, that a port being open actually means there is a program that can be exploited listening on that port. But why is it so hard to write software that can't be exploited? To do any real harm to a computer wouldn't a program have to allow one or more files to be uploaded, and then one of those files would need to be executed. It seems like that would be incredibly hard to allow accidentally.

It's very difficult to write software that can't be exploited!

I have read the book Building Secure Software and one thing it discussed was exploiting stack overflows. There were two very scary facts in there:

  • For a program to have an exploitable stack overflow bug is very easy to do, especially when the program is written in C. In the C programming language, many functions are not safe by default and the programmer either needs to know to avoid the vulnerable functions, or has to take special actions to be safe.
  • The exploit a hacker needs to use is short - very short. It was less than half a page of assembly language, which translates to 100 or so (guess) bytes of machine code. This exploit code is sufficient to give the hacker shell (command prompt) access to your machine. No big file upload and execution required - just a tiny piece of code that can be inserted into the middle of legitimate data.

So if a hacker can find a program that (a) has a stack overflow bug that is (b) exploitable over a network and (c) has a couple of hundred bytes spare in its buffer, then your computer is pwned. Fortunately knowledge about stack overflow bugs is fairly common knowledge now, but they do still pop up. 5 years ago and longer this was a much more frequent problem.

Going back to your original question, you should avoid open ports to avoid any accident with an exploitable bug in a program. You now have a second reason: the remote shell that a hacker would then use is another open port. If you have a firewall that is blocking everything except that you have specifically allowed, you would also block that remote shell (although a hacker would still be able to do other nasty things to your computer, so don't be complacent!)
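The stack-overflow mechanics this answer describes, as an added example (not code from the original answer, nor from the book it cites): a fixed-size name buffer filled by an unchecked copy, the way an unsafe C function such as strcpy() or gets() would fill it, next to the bounded version a careful programmer writes. The frame layout, the 0xDEADBEEF sentinel and the handle_request_* names are assumptions made for the demo; the word stored just past the buffer stands in for the saved return address that a real overflow overwrites, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16
#define CANARY   0xDEADBEEFu   /* assumed sentinel; stands in for the return address */

/* Copies until the NUL terminator with no bound, exactly like strcpy()/gets().
 * Written out as a loop so the demo does not depend on libc fortify checks. */
static void copy_unbounded(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0') {
    }
}

/* VULNERABLE. Returns the sentinel stored just past the name buffer after the
 * copy: CANARY if intact, anything else if the input ran over the buffer.
 * The "frame" is one contiguous array standing in for a stack frame, because
 * overrunning a real local array is undefined behaviour and the compiler may
 * optimise the demonstration away. The slack after the sentinel keeps the demo
 * itself in bounds; on a real stack those bytes belong to the caller. */
uint32_t handle_request_unsafe(const char *input)
{
    unsigned char frame[NAME_LEN + sizeof(uint32_t) + 32];
    uint32_t sentinel = CANARY;
    memcpy(frame + NAME_LEN, &sentinel, sizeof sentinel);

    if (strlen(input) >= sizeof frame)
        return 0;                           /* demo guard only; report as corrupted */
    copy_unbounded((char *)frame, input);   /* BUG: no check against NAME_LEN */

    memcpy(&sentinel, frame + NAME_LEN, sizeof sentinel);
    return sentinel;
}

/* HARDENED. Rejects input that does not fit (terminator included) instead of
 * copying blindly; the length is found without reading past out_len bytes. */
int handle_request_safe(const char *input, char *out, size_t out_len)
{
    const char *end = memchr(input, '\0', out_len);
    if (end == NULL)
        return -1;                          /* no terminator within out_len: too long */
    memcpy(out, input, (size_t)(end - input) + 1);
    return 0;
}

int main(void)
{
    char out[NAME_LEN];
    const char *short_name = "alice";                    /* constructed input */
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 24 bytes */

    printf("unsafe, short: sentinel=%08x\n", handle_request_unsafe(short_name));
    printf("unsafe, long:  sentinel=%08x\n", handle_request_unsafe(long_name));
    printf("safe,   short: rc=%d name=%s\n",
           handle_request_safe(short_name, out, sizeof out), out);
    printf("safe,   long:  rc=%d\n", handle_request_safe(long_name, out, sizeof out));
    return 0;
}
```

With the long input the sentinel comes back as 0x41414141 ("AAAA"): the bytes past the buffer are now attacker-chosen, which on a real stack is the return address the half-page of assembly needs. Stack cookies and ASLR in modern toolchains make that harder to turn into a shell, but they do not remove the bug; the bounds check does.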


  • Open port: When anyone asks, the computer responds that there is a service listening on this port. This means anything coming to this port will get processed by a program (a service) running on that computer.
  • Closed port: When anyone asks, the computer responds that there are no services listening on that port. The asker will know there is a computer responding at the address.
  • Stealth port: When anyone asks, they get no reply. The point is to hide if there is a computer at the address at all. It might not be very effective, though, as joschi points out in the comments.

If you have an open port, you are safe provided the program processing the incoming stuff has no available exploits. But exploits are found all the time, and it's good to know that there are a lot of port scans travelling around the net, looking for targets.

Closed ports still respond to the asker, so a possible attacker knows to proceed checking other ports. Then again, this is how the internet is specified to work. While stealth ports attempt to not give the potential attacker any information, in theory they break the specification.

From a security point of view, any open port is a huge gaping hole, since code is being used to process foreign data. What a firewall (or a NAT router) does is make sure no incoming traffic gets to your computer, even if the system has some open ports. This way, they effectively close all ports.
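The three port states in this answer, plus the firewall effect the first answer describes (a firewall that drops packets makes an open port look "stealth" to the outside), as an added example that is not code from any answer on the page: a TCP connect() probe that classifies a port from what comes back. A completed handshake means a service accepted the connection (open), an RST surfaces as ECONNREFUSED (closed), and silence until the deadline means the packet was dropped (filtered/stealth). The 127.0.0.1 listener, the timeout and the function names are assumptions made for the demo.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

enum port_state { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_ERROR };

/* Non-blocking TCP connect() probe against host:port.
 *   PORT_OPEN     handshake completed: a program is listening and will process input
 *   PORT_CLOSED   the host answered with RST (ECONNREFUSED): host up, nothing listening
 *   PORT_FILTERED no SYN-ACK and no RST before timeout_ms: dropped, i.e. "stealth"
 *   PORT_ERROR    anything else, e.g. ICMP unreachable or a bad address */
enum port_state probe_port(const char *host, unsigned short port, int timeout_ms)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return PORT_ERROR;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1) {
        close(fd);
        return PORT_ERROR;
    }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);

    enum port_state st = PORT_ERROR;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        st = PORT_OPEN;                 /* loopback can complete immediately */
    } else if (errno == ECONNREFUSED) {
        st = PORT_CLOSED;
    } else if (errno == EINPROGRESS) {
        fd_set wfds;
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        int n = select(fd + 1, NULL, &wfds, NULL, &tv);
        if (n == 0) {
            st = PORT_FILTERED;         /* deadline passed with no answer at all */
        } else if (n > 0) {
            int err = 0;
            socklen_t len = sizeof err;
            getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len);
            if (err == 0)
                st = PORT_OPEN;
            else if (err == ECONNREFUSED)
                st = PORT_CLOSED;
        }
    }
    close(fd);
    return st;
}

/* Demo helper (assumed, not a real tool): listen on 127.0.0.1 with a
 * kernel-chosen port so the "open" case can be shown offline. Returns the
 * listening fd and writes the port; closing the fd makes the port "closed". */
int start_listener(unsigned short *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 4) < 0) {
        close(fd);
        return -1;
    }
    socklen_t len = sizeof sa;
    getsockname(fd, (struct sockaddr *)&sa, &len);
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int main(void)
{
    static const char *names[] = { "open", "closed", "filtered", "error" };
    unsigned short port;
    int lfd = start_listener(&port);
    printf("127.0.0.1:%u while listening: %s\n", port, names[probe_port("127.0.0.1", port, 500)]);
    close(lfd);
    printf("127.0.0.1:%u after closing:   %s\n", port, names[probe_port("127.0.0.1", port, 500)]);
    return 0;
}
```

Only probe hosts you are allowed to scan. An ICMP unreachable comes back as EHOSTUNREACH or ENETUNREACH, a fourth kind of answer that this demo reports as PORT_ERROR (nmap folds it into "filtered"). A full connect() shows up in the target's logs as an accepted connection; the half-open SYN scan that nmap -sS performs needs raw sockets and root, which is why the demo does not use it.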