diff --git a/doc/p2p-bad-ports.md b/doc/p2p-bad-ports.md
index 0e4342ac56860..a7b412ff8cc17 100644
--- a/doc/p2p-bad-ports.md
+++ b/doc/p2p-bad-ports.md
@@ -11,78 +11,18 @@ nodes. and usually require authentication. A connection attempt (by Dash Core, trying to connect because it thinks there is a Dash node on that address:port) to such service may be considered a malicious action by an -ultra-paranoid administrator. An example for such a port is 22 (ssh). On the -other hand, connection attempts to public services that usually do not require -authentication are unlikely to be considered a malicious action, -e.g. port 80 (http). +ultra-paranoid administrator. An example for such a port is 22 (ssh). + +Additionally, ports below 1024 are classified as "system ports" by RFC 6335 +and on some platforms, require administrative privileges in order to use them. +They are also considered "bad" ports as they require clients to either run Dash +Core with elevated privileges or configure their system to relax such requirements, +which may not be possible or desirable in some deployments. Below is a list of "bad" ports which Dash Core avoids when choosing a peer to connect to. If a node is listening on such a port, it will likely receive fewer incoming connections. 
- 1: tcpmux
- 7: echo
- 9: discard
- 11: systat
- 13: daytime
- 15: netstat
- 17: qotd
- 19: chargen
- 20: ftp data
- 21: ftp access
- 22: ssh
- 23: telnet
- 25: smtp
- 37: time
- 42: name
- 43: nicname
- 53: domain
- 69: tftp
- 77: priv-rjs
- 79: finger
- 87: ttylink
- 95: supdup
- 101: hostname
- 102: iso-tsap
- 103: gppitnp
- 104: acr-nema
- 109: pop2
- 110: pop3
- 111: sunrpc
- 113: auth
- 115: sftp
- 117: uucp-path
- 119: nntp
- 123: NTP
- 135: loc-srv /epmap
- 137: netbios
- 139: netbios
- 143: imap2
- 161: snmp
- 179: BGP
- 389: ldap
- 427: SLP (Also used by Apple Filing Protocol)
- 465: smtp+ssl
- 512: print / exec
- 513: login
- 514: shell
- 515: printer
- 526: tempo
- 530: courier
- 531: chat
- 532: netnews
- 540: uucp
- 548: AFP (Apple Filing Protocol)
- 554: rtsp
- 556: remotefs
- 563: nntp+ssl
- 587: smtp (rfc6409)
- 601: syslog-conn (rfc3195)
- 636: ldap+ssl
- 989: ftps-data
- 990: ftps
- 993: ldap+ssl
- 995: pop3+ssl
 1719: h323gatestat
 1720: h323hostcall
 1723: pptp
@@ -99,7 +39,11 @@ incoming connections.
 6668: Alternate IRC
 6669: Alternate IRC
 6697: IRC + TLS
+ 8882: Bitcoin RPC
+ 8883: Bitcoin P2P
 10080: Amanda
+ 18882: Bitcoin testnet RPC
+ 18883: Bitcoin testnet P2P
 For further information see:
@@ -112,3 +56,5 @@ For further information see:
 [chromium.googlesource.com](https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/net/base/port_util.cc)
 [hg.mozilla.org](https://hg.mozilla.org/mozilla-central/file/tip/netwerk/base/nsIOService.cpp)
+
+[RFC 6335, Section 6 ("Port Number Ranges")](https://datatracker.ietf.org/doc/html/rfc6335#section-6)
diff --git a/src/netbase.cpp b/src/netbase.cpp
index e659f76d09db0..d44645821c282 100644
--- a/src/netbase.cpp
+++ b/src/netbase.cpp
@@ -709,70 +709,8 @@ bool IsBadPort(uint16_t port)
 {
 /* Don't forget to update doc/p2p-bad-ports.md if you change this list. */
+ if (port <= PRIVILEGED_PORTS_THRESHOLD) return true;
 switch (port) {
- case 1: // tcpmux
- case 7: // echo
- case 9: // discard
- case 11: // systat
- case 13: // daytime
- case 15: // netstat
- case 17: // qotd
- case 19: // chargen
- case 20: // ftp data
- case 21: // ftp access
- case 22: // ssh
- case 23: // telnet
- case 25: // smtp
- case 37: // time
- case 42: // name
- case 43: // nicname
- case 53: // domain
- case 69: // tftp
- case 77: // priv-rjs
- case 79: // finger
- case 87: // ttylink
- case 95: // supdup
- case 101: // hostname
- case 102: // iso-tsap
- case 103: // gppitnp
- case 104: // acr-nema
- case 109: // pop2
- case 110: // pop3
- case 111: // sunrpc
- case 113: // auth
- case 115: // sftp
- case 117: // uucp-path
- case 119: // nntp
- case 123: // NTP
- case 135: // loc-srv /epmap
- case 137: // netbios
- case 139: // netbios
- case 143: // imap2
- case 161: // snmp
- case 179: // BGP
- case 389: // ldap
- case 427: // SLP (Also used by Apple Filing Protocol)
- case 465: // smtp+ssl
- case 512: // print / exec
- case 513: // login
- case 514: // shell
- case 515: // printer
- case 526: // tempo
- case 530: // courier
- case 531: // chat
- case 532: // netnews
- case 540: // uucp
- case 548: // AFP (Apple Filing Protocol)
- case 554: // rtsp
- case 556: // remotefs
- case 563: // nntp+ssl
- case 587: // smtp (rfc6409)
- case 601: // syslog-conn (rfc3195)
- case 636: // ldap+ssl
- case 989: // ftps-data
- case 990: // ftps
- case 993: // ldap+ssl
- case 995: // pop3+ssl
 case 1719: // h323gatestat
 case 1720: // h323hostcall
 case 1723: // pptp
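Review bot: The new early return `if (port <= PRIVILEGED_PORTS_THRESHOLD) return true;` is the only line in IsBadPort whose rationale is not written next to it; every `case` carries a service name, but a reader has to go to netbase.h and the doc to learn why 1023 is the cut-off. Suggest a one-line comment above it: `// RFC 6335 "system ports" (0-1023): binding them normally needs elevated privileges, so a peer is unlikely to legitimately listen there (see doc/p2p-bad-ports.md)`. Note that the comparison also classifies port 0 as bad, which the old switch did not; that looks harmless since port 0 is never a usable destination, but it is worth stating in the comment if intended. IsBadPort's body continues outside this hunk.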
@@ -789,7 +727,11 @@ bool IsBadPort(uint16_t port)
 case 6668: // Alternate IRC
 case 6669: // Alternate IRC
 case 6697: // IRC + TLS
+ case 8332: // Bitcoin RPC
+ case 8333: // Bitcoin P2P
 case 10080: // Amanda
+ case 18332: // Bitcoin testnet RPC
+ case 18333: // Bitcoin testnet RPC
 return true;
 }
 return false;
diff --git a/src/netbase.h b/src/netbase.h
index 58e4ad5d2515b..15b47271d4e48 100644
--- a/src/netbase.h
+++ b/src/netbase.h
@@ -246,6 +246,9 @@ void InterruptSocks5(bool interrupt);
 */
 bool Socks5(const std::string& strDest, uint16_t port, const ProxyCredentials* auth, const Sock& socket);
+//! Upper range of ports classified as "System Ports" under RFC 6335
+static constexpr uint16_t PRIVILEGED_PORTS_THRESHOLD{1023};
+
 /**
 * Determine if a port is "bad" from the perspective of attempting to connect
 * to a node on that port.
diff --git a/src/test/netbase_tests.cpp b/src/test/netbase_tests.cpp
index ee96bd3f549f4..950c58a20865f 100644
--- a/src/test/netbase_tests.cpp
+++ b/src/test/netbase_tests.cpp
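Review bot: The comment on the last added case is wrong: `case 18333: // Bitcoin testnet RPC` duplicates the label of 18332, while 18333 is Bitcoin Core's testnet P2P port (the doc hunk in this same commit labels the corresponding entry "Bitcoin testnet P2P"); change it to `case 18333: // Bitcoin testnet P2P`. The doc and the code also disagree on the numbers themselves: doc/p2p-bad-ports.md gains 8882, 8883, 18882 and 18883, whereas the switch adds 8332, 8333, 18332 and 18333, and the test checks the latter. Bitcoin Core's defaults are 8332/8333 and 18332/18333, so the doc entries look like typos that should be corrected before merge, given the comment at the top of this switch asks for the two to stay in sync. IsBadPort's opening and the start of the switch are in the previous hunk.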
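Review bot: The new doc comment `//! Upper range of ports classified as "System Ports" under RFC 6335` does not say whether 1023 is inside or outside the set, which is exactly what a caller of `port <= PRIVILEGED_PORTS_THRESHOLD` needs to know. Suggest `//! Highest port number (inclusive) in the RFC 6335 "System Ports" range (0-1023); IsBadPort() treats all ports up to and including it as bad.` The `static` on a namespace-scope `constexpr` in a header is redundant (such variables already have internal linkage), though it may follow the project's existing convention.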
@@ -440,18 +440,28 @@ BOOST_AUTO_TEST_CASE(isbadport)
 BOOST_CHECK(IsBadPort(22));
 BOOST_CHECK(IsBadPort(6000));
- BOOST_CHECK(!IsBadPort(80));
- BOOST_CHECK(!IsBadPort(443));
+ // We don't expect Dash Core to operate over HTTP(S)
+ BOOST_CHECK(IsBadPort(80));
+ BOOST_CHECK(IsBadPort(443));
+
+ // We shouldn't use ports used by Bitcoin Core
+ BOOST_CHECK(IsBadPort(8332));
+ BOOST_CHECK(IsBadPort(8333));
+ BOOST_CHECK(IsBadPort(18332));
+ BOOST_CHECK(IsBadPort(18333));
+
+ BOOST_CHECK(!IsBadPort(9998));
 BOOST_CHECK(!IsBadPort(9999));
+ BOOST_CHECK(!IsBadPort(26656));
- // Check all ports, there must be 80 bad ports in total.
+ // Check all ports, there must be 21 bad ports in addition to the restriction on privileged ports.
 size_t total_bad_ports{0};
 for (uint16_t port = std::numeric_limits::max(); port > 0; --port) {
 if (IsBadPort(port)) {
 ++total_bad_ports;
 }
 }
- BOOST_CHECK_EQUAL(total_bad_ports, 80);
+ BOOST_CHECK_EQUAL(total_bad_ports - PRIVILEGED_PORTS_THRESHOLD, 21);
 }
 BOOST_AUTO_TEST_CASE(netbase_parsenetwork)
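Review bot: The test never pins the boundary of the new privileged-port rule: 80 and 443 are checked, but nothing asserts that 1023 is bad and 1024 is not, so an off-by-one in the threshold comparison would only surface as a confusing count mismatch. Add `BOOST_CHECK(IsBadPort(1023));` and `BOOST_CHECK(!IsBadPort(1024));` next to the HTTP(S) checks. The final assertion `BOOST_CHECK_EQUAL(total_bad_ports - PRIVILEGED_PORTS_THRESHOLD, 21);` only works because the loop stops at `port > 0` and so counts exactly 1023 privileged ports; writing it as `BOOST_CHECK_EQUAL(total_bad_ports, PRIVILEGED_PORTS_THRESHOLD + 21);` avoids the unsigned subtraction and reads as the intended "1023 privileged plus 21 listed", and the comment above it should mention that port 0 is deliberately skipped. The `std::numeric_limits::max()` on the loop line appears to have lost its template argument in rendering; presumably it is `<uint16_t>` in the actual source.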