Switching ports for more security
Johannes Endres
Many server attacks are executed by "script kiddies" – unskilled attackers who use automated tools to run the attacks. By running your services on non-standard ports, those automated scans can be made to miss them.
The principle of security through obscurity has become controversial – and not without reason. Manufacturers often try to guarantee security by holding back information; however, information about the vulnerabilities still comes out, and in many cases it turns out that the secrecy was hiding careless, sloppy work and incompetence. Nevertheless, we still recommend not serving attackers your network information on a silver platter. While hiding the information does not increase the security of a service, it gives the administrator a head start to respond appropriately in case of an attack.
The time between the publication of a security vulnerability and the first exploit suitable for unsophisticated attackers continues to decrease. For example, if a new vulnerability in the SSH server is posted on Bugtraq on a Friday, it is likely that by the following Sunday the script kiddies are scanning for victims with automated tools. They scan entire networks to find computers that are running a vulnerable SSH server on the standard SSH port 22. If the server is listening on port 52200 instead, there is a good chance it will evade the first wave of attacks. A skilled attacker who targets this specific machine will still know how to identify and exploit the vulnerability, which means the administrator should still do everything to eliminate the vulnerability in the SSH service as soon as possible.
A public web server like heise online is usually scanned several times on all ports, so it is pointless to move the SSH server to another port. However, it's a good idea for servers that aren't as exposed and offer services for a private user group. In addition to remote access via SSH, this should include web or FTP servers that are mainly used for private data exchange.
Address assignment
The Internet Assigned Numbers Authority (IANA) assigns official port numbers for individual services. Ports 0 to 1023 are the Well Known Ports, reserved for services like HTTP (port 80), SSH (port 22) and Telnet (port 23). The Registered Ports are in the range 1024 to 49151. They are assigned to lesser-known services that someone has registered with IANA, for example Kazaa (port 1214) and Nessus (port 1241). Finally, ports in the range above 49151 are not permanently assigned to any publicly defined application.
The higher port numbers above 49151 hide services better, because most scan programs generally do not scan all possible 65,535 port numbers. Instead they usually just scan the port numbers that are registered in the IANA port list.
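To check which ports automated scans actually hit on your own network edge, here is an added example (not part of the original article): a POSIX shell script that counts logged inbound TCP packets per destination port from iptables LOG lines. The log lines are constructed for illustration; the LOG rule and prefix mentioned in the comments are assumptions, so adjust them to your own firewall.

```shell
#!/bin/sh
# Added example, not from the original article: count inbound TCP packets
# per destination port from iptables LOG lines, to see which ports the
# scanners probe. The lines below are constructed; real ones would come from
# a rule such as (assumed)
#   iptables -A INPUT -i ppp0 -p tcp --syn -j LOG --log-prefix "SYN: "

SAMPLE_LOG='May  3 10:01:12 gw kernel: SYN: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41122 DPT=22 SYN URGP=0
May  3 10:01:13 gw kernel: SYN: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41123 DPT=80 SYN URGP=0
May  3 10:01:15 gw kernel: SYN: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=22 SYN URGP=0
May  3 10:02:40 gw kernel: SYN: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=52200 SYN URGP=0
May  3 10:03:01 gw kernel: SYN: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=50002 DPT=23 SYN URGP=0'

# port_counts: read LOG lines on stdin, print "port count" per destination
# port, most-hit port first (ties broken by ascending port number).
port_counts() {
    awk '
        /PROTO=TCP/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) { split($i, kv, "="); c[kv[2]]++ }
        }
        END { for (p in c) printf "%s %d\n", p, c[p] }
    ' | sort -k2,2nr -k1,1n
}

# count_for PORT: packets seen on one port in the sample log (0 if none).
count_for() {
    printf '%s\n' "$SAMPLE_LOG" | port_counts |
        awk -v p="$1" '$1 == p { print $2; f = 1 } END { if (!f) print 0 }'
}

# Run on the constructed sample: the standard port 22 tops the list while the
# moved service on 52200 sees only the one legitimate connection.
printf '%s\n' "$SAMPLE_LOG" | port_counts
```

Feed real data with `grep 'SYN: ' /var/log/kern.log | port_counts` (path and prefix are assumptions). Even after moving a service, keep the old standard port logged rather than silently closed: the hit count there is the early warning the article refers to.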
Moving SSH
The sshd server settings are stored in the file sshd_config, which is usually located in either /etc or /etc/ssh depending on the Unix version and distribution. The configuration line Port 52200 changes the port of the service to 52200. Since sshd only reads the file during start-up, the administrator has to restart the service for this change to become effective.
During log-in the port is passed to the ssh program with the option -p: ssh -p 52200 je@sshhost.ath.cx tries to log the user in on sshhost.ath.cx through port 52200. Graphical front-ends such as PuTTY for Windows provide an input field for the port number.
It is just as easy for the admin to set the server port for the Apache web server. The biggest problem usually lies in locating the httpd.conf configuration file; on many Linux systems the command locate is the easiest way to find it. The configuration line is then Listen 58000. Apache reads the configuration at start-up or when it is explicitly asked to re-read it. Most Linux distributions provide the parameter reload in the Apache start script (e.g., /etc/init.d/apache) for this.
Since most browsers use port 80 by default, the new port has to be entered behind the server name, separated by a colon: http://server.example.com:58000.
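The two config changes above (Port for sshd, Listen for Apache) follow the same pattern: replace the directive, validate the file, then restart or reload. The following script is an added example, not code from the original article; the file locations, the service name and the port numbers are assumptions (they vary by distribution), and the awk-based set_directive helper is the author of this example's, not part of either project.

```shell
#!/bin/sh
# Added example, not from the original article: move sshd to 52200 and
# Apache to 58000 by editing their config files, then validate and reload.
# Paths and service names below are assumptions; adjust to your system.

# set_directive FILE KEY VALUE
# Replaces the first active "KEY ..." line in FILE with "KEY VALUE". If no
# active line exists but a commented-out default such as "#Port 22" does,
# that comment is replaced in place; otherwise the directive is appended.
# Later active lines with the same KEY (e.g. several Listen directives) are
# kept. A backup is written to FILE.bak first.
set_directive() {
    file=$1 key=$2 value=$3
    cp -- "$file" "$file.bak"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        !done && $1 == key { print key " " value; done = 1; next }
        !done && $0 ~ ("^#[[:space:]]*" key "([[:space:]]|$)") {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file.bak" > "$file"
}

# get_directive FILE KEY: print the value of the first active KEY line
# (empty output if there is none).
get_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# move_ports: apply the article's two changes. Override the paths through
# the environment if your distribution keeps the files elsewhere.
move_ports() {
    set_directive "${SSHD_CONFIG:-/etc/ssh/sshd_config}" Port 52200
    set_directive "${HTTPD_CONFIG:-/etc/httpd/conf/httpd.conf}" Listen 58000
}

# validate_and_reload: never restart on an unchecked file, a syntax error in
# sshd_config would lock you out. Keep the existing SSH session open until a
# login on the new port has succeeded. The service name is "ssh" on Debian
# derivatives and "sshd" on Red Hat derivatives (assumption: Debian here).
validate_and_reload() {
    sshd -t && service ssh restart            # sshd reads its file only at start-up
    apachectl -t && apachectl graceful        # Apache: syntax check, then reload
}

# Uncomment to apply for real (needs root):
# move_ports && validate_and_reload
```

After the reload, `ss -ltn` (or `netstat -ltn` on older systems) should list 52200 and 58000 and no longer 22 and 80; until that is confirmed, the original SSH session is your way back in.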
Router
If you run your server behind a router that forwards incoming connection requests via port forwarding, you usually do not have to make any changes to your server, because a good router can also change the port number during forwarding, for example by forwarding any packets coming in on port 58000 directly to port 80 on the server. Linux firewalls can achieve the same effect with destination NAT (DNAT). For example, if the Linux router is connected to the Internet through the PPP interface ppp0 and the internal server is 192.168.1.2, the calls would be:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 58000 -j DNAT --to 192.168.1.2:80
iptables -A FORWARD -i ppp0 -p tcp -d 192.168.1.2 --dport 80 -j ACCEPT
Miscellaneous
We also recommend suppressing the version identification output (banner) if the server software allows it. Buffer overflow exploits in particular usually have to match a specific program version; without it, the attacker has to try different offsets, which takes time and a certain amount of knowledge. (je)



