[Discuss] S/W in Linux to change its default ports

Thor Heinrichs-Wolpert thor.wolpert at maximusbc.ca
Mon Jan 8 11:50:02 PST 2007


I'd have to agree.  We work on lots of systems and have a similar approach to what Scott is saying.  We have several zones, but the Internet goes to our DMZ, where each box is hardened itself (rather than just relying on the firewall) and all of the standard ports are moved (except public http/s).  The number of script kiddie attacks dropped by over 90% as soon as we switched the ports ... so I think it's a great idea to change them.

On another note, a friend of mine that runs lots of systems in Vancouver (ISP / ASP type) has different port ranges for different client groups.  All of his local tools just use the ssh tunnel, so it's only the ssh connection ports that are different and the firewalls move them into the proper DMZ based on range.  I thought it was an interesting approach and seemed to work exceptionally well for their support team.

Cheers,
Thor HW


-----Original Message-----
From: discuss-bounces at vlug.org on behalf of Scott Petersen
Sent: Mon 1/8/2007 11:39 AM
To: discuss at vlug.org
Subject: Re: [Discuss] S/W in Linux to change its default ports
 
R. McFarlane wrote:
> On 1/8/07 10:21 AM, Scott Petersen wrote:
>
> <snip>
>
>> All this being said, if you really want a single tool to change all 
>> ports on a system you could use iptables to mostly accomplish that. 
>> Iptables can do port forwarding (DNAT or Destination Network Address 
>> Translation). With that tool you could block external access on port 
>> 22 and forward external connections to port 2890 to port 22. The SSH 
>> Daemon would still be listening on port 22. This is much more complex 
>> than just using each application's config and, in my opinion, is 
>> really the wrong way to accomplish things.
>
>     I disagree. I would leave all software running on its default 
> ports and instead use the firewall to forward an outside obscure port 
> to the default inside port. This way, you don't have to reconfigure 
> your client programs to connect on the internal network, you only have 
> to remember the port number for when you are not at home.
>     That being said, if the ports are for public access (e.g. running 
> a mail server or web server for far more people than just yourself), 
> then you will want to leave them as is.
>
> <snip>
>
>
I suppose there are arguments to be made for both sides. However, my 
reasoning for saying it is the wrong approach is that I find the human 
element to be the weakest link in any security policy. Any way that I 
can take complexity out of my system, the more likely I am to configure 
it correctly and securely. As well, I don't have to remember to use one 
port internally and one port externally.

Of course, this is my experience and my opinion, refunds gladly provided 
in the same amount you paid for them. :-)

Cheers
Scott Petersen
_______________________________________________
Discuss mailing list
Discuss at vlug.org
http://ladybug.vlug.org/cgi-bin/mailman/listinfo/discuss
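As an added example (not code from either poster), the firewall-side approach Scott describes, written as a small POSIX shell helper that prints the iptables rules for review instead of applying them blindly. The interface name eth0 is an assumption; the 2890 -> 22 mapping follows the thread's own numbers.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables rules that expose sshd,
# still listening on its default port, only through an obscure external port.
# Usage: ssh_forward_rules EXT_IF EXT_PORT INT_PORT   (pipe the output into
# sh as root). "eth0" is an assumed interface name; 2890 -> 22 as in the thread.

is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

ssh_forward_rules() {
    ext_if=$1 ext_port=$2 int_port=$3
    is_port "$ext_port" && is_port "$int_port" || return 1
    # Same port on both sides would make the final DROP rule cut off the
    # forwarded traffic as well, so refuse it.
    [ "$ext_port" != "$int_port" ] || return 1

    # Replies to connections already accepted keep flowing.
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$ext_if"
    # Rewrite the destination port before routing. REDIRECT is DNAT to the
    # local host, so the daemon never needs to know about the obscure port.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$ext_if" "$ext_port" "$int_port"
    # Only connections that went through that redirect may reach the daemon;
    # the DNAT conntrack state is set exactly for those.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate DNAT -j ACCEPT\n' \
        "$ext_if" "$int_port"
    # Direct hits on the real port from outside are dropped. Without this rule
    # the obscure port buys nothing, because sshd is still listening on 22.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$ext_if" "$int_port"
}

# Print the rule set when the script is run directly with three arguments.
if [ $# -eq 3 ]; then
    ssh_forward_rules "$@"
fi
```

The rules are appended with -A, so they must land before any blanket ACCEPT already present in INPUT or the DROP never fires. Clients on the internal network keep connecting to port 22 unchanged, which is the point R. McFarlane makes above.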


