Constraints on "secure" port assignments -- NOT port 80

Post by Shannon Jaco » Wed, 04 Sep 2002 11:52:05
Well, I'd have thought it was a FAQish question, but can't find it in
the FAQs or in the Google searches of the newsgroups, so I'll ask:

Are there any constraints or guidelines for port assignments? If so,
I'd appreciate a nifty URL beyond the easily available list of
well-known ports.

Actual situation is that I'm going to allow the server (Apache V2) to
use port 80, but that is safe inside my network. I'll map that during
NAT translation in my ADSL modem/router. My underlying concern is with
blocking the random probes from the mindless script kiddies. Quite
surprised how many there were and how soon. Concerned that one of them
might get lucky, so I'd prefer to move to somewhere where the light
isn't so good.

The other half of my idea is to set my dynamic DNS mapping to some
other port. Port 21 seems like a nice number. Just joking, but apart
from the well-known ports, are there any real constraints or
guidelines? Port 8080 is popular, but I think that means it will also
be targeted by the kiddies. Maybe 8137 is a lucky number, but maybe
it's just a less well-known port, like 6699. Or maybe I should jump
somewhere into the 20,000s...

Jya, thanks for any substantive advice.

Constraints on "secure" port assignments -- NOT port 80

Post by Juha Laih » Wed, 04 Sep 2002 16:37:01
> Are there any constraints or guidelines for port assignments? If so,
> I'd appreciate a nifty URL beyond the easily available list of
> well-known ports.

The typical is "Run the services at their intended ports. Keep the
service software hardened against attacks."

> Actual situation is that I'm going to allow the server (Apache V2) to
> use port 80, but that is safe inside my network. I'll map that during
> NAT translation in my ADSL modem/router. My underlying concern is with
> blocking the random probes from the mindless script kiddies. Quite
> surprised how many there were and how soon. Concerned that one of them
> might get lucky, so I'd prefer to move to somewhere where the light
> isn't so good.

Are you planning to provide a public service on that server - or are
you just setting up a server as your private playground? If you're
setting up a private playground, don't make it visible outside your
network. If you're setting up a public service, keep it at the regular
port 80.

If it's a public service, make sure you keep up to date with security
advisories and patches.

> The other half of my idea is to set my dynamic DNS mapping to some
> other port. Port 21 seems like a nice number.

DNS does not map ports.

> Just joking, but apart from the well-known ports, are there any real
> constraints or guidelines? Port 8080 is popular, but I think that means
> it will also be targeted by the kiddies. Maybe 8137 is a lucky number,
> but maybe it's just a less well-known port, like 6699. Or maybe I
> should jump somewhere into the 20,000s...

If you use anything else but 80, you'll need to always include that
into the URL. And once there's a visible link somewhere to your site,
your site is public. It may attract less probes when set to some non-
obvious port, but the ones it'll attract are typically more forceful
(as they're not bound to some specific port, they can be assumed to
be more "intelligent" in other aspects, too). So, anyway you'll need
to make sure your system is hardened.

Also, I've seen reports of some ISPs (and companies) having their proxy
configured to only allow connections to some well-known HTTP service
ports (80, 8080). Of course, it's possible to configure the browser
not to use a proxy, but it may be a nuisance if the provider also forces
the use of the proxy by prohibiting all non-proxy outgoing traffic to these
ports.
--
Wolf  a.k.a.  Juha Laiho     Espoo, Finland

         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Constraints on "secure" port assignments -- NOT port 80

Post by Shannon Jaco » Thu, 19 Sep 2002 19:53:56
> >Are there any constraints or guidelines for port assignments? If so,
> >I'd appreciate a nifty URL beyond the easily available list of
> >well-known ports.

> The typical is "Run the services at their intended ports. Keep the
> service software hardened against attacks."

Well, I guess I'm really asking for the why. Yes, the big obvious
threat is not keeping up with the security updates? But the one that
actually scares me is someone who finds a hole and just exploits it on
the QT.

You can configure Apache not to log certain things. So should I
perhaps try to configure it to pitch the logs of the known (and
therefore harmless) attacks into the bit bucket? Or maybe someone has
those configuration settings conveniently at hand? Basically, I don't
see any reason to keep logs on such trash.

Right now the probes seem to come about once per hour. If that's
typical for any random IP address, then there must be a WHOLE lot of
that traffic in the network. So why don't they isolate it and
eliminate the perpetrators?

<snip>

> Are you planning to provide a public service on that server - or are
> you just setting up a server as your private playground? If you're
> setting up a private playground, don't make it visible outside your
> network. If you're setting up a public service, keep it at the regular
> port 80.

> If it's a public service, make sure you keep up to date with security
> advisories and patches.

Interesting problem... I'd like it to be public, but if the open port
is 80, it seems like the log files are going to be constantly filled
with garbage. I really hate to watch so much stupidity at work.

> DNS does not map ports.
<snip>
> If you use anything else but 80, you'll need to always include that
> into the URL. And once there's a visible link somewhere to your site,
> your site is public. It may attract less probes when set to some non-
> obvious port, but the ones it'll attract are typically more forceful
> (as they're not bound to some specific port, they can be assumed to
> be more "intelligent" in other aspects, too). So, anyway you'll need
> to make sure your system is hardened.

Well, I worded it badly, but by specifying the port you override the
DNS default of port 80 for HTTP, and that suits my purposes and seems
to work with every browser I've tested. I'm not sure how it works in
terms of providing visible links to the site. For example, would a
search engine be able to deal with a Web server at some port besides
80?

Trying to reword it, but difficult. Besides being stupid and
malicious, the script kiddies are lazy. What I really want is an
absolute block against the *, lazy imbeciles, but something subtly
suspicious to scare off the intelligent hackers. Nothing to make them
think it's a juicy target, but rather something to give them the
willies, to make them think it's just a poison honey pot.

> Also, I've seen reports of some ISPs (and companies) having their proxy
> configured to only allow connections to some well-known HTTP service
> ports (80, 8080). Of course, it's possible to configure the browser
> not to use a proxy, but it may be a nuisance if the provider also forces
> the use of the proxy by prohibiting all non-proxy outgoing traffic to these
> ports.

When I studied the well-known port list in detail, I found that 591,
8008, and 8080 are listed as alternates for port 80. But there are
about 30 other ports listed with various relationships to HTTP...
Weird list. Lots of them were associated with organizations or
companies. I think I want the HTTP port that is used by the CIA or
FBI. That should make 'em nervous.
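As an added illustration of the log-triage question raised above (example code written for this page, not from any poster or from the Apache project): a small Python filter that parses Combined Log Format lines, tags requests matching constructed probe signatures as noise, tallies them per source address instead of discarding them, and keeps everything else, including lines it cannot parse. The sample log lines and the signature patterns are constructed; adapt the patterns to paths your own server never serves.

```python
import re
from collections import Counter

# Apache Combined Log Format; the regex is this example's own, not from the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed probe signatures: paths this hypothetical site never serves.
PROBE_PATTERNS = [
    re.compile(r'/default\.ida', re.I),
    re.compile(r'/(scripts|msadc|_vti_bin)/', re.I),
    re.compile(r'(cmd|root)\.exe', re.I),
]

def classify(line):
    """Return (kind, fields): kind is 'noise', 'keep' or 'unparsed'."""
    m = LOG_RE.match(line)
    if not m:
        return 'unparsed', None          # never silently drop what we cannot read
    fields = m.groupdict()
    if any(p.search(fields['path']) for p in PROBE_PATTERNS):
        return 'noise', fields
    return 'keep', fields

def triage(lines):
    """Split a log into kept lines and a per-source count of probe noise."""
    kept, noise = [], Counter()
    for line in lines:
        kind, fields = classify(line)
        if kind == 'noise':
            noise[fields['ip']] += 1     # keep a tally, not the full line
        else:
            kept.append(line)
    return kept, noise

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Sep/2002:11:52:05 +0900] "GET /default.ida?XXXX HTTP/1.0" 404 283 "-" "-"',
    '192.0.2.10 - - [04/Sep/2002:12:52:07 +0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"',
    '198.51.100.7 - - [04/Sep/2002:13:01:44 +0900] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Sep/2002:13:05:12 +0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"',
    'this line is not a log record and must survive triage',
]

if __name__ == '__main__':
    kept, noise = triage(SAMPLE_LOG)
    print(f'{len(kept)} lines kept, probe noise per source: {dict(noise)}')
```

Apache 2 can make the same split at write time by marking a request with SetEnvIf and using CustomLog with an env= condition; routing the marked requests to a separate log rather than the bit bucket keeps the evidence if one of those probes ever succeeds.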