
TCP services on non-default ports - Security Benefit?

Status
Not open for further replies.

ElijahBaley

IS-IT--Management
May 4, 2001
1,598
GB
Hi

I have set up an FTP server on a non-default control port. I have finally got around problems related to my firewall and active/passive mode, only to now realize that most users are not very familiar with FTP and a lot of client software does not have an obvious option to change the default TCP port of 21.

The reason that I changed the port was for security by disguise, i.e. if any port scanners came our way they would not detect an open 21, and may not detect our disguised port at all, thus reducing the chances of an attack.

After all the problems I am having with clients failing to connect, I'm wondering whether this is worth it after all...

Should I just change it back to 21, to save the hassle?

Thanks for any comments.



..EB


"Smoke me a kipper, I'll be back for breakfast!"

"Captain A.J. Rimmer, Space Adventurer!"
 
I've gotten to where I just use the standard ports, mainly for the reasons you've noted. It was easier for me to secure the network around the standard ports than to try and teach the users how to change things. Also, if someone really wants to scan your network, he's most likely going to use a scanner that will go from port 0 - 65535 and look for anything.

For FTP, I would of course deny anonymous connections and put in place access controls to only allow connections from specified host addresses (if your situation allows). Also enforce good password security to help discourage brute force password attacks. Those basics will help keep most people from bothering you. There are a lot of script kiddies out there who are just playing with their hacker wannabe tools and will pass on anything even somewhat difficult to get into.

Setting up firewalls, isolated DMZs, VPNs, etc. will definitely help; but you need to weigh the pros and cons of everything according to what the FTP server is really used for and how secure you need it to be.

BierHunter
CNE, MCSE, CCNP
 
I agree with BierHunter.
A port scanner will find the open port anyway, and you make it very difficult for clients by using non-standard ports.

For an intranet or special website I can imagine that you use other ports (e.g. 8080 and 8081 are also already "known ports" for that), but again, you cannot escape a port scanner with that.

So, save yourself the hassle, create a DMZ for your FTP and web server(s), and go back to the standard ports.
Regards,
Robert



Robert Wullems
Network Specialist
SCP/SCE/SCM/CNX/MCP/MCSA/Network+/CNA
***************************************
If you can Sniff it, you can solve it!
***************************************
 
Thanks for your help - back to 21 it is!!



..EB


"Smoke me a kipper, I'll be back for breakfast!"

"Captain A.J. Rimmer, Space Adventurer!"
 
I have this box behind a firewall and am currently NAT and port forwarding through the firewall.

What would be the advantage of creating a DMZ, surely this would expose the box to all the baddies, like a lamb to the slaughter?



..EB


"Smoke me a kipper, I'll be back for breakfast!"

"Captain A.J. Rimmer, Space Adventurer!"
 
No, not necessarily.
For example, if you leave the current config in place and place a second firewall between the box and the rest of the internal network, you have created a DMZ.

If somebody now manages to compromise your FTP box and it is directly connected to the rest of the LAN, it can be used to compromise other machines on the LAN.

With the second firewall in place, the FTP box will be compromised, but it will be much more difficult to compromise machines on the LAN.

Regards,
Robert


Robert Wullems
Network Specialist
SCP/SCE/SCM/CNX/MCP/MCSA/Network+/CNA
***************************************
If you can Sniff it, you can solve it!
***************************************
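The layout Robert describes (an outer firewall in front of the FTP box, a second firewall between the box and the LAN) combined with BierHunter's advice to allow FTP only from specified host addresses can be checked before touching real firewall rules. The following is an added example written for this thread, not code posted by either of them: a small first-match, default-deny policy model in Python. All addresses, the partner network and the passive data-port range are constructed sample values (RFC 5737 documentation ranges), and the two rule lists are assumptions about what a sensible policy would look like, not any product's syntax.

```python
"""Model of a two-firewall DMZ for an FTP server (added example, constructed values)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed address plan: documentation ranges only, not a real network.
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("198.51.100.0/24")
ANY = ip_network("0.0.0.0/0")
FTP_SERVER = ip_network("192.0.2.10/32")
PARTNER = ip_network("203.0.113.0/24")   # hypothetical outside network allowed to use FTP
PASV_RANGE = (50000, 50100)               # hypothetical passive data-port range on the server


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[Tuple[int, int]]   # inclusive destination-port range, None = any port
    action: str                        # "allow" or "deny"

    def matches(self, src, dst, dport) -> bool:
        in_range = self.ports is None or self.ports[0] <= dport <= self.ports[1]
        return src in self.src and dst in self.dst and in_range


def evaluate(rules, src, dst, dport) -> str:
    """First match wins; anything not explicitly allowed is dropped (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


# Outer firewall: Internet <-> DMZ.  Only the partner network may reach the FTP
# control port (still 21) and the passive data range.  The default deny also
# stops the FTP box from opening connections out to the Internet on its own.
OUTER = [
    Rule(PARTNER, FTP_SERVER, (21, 21), "allow"),
    Rule(PARTNER, FTP_SERVER, PASV_RANGE, "allow"),
    Rule(LAN, ANY, None, "allow"),       # LAN clients may still go out to the Internet
    Rule(ANY, DMZ, None, "deny"),
    Rule(ANY, LAN, None, "deny"),        # the LAN is never reachable directly from outside
]

# Inner firewall: DMZ <-> LAN.  Staff may upload to the FTP box, but the DMZ may
# not start any connection into the LAN, so a compromised FTP box stops there.
INNER = [
    Rule(LAN, FTP_SERVER, (21, 21), "allow"),
    Rule(LAN, FTP_SERVER, PASV_RANGE, "allow"),
    Rule(DMZ, LAN, None, "deny"),        # the rule that makes the DMZ worth having
    Rule(LAN, DMZ, None, "deny"),        # nothing else in the DMZ is reachable from the LAN
    Rule(LAN, ANY, None, "allow"),
]


def zone(addr) -> str:
    if addr in DMZ:
        return "dmz"
    if addr in LAN:
        return "lan"
    return "internet"


def decide(src_ip: str, dst_ip: str, dport: int) -> str:
    """Run a new connection through every firewall between its source and destination zones."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    path = (zone(src), zone(dst))
    firewalls = []
    if path.count("internet") == 1:      # crosses the Internet boundary
        firewalls.append(OUTER)
    if path.count("lan") == 1:           # crosses the LAN boundary
        firewalls.append(INNER)
    for rules in firewalls:
        if evaluate(rules, src, dst, dport) == "deny":
            return "deny"
    return "allow"


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", 21),      # partner -> FTP control port
                 ("10.9.8.7", "192.0.2.10", 21),         # anyone else -> FTP
                 ("192.0.2.10", "198.51.100.20", 445),   # compromised FTP box -> LAN file share
                 ("198.51.100.20", "192.0.2.10", 21)]:   # staff -> FTP
        print(flow, "->", decide(*flow))
```

The point the model makes is that the control port stays at 21 and the scanner is answered by the filters instead: a source that is not on the allow list is dropped before it ever sees a banner, and whatever runs on the FTP box after a compromise cannot open a single connection into the LAN. Replacing the rule lists with the equivalent rules on the real outer and inner firewalls gives the same two properties.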
 
Understood, that's good advice.

Thanks very much



..EB


"Smoke me a kipper, I'll be back for breakfast!"

"Captain A.J. Rimmer, Space Adventurer!"
 