Security Basics mailing list archives
RE: non-default ports (Was: Remote Desktop vs VPN on Windows 2003)
From: Alexander Klimov <alserkli () inbox ru>
Date: Wed, 19 Jan 2005 12:03:38 +0200 (IST)
The best thing you should do is to install secure software and not use default ports unless absolutely necessary (e.g., domain, smtp, ...). Of course, a non-default port would not protect you from an adversary who wants to attack your network, but it helps to distinguish such adversaries from viruses/worms. This way it protects you (the log-reader) from a "DoS attack on a log-reader".

For example, when I used the default ssh port I had on average a login attempt (automated user/password bruteforcing) each second; now I have failed passwords only from legitimate users (who failed to set up an ssh client properly). Note that since we do not use password authentication there is no hope somebody can find a password; still, my logs are significantly reduced since I started to use a non-default port.

On Tue, 18 Jan 2005, Joe Dumass wrote:

> I think that the problem with arbitrarily assigning services to non-standard ports is that it disrupts the flow of communication. Is it somewhat more secure against worms, etc? Maybe... but the protocol definition exists to define how to standardize communication for a reason. If our partners go out and redefine https to non-standard ports, we would have to open new rules in our firewalls to allow communication to them, resulting in a less secure environment than simply allowing out-bound 443, and more of an administrative burden of trying to remember what outbound 8888, 4422, 1192, 65213, etc are.

Why do you think that limiting outbound ports makes YOUR environment any safer as long as you open at least one port? Note that most spyware uses http (probably through a proxy) anyway. By closing outbound ports you can protect others from worms running on your computers, but worms usually do not use non-default ports anyway.

--
Regards,
ASK
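Added example, not part of the original post: a small log triage in Python showing the log-reader problem the message describes, separating automated username/password guessing from the occasional failure of a legitimate user. The log lines are constructed, and the classification rule (unknown account names, or more than `max_users` distinct accounts from one source) is an assumed heuristic, not something the post specifies.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog format (documentation-range addresses).
SAMPLE_LOG = """\
Jan 19 12:00:01 gw sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jan 19 12:00:02 gw sshd[812]: Failed password for invalid user test from 192.0.2.10 port 40113 ssh2
Jan 19 12:00:03 gw sshd[813]: Failed password for root from 192.0.2.10 port 40114 ssh2
Jan 19 12:00:04 gw sshd[814]: Failed password for invalid user guest from 192.0.2.10 port 40115 ssh2
Jan 19 12:05:17 gw sshd[901]: Failed password for alice from 198.51.100.7 port 51820 ssh2
Jan 19 12:05:31 gw sshd[901]: Accepted password for alice from 198.51.100.7 port 51820 ssh2
Jan 19 12:09:44 gw sshd[950]: Failed password for bob from 203.0.113.5 port 33001 ssh2
"""

# Older sshd versions log "illegal user", newer ones "invalid user"; accept both.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<unknown>(?:invalid|illegal) user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def triage(log_text, max_users=2):
    """Return (automated, review): failed-login counts per source address.

    A source is treated as automated guessing (assumed heuristic) when it tried
    an account that does not exist or more than max_users distinct accounts.
    Everything else is left for a human to review.
    """
    failed = defaultdict(list)  # src -> [(user, account_unknown)]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["result"] == "Failed":
            failed[m["src"]].append((m["user"], bool(m["unknown"])))

    automated, review = {}, {}
    for src, attempts in failed.items():
        users = {user for user, _ in attempts}
        guessing = any(unknown for _, unknown in attempts) or len(users) > max_users
        (automated if guessing else review)[src] = len(attempts)
    return automated, review


if __name__ == "__main__":
    noise, to_review = triage(SAMPLE_LOG)
    print("automated guessing:", noise)
    print("needs a human look:", to_review)
```
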