Security Basics mailing list archives

Re: Securing webmail - changing a port necessary to ensure security?


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 12 Feb 2004 13:54:58 +0100

On 2004-02-11 Jennifer Fountain wrote:
> I am going back and forth on this one with a consultant on this one and
> need an expert opinion.  So, I turn to you :)

Hope you don't mind me answering instead ;)

> When configuring webemail (such as owa) that is using https, is it
> better to change the default port (443) to an uncommon port (20000) for
> security reasons?  Does it secure it further by doing this?

No. Security by obscurity won't work since an attacker could simply run
a portscan against your webmail host to determine which ports are open.

> Wouldn't it cause more issues than anything if you try to access that
> site from inside an org that only allows port 80/443 and 21 out?

If you allow 21 out, you will also have to allow 1024+ out, since
passive FTP opens the data connection on a high port IIRC. So no, using
port 20000 won't cause problems in that scenario, but it also won't
improve your security.

Regards
Ansgar Wiechers
