Listening port

From Sysadmin


Most services use a predefined and static listening port.

An exception is RPC under Unix, which allocates a listening port dynamically as required and delivers the port number to the client via portmap. This dynamic port strategy is difficult to use in conjunction with a firewall, because the port that must be allowed is not known in advance and can change each time the service starts.
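
The following is an added example, not part of the original page: it parses the output of `rpcinfo -p` (a constructed sample, not captured from a real host) and reports which RPC services have endpoints on dynamically allocated ports that a given firewall allow-list does not cover, which is the check an administrator wants before relying on static rules. The allow-list and the `unreachable_services` helper are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output (not from a real host).
# portmapper and nfs use fixed ports; mountd and nlockmgr were
# allocated dynamically and will differ after a restart.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  38741  mountd
    100005    1   tcp  49305  mountd
    100021    1   udp  55832  nlockmgr
    100021    3   tcp  37911  nlockmgr
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return {service: {(proto, port), ...}} from `rpcinfo -p` output."""
    services = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        _prog, _vers, proto, port, name = m.groups()
        services[name].add((proto, int(port)))
    return dict(services)


def unreachable_services(rpc_services, allowed):
    """Services with at least one registered endpoint that the firewall
    allow-list (a set of (proto, port) tuples) does not permit."""
    blocked = {}
    for name, endpoints in rpc_services.items():
        missing = sorted(ep for ep in endpoints if ep not in allowed)
        if missing:
            blocked[name] = missing
    return blocked


if __name__ == "__main__":
    # Assumed allow-list: only the static portmap and NFS ports are open.
    allowed = {("tcp", 111), ("udp", 111), ("tcp", 2049)}
    for name, eps in unreachable_services(parse_rpcinfo(SAMPLE_RPCINFO), allowed).items():
        print(f"{name}: blocked endpoints {eps}")
```

Run against a live host by feeding the real `rpcinfo -p` output into `parse_rpcinfo` and the firewall's actual allow-list into `unreachable_services`; a non-empty result means the static rules do not cover the dynamically allocated ports.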

For an alternative to using static ports for services see the SRV DNS record.


Moving Service Port

It is not recommended to change the default port of a service merely to avoid probes. This is a form of security through obscurity. Changing the port in this manner means that legitimate users of the service need to be told the port and remember it as a special case.

Additionally, any firewalls between the client and server need to accommodate the special case. Many organisations, particularly larger companies, are restrictive in which outgoing ports they allow. Moving the port away from the default may result in some users being unable to access the service without further complications such as a VPN. This is a violation of the KISS principle.

This should not be confused with the use of SRV records to announce a port. Since these ports are announced anyway, the use of SRV does not obscure the port at all.
