Many services (not all) can be configured with random TCP or UDP ports. But which ports are safer than others? This simple script selects safer TCP or UDP ports. A safer port is defined as:
-
Port number 1024 or higher: ports from 0 to 1023 are privileged ports and a service needs root permissions to bind to privileged ports. This is insecure, a bug in your service might expose the whole server.
-
Not listed in the IANA port and services list: many vulnerability scanners such as OpenVas can be configured to scan all ports listed in IANA. Hence we avoid those ports.
-
Not part of the Nmap top 1000 ports. Nmap is a powerfull port scanner. Without additional options, it will scan the top 1000 most common ports. We avoid those ports.
What is gained by using the safer ports instead of port numbers found in "Howto" documents or your imagination? Plain and simple:
- Wannabe hackers (script kiddies) will not detect your service, since the commonly used hacking tools (in their standard configuration) do not scan for these ports.
- If you managed to choose a random port used by another service, you might see a surge in connections and attacks if a vulnerability in that other service is detected. You might be an innocent bystander, but you will get hit anyway.
- If an attacker want to exploit a bug in your type of service, he or she will first find and attack servers using the common ports for that service. You might just have bought some time to prepare a defense while criminals are attacking your neighbours.
All this will result in smaller logs and less headaches to monitor your service.
Wait, what is this? Do I hear a horde of CISSP or CISA certified consultants shouting that this is security by obscurity and does not help? Please get of my lawn, security by obscurity really works. It is only proven not to work in the domain of cryptography.
Clone this repository:
git clone --depth 1 https://github.com/igbuend/under-the-mat.gitRun the script:
./under-the-mat/bin/under-the-mat.shThe script will give you five TCP ports by default. You can ask for UDP ports as follows:
./under-the-mat/bin/under-the-mat.sh --type=UDPIf you need more ports:
./under-the-mat/bin/under-the-mat.sh --type=UDP --amount=10If you need help:
./under-the-mat/bin/under-the-mat.sh --help-
if you choose a rediculous high amount of ports (higher than the total number of ports not listed in Nmap and IANA), the script will go in an infinite loop. I do not plan to fix that. Just don't be an idiot.
-
The script uses the Nmap Top 2000 ports instead of the top 1000. Reason is that at Nmap position 1000 hundreds of ports have the same frequency of occurrence. I could not bother to reverse engineer Nmap to verify how they determine who gets position 1000. I also did not want to make this script dependant on Nmap.