
Is it worth the trouble to map open ports in the firewall from some inconspicuous port number to the correct port number for a given service?

Or is it simpler and similarly secure just to present the actual port number required to the outside world? Client software these days is often pre-set up to just work if the default ports are used, and in many cases people tend not to read instructions, which often causes unnecessary disruptions and complexity.

This would be for a small to medium business situation. All software is kept up-to-date and internet security software installed on everything. If we need an example, let’s consider POP3 SSL @ 995, or FTP @ 21.

1 Answer


Changing your ports is only a cloud of smoke as far as security is concerned. It may cause you to have less attempts against your services but it doesn't add any real security.

You are better off running a service that watches for portscans or intrusion attempts and blocking those IPs than changing your ports and making things potentially more difficult on users.

sclarson
  • +1 - There's that security-by-obscurity again... >smile – Evan Anderson Nov 30 '09 at 22:23
  • +1 - Attackers can still look at how the port responds and work out what the service is from that, but legitimate users will just be confused by an SSH server that runs on port 12327 (to pick an extreme example). – RainyRat Nov 30 '09 at 23:05
  • +1. This won't strengthen the security profile as an experienced hacker will find the open port anyway and then quickly determine what service is listening on that port. At the same time, you'll have made it more cumbersome for users and other services that need to connect to the port/service in question. – joeqwerty Nov 30 '09 at 23:59
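A minimal version of the portscan watcher the answer recommends, added here as an example and not the answerer's own code: it reads constructed iptables-style LOG lines and flags any source that touches many distinct destination ports within a short window, which is exactly how a relocated port (12327 in the comment above) still gets found. The threshold, window, sample addresses and log format are assumptions; feeding the flagged addresses to the firewall is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of iptables-style LOG lines (not from the original post).
# 203.0.113.7 probes several ports in a few seconds; 198.51.100.4 is a normal POP3S client.
SAMPLE_LOG = """\
Nov 30 22:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Nov 30 22:00:01 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=995
Nov 30 22:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Nov 30 22:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Nov 30 22:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Nov 30 22:00:03 fw sshd[4242]: Accepted publickey for admin from 198.51.100.4 port 51000
Nov 30 22:00:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=995
Nov 30 22:00:09 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=995
Nov 30 22:01:30 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=12327
"""

# Syslog timestamp, source address and destination port from a kernel LOG line.
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def parse_line(line, year=2009):
    """Return (timestamp, src_ip, dst_port), or None for lines that are not firewall hits."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))

def find_scanners(log_text, threshold=5, window_seconds=60, allowlist=()):
    """Map each source that hits >= threshold distinct ports within window_seconds
    to the sorted list of ports it touched. Allowlisted sources are never flagged."""
    hits = defaultdict(deque)   # src -> time-ordered deque of (timestamp, port)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, port = parsed
        if src in allowlist or src in flagged:
            continue
        window = hits[src]
        window.append((ts, port))
        # Drop hits older than the window so a slow, legitimate client is not penalised.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= threshold:
            flagged[src] = sorted(distinct)
    return flagged
```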