Changing web server from port 80 to something else

Drakkon

Diamond Member
Aug 14, 2001
Other than "security by obscurity" is there any gain associated with running a web server on a different port than 80 - say 8000? Or are there any pitfalls to doing this?

Back story - have a server running an internal website. We've restricted it in the past to internal IPs only, but suddenly someone higher up wanted access from home/road. So we opened it to external IPs (no VPN). So the admin just changed the port the server was running off of and called it "good" because it's obscure. I'm just wondering how "good" this really might be...
 

skyking

Lifer
Nov 21, 2001
Not too good. A portscan will pick that up unless you have a system in place to shut that down. I'd be hardening that server ASAP, if it is not already good for "prime time" WAN exposure.
I would also stick .htaccess out in front of it as an added measure.
 

Tarrant64

Diamond Member
Sep 20, 2004
You may run into some internal applications that by default reference port 80 for the web server. All depends on what you are using though. This goes for most applications when you change the default port number.

skyking is right, changing the port doesn't do much for security these days.
 

Crusty

Lifer
Sep 30, 2001
Doesn't matter, any decent port scanner that can open a TCP connection to the server will be able to tell it's a web server sitting on your 'obscure' port. There's nothing secure about that.
 

RebateMonger

Elite Member
Dec 24, 2005
There probably is something to be gained by this. It depends on what you are trying to protect against.

It takes time to scan EVERY TCP port for a web server, so a generic 'bot scanning the Internet for web sites isn't going to bother, as long as you don't use 8000 or 8080 or some other easy-to-guess port. If it's a specific probe of a specific server at a specific IP address, then that's less time consuming.

Intrusion detection software can also detect port scans and do something about it (deny access, notify administrator, etc.).
 

Gillbot

Lifer
Jan 11, 2001
The GRC port scanner goes through ports pretty quickly. I'd imagine there are others that can skim through and find an open port rather quickly.
 

skyking

Lifer
Nov 21, 2001
I do use some "security through obscurity" myself, it does have some usefulness. None of my exposed ssh boxes are on a standard port, simply because I don't need logfiles of failed logins. They are still hardened.
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: Gillbot
The GRC port scanner goes through ports pretty quickly. I'd imagine there are others that can skim through and find an open port rather quickly.
Have you ever scanned the 1056 "Service Ports" with the GRC scanner? GRC takes well over a minute to scan 1056 ports. It'd average about one hour per IP address to find a single "obscure" web site. That's 4200 days (11 years) for 100,000 IP addresses.

A generic scanning 'bot isn't going to spend that time when there are zillions of web sites running on TCP Port 80 to be investigated.
 

Crusty

Lifer
Sep 30, 2001
nmap scanned 65536 ports in about 10s on my local network, sure it's going to take longer over the Internet but it's definitely fast.
 

drebo

Diamond Member
Feb 24, 2006
Do yourself a favor and set up a remote access VPN. PPTP is pretty easy to configure on a Windows server.
 

zenguy

Member
Jan 23, 2009
As others have noted, "Obscure" does not do much for security.

A second issue is that some places may only allow a limited number of ports in/out.

So if you start running on non-standard port numbers, there is a chance your boss could end up on some network where he could not access your server.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
If changing the port does not affect the system, then change it.

Why not change? Emotional security is just as important as real functional security.

However, if such a change creates turmoil in the whole system and needs adaptation and changes, taking some anti-anxiety medication can be more productive than changing the port. :shocked:
 

Tarrant64

Diamond Member
Sep 20, 2004
Originally posted by: RebateMonger
There probably is something to be gained by this. It depends on what you are trying to protect against.

It takes time to scan EVERY TCP port for a web server, so a generic 'bot scanning the Internet for web sites isn't going to bother, as long as you don't use 8000 or 8080 or some other easy-to-guess port. If it's a specific probe of a specific server at a specific IP address, then that's less time consuming.

Intrusion detection software can also detect port scans and do something about it (deny access, notify administrator, etc.).

Another thing to add to this. A good firewall will sometimes have this built-in functionality, and of course IDS software can be installed on the server itself. SNORT can do this for you.

Back to the firewall, a good one will see port scans occurring and should just drop the connection altogether, preventing this from happening.
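A small illustration of the port-scan alerting RebateMonger and Tarrant64 describe, added here as an example (it is not from the thread and is not Snort or any firewall's logic): it counts distinct destination ports per source IP inside a sliding time window over constructed iptables-style log lines. The addresses, log format, threshold and window are all assumptions.

```python
"""Toy port-scan detector run over constructed firewall log lines.

A source is flagged when it touches more than PORT_THRESHOLD distinct
destination ports within any WINDOW-second span. Log format is
iptables-style (constructed sample, not taken from the thread)."""
import re
from collections import defaultdict
from datetime import datetime

PORT_THRESHOLD = 10      # distinct ports before we call it a scan
WINDOW = 60              # seconds

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (timestamp, src, dport) or None for lines that don't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src"), int(m.group("dpt"))

def detect_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return {src: max_distinct_ports} for sources whose distinct-port count
    exceeds `threshold` inside some sliding window of `window` seconds."""
    events = defaultdict(list)                 # src -> [(ts, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            events[src].append((ts, dport))
    alerts = {}
    for src, evs in events.items():
        evs.sort()                             # sorts by timestamp first
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1                     # slide the window forward
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) > threshold:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts

# Constructed sample: 203.0.113.5 probes 12 ports in 12 s; 198.51.100.7 is an
# ordinary client repeatedly hitting the single web port 8000.
SAMPLE_LOG = (
    [f"2009-02-01T10:00:{i:02d} kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT={80 + i * 7} SYN"
     for i in range(12)]
    + [f"2009-02-01T10:01:{i:02d} kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=8000 SYN"
       for i in range(30)]
)

if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))            # {'203.0.113.5': 12}
```

The busy but single-port client is never flagged, which is the distinction a threshold on distinct ports (rather than on raw connection count) buys you.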
 

netsysadmin

Senior member
Feb 17, 2002
If you cannot do VPN to access the site then I would at least suggest getting an SSL cert and securing the site with user authentication.

John
 

Nothinman

Elite Member
Sep 14, 2001
Do yourself a favor and set up a remote access VPN. PPTP is pretty easy to configure on a windows server.

PPTP is also incredibly insecure, even MS recommends against using it.
 

drebo

Diamond Member
Feb 24, 2006
It's more secure than exposing the entire web application to the world.
 

Nothinman

Elite Member
Sep 14, 2001
It's more secure than exposing the entire web application to the world.

Using something known to be insecure and easily broken is less secure than nothing because it gives you a false sense of security.
 

drebo

Diamond Member
Feb 24, 2006
Kind of like changing the access port, right?

If someone wants to get in, they're going to get in. 99% of people do not know how to circumvent a PPTP VPN. That's more secure than nothing, I'd say.
 

Nothinman

Elite Member
Sep 14, 2001
Kind of like changing the access port, right?

Yea, they're both pretty much equally worthless.

99% of people do not know how to circumvent a PPTP VPN. That's more secure than nothing, I'd say.

No, at best they're a wash, because once they realize you've got a PPTP tunnel up they can trivially break in. Bad security is worse than no security in most cases.