-
Why do many companies...
...who run their own webservers use default ports for daemons like ftp, ssh, etc? It would make more sense to me for them to use different ports, so if some script kiddie is scanning a subnet for a new ftp vulnerability to which their software is vulnerable, they likely won't get attacked.
-
Because a lot of times they are doing it for ease of use. I know that with my company, people don't want to change the port in their FTP program to 9009 or something other than 21.
-
Big companies don't worry about script kiddies; firewalls take care of them. Patches and smart configuring secure the ports they have open... and webservers usually only have port 80 open.
-
Well, not necessarily that they won't get attacked. Because I'm sure that there are port scanners out now that can find an ftp server even if it is assigned a different port. But I think it would be easier altogether to stay up to date with the ftp software they are running instead of changing which port the daemon listens on, because even if they did change the port, the script kiddy can probably still analyze that it is an ftp server even if it is on a different port, and still exploit it as if you never changed the port. Hope I answered a few of your questions.
-
Yes, they still will get the port through a port scan, but in changing the default port and "forcing" the attacker to use a scanner... you as an attacker just set off the IDS and the attacker's IP is flagged. Even the most basic of security deployments flag a port scan.
The bottom line is ease of use like CXGJarrod said - your end users will have difficulty setting up non-standard ports.
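The simplest form of the rule the post above refers to (one source touching many distinct ports on one host in a short window), written as an added example that is not from the thread; the log format, thresholds and sample addresses are constructed assumptions, not any real IDS's:

```python
# Added example: a toy port-scan detector over constructed firewall log lines.
# Log format, thresholds and addresses are assumptions, not any real IDS's.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<time> <src_ip> -> <dst_ip>:<dst_port> <verdict>".
# 203.0.113.7 sweeps eight ports in six seconds; 198.51.100.5 is a normal
# client that mostly talks to the FTP daemon moved to port 9009.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 -> 192.0.2.10:21 DROP
2024-01-01T10:00:01 203.0.113.7 -> 192.0.2.10:22 DROP
2024-01-01T10:00:01 203.0.113.7 -> 192.0.2.10:23 DROP
2024-01-01T10:00:02 203.0.113.7 -> 192.0.2.10:80 ACCEPT
2024-01-01T10:00:03 203.0.113.7 -> 192.0.2.10:443 DROP
2024-01-01T10:00:04 203.0.113.7 -> 192.0.2.10:8080 DROP
2024-01-01T10:00:05 203.0.113.7 -> 192.0.2.10:9009 ACCEPT
2024-01-01T10:00:06 203.0.113.7 -> 192.0.2.10:3389 DROP
2024-01-01T10:00:00 198.51.100.5 -> 192.0.2.10:9009 ACCEPT
2024-01-01T10:05:00 198.51.100.5 -> 192.0.2.10:9009 ACCEPT
2024-01-01T10:09:00 198.51.100.5 -> 192.0.2.10:80 ACCEPT
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _verdict = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port)

def find_port_scans(log_text, min_ports=8, window_seconds=60):
    """Return {(src, dst): max distinct ports} for sources that touched at least
    min_ports distinct ports on one host within window_seconds. DROP and ACCEPT
    both count: the scan is the pattern, not the individual verdicts."""
    events = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, host, port = parse_line(line)
            events[(src, host)].append((ts, port))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0  # sliding window over the time-ordered hits
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in find_port_scans(SAMPLE_LOG).items():
        print(f"ALERT: {src} probed {n} distinct ports on {dst}")
```

The legitimate client never trips the rule even though it also reaches the non-standard port, which is the distinction the post draws between a user who knows the port and an attacker who has to hunt for it.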
-
Quote:
Originally posted here by n01100110
Well, not necessarily that they won't get attacked. Because I'm sure that there are port scanners out now that can find an ftp server even if it is assigned a different port. But I think it would be easier altogether to stay up to date with the ftp software they are running instead of changing which port the daemon listens on, because even if they did change the port, the script kiddy can probably still analyze that it is an ftp server even if it is on a different port, and still exploit it as if you never changed the port. Hope I answered a few of your questions.
n01100110: That was exactly the point I was going to make. There are vulnerability scanners (such as nessus) that will not only look at the port, but match up the banner/footprint that is returned to find out which service (along with the server vendor and version) it is running. It can then map out the service along with port to see if it has been patched or list any known vulnerabilities.
One thing someone can do to fool these vulnerability scanners is to change the banner that is reported back... for instance... someone using BulletProof FTP can change the banner to look like they're using Pure FTP. The scanner would then list vulnerabilities of Pure FTP instead of BulletProof FTP and all exploits they throw at it will fail. This can be done with several services using various methods.
Another example... a virus writer writes a worm that will infect all Apache version x.x.x servers. When it scans the web server to find out which version it is running, if it is running Apache version x.x.x it will then try to exploit it. If the Apache server returns that it is supposedly running GenericX, the worm might skip it and move to the next web server.
Another example would be to use something like Proxomitron to make it look like your browser is Netscape when you are really using IE. This could cause some formatting errors though... because the server will be serving pages to what it thinks is a Netscape browser when it's really IE and they won't display properly. I've done this to fool the Cisco Router Web Setup into thinking that I was using IE when I was really using Mozilla (an unsupported browser according to Cisco).
Besides the browser trick, I have not tried any of the other services tricks. They were all explained to me by one of my professors. If anyone has any more information about this, I'd really be interested in reading up on it more. Thanks!
A reason they might not want to change it... if your clients need to connect to the ftp server, you'd have to tell every client which port it is running on. It will make it more confusing for the client trying to access the service and you'd be fielding phone calls all the time to explain to them you changed the port for no good reason at all.
The best solution (IMO) would be to only run services you NEED and only allow clients that NEED access. This can be done by keeping up with service packs and patches, firewalling (using ACLs or other rule-based IDS) and using strong usernames and passwords.
It is good that you can change the ports if you want to... example: My ISP won't allow me to run public servers on my home network and they block traffic destined for certain ports. But... I do want to access my Intranet page from school. I can change the port the web server is running on, then change the rules in my firewall to allow traffic from my school network. I'm not providing a public service or server... I'm simply using the service I pay for.
-
Besides the whole firewall and "security through obfuscation doesn't work" issues, there is also ease of use. My company has a lot of nontechnical people (including contractors and business partners) that use ftp etc. that may not know enough to secure their ports. There are also multi-business compatibility issues: if I have a nonstandard port for ftp and one of my partnering companies doesn't, they have to configure their firewall to allow another port out that they wouldn't have otherwise.