Why do many companies...

  1. #1
    Member
    Join Date
    Dec 2001
    Posts
    31

    Why do many companies...

    ...who run their own webservers use default ports for daemons like ftp, ssh, etc.? It would make more sense to me for them to use different ports, so if some script kiddie is scanning a subnet for a new ftp vulnerability to which their software is vulnerable, they likely won't get attacked.

  2. #2
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Because a lot of times they are doing it for ease of use. I know that with my company, people don't want to change the port in their FTP program to 9009 or something other than 21.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  3. #3
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    Big companies don't worry about script kiddies; firewalls take care of them. Patches and smart configuring secure the ports they have open... and webservers usually only have port 80 open.

  4. #4
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    349
    Well, not necessarily that they won't get attacked. Because I'm sure that there are port scanners out now that can find an ftp server even if it is assigned a different port. But I think it would be easier altogether to stay up to date with the ftp software they are running instead of changing which port the daemon listens on, because even if they did change the port, the script kiddy can probably still analyze that it is an ftp server even if it is on a different port, and still exploit it as if you never changed the port. Hope I answered a few of your questions.
    "Serenity is not the absence of conflict, but the ability to cope with it."

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Yes, they still will get the port through a port scan, but in changing the default port and "forcing" the attacker to use a scanner... you as an attacker just set off the IDS system and the attacker's IP is flagged. Even the most basic of security deployments flag a port scan.

    The bottom line is ease of use like CXGJarrod said - your end users will have difficulty setting up non-standard ports.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
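The port-scan flagging mentioned in post #5 can be sketched as a sliding-window count of distinct destination ports per source. This is an added example, not part of the original thread; the log format, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed look-back window
PORT_THRESHOLD = 5    # assumed number of distinct ports that counts as a scan

# Constructed firewall log: timestamp, source, destination, dest port, action.
SAMPLE_LOG = """\
1000.0 198.51.100.7 192.0.2.10 21 DROP
1000.1 198.51.100.7 192.0.2.10 22 DROP
1000.2 198.51.100.7 192.0.2.10 23 DROP
1000.3 198.51.100.7 192.0.2.10 25 DROP
1000.4 198.51.100.7 192.0.2.10 80 DROP
1000.5 198.51.100.7 192.0.2.10 9009 ACCEPT
1001.0 203.0.113.5 192.0.2.10 9009 ACCEPT
1020.0 203.0.113.5 192.0.2.10 9009 ACCEPT
1100.0 203.0.113.9 192.0.2.10 21 DROP
1130.0 203.0.113.9 192.0.2.10 22 DROP
1160.0 203.0.113.9 192.0.2.10 23 DROP
1190.0 203.0.113.9 192.0.2.10 25 DROP
1220.0 203.0.113.9 192.0.2.10 80 DROP
"""

def detect_scans(log_text, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {source_ip: timestamp at which it was first flagged}."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port)
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines
        ts, src, dst, port = float(parts[0]), parts[1], parts[2], int(parts[3])
        events = recent[(src, dst)]
        events.append((ts, port))
        # Drop events that have aged out of the window.
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct_ports = {p for _, p in events}
        if len(distinct_ports) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

if __name__ == "__main__":
    for src, ts in detect_scans(SAMPLE_LOG).items():
        print(f"{src} flagged as port scan at t={ts}")
```

The client that already knows the service is on port 9009 never trips the rule, and the source that spreads five probes over two minutes is missed unless the window is widened.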

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Originally posted here by n01100110
    Well, not necessarily that they won't get attacked. Because I'm sure that there are port scanners out now that can find an ftp server even if it is assigned a different port. But I think it would be easier altogether to stay up to date with the ftp software they are running instead of changing which port the daemon listens on, because even if they did change the port, the script kiddy can probably still analyze that it is an ftp server even if it is on a different port, and still exploit it as if you never changed the port. Hope I answered a few of your questions.
    n01100110: That was exactly the point I was going to make. There are vulnerability scanners (such as nessus) that will not only look at the port, but match up the banner/footprint that is returned to find out which service (along with the server vendor and version) it is running. It can then map out the service along with port to see if it has been patched or list any known vulnerabilities.

    One thing someone can do to fool these vulnerability scanners is to change the banner that is reported back... for instance... someone using BulletProof FTP can change the banner to look like they're using Pure FTP. The scanner would then list vulnerabilities of Pure FTP instead of BulletProof FTP, and all exploits they throw at it will fail. This can be done with several services using various methods.

    Another example... a virus writer writes a worm that will infect all Apache version x.x.x servers. It scans the web server to find out which version it is running. If it is running Apache version x.x.x, it will then try to exploit it. If the Apache server returns that it is supposedly running GenericX, the worm might skip it and move to the next web server.

    Another example would be to use something like Proxomitron to make it look like your browser is Netscape when you are really using IE. This could cause some formatting errors though... because the server will be serving pages to what it thinks is a Netscape browser when it's really IE, and they won't display properly. I've done this to fool the Cisco Router Web Setup into thinking that I was using IE when I was really using Mozilla (an unsupported browser according to Cisco).

    Besides the browser trick, I have not tried any of the other services tricks. They were all explained to me by one of my professors. If anyone has any more information about this, I'd really be interested in reading up on it more. Thanks!

    A reason they might not want to change it... if your clients need to connect to the ftp server, you'd have to tell every client which port it is running on. It will make it more confusing for the client trying to access the service and you'd be fielding phone calls all the time to explain to them you changed the port for no good reason at all.

    The best solution (IMO) would be to only run services you NEED and only allow clients that NEED access. This can be done by keeping up with service packs and patches, firewalling (using ACLs or other rule based IDS) and using strong usernames and passwords.

    It is good that you can change the ports if you want to... example: My ISP won't allow me to run public servers on my home network and they block traffic destined for certain ports. But... I do want to access my Intranet page from school. I can change the port the web server is running on, then change the rules in my firewall to allow traffic from my school network. I'm not providing a public service or server... I'm simply using the service I pay for.
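As an added example (not part of the original thread), the sketch below shows why the listening port says little about what a service is: an audit of your own hosts identifies the protocol from the greeting, and compares the claimed product with what your inventory says is installed. The banners, port numbers other than 9009, and the inventory are constructed; a 220 greeting is also used by SMTP, so a real scanner confirms with further protocol commands.

```python
import re

STANDARD_PORT = {"ftp": 21, "ssh": 22, "http": 80}

def identify(banner):
    """Guess (protocol, claimed product) from the first bytes a service sends."""
    first = banner.splitlines()[0] if banner else ""
    m = re.match(r"SSH-\d+\.\d+-(\S+)", first)        # SSH identification string
    if m:
        return ("ssh", m.group(1))
    if first.startswith("HTTP/"):                     # HTTP status line
        m = re.search(r"^Server:\s*(.+)$", banner, re.I | re.M)
        return ("http", m.group(1).strip() if m else "unknown")
    m = re.match(r"220[ -](.*)", first)               # FTP-style 220 greeting
    if m:
        return ("ftp", m.group(1).strip())
    return ("unknown", "")

def audit(observations, inventory):
    """observations: [(port, banner)]; inventory: {port: installed product}."""
    findings = []
    for port, banner in observations:
        proto, claimed = identify(banner)
        notes = []
        if proto in STANDARD_PORT and port != STANDARD_PORT[proto]:
            notes.append("non-default port")
        installed = inventory.get(port)
        if installed and installed.lower() not in claimed.lower():
            notes.append("banner does not match installed software")
        findings.append((port, proto, notes))
    return findings

# Constructed banners as collected from one's own server.
OBSERVED = [
    (9009, "220 Pure FTP ready\r\n"),
    (2222, "SSH-2.0-ExampleSSH_1.0\r\n"),
    (8080, "HTTP/1.1 200 OK\r\nServer: GenericX\r\n\r\n"),
]
# Constructed inventory of what is actually installed on each port.
INVENTORY = {9009: "BulletProof FTP", 2222: "ExampleSSH", 8080: "Apache"}

if __name__ == "__main__":
    for port, proto, notes in audit(OBSERVED, INVENTORY):
        print(port, proto, "; ".join(notes) or "ok")
```

Patch status therefore has to be tracked from the inventory rather than from what the service announces, since an altered banner misleads your own scanner's reports as much as anyone else's.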

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Besides the whole firewall and security through obfuscation doesn't work issues, there is also ease of use. My company has a lot of nontechnical people (including contractors and business partners) that use ftp etc. that may not know enough to secure their ports. There are also multi-business compatibility issues: if I have a nonstandard port for ftp and one of my partnering companies doesn't, they have to configure their firewall to allow another port out that they wouldn't have otherwise.
    Who is more trustworthy then all of the gurus or Buddha’s?
