[Discuss] S/W in Linux to change its default ports

Scott Petersen scott at slal.net
Mon Jan 8 11:39:15 PST 2007


R. McFarlane wrote:
> On 1/8/07 10:21 AM, Scott Petersen wrote:
>
> <snip>
>
>> All this being said, if you really want a single tool to change all 
>> ports on a system you could use iptables to mostly accomplish that. 
>> Iptables can do port forwarding (DNAT or Destination Network Address 
>> Translation). With that tool you could block external access on port 
>> 22 and forward external connections to port 2890 to port 22. The SSH 
>> Daemon would still be listening on port 22. This is much more complex 
>> than just using each application's config and, in my opinion, is 
>> really the wrong way to accomplish things.
>
>     I disagree. I would leave all software running on its default 
> ports and instead use the firewall to forward an outside obscure port 
> to the default inside port. This way, you don't have to reconfigure 
> your client programs to connect on the internal network, you only have 
> to remember the port number for when you are not at home.
>     That being said, if the ports are for public access (e.g. running 
> a mail server or web server for far more people than just yourself), 
> then you will want to leave them as is.
>
> <snip>
>
>
I suppose there are arguments to be made for both sides. However, my 
reasoning for saying it is the wrong approach is that I find the human 
element to be the weakest link in any security policy. The more 
complexity I can take out of my system, the more likely I am to configure 
it correctly and securely. As well, I don't have to remember to use one 
port internally and one port externally.

Of course, this is my experience and my opinion, refunds gladly provided 
in the same amount you paid for them. :-)

Cheers
Scott Petersen
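
[Editor's note, added to the archived thread; this is not code posted by either participant.] The DNAT setup described above, written out as an added example: sshd stays on port 22, the outside sees port 2890 (the number used in Scott's message), direct outside connections to 22 are dropped, and LAN clients keep using 22. The external interface name, the LAN range, the host names in the client stanza, and the use of REDIRECT (the DNAT special case that targets the firewall host itself) are assumptions of this example, not something the thread states. The script only prints the rules unless run as root with the argument "apply".

```shell
#!/bin/sh
# Added example for the thread above, not code from the original posts.
# Assumed: external interface eth0, LAN 192.168.1.0/24, obscure outside
# port 2890, sshd still listening on its default port 22.

WAN_IF="${WAN_IF:-eth0}"              # assumed external interface
EXT_PORT="${EXT_PORT:-2890}"          # port seen from the outside
SSH_PORT="${SSH_PORT:-22}"            # sshd keeps its default port
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed internal network

# Emit the iptables commands, one per line, so they can be reviewed first.
ssh_dnat_rules() {
    # nat/PREROUTING: rewrite the destination port of packets that arrive on
    # WAN_IF for EXT_PORT. REDIRECT is DNAT to the firewall's own address,
    # which is what we want because sshd runs on this same box.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j REDIRECT --to-ports $SSH_PORT"
    # filter/INPUT: replies and already-established flows.
    printf '%s\n' "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Accept only the redirected flows: after NAT they carry dport 22, but the
    # conntrack entry still records the original destination port (2890).
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctorigdstport $EXT_PORT -j ACCEPT"
    # Anything from outside that went straight to 22 is dropped.
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -j DROP"
    # Inside the LAN, clients keep using the default port unchanged.
    printf '%s\n' "iptables -A INPUT ! -i $WAN_IF -s $LAN_NET -p tcp --dport $SSH_PORT -j ACCEPT"
}

# Number of rules emitted, for a quick sanity check.
ssh_dnat_rule_count() {
    ssh_dnat_rules | wc -l | tr -d ' '
}

# Client side: a ~/.ssh/config stanza so nobody has to remember 2890.
# Host names are placeholders for this example.
ssh_client_config() {
    name="${1:-homebox}"
    ext="${2:-home.example.org}"
    printf 'Host %s-remote\n    HostName %s\n    Port %s\n\n' "$name" "$ext" "$EXT_PORT"
    printf 'Host %s\n    HostName %s\n    Port %s\n' "$name" "$name" "$SSH_PORT"
}

# Apply for real only when asked to and running as root; otherwise print.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
    ssh_dnat_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
else
    ssh_dnat_rules
fi
```

The --ctorigdstport match is what keeps the "block external access on port 22" half of the description honest: without it, the ACCEPT for dport 22 on the external interface would also admit connections that never passed through the REDIRECT. Note this is exactly the extra moving part Scott objects to; the sshd_config one-liner "Port 2890" needs none of it.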

