
Security through obscurity: Default ports

Recently someone asked me whether he should use alternative ports when connecting his new NAS to the internet. My opinion is that changing the default ports for services like FTP and SSH won’t actually save you from hackers, but it will make you a less likely target.

First of all, when someone targets you specifically, they will likely find your alternative ports with a port scan. However, there are a lot of bots that simply try to connect to port 21 (FTP) and port 22 (SSH) to check whether these services are available. Changing the ports will keep most of these bots out. You should never assume that changing the default port is enough to keep you safe, so you should always implement additional steps to secure your servers.
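The "additional steps" are easy to forget once the port has been moved, so here is a small audit of the settings that matter for an SSH server exposed to the internet. This is an added example, not the author's configuration or tooling: the two `sshd_config` excerpts are constructed, and the parser assumes the standard `Keyword value` syntax without `Match` blocks (sshd honours the first occurrence of each keyword, which the parser reproduces).

```python
# Audit an sshd_config excerpt for the layers that should accompany a non-default port.
# Added example; the config texts below are constructed, not taken from the post.

WEAK_CONFIG = """\
# sshd_config on the NAS before hardening (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# Non-default port plus key-only authentication and no root login (constructed sample)
Port 222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers backupuser
"""

# Documented OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {lowercase keyword: value} for the global section of an sshd_config.

    sshd uses the first value it sees for a keyword, so later duplicates are ignored.
    Assumption: no Match blocks; parsing stops at the first 'Match' line.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means every checked layer is in place."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["port"] == "22":
        findings.append("Port 22: default port, will be hit by mass-scanning bots")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: exposed to password guessing; use keys")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication disabled: key-based login is not available")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or ['no findings']}")
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the point of the output is that moving to port 222 alone clears only the first finding.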

But a theory is just a theory until it is tested. So I set up a small experiment this weekend. I installed an SSH server running on port 22 (default) and port 222 and logged the number of connection attempts. The test ran for 48 hours from Friday 21:00 until Sunday 21:00. During this time period, 22.482 connection attempts were made on port 22. 12 connection attempts were made on port 222. This all happened on a consumer internet connection on which normally no external ports are available.
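To reproduce the measurement above you only need to count new connections per listening port in the SSH daemon's log. The script below is an added example, not the author's setup: it assumes OpenSSH logging at `LogLevel VERBOSE`, where each accepted TCP connection produces a `Connection from <src> port <sport> on <dst> port <dport>` line, and the sample log lines it parses are constructed (documentation-range addresses, a few hours of a made-up weekend).

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt in the style of OpenSSH at LogLevel VERBOSE.
# Assumption: the "Connection from ... on ... port N" line is logged per connection;
# auth-failure lines ("Invalid user", "Failed password") are not counted as connections.
SAMPLE_LOG = """\
May 19 21:03:11 nas sshd[1201]: Connection from 203.0.113.10 port 51234 on 192.0.2.5 port 22 rdomain ""
May 19 21:03:12 nas sshd[1201]: Invalid user admin from 203.0.113.10 port 51234
May 19 21:04:40 nas sshd[1207]: Connection from 198.51.100.7 port 40022 on 192.0.2.5 port 22 rdomain ""
May 19 21:09:02 nas sshd[1213]: Connection from 203.0.113.10 port 51300 on 192.0.2.5 port 22 rdomain ""
May 19 22:15:55 nas sshd[1290]: Connection from 198.51.100.23 port 33102 on 192.0.2.5 port 222 rdomain ""
May 20 03:41:18 nas sshd[1450]: Connection from 203.0.113.77 port 60001 on 192.0.2.5 port 22 rdomain ""
May 20 03:41:19 nas sshd[1450]: Failed password for root from 203.0.113.77 port 60001 ssh2
"""

CONN_RE = re.compile(
    r"sshd\[\d+\]: Connection from (?P<src>\S+) port \d+ on \S+ port (?P<dport>\d+)"
)


def count_connections(log_text):
    """Return {listening_port: {"attempts": int, "sources": set of client IPs}}."""
    stats = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        port = int(m.group("dport"))
        stats[port]["attempts"] += 1
        stats[port]["sources"].add(m.group("src"))
    return dict(stats)


def summarize(stats, hours):
    """Rows of (port, attempts, distinct sources, attempts per hour), sorted by port."""
    return [
        (port, s["attempts"], len(s["sources"]), s["attempts"] / hours)
        for port, s in sorted(stats.items())
    ]


def share_on_port(stats, port):
    """Fraction of all observed connections that hit the given listening port."""
    total = sum(s["attempts"] for s in stats.values())
    return stats.get(port, {"attempts": 0})["attempts"] / total if total else 0.0


if __name__ == "__main__":
    stats = count_connections(SAMPLE_LOG)
    for port, attempts, sources, rate in summarize(stats, hours=48):
        print(f"port {port}: {attempts} connections from {sources} sources ({rate:.2f}/h)")
    print(f"share on port 22: {share_on_port(stats, 22):.0%}")
```

On a real host, feed it `journalctl -u ssh -o short` or `/var/log/auth.log` covering the same window on both ports; the distinct-source count is worth tracking alongside the raw attempts, since a single bot retrying every few minutes inflates the latter.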

Test results (chart not reproduced here)

The first thing that stands out immediately is the fact that while this port is normally unavailable, there were incoming connections within minutes after the port became available. In conclusion, it’s evident that you should never assume “no one is connecting” when you set up a “temporary” server.

Does changing default ports increase security?

Yes. It protects you from 90% of the bots that are looking for services on the default ports. It does not, however, protect you against an attack where a port-scan is used. In my test 12 connections were made on the non-standard port. So while it does increase the security of your server, it does not secure your server.

The recent outbreak of WannaCry is a great example. Vulnerable servers that had the default SMB port (445) forwarded were infected within hours. By contrast, servers that used a non-standard port did not get infected automatically. They were still vulnerable, but the WannaCry ransomware only tried to connect to the default SMB port.

When implementing a security policy every layer counts. In most cases, security through obscurity helps to protect your network, but you should never have to rely on obscurity alone.