Restrict a port to a particular service/program?

Discussion in 'Server Operation' started by joshun, Apr 6, 2019.

Tags:
  1. joshun

    joshun New Member

    Hi guys,
    I want to harden my server from "ip hijacking" by restricting a port to a particular service/program to use.

    For example, this site might be using ngnix to listen to port 443, but once a hacker gets into the server and shuts it down, they can just use a mock program instead and at least acquire some user accounts and passwords. Another threat comes within - an employee who runs the server could mock one to acquire user information if enabled to shutdown the server and run a mock using the same port.

    This is a real vulnerability in C/S framework because the valid identification of server by a client is its ip+port only. ASUS has been disposed an accident that its firmware updating service was replaced by hacker to instill trojans to ASUS laptops trying to get recent "updates".

    I believe the quick and strong way to prevent these accidents is to use some firewall and explicitly dedicate some port number for some program (binary or python script) only, trying to bind it to any other program will be denied. Is there functionality in firewalld/iptables/SELinux or any other security programs to implement this idea?

    Thanks in advance.
     
  2. William WIlsey

    William WIlsey New Member

    following this post
     
  3. danhansen@denmark

    [email protected] Member HowtoForge Supporter

    Hi Joshun,

    Most of your programs listen at a default port. I change the default port for mine in the programs config file. If you want to do it better, maybe a PVE Firewall is the solution... Prevents spoofing.

    But, hijacking only works if your system is already infected. If it's not a problem, then make a clean installation and harden your system from scratch. Do the same as written above, anti virus software, e.g. ClamAV if it's a server which handles NTFS, FAT32 partitions etc. Setup VPN and so on, use a random source port instead of UDP port 53, randomize query ID, randomize the case of the letters of the resolved domain names.

    Check out this article from Spamhouse: https://www.spamhaus.org/news/article/778/network-hijacking-the-low-down


    KR
    Dan
     
    Last edited: Apr 28, 2019

Share This Page