/dev/urandom

Pseudorandom thoughts generator.

I'm Niccolò Maggioni.
Student, geek and developer.

On default ports

Let’s face it: leaving your MySQL on the default port 3306 is… comfy. As comfy as it is to leave any service on its default port configuration.

You don’t have to store the umpteenth number in your head, all the most usual clients and interfaces will pick up the right port without asking, and most of the time, when you have to configure a firewall or port forwarding, you’ll find presets here and there, ready to be applied… It is definitely a nice little help in a {developer|sysadmin}’s everyday life.

But there are downsides! The first one that comes to my mind is decreased security, closely followed by higher complexity of operation, being error-prone whenever you forget the change, and a bunch of noise in the logs.

Security

By not changing the default port of a service you’ll more likely be subject to attacks and scans: a quick GitHub search turned up Routerhunter 2.0 and Sn1per for example, but I remember having seen much worse tools around the net aimed at mass-scanning for vulnerabilities and default credentials.


It may not even be that difficult, now that I think of it, to write a script that iterates through a given range of IPs doing a standard nmap portscan and trying default credentials for known services if their ports are found to be open… Given enough bandwidth and time, I’m quite sure you’d pick up some interesting data. Throw in the deal a decent amount of parallel connections and you’d be set even better. But I’m rambling here.


Complexity of operation

Not all tools - especially custom-written ones - support the customization of the port number of whatever service they are relying on, and this will introduce a lot of overhead in such edge cases.

You may even have to write your own little proxy or network bridge, if you’re particularly unlucky.

Being forgetful

Just this morning, for the first time after so long, I had to connect to a special MySQL database from outside the server it resides on and was promptly greeted with a cheerful ERROR 2003 (HY000): Can't connect to MySQL on server 'myhost.com' (101).

So I had to troubleshoot my local laptop connection, SSH (actually Mosh’ing, heh!) into the server, check the firewall, check MySQL’s configuration, actually check the config a second time because I was looking at the wrong section of it, and then finally resume my development flow after having dreadfully acknowledged that I was running on public port 3307 (so original on my side!).

I wasted some time, but most importantly my flow broke completely and I had to start focusing again - something I’m sure that most (if not all) developers hate.

Log noise

As the user “tylerl” wrote in this StackOverflow answer about dealing with massive port scans, they can be the cause of quite a lot of unnecessary rows in your log files.

Perhaps you may want to remap SSH to port 222 or something in the upper range to avoid filling your auth logs with failed logins.

Unnecessary entries mean more disk usage, but most importantly more effort when you have to search for something in those log files.
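To make the "noise" concrete, here is a small added example (my own illustration for this post, not a tool the original text mentions) that walks over sshd lines in the auth.log format, tallies failed logins per source address and per user, and flags sources that cross a threshold. The log lines are constructed for the demo and use documentation-range addresses; the hostname, user name and the SHA256 fingerprint are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (syslog timestamp, hostname, process[pid], message). Addresses are from the
# documentation ranges and the key fingerprint is a placeholder.
SAMPLE_AUTH_LOG = """\
Mar  3 06:12:01 myhost sshd[1021]: Failed password for root from 198.51.100.7 port 53522 ssh2
Mar  3 06:12:03 myhost sshd[1021]: Failed password for root from 198.51.100.7 port 53523 ssh2
Mar  3 06:12:04 myhost sshd[1023]: Invalid user admin from 198.51.100.7 port 53530
Mar  3 06:12:05 myhost sshd[1023]: Failed password for invalid user admin from 198.51.100.7 port 53530 ssh2
Mar  3 06:12:09 myhost sshd[1030]: Failed password for root from 203.0.113.45 port 41200 ssh2
Mar  3 06:13:40 myhost sshd[1042]: Accepted publickey for niccolo from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  3 06:13:40 myhost sshd[1042]: pam_unix(sshd:session): session opened for user niccolo by (uid=0)
Mar  3 06:14:12 myhost sshd[1050]: Connection closed by 198.51.100.7 port 53540 [preauth]
"""

# "Failed password for root from X" and "Failed password for invalid user bob from X"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
# "Accepted publickey for alice from X port N"
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def summarize_auth_log(text):
    """Classify each sshd line as failed / accepted / other and tally the
    failures per source address and per attempted user name."""
    failed_by_ip = Counter()
    failed_by_user = Counter()
    accepted = []
    total = failed = 0
    for line in text.splitlines():
        if "sshd[" not in line:
            continue  # not an sshd line, ignore it
        total += 1
        m = FAILED_RE.search(line)
        if m:
            failed += 1
            failed_by_user[m.group(1)] += 1
            failed_by_ip[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(2), m.group(3)))  # (user, source ip)
    return {
        "total": total,
        "failed": failed,
        "noise_ratio": failed / total if total else 0.0,
        "failed_by_ip": failed_by_ip,
        "failed_by_user": failed_by_user,
        "accepted": accepted,
    }


def flag_sources(summary, threshold=3):
    """Source addresses with at least `threshold` failed logins, most active
    first. This is the kind of signal that gets buried in a noisy log."""
    return [
        ip for ip, n in summary["failed_by_ip"].most_common() if n >= threshold
    ]


if __name__ == "__main__":
    s = summarize_auth_log(SAMPLE_AUTH_LOG)
    print(f"sshd lines: {s['total']}, failed logins: {s['failed']} "
          f"({s['noise_ratio']:.0%} of the sshd lines)")
    for ip, n in s["failed_by_ip"].most_common():
        print(f"  {ip:<16} {n} failures")
    print("flagged:", flag_sources(s))
```

Run it against a real file with `summarize_auth_log(open("/var/log/auth.log").read())`; the one successful login is a single row among the failures, which is exactly the "needle in the noise" the quoted answer is complaining about.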

Have you been targeted by the CCC’s masspoem4u software not so long ago? It was not one of the nicest feelings in the morning.


In the end it’s a matter of what you value the most: simplicity or security. Do you run a small backend with not-so-important development data in it? Go with the default port. Do you run a gigantic behemoth monolith holding tons of corporate data? Screw the simplicity.
