443 or not to 443

[aLf]

Hi.

 

Just curious among those out there that are as anal about security as me.

 

Most items, ISY, modem, router, security, etc. are shipped with "default" http & https ports as 80 & 443 respectively. Is there any reason to EVER use these ports? Why, when every person out there knows that for instance, a router is on 443 could hack in. Granted they would need the password, but if you set up the item on another port it would make it that much harder to find. To have access to all from the net, one has to have only one using 443 any way.

 

I thought about using the VPN to access my local network, then go to each item, but the VPN is slow. That said also, if for some reason the VPN went down you couldn't manage the router, i.e., reboot from away!

 

Any ideas on this or other security insurance policy's is much appreciated.

 

aLf

[mitch236]

I've often wondered this too. But since it seems that almost every https connection I know of (and I'm in the medical field so security is paramount) uses 443 so maybe it doesn't matter what port you use because hackers can find your open ports anyway. There are ways to really clamp down your network (depending on your router). You can set up your router to only accept connections from certain MAC addresses or ip addresses. Of course, that precludes using a foreign remote computer to connect to your ISY but maybe you don't care about that.

[markens]

Great question. A port scanner will obviously find open ports on your server, no matter what they are. But many (most?) probe attempts are simply sent to default ports for the service. So running on non-default ports can help shield from those.

 

I personally run private services on my server (such as https and ssh) on non-standard ports. It's easy to set up and use, and the benefits seem worth it to me.

 

Note that on most router/firewalls you can set up a non-default port for https on the internet-facing side, and forward internally to a standard port (443) on the ISY, leaving it at its default.

[aLf]

mitch236:

 

Is there a protocol (name) to look for in the router for setting up access only from certain mac's? I only use two computers fro router/ISY maintenance and would be interested in that.

 

mitch236 & markens: If in my case I have multiple peripherals on my network that are https possible. Question is, can you set up more than one on 443? Or do you just dream up new port numbers? Also, with password protection on the port peripheral, is one "fairly" safe to hacking? Enough work to find the URL (IP), then figure out the password...

 

Lastly, my router (Draytek) has an option in the setup pages, under management, that allows for http, https, telnet, etc. access. I checked only the box for https and then tried to log in using the http (not https) URL:Port and got the password page. Any ideas there?

 

Thanks ahead for all the input.

 

aLf

[mitch236]

I'm not familiar with your particular router but most routers will allow any http traffic as a default. You may have to delete a default rule that allows http traffic.

 

You have to hunt around for the interface that allows you to restrict inbound traffic. The easiest way to find out how to program your router is to Google exactly what you want to do.

 

Like put in the search bar: how do I restrict inbound traffic in my linksys ....

 

You will get enough info!!!

 

 

Keep in mind that nothing you do can stop a talented hacker from accessing your network. The best you can do is NOT put your sensitive hardware on the network. I never understood why people would put their house alarms on their automation network except to monitor its condition. I see these apps that allow an iPhone user to disarm their alarm and that is insane!! And then they come to these types of forums and post their questions about whatever issue they are having. If I were a modern day criminal, I would hang out at home security/automation sites and get all sorts of info. Be careful.

[MikeB]

I liken changing the default port to locking your car door. Will it stop someone who wants to get in? No, but it might make them move on to the next car.