As convenient as staying with default ports for services on your server is, the sad truth is that thanks to attackers this is probably not such a good idea.
In order to change the listening port for Remote Desktop connections on your Windows Server 2008 R2 instance, you’ll need to first edit the registry and then allow the change in through the firewall.
The steps are as follows:
- Start Registry Editor (Start -> Run -> Type ‘regedit’ -> Enter)
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
- On the Edit menu, click Modify, and then click Decimal.
- Type the new port number, and then click OK.
Then, if you are running a firewall, you’ll need to add an exception for your newly selected port so that traffic over it is indeed allowed. To do this:
- Go to Windows Firewall with Advanced Security >> Inbound Rules >> New Rule >> Enter port number >> Next >> Next >> Done
With all the values changed and the new firewall rule in place (very important if you are doing this with a machine that you don’t actually have physical access to!), close the registry editor and restart/reboot the server.
(And if you are working remotely, then enjoy the agonizing wait before you can try to connect again all while hoping that you did everything correctly first time around! Stressful to say the least.)
Nowadays it would seem really silly to connect a machine to the Internet without some sort of firewall enabled so as to afford it at least a little bit of shielding against the big bad world out there.
A quick and easy solution for Ubuntu is the Uncomplicated Firewall, aka ufw package.
From the documentation: The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default ufw is disabled.
Although it should be installed on your Ubuntu server by default, in the event it isn’t then this is easily enough rectified by running:
sudo apt-get install ufw
Next up is to ensure the ports you know need to be opened up to the rest of the world are indeed enabled in ufw. Needless to say, if this is a remote server then SSH HAS to be enabled, so do that one first! To enable, i.e. add a port, simply run:
sudo ufw allow 22
Note, you can modify the above to control which type of traffic (tcp/udp) it allows through, but for this simple example the above is perfectly fine. If you are setting up a webserver then generally you want to open up FTP (21), SSH (22), HTTP (80), and HTTPS (443).
With SSH access ensured, you can then change the default behaviour to block all incoming traffic not catered for by the allow rules.
sudo ufw default deny
You can check up the status by running:
sudo ufw status verbose
Once you’re happy with your config, enable ufw and if you really want to be sure that ufw rules are being run, reboot your server just for the heck of it.
sudo ufw enable sudo reboot now
Pretty simple, but well worth knowing.
Related Link: https://help.ubuntu.com/community/UFW
By default the SSH daemon listens on port 22 for incoming connections, meaning that in order to harden your server installation ever so slightly, you should switch out the default port 22 to something a little more obscure.
To do this is relatively easy. Simply open the the config file and change the Port declaration (which is right near the top of the file):
sudo nano /etc/ssh/sshd_config
After changing the value to something like 2211, save the file and exit.
now reload the service daemon with:
sudo reload ssh
Important, don’t yet log out of your current root SSH session! We first need to test if our change was successful. So launch up a new terminal and log in to your server using the new port number:
ssh -p 2211 email@example.com
If you successfully connect, great, you know your change was a success. You can further ease your mind by trying to SSH in via a new terminal using the old port number – this connection attempt should fail.
Now that you know the change has been made, you can log out of your initial root terminal window where you originally made the change.
A port is just a port, and just because there is a standard one that is used by something, it doesn’t mean you always have to use the default port for doing that something. Enter sending out an e-mail message via SMTP when using a GoDaddy e-mail account.
Although GoDaddy restricts incoming e-mail to ports 110 and 995 (SSL), outgoing SMTP ports (usually via its smtpout.secureserver.net server) are a little more open. This tutorial will teach you how to find out which ports are available for you to use in your e-mail sending application.
First, login to GoDaddy’s site (http://www.godaddy.com) and click on the “Email” button on the main green menu bar. If you have any active e-mail accounts, they will be listed, and to the right of each entry you will find a green launch button. Clicking on this will open the Control Center.
Once in the Control Center, you’ll see your e-mail addresses listed under the Email Plans folder. The addresses are laid out in a table, with the columns, Address, Size, Relays, Attributes, and Actions.
In the Actions column you will see a Tools icon. Click on it to launch the Info Center.
The Email Info Center is a one-page view of your e-mail address account settings. Under the fieldset entitled “Email Server Settings”, you will spot a label “Outgoing server (SMTP):”, giving you the server details to use, as well as a list of available and open ports. Score!
So if you want to move away from the standard port 25 and perhaps now send out on port 80 via your PHPMailer-using PHP script, your code would look like this:
$mail = new PHPMailer(); $mail->IsSMTP(); // set mailer to use SMTP $mail->Host = "smtpout.secureserver.net"; // specify main and backup server $mail->Port = 80; // new port $mail->SMTPAuth = true; // turn on SMTP authentication $mail->Username = "firstname.lastname@example.org"; // SMTP username $mail->Password = "mypassword"; // SMTP password
Although port 21 is the default port used for SSH connections and thus SCP, most of the time you will find that in order to increase protection, the actual assigned port is far removed from the default 21. So how do you specify this when running a SCP copy operation?
Well SSH has the lowercase -p switch that allows you to specify which port to attempt to connect on, looking like this in practice:
ssh -p 6188 othermachine.com
However, SCP for some or other reason (most likely due to the prevalence of using -p as a password switch elsewhere in Linux) does not use the lowercase -p to specify port, opting rather to make use of a capital -P to specify the port to use.
This means your SCP call would look like this:
scp -P 6188 othermachine.com/file /home/file
And now you know. Nifty.
For the most part, the default port for SSH access into a Linux machine is 22. However, many people change this default in the name of security, meaning that for most of our function usage, we simply need to use the -p port number switch when trying to access with that remote machine.
However, interestingly enough, the -p switch was never bundled with the useful ssh-copy-id function, meaning that should you try something like this:
ssh-copy-id -p221 -i ~/.ssh/id_rsa.pub username@host
you will get a reply back reading: Bad port ‘umask 077; test -d .ssh || mkdir .ssh ‘ cat >> .ssh/authorized_keys’.
Not exactly encouraging.
However, there is actually a simply way to fix this and use ssh-copy-id when interacting with a non-default port 22 machine. Simply enclose your port declaration together with the host name within quotation marks!
So the correct usage would now look like this:
ssh-copy-id -i ~/.ssh/id_rsa.pub ‘-p 221 username@host’
And damn it, it actually works! Nice.
If you are a well established Linux user then you’ll already be pretty familiar with the awesome little wget application that gives you a command line interface with which to download content from web servers via either HTTP, HTTPS and FTP protocols.
Amongst its many features is the ability to set up recursive downloading, conversion of links for offline viewing of local HTML and support for proxies. It is pretty much ubiquitous across most major GNU/Linux distributions and is written in portable C, making it a fairly simpe affair to port it to other operating systems like Microsoft Windows and Mac OS X.
Now for those of you who would like to use something like this little robust, command line and self terminating application for a scheduled task on your great big Windows Server or desktop machine, rejoice because someone has gone to the effort and created a great little port project that offers you a complete wget package for Windows, even going so far as giving you a proper installer to drop everything in its right place.
Simple to install, and even easier to use, go grab your copy of GNU Wget 1.11.4 now! :)
Related Link: http://gnuwin32.sourceforge.net/packages/wget.htm
At the office we share the same ADSL line for both general web surfing and VoIP, not the greatest situation to sit with of course, but if we have to, we have to. Of course, this does mean that should someone try to make or receive a call at the same time the rest of us are all busy frantically raping the web, sound quality diminishes quite substantially.
The way around this is of course to implement some sort of port prioritizing which will give preference to packets flowing in and out of one particular port compared to data flowing through another. In other words, traffic shaping.
Now IPCop comes with a handy built in traffic shaper in the shape of WonderShaper, which allows you to prioritize either TCP or UDP port traffic by placing specific ports into one of three categories, namely Low, Medium and High. In order to use the system, you first need to gauge your upload and download speeds by using one of the many free services like speedtest.net that are currently out there. Once you have these values plugged in and have enabled Traffic Shaping via the Traffic Shaping menu option, you can then begin to sort specific port traffic into your three priority levels.
For example, interactive traffic like SSH (port 22) and VoIP go into the high priority group while normal web traffic (port 80) is more suited to fall within the medium priority group. Lastly, your non critical port traffic like P2P file sharing packets can safely be dropped in the low priority group. These can all be added to the system via the “Add Service” box which allows you to fill in the necessary details as well as select which protocol to apply the rule to (i.e. TCP or UDP).
And that in a nutshell, is traffic shaping on IPCop. Pretty simple eh? :)
Related Link: http://www.ipcop.org/1.4.0/en/admin/html/services.html#services_shaping