How to reserve a port to a particular program?

Discussion in 'HOWTO-Related Questions' started by joshun, Apr 8, 2019.

  1. joshun

    joshun New Member

    I want to harden my server from "ip hijacking" by restricting a port to a particular service/program to use.

    For example, this site might be using ngnix to listen to port 443, but once a hacker gets into the server and shuts it down, they can just use a mock program instead and at least acquire some user accounts and passwords. Another threat comes within - an employee who runs the server could mock one to acquire user information if enabled to shutdown the server and run a mock using the same port.

    This is a real vulnerability in C/S framework because the valid identification of server by a client is its ip+port only. ASUS has been disposed an accident that its firmware updating service was replaced by hacker to instill trojans to ASUS laptops trying to get recent "updates".

    I believe the quick and strong way to prevent these accidents is to use some firewall and explicitly dedicate some port number for some program (binary or python script) only, trying to bind it to any other program will be denied. Is there functionality in firewalld/iptables/SELinux or any other security programs to implement this idea?

    PS: I heard that iptables could reserve a port to a certain user group, then it might be doable through chain restrictions.

    Thanks in advance.
  2. Technically, there's no such thing as a "Reserved Port".
    • In TCP/UDP, the only way to "Reserve" a port is to actually bind() a socket to it. A bound port will not be used by other applications; an unused port is, will, unused so other applications are free to use it.
    • if you are writing server software, then you can bind your sockets to specific ports as early as you want in the application code. Make the port numbers configurable, or at least clearly state them in the documentation, so that a systems administrator can quickly identify clashes and move conflicting application to separate servers.
    I hope that is useful for you.....!!!
    thank you..

Share This Page