if your server is accessible on the public internet, then anyone will be able to tell what its doing.
it’s common for people to think that by switching ports, they are hiding their running services. unfortunately as you have seen, you cannot hide from nmap.
Nmap works by crawling every possible port number, and sends a variety of packets at every port until it provokes a response from the running service. the response, often times leaks a lot of information about the running service, as you have seen above. once nmap knows a service is running on a particular port, it will do more things to expose more inforamtion. your server is not just advertising this data, but it’s coming out in it’s normal server respones. nmap will aslo make guesses at what is running based on packet information it gets back from the server, so it does not necessarily mean your server is just telling it everything, but rather nmap is very smart.
changing service port numbers is, however, a good way to avoid the low-tier “dumb” bots that crawl the internet, ie, if someone wrote a bot that looks for xmpp servers on the default port.
you need to not worry about hiding what your server is… but rather protecting it so that even if somebody has this info, there’s not much they could do with it. Make sure you have proper firewalling for all ports you do not wish to expose to the public internet. make sure you have strong passwords for not just administrator accounts, but all accounts. Make sure the server OS is updated regularly so it has the recent vulnerbility patches, disable any OS-level user accounts not in use and not needed by the server to operate, etc. Just the normal good-server practices.
I would like to have a fixed user base, XMPP server isolated from the others and the XMPP server only respond to that users requests, without advertising any capabilities or answer to any other requests other than the minimum needed…
It seems that a generic XMPP server like Openfire is not compatible with my scenario and maybe a stripped-down alternative version is needed…
I take you answer as correct, however if there is any possible configuration that can help to harden a little bit Openfire against port scanning (without change Openfire code / recompile), i would be more than happy to know.
well, what you’re seeking wont work on the public internet. for example, if you had a web server, and I were to attempt to determine if it’s a web server or not, I could crawl all your ports and try to open an http connection. the port that gives any kind of response (because it’s listening for http connections, it must reponsd somehow), well, then I know it’s a web server. Same thing works will XMPP servers (like Openfire) and any server software for that matter.
if the server must respond to real traffic, then it’s going to respond to all traffic.
One possibility that comes to mind, is to take your server off the public internet. You could try using LogMeIn’s Hamachi product (Free) which is a software VPN. It creates an encrypted tunnel between anyone you allow onto your private network (you configure it on their website who’s allowed to connect and who’s not). This would prevent anyone without explicit permissions to join your private network, from connectiong to your server. Of course there’s the downside that anyone you do want to connect, must download and install Hamachi… but that may be acceptable. Worth a shot.