
Would it be a good idea to change admin console ports?

As the title says, by default we have ports 9090 and 9091 for the admin console.

In order to make the admin console a little more secure, would it be a good idea to change these ports?

Also, can I force HTTPS access to the admin console and disable non-encrypted access to it?

Thanks.

How would changing the ports make them more secure?

In the admin console, set the unsecured port to 0, rather than 9090. It will not be used the next time Openfire is started. Or you could use a firewall to block it.

> How would changing the ports make them more secure?

I mean at least to change them from default values and make them harder to guess?

Thanks for the tip about setting the unsecured port to 0.

> In the admin console, set the unsecured port to 0, rather than 9090. It will not be used the next time Openfire is started. Or you could use a firewall to block it.

Hmm, this doesn’t seem to work. If I set it to 0 then it won’t let me save and says I need a valid port number. Blocking the port seems easiest.

Try -1 maybe?

I thought 0 used to work.

That strategy usually gives a false sense of security. A port scan can identify open ports on a system pretty quickly, so even if you move services to non-standard ports they are easy to find.

Admin console should be restricted to an internal LAN or management network. No reason to have it open to the Internet.

> Admin console should be restricted to an internal LAN or management network. No reason to have it open to the Internet.

This is a hosted VPS.

Those would be reserved port numbers.

From: http://en.wikipedia.org/wiki/Port_(computer_networking)

The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. This includes the registration of commonly used port numbers for well-known Internet services.

The port numbers are divided into three ranges: the well-known ports, the registered ports, and the dynamic or private ports. The well-known ports are those from 0 through 1023. Examples include:

  • 20 & 21: File Transfer Protocol (FTP)
  • 22: Secure Shell (SSH)
  • 23: Telnet remote login service
  • 25: Simple Mail Transfer Protocol (SMTP)
  • 53: Domain Name System (DNS) service
  • 80: Hypertext Transfer Protocol (HTTP) used in the World Wide Web
  • 110: Post Office Protocol (POP3)
  • 119: Network News Transfer Protocol (NNTP)
  • 143: Internet Message Access Protocol (IMAP)
  • 161: Simple Network Management Protocol (SNMP)
  • 443: HTTP Secure (HTTPS)

The registered ports are those from 1024 through 49151. IANA maintains the official list. The dynamic or private ports are those from 49152 through 65535. One common use is for ephemeral ports.

End Quote:

A good firewall will monitor what is running on those ports and verify the protocol as well. Otherwise you will not be able to open the port and the server will not likely start. You could try getting around this by registering the program etc. On Unix this is easier to do than Windows. If done correctly, and if you also tell the firewall to buzz off, you can open on a reserved port.

Try setting up a rule in your iptables on the VPS that only allows access to port 9090 from a specified IP address (your public IP address). Case solved.
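One way to script the iptables approach suggested above, as an added example that is not from this thread or from the Openfire project: it drops the plain-HTTP console on 9090 outright and allows the HTTPS console on 9091 only from one management address. The address 203.0.113.10 is a constructed placeholder; set MGMT_IP to your own public IP, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Lock down the Openfire admin console ports (9090 plain HTTP, 9091 HTTPS) with iptables.
# Assumptions: rules go into the INPUT chain; MGMT_IP is the one host allowed to reach 9091.
# 203.0.113.10 is a constructed documentation address, not a real management host.

MGMT_IP="${MGMT_IP:-203.0.113.10}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1 (handy for review before applying).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Reject anything that is not a dotted quad with octets 0-255, so a typo in MGMT_IP
# cannot silently produce a rule that locks you out or matches nothing.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  for o in $1; do
    [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
}

admin_console_rules() {
  valid_ipv4 "$MGMT_IP" || { echo "bad MGMT_IP: $MGMT_IP" >&2; return 1; }
  # Unencrypted console: block it for everyone (equivalent to the "set it to 0" idea).
  run iptables -I INPUT -p tcp --dport 9090 -j DROP
  # HTTPS console: default drop, then insert the management-host allow above it.
  # -I prepends, so after both commands the ACCEPT sits before the DROP in the chain.
  run iptables -I INPUT -p tcp --dport 9091 -j DROP
  run iptables -I INPUT -p tcp -s "$MGMT_IP" --dport 9091 -j ACCEPT
}

# Example run: DRY_RUN=1 MGMT_IP=203.0.113.10 sh thisfile.sh
[ "${ADMIN_RULES_AUTORUN:-0}" = "1" ] && admin_console_rules
```

Verify afterwards with `iptables -S INPUT` that the ACCEPT for your address is listed before the 9091 DROP, and remember these rules are not persistent across reboots unless you save them with your distribution's iptables-persistent mechanism.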

Thanks, solved my issue. I blocked port 9090 and made sure only a specific IP can connect to 9091.