A friend of mine gave me (user) SSH access to an EC2 instance (Ubuntu) that he owns. For reasons I don't know yet, in the future I will need an open TCP port through the firewall so that some sort of service (like HTTP or another) can listen on it. I don't want to bother him every time I need a TCP port opened in the firewall, but meanwhile I don't want to leave a port open (and vulnerably unbound) on his firewall. The question is: is there a way to fake-bind this TCP port (so that a fake service occupies it)? Or is there another "pattern" to accomplish this?

What makes you think an open and unbound port is less secure than one with a stub daemon attached? The former just gives a quick and simple TCP reset, while the latter can be vulnerable to all sorts of interesting attacks if wrongly coded. – MadHatter Oct 10 '12 at 14:34
2 Answers
If you really want to do it like that, possibly the easiest way would be using the discard service, which is an xinetd builtin service. This service is pretty much a /dev/null for networking. However, even having an infinitely huge data landfill doesn't make sure that xinetd is working correctly.

Probably more secure would be using a proper iptables rule in your Ubuntu box until you really set up the service. This would be just an iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset.

My personal opinion is keeping those rules at the edge of your network, but thinking of similar experiences with... colleagues... I can understand your motivation.

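The iptables approach from the answer above, turned into a small script as an added example (this is not the answer author's code, and not the original poster's). It assumes an Ubuntu host with iptables and ss (iproute2) and root for the apply/release steps; the IPTABLES variable is a hypothetical override so the script can be dry-run without touching the firewall. It goes beyond the single command in the answer: the rule is inserted at the head of INPUT rather than appended, the add step is idempotent, and there is a check that nothing is already listening on the port being parked.

```shell
#!/bin/sh
# Park a TCP port with a REJECT/tcp-reset rule until the real service exists.
# Added example; not the answer author's own script.
# Assumptions: Ubuntu host with iptables and ss (iproute2); reserve/release
# need root. IPTABLES is a hypothetical override for dry runs
# (e.g. IPTABLES="echo iptables") that never touch the live firewall.
set -eu

IPTABLES=${IPTABLES:-iptables}

# Rule specification for the placeholder: everything after the chain name.
# --reject-with tcp-reset answers with RST, so a scanner sees "closed",
# exactly as if no process were bound, but no daemon is exposed.
placeholder_spec() {
    printf '%s' "-p tcp --dport $1 -j REJECT --reject-with tcp-reset"
}

# Insert the placeholder at the head of INPUT (-I, not -A) so it wins over
# any later, broader ACCEPT rule that might match the same port.
# The -C probe keeps this idempotent: re-running will not stack duplicates.
reserve_port() {
    port=$1
    if $IPTABLES -C INPUT $(placeholder_spec "$port") 2>/dev/null; then
        echo "port $port: placeholder already present" >&2
        return 0
    fi
    $IPTABLES -I INPUT 1 $(placeholder_spec "$port")
}

# Remove the placeholder once the real service is configured. Do this
# before starting the daemon, or its clients keep getting resets.
release_port() {
    $IPTABLES -D INPUT $(placeholder_spec "$1")
}

# True when no local listener is bound to the given TCP port.
port_is_free() {
    [ -z "$(ss -Hltn "sport = :$1")" ]
}

# Usage: ./park-port.sh reserve 12345 | release 12345 | check 12345
if [ -n "${1:-}" ]; then
    case "$1" in
        reserve)
            if port_is_free "$2"; then
                reserve_port "$2"
            else
                echo "port $2: something is already listening, not parking it" >&2
                exit 1
            fi ;;
        release) release_port "$2" ;;
        check)   port_is_free "$2" && echo "port $2: nothing listening" ;;
        *) echo "usage: $0 reserve|release|check PORT" >&2; exit 2 ;;
    esac
fi
```

Two caveats a practitioner should keep in mind. On EC2 the friend's "firewall" is most likely the security group, which is a separate layer: this host rule neither opens nor closes anything there, it only guarantees that, once the security group does allow the port, nothing on the box answers until the placeholder is released. And plain iptables rules do not survive a reboot on Ubuntu unless saved with a persistence mechanism such as the iptables-persistent package, so re-run the reserve step from boot or persist the ruleset.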
To solve your issue it is better to use a port knocker; it will open ports for you when needed and close them on your command. It works very well on Ubuntu.

What do you mean it is nonsense? Using a port knocker to open ports? Or having unbound ports open in the firewall? A port knocker could even start the needed service... – digger3d Nov 20 '17 at 14:16