HOWTO

Choose Safer Ports for your Ada Pool

Once you decided you want to become an ADA (Cardano) Pool Operator, one of the first technical decisions you have to make is which ports to use for your ADA core node and relay.

Your relay will connect to other Cardano relays and must accept incoming connections from them. Your core node will only connect to your realy and will only accept incoming connections from your relays. Installation guides often propose to use TCP ports 3000, 3001, 6000 or 6001.

This choice is arbitrary, and it is better to configure a safer choice. But which ports are safer than others?

Safety first

A safer port is defined as:

  1. Port number 1024 or higher: ports from 0 to 1023 are privileged ports and a service needs root permissions to bind to privileged ports. This is insecure, a bug in your service might expose the whole server.

  2. Not listed in the IANA port and services list: many vulnerability scanners such as OpenVas can be configured to scan all ports listed in IANA. Hence we avoid those ports.

  3. Not part of the Nmap top 1000 ports. Nmap is a powerfull port scanner. Without additional options, it will scan the top 1000 most common ports. We avoid those ports.

Profit

What is gained by using the safer ports instead of port numbers found in “Howto” documents or your imagination? Plain and simple:

  • Wannabe hackers (script kiddies) will not detect your service, since the commonly used hacking tools (in their standard configuration) do not scan for these ports.
  • If you managed to choose a random port used by another service, you might see a surge in connections and attacks if a vulnerability in that other service is detected. You might be an innocent bystander, but you will get hit anyway.
  • If an attacker want to exploit a bug in your type of service, he or she will first find and attack servers using the common ports for that service. You might just have bought some time to prepare a defense while criminals are attacking your neighbours.

All this will result in smaller logs and less headaches to monitor your service.

Security Zealots

Wait, what is this? Do I hear a horde of CISSP or CISA certified consultants shouting that this is security by obscurity and does not help?

Please get of my lawn, security by obscurity really works. It is only proven not to work in the domain of cryptography.

Howto

We open-sourced a small script to give you safer choices for TCP or UDP ports. Here is how to use it.

Clone this repository:

git clone --depth 1 https://github.com/igbuend/under-the-mat.git

Run the script:

./under-the-mat/bin/under-the-mat.sh

The script will give you five TCP ports by default. You can ask for UDP ports as follows:

./under-the-mat/bin/under-the-mat.sh --type=UDP

If you need more ports:

./under-the-mat/bin/under-the-mat.sh --type=UDP --amount=10

If you need help:

./under-the-mat/bin/under-the-mat.sh --help

Conclusion

That’s it! A small item, but might save you one day.

Herman Stevens