What are the best/common options to protect an open port? For example, for Plex or torrent. A few I can think of:
- change Port number from standard to random unused one to help obfuscate
- Set up a firewall to restrict incoming traffic only to valid sources (i.e. Plex), though IP can be spoofed
- Run inside a VPN, but an internet-facing VPN may be a higher-profile target
- Run the service in a VM to try to contain any breach
Am I missing anything? I know Plex is already encrypted, but that doesn't preclude any vulnerability in Plex.
Answer
> What are the best/common options to protect an open port?

The best thing is to not have anything running that's listening on the port. Limiting your attack surface by only having what you need running, and only having things listening on interfaces and ports you need, is the first and best thing.
Other common options include:
- blocking/restricting ports at the router
- configuring a firewall on the system the service is running on and blocking/restricting ports at the system (sometimes this firewall is part of an antivirus package)
- running monitoring software on your network that A) logs traffic for later analysis, B) updates and enacts IP and other blocklists from a service, and/or C) looks for patterns in incoming traffic and sends alerts if anything unusual is found
- inserting a device (dedicated firewall, security device) between router and core switch that does any of the above
- software blacklisting on systems (specific executables can't be run, very often integrated with antivirus or other security suite)
- software whitelisting on systems (only specific executables can be run)
- restricting access through physical network topology or VLAN assignments
- VPN/encrypted tunnel services, running on the edge of the network (on or between router and core switch), that only allow external access when authenticated and encrypted
> change port number from standard to random unused one to help obfuscate
This is "security by obscurity" and won't affect a determined adversary who will check all ports. It will stop many automated attacks, though, and might lower the number of incidents you log.
The real problem with this is that while you can change what port a service uses on your end, you might not be able to control that on the client end, and a network in between may block non-standard ports. If you access Plex at your house from a cellular connection, you might find that ports other than 443 are blocked by the cellular network. Some guest Wi-Fi hotspots might do the same.
> Run inside a VPN, but an internet-facing VPN may be a higher-profile target
Assuming you have a single IP that everything is behind, you would only have one point of entry into your network to protect anyway. A VPN adds authentication and encryption, but you're not any worse off by using it unless your VPN encryption or authentication is weak.
> Run the service in a VM to try to contain any breach
This can be helpful, but there are CPU vulnerabilities like Spectre, etc. that advanced attackers can use even when in a VM. Services that are extremely sensitive optimally should be run on their own physical device.
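As an added example (not from the question or the answer above), the monitoring idea in item C of the list, applied to constructed host-firewall log lines: it flags sources that probe many distinct ports and sources outside an allowlist that reach the exposed service port. The `FW-DROP`/`FW-ACCEPT` log prefixes, the allowlist network and the service port (assumed to be Plex's default, 32400) are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed: a host firewall LOG rule writes lines with an "FW-<action>:" prefix;
# the SRC=/PROTO=/DPT= fields follow the iptables LOG field format.
LOG_RE = re.compile(r"(?P<prefix>FW-\w+): .*?SRC=(?P<src>[\d.]+) .*?PROTO=\w+ .*?DPT=(?P<dpt>\d+)")

SERVICE_PORT = 32400  # assumed: Plex left on its default port
# Assumed allowlist of networks that are legitimately allowed to reach the service.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Jan 10 12:00:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=23
Jan 10 12:00:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80
Jan 10 12:00:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=443
Jan 10 12:00:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=3389
Jan 10 12:00:05 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=32400
Jan 10 12:00:09 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=32400
Jan 10 12:00:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=5000 DPT=5353
"""

def parse(log_text):
    """Yield (source address, destination port) for every line the regex recognises."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], int(m["dpt"])

def find_scanners(log_text, min_distinct_ports=5):
    """Sources that touched at least min_distinct_ports different destination ports."""
    ports_by_src = defaultdict(set)
    for src, dpt in parse(log_text):
        ports_by_src[src].add(dpt)
    return sorted(s for s, p in ports_by_src.items() if len(p) >= min_distinct_ports)

def find_unexpected_service_hits(log_text, service_port=SERVICE_PORT, allowed=ALLOWED_SOURCES):
    """Sources outside the allowlist that reached the service port, whether accepted or dropped."""
    hits = set()
    for src, dpt in parse(log_text):
        if dpt == service_port and not any(ipaddress.ip_address(src) in net for net in allowed):
            hits.add(src)
    return sorted(hits)

if __name__ == "__main__":
    print("port-scan candidates:", find_scanners(SAMPLE_LOG))
    print("service hits from outside the allowlist:", find_unexpected_service_hits(SAMPLE_LOG))
```

In a real deployment the same two checks would run over the firewall's actual log stream and feed an alert rather than a print.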