Why Do We Bind Ports In Linux?

Within most operating systems, including all Linux distros, there exists a range of ports that are considered privileged ports. All privileged ports range from 1 to 1023 and can accessed by root user and, in most cases, can't be accessed for any other users.... unless there's a break down in the security bridge.

1024 port is a security measure limit and leads to a security holes. And this port forces the limit to run in all daemons with the root privileges. Some daemons can be started without the root privileges, but a parent daemon does need to start with root privileges.

The solution for not completely binding with the 1024, is to pair the “sysctl” parameters to adjust with port limit i.e

 

Adjusting port limit


 

Binding non root process to privileged ports

To achieve this there are several different of ways to bind ports depending on your environment. For our article, we'll go over a couple of the more common methods for port binding.

Method I:

If you are writing your own daemon in an interpreted language, it should listen to the privileged ports. To do this, you need to use an external open source to drop the root. In distros like Solaris or Ubuntu, you can assign a binding privileged port to non root users by executing the below command:

binding a privileged port to a non root user.


Method II:

This method can be used when you have any service that uses a lower-numbered port than 1024, while not running it with root privileges. Giving applications and services root access all the time is a security hole, we will use this method map and run your service through with a non-priviliged port to a priviliged one, 

To do this, we'll be using setcap. For our example, we'll be using setcap to run OUD (Oracle Unified Directory).

  • Install the setcap utility package as per the version of linux OS.

  • On the target system, install the latest version of JDK.

  • Restrict JDM access to just the user you need.

  • From root, execute the below commands:

  • After executing the above commands, you'll need to change the dynamic library of java, as default will not be a compatible for the setcap. For reference below are the commands

  • Start the OUD service with start-ds command.

Note:Oracle Unified directory is a storage,proxy, synchornization etc all were incorporated in to one directory. It basically provides the environments and high perfomance. If necessary, adjust the architecture to amd64.

Hopefully this gives you a good idea about binding ports. It should give you that extra bit of security, which always helps, by allowing you to use privileged ports without having other users use root access to your servers. As always, feel free to message us on twitter, facebook, or leave a comment if you have any questions or feedback on this article or anything else!

November 02 2017

Add or review comments

Please leave your comment

Existing comments

Comments 0


Get notified about new publications and product updates.
Please note we do not share information to anyone.