I have a small home network and I'm trying to balance the need for security versus convenience. The safest way to secure internal web servers is to only connect using VPNs, but this seems overkill to protect a DVR's remote web interface (for example).

As a compromise, would it be better to use very large port numbers? (e.g. five digits, up to 65531)

I've read that port scanners typically only scan the first 10,000 ports so using very high port numbers is a bit more secure.

Is this true?

Are there better ways to protect web servers? (i.e. web GUIs for applications)

  • 1
    No, it's not true. Modern (even desktop) multi-core CPU machines with broadband access can scan all 65535 ports in seconds. And even if the attacker decided to space them out to two a second to foil a DoS gate, who cares, you're leaving your system up for more than a day, right? An old maxim is, as others have said below, that "security through obscurity" is essentially useless in the digital world.
    – msanford
    Commented Jun 27, 2010 at 22:49

4 Answers


I've read that port scanners typically only scan the first 10,000 ports so using very high port numbers is a bit more secure.

Many people believe this. I don't.

Maybe it's a bit more secure, but not much. The low numbered ports are more common, so some scanners will look there first.

If I were a cracker, I would scan the high ports first, just to catch people who rely on this method for security. People who rely on security-through-obscurity probably have a poor understanding of security, and are more likely to forget to use other security methods. Therefore, those services might be more vulnerable, and easier to crack.

Some scanners exploit this belief, and start at the top and work their way down the list. Other scans will pick random ports throughout the entire range, so all ports have an equal chance of being scanned.

Go ahead and test this yourself using NMAP. Run an nmap scan against ports 1-10,000 and look for an HTTP server, and compare that against a scan which scans against all 1-65,xxx ports. You'll see that the difference is typically 3-10 minutes. If I make a detailed scan using something like Nessus, the difference is sometimes 20-60 minutes.

A good cracker is a patient cracker. They will wait.

  • 1
    Assuming that all other relevant security measures were implemented, would it be better or worse to obscure port numbers? My thinking would be that it would be slightly better if the server wasn't specifically targeted.
    – wag2639
    Commented Jun 9, 2010 at 18:55
  • 2
    +1 "A good cracker is a patient cracker. They will wait."
    – msanford
    Commented Jun 27, 2010 at 22:50
  • @wag2639 You're not really doing anything by changing a service's port number but making a script-kiddie find a slightly better script. War-dialing a block of IPs and ALSO portscanning every single port is trivial.
    – msanford
    Commented Jun 27, 2010 at 22:53
  • If a hacker is going after a particular target, then they may be able to wait 20-60 minutes scanning high port numbers. However, if they're attempting to scan hundreds or thousands of IP addresses to find vulnerable systems, then they will not be scanning high ports. Also, they need to know there is a system there before they can start targeting it. If the firewall is doing its job, then the system is basically invisible until they stumble upon an open port. Commented Sep 18, 2019 at 11:45

Using odd port numbers is no security at all unless you're waging the fact that it's allowing you to run your application as a non-root user.

This sort of thing can be considered as security by obscurity but it's not actually security.

  • Are there any alternatives to using a full-blown VPN then? Perhaps some kind of reverse web proxy that has extra login/password protection? (squid doesn't do this)
    – SofaKng
    Commented Jun 9, 2010 at 16:35
  • @sofakng: you may be interested in an SSL wrapper like Stunnel: stunnel.org
    – Maxwell
    Commented Jun 9, 2010 at 16:42

You can also use an ssh tunnel if you're using Linux on both ends:

ssh -f -N -L 9090:localhost:9090 user@remote-host

For example, that is what I use to forward port 9090 on the remote host to my local port 9090 for cherokee-admin, and I use similar setups for other web GUIs. You can protect applications in this way by specifying in the app configuration that they only run on localhost, i.e. on In this way they aren't reachable from outside, but you can forward them with ssh. Check man ssh for more options using port forwarding (including X, which might solve your problem in another way entirely.)

This might be a suitable way to achieve your goal without installing / configuring additional software, depending on your setup.
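To show what the "bind the app to localhost, then forward it with ssh -L" setup buys you, here is an added Python demonstration that is not part of the answer above: a constructed stand-in GUI is bound either to 127.0.0.1 or to all interfaces, and a small in-process relay plays the local end of the ssh forward. It assumes a Linux loopback that routes all of 127/8 to lo, so 127.0.0.2 can stand in for a non-localhost address.

```python
import socket
import threading

BANNER = b"HTTP/1.0 200 OK\r\n\r\nadmin gui\r\n"  # constructed stand-in for the GUI's reply

def serve(handler, bind_addr):
    """Listen on bind_addr (OS-chosen port) and run handler(conn) for each connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def gui_handler(conn):
    with conn: conn.sendall(BANNER)

def start_forwarder(target_port):
    """Local end of 'ssh -L': accept on loopback, connect to the GUI's loopback port, relay its reply."""
    def relay(conn):
        with conn, socket.create_connection(("127.0.0.1", target_port)) as upstream:
            for chunk in iter(lambda: upstream.recv(4096), b""):
                conn.sendall(chunk)
    return serve(relay, "127.0.0.1")

def fetch(host, port, timeout=1.0):
    """Return the bytes the service on host:port sends, or None if nothing answers there."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return b"".join(iter(lambda: s.recv(4096), b""))
    except OSError:
        return None

def exposure(bind_addr):
    """Where is a GUI bound to bind_addr reachable? (127.0.0.2 stands in for a non-localhost address.)"""
    gui, gui_port = serve(gui_handler, bind_addr)
    fwd, fwd_port = start_forwarder(gui_port)
    try:
        return {"direct_loopback": fetch("127.0.0.1", gui_port) == BANNER,
                "direct_other_addr": fetch("127.0.0.2", gui_port) == BANNER,
                "via_forwarder": fetch("127.0.0.1", fwd_port) == BANNER}
    finally:
        gui.close()
        fwd.close()
```

With the GUI bound to 127.0.0.1 it answers on loopback and through the forwarder but not on any other address; bound to 0.0.0.0 it answers everywhere, which is the exposure the tunnel setup is meant to avoid.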


If your firewall permits it, you can make the authentication happen at the firewall level first; if your password complexity is good enough, that should enforce the security of the services exposed. You can also use SSL tunneling, using for example stunnel and mutual auth.

Using higher port numbers is, in a certain way, more secure, perhaps in reference to bots scanning your IP and trying some exploits, but if someone really wants to break in, using higher port numbers will not provide increased security.

  • I'm using pfsense and some of my web services have built-in SSL (HTTPS) support. Is it still better to use stunnel? Is using stunnel the "authentication at the firewall" level?
    – SofaKng
    Commented Jun 9, 2010 at 16:48
  • 1
    How do you do "authentication at firewall"?
    – wag2639
    Commented Jun 9, 2010 at 18:36
  • I don't know if pfsense has that functionality but, on Juniper routers, you can use local users (even RADIUS) to grant access to HTTP translated traffic. Concerning Stunnel, you can use mutual auth with certificates; stunnel will encapsulate the HTTP traffic with SSL and handle the authentication.
    – Maxwell
    Commented Jun 10, 2010 at 7:24
