Safe to use high port numbers? (re: obscuring web services)

I have a small home network and I'm trying to balance the need for security versus convenience. The safest way to secure internal web servers is to only connect using VPNs but this seems overkill to protect a DVRs remote web interface (for example).

As a compromise, would it be better to use very large ports numbers? (eg. five digits up to 65531)

I've read that port scanners typically only scan the first 10,000 ports so using very high port numbers is a bit more secure.

Is this true?

Are there better ways to protect web servers? (ie. web guis for applications)

I've read that port scanners typically only scan the first 10,000 ports so using very high port numbers is a bit more secure.

Many people believe this. I don't.

Maybe it's a bit more secure, but not much. The low numbered ports are more common, so some scanners will look there first.

If I was a cracker, I would scan the high ports first, just to catch people who rely on this method for security. People who rely on security-through-obscurity probably have a poor understanding of security, and are more likely to forget to use other security methods. Therefore, those services might be more vulnerable, and easier to crack.

Some scanners exploit this believe, and start at the top and work their way down the list. Other scans will pick random ports throughout the entire range, so all ports have an equal chance of being scanned.

Go ahead and test this yourself using NMAP. Run an nmap scan against ports 1-10,000 and look for a HTTP server, and compare that against a scan which scans against all 1-65,xxx ports. You'll see that the difference is typically 3-10 minutes. If I make a detailed scan using something like Nessus, the difference is sometimes 20-60 minutes.

A good cracker is a patient cracker. They will wait.

Using odd port numbers is no security at all unless you're waging the fact that it's allowing you to run your application as a non-root user.

This sort of thing can be considered as security by obscurity but it's not actually security.

You can also use an ssh tunnel if you're using Linux on both ends:

ssh -f -N -L 9090:localhost:9090 user@remote-host

For example, that is what I use to forward port 9090 on the remote host to my local port 9090 for cherokee-admin, and I use similar setups for other web GUIs. You can protect applications in this way by specifying in the app configuration that they only run on localhost, i.e. on 127.0.0.1. In this way they aren't reachable from outside, but you can forward them with ssh. Check man ssh for more options using port forwarding (including X, which might solve your problem in another way entirely.)

This might be a suitable way to achieve your goal without installing / configuring additional software, depending on your setup.

If your firewall permits it you can make the authentification happen at the firewall level first, if your passwords complexity is good enought, that should enforce the security of the services exposed. you can also use SSL tunneling using for example stunnel and mutual auth.

Considering the fact that using higher ports number is more secure, in a certain way, maybe in reference to bots scanning your IP and trying some exploits, but if someone wants really to breack in, using higher ports numbers will not provide an increased security.