Should I run my small website on port 80, 8080, or 81?
I am running a small website using nginx. Since there's (probably) not going to be a lot of traffic in my server's lifespan and to avoid random DoS attacks, I am considering setting the web server to listen on an alternate port instead of port 80.
Does listening on an alternate port (81, 8080, etc.) actually reduce my risk of attacks or breaches? Or does the burden of maintaining it outweigh the benefits? In that case, should I be using those alternate ports for other web services in case I set them up in the future?
Solution 1:
There are two things to consider here:
- Will your users remember to use a non-standard port in the name? By default, port 80 is the standard and therefore you do not have to type it into the URL. For example, http://superuser.com runs on port 80 and your browser assumes 80 is the port you mean when typing it in. It is no different than typing http://superuser.com:80. If you run your webserver on port 8080, then the user has to type http://superuser.com:8080. The average user will not likely remember that.
- Does running a webserver on a non-standard port protect you from DoS attacks? Not really. If someone really wanted to bring your site down, running on a non-standard port will not stop them. Attackers will scan all the ports on your IP and quickly find that 8080 (or whatever you choose) is open and responding to HTTP requests.
Methods like changing ports are called "Security through obscurity" and it is highly questionable that the extra work and inconvenience provide any valuable security.
Solution 2:
Yes, setting an alternate port actually reduces the risks of attacks, as the bots crawling the web to find flawed webapps usually don't look at other ports.
If a human attacker is aiming at your server, it will be really easy to discover the real port on which nginx is listening (by scanning open ports).
Using these alternate ports is rare (except proxies or... alternate webservers) so I think you can use them without fear.
But remember that using such an alternate port will prevent "default" visitors from finding your website; you will need to tell people (or write it in links) the right port by using URLs like http://yourserver.com:81/...
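The first two answers disagree about how much unsolicited traffic an alternate port still receives. The following added example (not part of any answer on this page) measures it from your own nginx access log, per listening port. It assumes a custom `log_format` that records `$server_port` first, and a hypothetical list of probe paths the site never serves; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed nginx access-log layout (an assumption, not from the page):
#   log_format byport '$server_port $remote_addr "$request" $status';
LINE_RE = re.compile(r'^(\d+) (\S+) "([^"]*)" (\d{3})$')

# Paths this hypothetical site never serves; a request for one is a probe.
PROBE_PATHS = ("/wp-login.php", "/.env", "/phpmyadmin", "/cgi-bin/")


def is_probe(request):
    """True for known scanner paths and for request lines that are not HTTP."""
    parts = request.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return True  # e.g. a TLS handshake or raw bytes sent to the plain-HTTP port
    return parts[1].lower().startswith(PROBE_PATHS)


def probes_by_port(lines):
    """Summarise requests, probes and distinct probing IPs per listening port."""
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "sources": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        port, ip, request, _status = m.groups()
        entry = stats[int(port)]
        entry["requests"] += 1
        if is_probe(request):
            entry["probes"] += 1
            entry["sources"].add(ip)
    return dict(stats)


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = r'''
80 192.0.2.10 "GET / HTTP/1.1" 200
80 198.51.100.7 "GET /wp-login.php HTTP/1.1" 404
80 198.51.100.7 "GET /.env HTTP/1.1" 404
80 203.0.113.5 "\x16\x03\x01\x02\x00" 400
8080 192.0.2.10 "GET /index.html HTTP/1.1" 200
8080 203.0.113.5 "GET /phpMyAdmin/ HTTP/1.1" 404
'''.strip().splitlines()

if __name__ == "__main__":
    for port, e in sorted(probes_by_port(SAMPLE).items()):
        print(f"port {port}: {e['probes']}/{e['requests']} probes "
              f"from {len(e['sources'])} source(s)")
```

Running it against logs from a period when both ports were listening gives a like-for-like comparison of probe volume on each.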
Solution 3:
An additional consideration (to the two provided by Keltari) is that using a non-standard port may result in your website being overlooked by search engine web crawlers like Google's, unless you specify otherwise.
If it is your intention that your website be difficult to find for everyone except the people you provide a link to, then using a non-standard port would seem to be favourable, but otherwise I'd go with a standard port.
Solution 4:
It depends. What's the use for the "small site"?
If it's going to be used by other people, I would highly recommend using standard ports. As mentioned in most of the answers, using a nonstandard port requires that the port is specified by the user (e.g. for port 81 -> yoursite.com:81). If you use a standard port, the browser infers the port from the protocol (http, https). http:// is normally port 80 and https:// is normally port 443, unless overridden. I highly recommend using standard ports. Sure, you CAN put the only entrance to a house in the backyard, but how will visitors know it's there?
If it's a testing site only used by you, there are two things to ask yourself:
- Will it be attached to a DNS record (domain name)? (I find my servers with no DNS references are much quieter attack-wise. NOTE: please don't consider this as more secure. It's not; it just makes it more difficult for attackers to find you through DNS)
- Are you OK with manually typing the port and/or IP?
TL;DR:
- Used by other people: use 80/443
- Private: Up to you