How to secure open port for a particular program?

**Kestreln8144** · March 6th, 2014

Hello everyone. I'm learning my way around network and Linux security, and I would like advice for this situation:

I'm setting up my iptables firewall, and there is a particular application I run that needs to accept incoming tcp connections as well as udp. I've read that allowing incoming connections for tcp is an insecurity (possibly udp too, but I still don't know much about udp). I know I can restrict incoming requests to certain IPs, but unfortunately in this situation I won't be able to know what they are.

The only idea I have is: I could open a particular port for this program only, restrict the usage of this port to this program, then secure the program with AppArmor. This way, any incoming connection would only be able to connect to that program, and even if it's insecure AppArmor should limit any damage.

But I've yet to learn how to do this. Is it possible to restrict the usage of a port to a particular program?

What are your thoughts? You security gurus no doubt know a lot more than I do. How can I go about securing an open port that accepts incoming connections?

**CharlesA** · March 7th, 2014

What program?

See here:
http://bodhizazen.net/Tutorials/iptables

**Empire-Phoenix** · March 7th, 2014

Well if you need access from the internet to a potentially unsecure application, the usual way is to use a vpn, then allow only from the vpn access to the unsecure application. That way if the vpn is secure there are no open vulnerabilities to the internet.

**3rdalbum** · March 7th, 2014

Originally Posted by Kestreln8144

I'm setting up my iptables firewall, and there is a particular application I run that needs to accept incoming tcp connections as well as udp. I've read that allowing incoming connections for tcp is an insecurity

It's not really an "insecurity", it's a risk. An insecurity is an insecurity, a risk can be managed.

The only idea I have is: I could open a particular port for this program only, restrict the usage of this port to this program, then secure the program with AppArmor. This way, any incoming connection would only be able to connect to that program, and even if it's insecure AppArmor should limit any damage.

If the program is the only program listening for incoming connections on that port, then it will be the only one receiving the data. If the program is not running, then no incoming connection will ever be answered and you will receive no data. Even if you have programs listening on port 502, 503, 504, 506 and 507; they will still not receive any data destined for port 505. Do you understand what I mean? If you want to restrict incoming connections on that port to one particular program, then simply don't have any other programs listening on that port.

Securing the service with AppArmour is a great way of limiting risk. You do need to know exactly what that program does, however, otherwise you'll either make the AppArmour profile too loose or so restrictive that the program won't work properly.

**Kestreln8144** · March 8th, 2014

Originally Posted by CharlesA

What program?

Retroshare: http://retroshare.sourceforge.net/
Wiki (needs work): http://retroshare.sourceforge.net/wi....php/Main_Page

Originally Posted by Empire-Phoenix

Well if you need access from the internet to a potentially unsecure application, the usual way is to use a vpn, then allow only from the vpn access to the unsecure application. That way if the vpn is secure there are no open vulnerabilities to the internet.

I am not the one who will be connecting to this program. It will be accepting connects to addresses that I cannot know beforehand. The risk here is that this program may have flaws, and an unknown attacker might utilize vulnerabilities to access my PC or otherwise cause problems. I want to secure the program from the rest of my system (with AA), and restrict the use of the port to that program alone.

Originally Posted by 3rdalbum

Do you understand what I mean? If you want to restrict incoming connections on that port to one particular program, then simply don't have any other programs listening on that port.

Yes, I understand this. But what worries me—and maybe I just don't understand enough about all of this—is that other applications on my system might utilize that port without my knowing (unless I look). I guess a better question is how can I know what programs are using what ports, and make sure this doesn't happen?

Originally Posted by 3rdalbum

Securing the service with AppArmour is a great way of limiting risk. You do need to know exactly what that program does, however, otherwise you'll either make the AppArmour profile too loose or so restrictive that the program won't work properly.

Yeah, I've begun reading AA's documentation, and it looks like quite the learning curve. I'm not expecting to learn this overnight, but hopefully I can work something out that will work well enough.

**ant2ne** · March 10th, 2014

open the port on your server but only when the source is your workstations IP.

something like
iptables -A INPUT -s YOURIP -p tcp --dport 22 -j ACCEPT