1

Basically, what I want is the opposite of this. I want to be able to bind a service to a high-numbered port with the peace of mind that comes with knowing the O/S is treating that port the same way it treats a well-known port, and if my service dies some errant process can't just jump in and bind to that port itself.

My gut tells me this is a job for SELinux, but I'm not sure how I'd implement that and I'm curious what you guys come up with.

(I want to do this because automated port scans usually only bother to do the first thousand / 1024 ports, and I want to scatter my services pseudorandomly across the other ~64,000 to make the signal-to-noise ratio lower for separating suspicious activity from highly suspicious activity in the logs, and to make recon more difficult by nearly six (base 2) orders of magnitude.)

1 Answer

-2

To identify suspicious activity, look at OSSEC or Snort. These are just a few examples of dedicated tools designed to do what you are looking for, and they both do it very well.

Moving ports to high ports is a bad idea. Ports below 1024 can only be opened by root or processes running as root.

Here is an example: when SSH is started on port 22, this is done by root or a root process, since no other user can open that port. But what happens if you move SSH to port 2222? This port can now be opened without a privileged account, which means anyone can write a simple script that listens on port 2222 and mimics SSH in order to capture your passwords, which can easily be done with simple tools commonly available on every Linux system/server. So running SSH on a non-privileged port makes it potentially LESS secure, not MORE. You have no way of knowing whether you are talking to the real SSH server or not.

Another issue is many corporations have incoming and outgoing firewalls, that prevent you from going to any site to any random port.

Gmck
  • "Ports below 1024 can only be opened by root or processes running as root." I know. In fact, that's the key piece of information my question pivots upon. "Another issue is many corporations have incoming and outgoing firewalls, that prevent you from going to any site to any random port." I'm not going to be running the kind of servers the general public needs access to on weird ports, nor am I planning on using company resources to work on these machines. So, unless I decide to get into corporate espionage in the next couple days, this is a moot point. – Parthian Shot Jan 14 '16 at 20:23
  • Guess I misunderstood what you wanted to do. – Gmck Jan 15 '16 at 15:39
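The answer's point (a low port needs root to bind, a high port does not, so a high port whose service has died can be grabbed by any local user) and the question's follow-on (how to make a high port behave like a privileged one) can both be checked on a live box. The script below is an added example, not code from the question, the answer or any project; it assumes Linux, where the privileged-port threshold is exposed as the `net.ipv4.ip_unprivileged_port_start` sysctl (kernel 4.11 and later) and falls back to the classic 1024 elsewhere. `hijack_risk` is a hypothetical helper name chosen for this example.

```python
"""Added example (not from the original question or answer): report whether a
TCP port is covered by the kernel's privileged-port rule and whether an
unprivileged process could grab it right now.

Assumption: Linux. The /proc sysctl below exists on kernels >= 4.11; on other
systems the classic threshold of 1024 is used instead.
"""
import errno
import socket

SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"  # Linux >= 4.11
DEFAULT_THRESHOLD = 1024  # classic rule: ports below this need CAP_NET_BIND_SERVICE


def privileged_threshold(path=SYSCTL_PATH):
    """Return the first unprivileged port as the running kernel defines it."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_THRESHOLD


def is_privileged(port, threshold=None):
    """True if binding `port` needs CAP_NET_BIND_SERVICE (root on a stock system)."""
    if threshold is None:
        threshold = privileged_threshold()
    return 0 <= port < threshold


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind and release it at once.

    Returns (bound, errno_name); errno_name is None on success.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def hijack_risk(port, threshold=None):
    """Classify what happens if the legitimate listener on `port` dies.

    'privileged'   : only root / CAP_NET_BIND_SERVICE can re-bind it
    'in-use'       : something already listens (the real service, or an impostor)
    'open-to-all'  : any local user can bind it: the fake-SSH scenario from the answer
    'blocked:<err>': the kernel refused for another reason (e.g. EACCES from a MAC policy)
    """
    if is_privileged(port, threshold):
        return "privileged"
    bound, err = try_bind(port)
    if bound:
        return "open-to-all"
    if err == "EADDRINUSE":
        return "in-use"
    return "blocked:" + str(err)


if __name__ == "__main__":
    t = privileged_threshold()
    print("privileged ports on this kernel: 0-%d" % (t - 1))
    for p in (22, 2222):
        print("port %5d: privileged=%s risk=%s" % (p, is_privileged(p, t), hijack_risk(p, t)))
```

Run it as an unprivileged user: on a stock kernel port 22 reports `privileged` while an idle 2222 reports `open-to-all`, which is exactly the window the answer warns about. Two ways to close it on Linux are to raise `net.ipv4.ip_unprivileged_port_start` so the chosen ports fall under the privileged rule and give the service only `CAP_NET_BIND_SERVICE` (via `setcap` or a systemd `AmbientCapabilities=` line), or, on an SELinux system, to label the port with `semanage port -a -t <port_type> -p tcp <port>` so that only the confined service domain may bind it; `hijack_risk` then returns `privileged` or `blocked:EACCES` respectively instead of `open-to-all`.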