Nahashon

Binding to ports lower than 1024 in Linux

Privileged ports

In Linux, root privileges are required to bind to ports lower than 1024.

These ports are generally referred to as privileged ports and are normally reserved for well-known services such as ftp on port 21, ssh on port 22, and http and https on ports 80 and 443 respectively.

This prevents unprivileged users or malicious software from impersonating these services.

Using privileged ports without root

Running an application as root is a security risk.

There are a couple of different approaches that can be taken to use the privileged ports without root privileges:

1. Port Forwarding

This is by far one of the simplest approaches.

You can start your application on a higher port, such as 8080.

Once this is done, firewall rules can be used to forward traffic from the desired lower port to the higher port the application is listening on.

# forward https traffic from port 443 to port 8080 (firewalld; add --permanent to keep the rule across reloads)
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080

# manipulate the NAT table to forward traffic from port 443 to port 8080 on the same machine
# (PREROUTING only matches traffic arriving from the network; connections made from the host itself need the same rule in the OUTPUT chain)
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080

2. Proxies

Another easy approach is to use a reverse proxy.

A reverse proxy is a server that sits in front of another server; its main job is to forward client traffic to the server behind it.

There are several tools you can use for this.

Apache and nginx are among the most popular and easy to configure.

# Apache virtualhost to forward all incoming traffic on port 80 to the application listening on port 8080
# (requires mod_proxy and mod_proxy_http to be loaded)
<VirtualHost *:80>
    # never act as an open forward proxy
    ProxyRequests Off
    # pass the original Host header through to the application
    ProxyPreserveHost On

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

# nginx virtualhost to forward all incoming traffic on port 80 to the application listening on port 8080
server {
    listen 80;

    location / {
        # pass the original Host header through, matching ProxyPreserveHost above
        proxy_set_header Host $host;
        proxy_pass http://localhost:8080;
    }
}

3. Linux Capabilities

Most processes on Unix-like systems run with either standard user privileges or root privileges.

This is a simple view of privileges; a standard user is limited in what they can do and a super user is unlimited.

The Linux kernel breaks root's privileges down into finer-grained units called capabilities.

A process is assigned only the small number of capabilities it needs, so that even if it is compromised, the attacker can do nothing beyond what that limited process can do.

Linux capabilities can be assigned to a process in one of the following ways:

a. Systemd service

Systemd unit files allow you to specify the capabilities of the process via the AmbientCapabilities= directive.

[Service]
# only meaningful together with User=, which runs the service as an unprivileged user instead of root
AmbientCapabilities=CAP_NET_BIND_SERVICE

b. setcap command

You can directly grant your application the cap_net_bind_service capability.

For this to work, the filesystem on which the executable resides needs to support capabilities.

# grant the capability in the effective, inheritable and permitted sets of the file
# (the capability is stored on the file, so it is lost when the executable is replaced or upgraded)
setcap 'cap_net_bind_service=+eip' /path/to/executable
# verify what was set
getcap /path/to/executable
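To check whether a process started through a systemd unit or a setcap'd binary actually ended up with cap_net_bind_service in its effective set, here is an added Python example (not part of the original post) that decodes the CapEff mask from /proc/self/status and attempts a bind on a privileged and an unprivileged port. It assumes a Linux host with /proc; the bit number 10 for CAP_NET_BIND_SERVICE comes from the kernel's capability.h.

```python
import os
import socket
import errno

# CAP_NET_BIND_SERVICE is capability number 10 in <linux/capability.h>
CAP_NET_BIND_SERVICE = 10


def has_capability(cap_eff_hex, cap_number=CAP_NET_BIND_SERVICE):
    """Decode a CapEff bitmask (hex string as printed in /proc/<pid>/status)
    and report whether the given capability is in the effective set."""
    return bool((int(cap_eff_hex, 16) >> cap_number) & 1)


def effective_caps_of_current_process():
    """Read the CapEff line of /proc/self/status (Linux only)."""
    with open("/proc/self/status") as f:
        for line in f:
            if line.startswith("CapEff:"):
                return line.split()[1]
    raise RuntimeError("CapEff not found; is this a Linux /proc?")


def try_bind(port, host="127.0.0.1"):
    """Attempt to bind a TCP socket to `port` and release it again.
    Returns (True, 0) on success or (False, errno) on failure; EACCES is what
    an unprivileged process without CAP_NET_BIND_SERVICE gets for ports < 1024."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind((host, port))
        return True, 0
    except OSError as e:
        return False, e.errno
    finally:
        s.close()


if __name__ == "__main__":
    caps = effective_caps_of_current_process()
    print(f"uid={os.getuid()} CapEff={caps} "
          f"cap_net_bind_service={has_capability(caps)}")
    for port in (443, 8080):
        ok, err = try_bind(port)
        status = "ok" if ok else f"failed: {errno.errorcode.get(err, err)}"
        print(f"bind 127.0.0.1:{port} -> {status}")
```

Run it once as an ordinary user (expect EACCES on 443) and once as the systemd service or via the setcap'd interpreter to confirm that only the capability, not root, is what made the difference.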
