Safe LINUX TCP Port

Jojo Castro
Regular Advisor

Safe LINUX TCP Port

Hi all,

I have 3 questions:

1.) What is the maximum tcp connections a LINUX box can cater or accept?

2.) What are the kernel parameters and factors involved?

3.) What is the safest TCP port that an application can use to start with?
Matti_Kurkela
Honored Contributor
Solution

Re: Safe LINUX TCP Port

1.)
Limited only by available memory, processing capacity and the limitations of appropriate protocol standards.

2.)
* A TCP connection is identified by a 4-tuple of (source IP address, source port, destination IP address, destination port). If a TCP port is in LISTENING state, it may handle any number of incoming connections; but for outgoing connections, only 1 connection per port is allowed. Because there are only 65535 port numbers available, this works out to a maximum of 65535 connections from one client host to one server host. At that point, the client is maxed out, but the server can still handle more incoming connections.

* A TCP socket requires a file descriptor. There are both per-user (or per-application, in case of a server application) and system-wide limits for the number of active file descriptors. The per-user limits can be checked and modified by the "ulimit" command: the default limit is 1024, but it can be increased.
The system-wide limit can be controlled by "/sbin/sysctl fs.file-max". The default value is usually > 100 000.

Often the most practical limit is when your application runs out of processing capacity to handle incoming data, and new connections begin to fail because of time-out errors because the system cannot service them fast enough. Of course, this depends mainly on how much processing your application needs to do for each connection.

3.)
Safest in what sense?
Access to ports 0-1023 requires special privileges (root permissions or other special arrangements), so it would be preferable if the application did not need that.

Beyond that, there are no inherently "safe" ports: various worms and other malware will automatically scan all ports of every networked computer they can detect. This can happen even in a firewalled and isolated network, because people use laptops: if someone plugs a worm-infected laptop into your intranet, no port is safe.

Your application should perform any applicable sanity checks on any data received from the network before acting on it. "Is this the data I'm expecting, or just some random nonsense?"

MK
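The two limits Matti describes (one outgoing connection per source port toward a given peer, and the per-process and system-wide file-descriptor ceilings) can be turned into a quick budget calculation. The following is an added example, not code from the thread; it reads the same values Matti names (`ulimit -n` via `RLIMIT_NOFILE`, `fs.file-max`, and the privileged range 0-1023) plus the kernel's `ip_local_port_range`, which is the range actually handed out to outgoing connections and is narrower than the full 1-65535 space. The sample numbers passed to `connection_budget` in the `__main__` block are constructed, and `reserved_fds` is an assumption (stdin, stdout, stderr are already open).

```python
import resource
from typing import Dict, Tuple

PRIVILEGED_PORT_MAX = 1023   # ports 0-1023 need root or an equivalent capability on Linux
MAX_PORT = 65535


def is_privileged_port(port: int) -> bool:
    """True if binding this port requires special privileges (Matti's point 3)."""
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port out of range: {port}")
    return port <= PRIVILEGED_PORT_MAX


def connection_budget(port_range: Tuple[int, int], fd_soft_limit: int,
                      file_max: int, reserved_fds: int = 3) -> Dict[str, int]:
    """Combine the limits from the answer into one table of ceilings.

    port_range    -- (low, high) of net.ipv4.ip_local_port_range, inclusive
    fd_soft_limit -- the process's RLIMIT_NOFILE soft limit (what `ulimit -n` shows)
    file_max      -- fs.file-max, the system-wide open-file ceiling
    reserved_fds  -- descriptors assumed to be in use before any socket opens (assumption)
    """
    low, high = port_range
    if not 1 <= low <= high <= MAX_PORT:
        raise ValueError(f"bad ephemeral port range: {port_range}")
    outbound_per_peer = high - low + 1              # one source port per outgoing connection
    fd_bound = max(fd_soft_limit - reserved_fds, 0)  # every socket costs one descriptor
    return {
        "outbound_per_peer": outbound_per_peer,
        "fd_bound": fd_bound,
        "system_bound": file_max,
        # a listening server is not bound by ports, only by descriptors
        "server_ceiling": min(fd_bound, file_max),
        # a client talking to one server host hits whichever limit comes first
        "client_ceiling_per_peer": min(outbound_per_peer, fd_bound, file_max),
    }


def read_live_budget() -> Dict[str, int]:
    """Read the real values from this Linux host and apply connection_budget."""
    with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
        low, high = (int(x) for x in f.read().split())
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    with open("/proc/sys/fs/file-max") as f:
        file_max = int(f.read().strip())
    return connection_budget((low, high), soft, file_max)


if __name__ == "__main__":
    # Constructed sample: the common defaults of 32768-60999, ulimit -n 1024, fs.file-max 100000.
    print(connection_budget((32768, 60999), 1024, 100_000))
    # With a raised descriptor limit the ephemeral range becomes the binding constraint.
    print(connection_budget((32768, 60999), 65536, 100_000))
    for port in (22, 443, 8080):
        print(port, "privileged" if is_privileged_port(port) else "unprivileged")
    try:
        print(read_live_budget())
    except OSError as exc:   # not on Linux, or /proc unavailable
        print("live values unavailable:", exc)
```

With the default `ulimit -n` of 1024 the descriptor limit, not the port space, is what stops a client first; raising it past the ephemeral range size moves the bottleneck to `ip_local_port_range`, which is why both values belong in any capacity estimate.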
Jojo Castro
Regular Advisor

Re: Safe LINUX TCP Port

Hi Matti, actually you have answered all my queries. As for the safest port, I am actually referring to ports I can give to our developer for them to use.

Thanks! :)
rick jones
Honored Contributor

Re: Safe LINUX TCP Port

As far as picking port numbers goes, it would be best to consider the assigned numbers RFCs, which would be archived on www.ietf.org. Also, make *certain* your developers do *NOT* hardcode their port numbers, but use service names and lookups (e.g. "netperf" rather than port number 12345) so that, should it become necessary, there can be local customization of the port numbers used...
there is no rest for the wicked yet the virtuous have no pillows
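Rick's advice to resolve a service name instead of hardcoding a port is what `getservbyname()` does against `/etc/services`. The following added example (not code from the thread) shows the lookup two ways: a small parser for `/etc/services`-format text, so the behaviour can be seen offline with constructed entries, and a fallback to `socket.getservbyname()` for the real system file. The `SAMPLE_SERVICES` and `LOCAL_OVERRIDE` texts are constructed; the `netperf` port numbers in them are sample values, and the "first entry wins" layering that lets an override file take precedence is a design choice of this example, not a documented system behaviour.

```python
import socket
from typing import Dict, Optional, Tuple

# Constructed sample in /etc/services format (not a real system file).
SAMPLE_SERVICES = """\
# service-name   port/protocol   [aliases...]    # comment
http             80/tcp          www             # World Wide Web
http             80/udp
netperf          12865/tcp                       # constructed entry
"""

# Constructed local override: same service name, a site-specific port.
LOCAL_OVERRIDE = """\
netperf          12345/tcp                       # local customization
"""


def parse_services(text: str) -> Dict[Tuple[str, str], int]:
    """Parse /etc/services-style text into {(name_or_alias, proto): port}.

    Comments and blank lines are ignored; malformed lines are skipped rather
    than guessed at. The first entry for a (name, proto) pair wins, so text
    placed earlier overrides text placed later.
    """
    table: Dict[Tuple[str, str], int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_str, proto = fields[1].split("/", 1)
        if not port_str.isdigit() or not 0 < int(port_str) <= 65535:
            continue
        port = int(port_str)
        for name in (fields[0], *fields[2:]):   # primary name plus aliases
            table.setdefault((name, proto), port)
    return table


def lookup_service(name: str, proto: str = "tcp",
                   services_text: Optional[str] = None) -> int:
    """Resolve a service name to a port number.

    With services_text given, only that text is consulted (useful for tests and
    for layering a local override in front of the system table). Without it,
    the C library's getservbyname() is used, which reads the real /etc/services.
    """
    if services_text is not None:
        try:
            return parse_services(services_text)[(name, proto)]
        except KeyError:
            raise LookupError(f"no {proto} entry for service {name!r}") from None
    try:
        return socket.getservbyname(name, proto)
    except OSError as exc:
        raise LookupError(f"no {proto} entry for service {name!r}") from exc


if __name__ == "__main__":
    print("www ->", lookup_service("www", services_text=SAMPLE_SERVICES))
    print("netperf (sample) ->", lookup_service("netperf", services_text=SAMPLE_SERVICES))
    # Putting the override text first makes it take precedence, with no code change.
    print("netperf (override) ->",
          lookup_service("netperf", services_text=LOCAL_OVERRIDE + SAMPLE_SERVICES))
    try:
        print("ssh (system) ->", lookup_service("ssh"))
    except LookupError as exc:   # e.g. a minimal container without /etc/services
        print(exc)
```

An application written this way binds to `lookup_service("netperf")` and an administrator moves it by editing the services table, which is exactly the local customization Rick describes; a missing entry surfaces as a clear `LookupError` at startup rather than a silent bind to a wrong port.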