Change Database Default Port

Description

Configuring a database to listen on a non-default port keeps quick network scans from identifying it as a database. An attacker who probes that specific system can still find and identify the new port, so treat this only as defense in depth, not as strong security.

Rationale

Using non-default ports will prevent a system from being found with routine network sweeps.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      sqlserver

Default Rule

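// getServerSetting is taken from the `module` object available to the rule
const { getServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the database uses a non-default port
 */
function validate(databaseSettings) {
    const port = getServerSetting(databaseSettings, 'tcpport')
    // Fail when the port is missing or equals the SQL Server default (1433);
    // compare as strings so a numeric 1433 is also caught
    const success = Boolean(port) && String(port) !== '1433'

    return {
        success,
    }
}

validate(databaseSettings)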
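The same check can be run across an account, as an added example that is not part of this rule or its project: the function below audits parsed `aws rds describe-db-instances` output and flags instances still on their engine's default port. It goes beyond the SQL Server case by including other engines' well-known defaults; the function names and the sample instances are constructed for illustration.

```javascript
// Added example: audit parsed `aws rds describe-db-instances` output for
// instances still listening on their engine's default port.
// Well-known default ports by engine family (prefix match on Engine).
const DEFAULT_PORTS = [
  ['sqlserver', 1433], // sqlserver-ee, sqlserver-se, sqlserver-ex, sqlserver-web
  ['postgres', 5432],
  ['mysql', 3306],
  ['mariadb', 3306],
  ['oracle', 1521],
];

function defaultPortFor(engine) {
  const hit = DEFAULT_PORTS.find(([prefix]) => String(engine).startsWith(prefix));
  return hit ? hit[1] : null;
}

// Returns one finding per instance: 'default-port', 'ok' or 'unknown'.
function auditPorts(describeOutput) {
  return (describeOutput.DBInstances || []).map((db) => {
    const expected = defaultPortFor(db.Engine);
    // Endpoint is absent while an instance is still being created.
    const hasPort = db.Endpoint && db.Endpoint.Port != null;
    const port = hasPort ? Number(db.Endpoint.Port) : null;
    let status = 'ok';
    if (expected === null || port === null) status = 'unknown';
    else if (port === expected) status = 'default-port';
    return { id: db.DBInstanceIdentifier, engine: db.Engine, port, status };
  });
}

// Constructed sample input (not real instances).
const SAMPLE = {
  DBInstances: [
    { DBInstanceIdentifier: 'orders-sql', Engine: 'sqlserver-se', Endpoint: { Port: 1433 } },
    { DBInstanceIdentifier: 'billing-sql', Engine: 'sqlserver-ee', Endpoint: { Port: 14330 } },
    { DBInstanceIdentifier: 'reports-pg', Engine: 'postgres', Endpoint: { Port: 5432 } },
    { DBInstanceIdentifier: 'new-sql', Engine: 'sqlserver-web' }, // still creating
  ],
};

for (const f of auditPorts(SAMPLE)) {
  console.log(`${f.id}\t${f.engine}\t${f.port}\t${f.status}`);
}
```

Instances reported as `unknown` have no endpoint yet or use an engine outside the table, and need a manual look rather than a pass.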