listen.md: Suggest non-standard STUN port

weiss · badlop · commit c9a51800044f · 2024-11-18T11:47:21.000+01:00
STUN via UDP can easily be abused for reflection/amplification DDoS attacks.
Therefore, suggest a non-standard port to make it harder for attackers to
discover the service.

Modern XMPP clients discover the port via XEP-0215 (mod_stun_disco), so there's
no advantage in sticking to the standard port.
diff --git a/content/admin/configuration/listen.md b/content/admin/configuration/listen.md
@@ -243,11 +243,11 @@ Example configuration with disabled TURN functionality (STUN only):
 ``` yaml
 listen:
   -
-    port: 3478
+    port: 5478
     transport: udp
     module: ejabberd_stun
   -
-    port: 3478
+    port: 5478
     module: ejabberd_stun
   -
     port: 5349
@@ -262,7 +262,7 @@ enabled if TURN is enabled. Here, only UDP section is shown:
 ``` yaml
 listen:
   -
-    port: 3478
+    port: 5478
     transport: udp
     use_turn: true
     turn_ipv4_address: 10.20.30.1
@@ -532,7 +532,7 @@ For example, the following simple configuration defines:
 
 - Port 5269 listens for s2s connections with STARTTLS. The socket is set for IPv6 instead of IPv4.
 
-- Port 3478 listens for STUN requests over UDP.
+- Port 5478 listens for STUN requests over UDP.
 
 - Port 5280 listens for HTTP requests, and serves the HTTP-Bind (BOSH) service.
 
@@ -570,7 +570,7 @@ listen:
     shaper: s2s_shaper
     max_stanza_size: 131072
   -
-    port: 3478
+    port: 5478
     transport: udp
     module: ejabberd_stun
   -

Original file line number	Diff line number	Diff line change
`@@ -243,11 +243,11 @@ Example configuration with disabled TURN functionality (STUN only):`
`243`	`243`	``` yaml
`244`	`244`	`listen:`
`245`	`245`	`-`
`246`		`- port: 3478`
	`246`	`+ port: 5478`
`247`	`247`	`transport: udp`
`248`	`248`	`module: ejabberd_stun`
`249`	`249`	`-`
`250`		`- port: 3478`
	`250`	`+ port: 5478`
`251`	`251`	`module: ejabberd_stun`
`252`	`252`	`-`
`253`	`253`	`port: 5349`
`@@ -262,7 +262,7 @@ enabled if TURN is enabled. Here, only UDP section is shown:`
`262`	`262`	``` yaml
`263`	`263`	`listen:`
`264`	`264`	`-`
`265`		`- port: 3478`
	`265`	`+ port: 5478`
`266`	`266`	`transport: udp`
`267`	`267`	`use_turn: true`
`268`	`268`	`turn_ipv4_address: 10.20.30.1`
`@@ -532,7 +532,7 @@ For example, the following simple configuration defines:`
`532`	`532`
`533`	`533`	`- Port 5269 listens for s2s connections with STARTTLS. The socket is set for IPv6 instead of IPv4.`
`534`	`534`
`535`		`-- Port 3478 listens for STUN requests over UDP.`
	`535`	`+- Port 5478 listens for STUN requests over UDP.`
`536`	`536`
`537`	`537`	`- Port 5280 listens for HTTP requests, and serves the HTTP-Bind (BOSH) service.`
`538`	`538`
`@@ -570,7 +570,7 @@ listen:`
`570`	`570`	`shaper: s2s_shaper`
`571`	`571`	`max_stanza_size: 131072`
`572`	`572`	`-`
`573`		`- port: 3478`
	`573`	`+ port: 5478`
`574`	`574`	`transport: udp`
`575`	`575`	`module: ejabberd_stun`
`576`	`576`	`-`