Which ports does the JAMI application use? Are there risks associated with UPnP?

Hello everybody,
I just want to know which ports to open in order to run JAMI (which is the minimal number of ports to be open).
I also want to know which security risk is implied by opening UPnP. It seems to be risky for the user (as I see a lot of recommendations say not to use UPnP).

Thanks for your answers


I just want to know which ports to open in order to run JAMI (which is the minimal number of ports to be open).

Hello @blueotter :slight_smile: By default, Jami uses these ports and protocols:

| Port | Protocol |
|---|---|
| 4000 | UDP |
| 5060 | TCP |
| 5060 | UDP |
| 5061 | TCP |
| 5061 | UDP |
| 8888 | UDP |
| 16384-32766 | UDP |
| 49152-65534 | UDP |

Below is the same reply as above, but with details if you're interested in those.

If your Jami is behind a router and your router is configured appropriately, there is usually no need to open any port(s), neither on your router nor on your device. In other words, most of the time Jami works without opening ports.

It is a significant security risk to open port(s), whether by opening or by redirecting them. Before opening any port, I suggest trying all other available and appropriate options, such as configuring your Jami appropriately.

If you really need to open port(s) and you know what you're doing, you can optionally, using the Jami configuration, set any other port to your liking instead of port 5060.

Depending on which Jami feature(s) you use, other port(s) might need to be open. For example, but not limited to, these ports and protocols:

| Port | Protocol | Description |
|---|---|---|
| 4000 | UDP | DHT (Distributed hash table) |
| 5060 | TCP | Default TCP. Randomly bound 5060 TCP and 5060 UDP. |
| 5060 | UDP | Default UDP (User Datagram Protocol). Randomly bound 5060 TCP and 5060 UDP. |
| 5061 | TCP | Secured connection using TLS 1.3. SIP Secure (SIPS). |
| 5061 | UDP | Secured connection using TLS 1.3. SIP Secure (SIPS). |
| 8888 | UDP | DHT (Distributed hash table) |
| 16384-32766 | UDP | Audio ports for RTP. Range of ports from 16384 to 32766. These ports are used in case of failed ICE. They are also used for the negotiation of the SDP session. |
| 49152-65534 | UDP | Video ports for RTP. Range of ports from 49152 to 65534. These ports are used in case of failed ICE. They are also used for the negotiation of the SDP session. |

If UDP is blocked, a dhtproxy can be used to use TCP instead. Note that if UDP is blocked, media will not work, because media only supports UDP.

Related documentation and sources

I also want to know which security risk is implied by opening UPnP. It seems to be risky for the user (as I see a lot of recommendations say not to use UPnP).

Hello @blueotter :slight_smile: In summary, for preventive security and for stronger security, I suggest NEVER installing, NEVER enabling, and NEVER using UPnP.

If you enable and use UPnP, automatic discovery of new devices would still work, but it would be slower. If you disable or remove UPnP, your Debian would have STRONGER security. So it depends on your current needs.

Below is the same reply as above, but with details if this is of interest.

Speaking for myself only: I do NOT trust UPnP, because it has a very weak security history. A catastrophically weak security history, in fact. Find the examples and sources below. I deactivated my UPnP, because to me security is more important than speed.

For those not familiar with UPnP: in summary, what it does is allow networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. The challenge with UPnP is that, for example, routers, printers, and other devices can be remotely commandeered by a new attack that exploits a security flaw in the Universal Plug and Play network protocol. And UPnP has a very long history of weak security.

Examples of security flaws with UPnP:

• June 2020: UPnP flaw exposes millions of network devices to attacks over the Internet | Ars Technica
    • https://archive.md/28Y6i
• October 2019: https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/
    • https://archive.md/3Bnh0
• May 2019: Debian -- Security Information -- DLA-1805-1 minissdpd
• May 2016: Debian -- Security Information -- DLA-454-1 minissdpd
• January 2013: https://www.hdm.io/writing/SecurityFlawsUPnP.pdf
    • https://web.archive.org/web/20200927005146/https://www.hdm.io/writing/SecurityFlawsUPnP.pdf
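An added example (not from either post or from the Jami project) that ties the port table in the first answer to the UPnP concern in the second: it checks a router's list of port mappings against Jami's documented ports and flags every mapping that Jami does not account for, so leftover or foreign UPnP openings stand out. The mapping listing, its `PROTO ext->host:int 'desc'` line format and the role names are constructed assumptions, not real router output.

```python
"""Audit UPnP port mappings against Jami's documented port set.
Added example, not from the forum post or the Jami project; port ranges are
the ones in the answer above, the listing below is constructed sample data."""
import re
from typing import Optional

# (protocol, first_port, last_port, role) from the answer's table.
JAMI_PORTS = [
    ("udp", 4000, 4000, "DHT"),
    ("tcp", 5060, 5060, "SIP default"),
    ("udp", 5060, 5060, "SIP default"),
    ("tcp", 5061, 5061, "SIPS (TLS 1.3)"),
    ("udp", 5061, 5061, "SIPS (TLS 1.3)"),
    ("udp", 8888, 8888, "DHT"),
    ("udp", 16384, 32766, "RTP audio (ICE fallback)"),
    ("udp", 49152, 65534, "RTP video (ICE fallback)"),
]

def describe(proto: str, port: int) -> Optional[str]:
    """Return the documented Jami role of proto/port, or None if undocumented."""
    for p, lo, hi, role in JAMI_PORTS:
        if p == proto.lower() and lo <= port <= hi:
            return role
    return None

# Assumed listing format (constructed): "UDP 4000->192.0.2.10:4000 'desc'".
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\d+)\s*->\s*(\S+):(\d+)\s+'([^']*)'", re.I)

def audit_mappings(listing: str) -> dict:
    """Split mapping lines into ones matching Jami's documented ports and
    ones that are unexpected (candidates to remove from the router)."""
    result = {"jami": [], "unexpected": []}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or unparseable line
        proto, ext, host, internal, desc = m.groups()
        entry = (proto.upper(), int(ext), host, int(internal), desc)
        bucket = "jami" if describe(proto, int(ext)) else "unexpected"
        result[bucket].append(entry)
    return result

SAMPLE = """\
UDP 4000->192.0.2.10:4000 'Jami DHT'
TCP 5061->192.0.2.10:5061 'Jami SIPS'
UDP 20000->192.0.2.10:20000 'Jami media'
TCP 3389->192.0.2.25:3389 'rdp'
TCP 22->192.0.2.25:22 ''
"""
```

Calling `audit_mappings(SAMPLE)["unexpected"]` returns the two mappings (3389/TCP and 22/TCP) that none of Jami's documented ports explain; the 20000/UDP entry is accepted because it falls inside the 16384-32766 audio range.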