View Full Version : What ports should you block?
PhilG 06-07-2004, 08:09 PM Hello,
I am wondering, does any web host block all non used ports?
What ports do you recommend blocking?
iptables -A INPUT -p tcp --dport n:n -j DROP
traixanha 06-07-2004, 08:28 PM 20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096 --> these ports need to be open... otherwise it depends on you what you want to open... but these ports above for sure need to be open
PhilG 06-07-2004, 08:33 PM What about passive ftp? does that use the high ports?
buyourweb 06-07-2004, 08:38 PM Hey PhilG
http://www.webhostgear.com has a great tutorial on this subject.
Hope this helps
P.S. If you are using cPanel, be careful not to block the ports it is using.
PhilG 06-07-2004, 08:58 PM Is this the article:
http://www.webhostgear.com/61.html
PhilG 06-07-2004, 09:18 PM What is the highest port?
Dan L 06-07-2004, 09:43 PM I haven't seen it use higher than 50000 myself.. I'm not sure of the specifics, however.
maxdf 06-07-2004, 09:51 PM make sure you block port 80...
Just kidding, yeah i've seen that tutorial before.
HeadBuilder 06-08-2004, 02:45 AM What about passive ftp? does that use the high ports?
Passive FTP can be set to use higher port numbers like 30000++
It depends on your setup.
2Grumpy 06-08-2004, 02:37 PM Reject ALL ports except for - the usual ports - smtp ftp imap pop3 (etc) is pretty much the way to go.
bqinternet 06-08-2004, 04:40 PM The question isn't what ports to block... it's what ports NOT to block. We normally block all ports below 1024 (these are usually privileged ports) except for those that are needed, such as smtp, http, https, etc. We usually leave the ports above 1024 open for FTP.
telnettro 06-08-2004, 05:09 PM For the latest in security, just set your IP and gateway to 0.0.0.0, unplug the net cable, and turn off the machine (even better to unplug it).
Really though, the best way to figure out what you need to do is do EVERYTHING you'd ever want to do with your box all at once, run netstat, and block any port that's not listed there. If you don't need or don't recognize some ports that appear to be listened on, research them and block them if it's safe.
AlexV 06-08-2004, 06:43 PM Originally posted by traixanha:
"20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096 --> these ports need to be open... otherwise it depends on you what you want to open... but these ports above for sure need to be open"
These ports are for cPanel servers only: 2082 2083 2087 2095
I'm not too sure about ports 465 993 and 995, but I'm pretty sure they don't "need" to be open... Find out what they are and leave them open if you really do "need" them. Otherwise, leave them closed.
If you are using ProFTPD as your FTP software (default for Plesk, I think), you can edit the passive ports it uses: "vi /usr/local/etc/proftpd.conf", and look for the section "PassivePorts"... then set your firewall appropriately.
Dan L 06-08-2004, 08:34 PM ProFTPd is the default. Plesk also uses 8443 as opposed to 2082, 2083, 2087, and 2095.
itstech 06-08-2004, 08:45 PM What about blocking connection to remote Port 25 on Non-mail servers?
I run a single primary mail server(Linux) and several windows servers. We don't allow our web servers to send email except via our mail server.
This prevents SPAM attacks from customers using bulkmail scripts on a webhosting account
PhilG 06-10-2004, 10:16 AM Okay guys, here is what I've come up with.. Please note that I have a red hat linux box with no control panel.
iptables -A INPUT -p tcp --dport 23:24 -j DROP
iptables -A INPUT -p tcp --dport 26:79 -j DROP
iptables -A INPUT -p tcp --dport 81:109 -j DROP
iptables -A INPUT -p tcp --dport 111:142 -j DROP
iptables -A INPUT -p tcp --dport 144:442 -j DROP
iptables -A INPUT -p tcp --dport 444:3305 -j DROP
iptables -A INPUT -p tcp --dport 3307:19999 -j DROP
iptables -A INPUT -p tcp --dport 20501:49999 -j DROP
This allows the following ports:
21 - FTP
22 - SSH
25 - SMTP
80 - HTTP
110 - POP3
143 - IMAP
443 - HTTPS
3306 - MYSQL
20000:20500 - FTP PASSIVE DOWNLOADS
50000:65535 - MYSQL
I hope this info helps out others that wish to do the same thing.
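An added example (not posted by anyone in this thread) in Python: it turns an allow-list like PhilG's into the complementary DROP ranges, and audits a set of posted DROP rules for the ports they leave reachable. The allow-list and the rules are copied from PhilG's post above; the function names are my own.

```python
import re

# Constructed from PhilG's post above: the TCP ports he wants reachable,
# expressed as inclusive (low, high) ranges.
ALLOWED = [(21, 21), (22, 22), (25, 25), (80, 80), (110, 110), (143, 143),
           (443, 443), (3306, 3306), (20000, 20500), (50000, 65535)]

def drop_ranges(allowed, lo=1, hi=65535):
    """Return the port ranges that must be DROPped so that only `allowed`
    stays open: the complement of the allow-list within [lo, hi]."""
    ranges, cursor = [], lo
    for start, end in sorted(allowed):
        if start > cursor:
            ranges.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= hi:
        ranges.append((cursor, hi))
    return ranges

def render_rules(ranges):
    """Format drop ranges as iptables lines in the style used in the thread."""
    return ["iptables -A INPUT -p tcp --dport %d:%d -j DROP" % r for r in ranges]

RULE_RE = re.compile(r"--dport\s+(\d+)(?::(\d+))?\s+-j\s+DROP")

def still_open(rules, lo=1, hi=65535):
    """Audit a list of DROP rules: return every port in [lo, hi] that no
    rule covers, i.e. what is still reachable from outside."""
    blocked = set()
    for line in rules:
        m = RULE_RE.search(line)
        if m:
            start = int(m.group(1))
            end = int(m.group(2) or start)
            blocked.update(range(start, end + 1))
    return [p for p in range(lo, hi + 1) if p not in blocked]

# The eight DROP ranges PhilG actually posted, so the audit can run on them.
PHILG_RULES = render_rules([(23, 24), (26, 79), (81, 109), (111, 142),
                            (144, 442), (444, 3305), (3307, 19999),
                            (20501, 49999)])

if __name__ == "__main__":
    for line in render_rules(drop_ranges(ALLOWED)):
        print(line)
    # Shows the gap: PhilG's rules never drop ports 1-20.
    print("ports PhilG's rules leave open (1-25):", still_open(PHILG_RULES, 1, 25))
```

The generated list has one range PhilG's post lacks, 1:20, which the audit confirms is still reachable under his rules; a default-deny policy (`iptables -P INPUT DROP` plus explicit ACCEPT rules) avoids having to enumerate such gaps by hand.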