Web Hosting Talk
For added Security: Bare minimum ports open?


beet
07-07-2004, 12:36 PM
Hi,

On a Cpanel server with only one user (myself), what would be the bare minimum ports open for the server to function properly?

Of the available ports, the only one I want to leave consciously open is port 80. Regarding WHM, Cpanel and SSH ports, I have special rules to only allow my IP to access them.

With that in mind, what other ports are critical to leave open to the internet?

-------

I figure these should be open, but not quite sure for some of them:

2089 cp licence tcp outbound
443 https tcp inbound (My only use for Https is for WHM and Cpanel - is this required for secure connections to them?)
113 ident tcp outbound
25 smtp tcp inbound/outbound
37 rdate tcp outbound
43 whois tcp outbound
53 DNS tcp/udp inbound/outbound (I use my hosts nameservers)

Thanks for any input!

Pheaton
07-07-2004, 01:04 PM
Are you going to be connecting to the server remotely through ssh? If so, you might want to add port 22 to the list or bind ssh to a different port.

Steven
07-07-2004, 01:46 PM
inbound tcp="21,22,25,53,80,110,2082,2083,2086,2087,2095,2096"
inbound udp="53"
outbound tcp="21,53,80,2089"
inbound tcp="53"


This will allow the common services to work, you can remove

2086,2082,2095

if you are going to use cpanel with ssl only.
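As an added illustration (not code from any poster in this thread), the script below turns Steven's inbound/outbound lists into an iptables rule set, with the SSL-only reduction Steven mentions and the admin-address restriction beet described for SSH, cPanel and WHM. The admin address 203.0.113.10 is an assumed placeholder, and treating 22/2083/2087 as admin-only and 2096 as public is my assumption; the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example: emit (not apply) an iptables rule set from the port lists
# quoted in this thread. Review the output before running it as root.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # assumed placeholder admin address

# Public services: Steven's inbound list minus the admin-only ports and the
# non-SSL cPanel ports (2082, 2086, 2095) he says can go when using SSL only
PUBLIC_TCP="21 25 53 80 110 2096"
PUBLIC_UDP="53"
# Admin-only services reachable from ADMIN_IP: SSH, cPanel SSL, WHM SSL
ADMIN_TCP="22 2083 2087"
# Outbound connections the server itself opens: FTP, DNS, HTTP, cPanel licence
OUTBOUND_TCP="21 53 80 2089"
OUTBOUND_UDP="53"   # resolver queries, as in beet's own list

# emit_rule PROTO PORT CHAIN [SOURCE]: print one ACCEPT rule
emit_rule() {
    proto=$1; port=$2; chain=$3; src=$4
    if [ -n "$src" ]; then
        printf 'iptables -A %s -p %s -s %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$src" "$port"
    else
        printf 'iptables -A %s -p %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$port"
    fi
}

emit_rules() {
    # default-deny in both directions; keep loopback and established flows working
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $PUBLIC_TCP;   do emit_rule tcp "$p" INPUT; done
    for p in $PUBLIC_UDP;   do emit_rule udp "$p" INPUT; done
    for p in $ADMIN_TCP;    do emit_rule tcp "$p" INPUT "$ADMIN_IP"; done
    for p in $OUTBOUND_TCP; do emit_rule tcp "$p" OUTPUT; done
    for p in $OUTBOUND_UDP; do emit_rule udp "$p" OUTPUT; done
}

# count_rules_for PORT: number of emitted rules for that destination port
count_rules_for() {
    emit_rules | grep -c -- "--dport $1 "
}

emit_rules
```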

beet
07-07-2004, 03:30 PM
Thanks.

Do I really need to have port 53 open even though I use my webhosts DNS servers?

I also assume 37, 443, 113, and 43 can be closed off safely?

Steven
07-07-2004, 03:37 PM
Well, sometimes you will not be able to resolve things if it is closed.

Pheaton
07-07-2004, 04:14 PM
443 can be closed if you don't plan on having sites with SSL. WHM/cPanel use ports 2083 and 2087 on SSL.

As far as I can tell port 113 (authentication service), 37 (RFC time), and 43 (whois) can be closed.

beet
07-07-2004, 05:00 PM
Thanks. Everyone should consider closing as many ports as they can. I was port scanned last night, and my logs showed he/she/it connected to my IMAP. Granted, no harm was done (yet); I didn't even realize until then that it was an unused service conveniently left wide open.

Steven
07-07-2004, 05:12 PM
There are a lot of legit uses for IMAP remotely.

zinet
07-07-2004, 08:23 PM
If you are using passive FTP you will need a lot of the high-numbered ports opened, because passive FTP uses random port numbers chosen by the FTP client and not the server. However, since the server is yours, I would recommend that you use SFTP anyway because it encrypts in transit.