Locking down ports

MustangV10

The default ports allowed by CSF are:
20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,30000:35000

Just curious, what other ports (if any) do you think are important to lock down and why?
 


Best practices would say that you should only open the ports on a server that are being used by an application. Doing anything else is bad news. Also, best practices say that you should not run a server that is doing tons of different services. i.e., run separate servers for mail, dns, web, ftp etc... However, as so many people run multi-use web servers like cPanel that have gobs of ports open by default, I recommend the following port configuration.

# PORT 21 FTP
# PORT 22 SSH
# PORT 25 SMTP
# PORT 54 DNS
# PORT 80 httpd
# PORT 110 POP3
# PORT 143 IMAP
# PORT 443 SSL
# PORT 2082 cPanel
# PORT 2083 cPanel
# PORT 2086 WHM
# PORT 2087 WHM

This was from memory, so I may have missed some.
 
Yeah, someone else suggested what you said about only opening ports you need. I thought that could cause problems though, since I might close ports that people need. I'll look further into this though, thanks.
 
I would only open ports I need if it's a personal website, but for larger websites it would probably cause problems in the future
 
The ports you have to allow and block depend on the kind of web hosting/applications you are running on your web server.

Here's an example of the list of ports I would normally allow:

1) The SSH Port - Default is 22, but if you've changed it to something else in sshd config, you should allow that so that you can connect to your SSH.

2) Domain, FTP, DNS and HTTPS ports: 80, 21, 53, 443 - these in order. These are to be allowed as a must, unless you're not using any of the following ports.

3) Mail - POP3, IMAP4, SMTP: 110, 143, 25 (POP3 with SSL uses ports 993/995) - these in order. If you're using them, make sure to allow them; otherwise you wouldn't require them.

4) Gaming ports and VoIP apps or other applications' ports: usually gaming ports vary and they have their own defaults; the same goes for VoIP messenger servers like Mumble's server, Murmur, which has a default port of 64738, and it varies per application.

5) Control panels - for cPanel and WHM (assuming that you manage the VPS and have WHM running), the ports are 2082, 2083, 2086, 2087 (SSL ports: 2083 and 2087).

- For Kloxo Panel it is 7777 and 7778 (SSL: 7777). Ports on Kloxo are configurable and changeable.

6) If you want to allow any specific port range you can use Portnumber1:Portnumber100 (like you have in your list, 30000:35000). It is best not to leave such a huge port range open.

So if you're not using any particular application, you can have those port numbers removed from CSF's allow Default ports list.
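As an added example (not from the thread and not CSF's own code) of the "allow only what is in use" advice: a Python check that expands a TCP_IN list in csf.conf syntax, compares it with constructed `ss -lntu` output, and reports allowed ports on which nothing public listens, public listeners the list would block, and loopback-only services that need no public rule. TCP_IN, SS_OUTPUT, LOOPBACK and the function names are assumptions made for this example.

```python
# Constructed sample of CSF's TCP_IN setting, in csf.conf syntax (comma-separated
# ports, "a:b" ranges); this is the default list quoted in the thread.
TCP_IN = ("20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,"
          "2086,2087,2095,2096,30000:35000")

# Constructed `ss -lntu` output (not a real capture); only column 5 is used.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511             [::]:443          [::]:*
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:6667      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*
"""

LOOPBACK = ("127.0.0.1", "[::1]")

def parse_allowed(spec):
    """Expand a CSF port list such as "22,80,30000:35000" into a set of ints."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def listening_ports(ss_text):
    """Map port -> bound address for each socket line in `ss -lntu` output."""
    found = {}
    for line in ss_text.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) >= 5:
            addr, _, port = cols[4].rpartition(":")
            found[int(port)] = addr
    return found

def audit(spec, ss_text):
    """Return (allowed but not publicly listening, publicly listening but not
    allowed, loopback-only listeners that need no public rule)."""
    allowed = parse_allowed(spec)
    listening = listening_ports(ss_text)
    public = {p for p, addr in listening.items() if addr not in LOOPBACK}
    return (sorted(allowed - public), sorted(public - allowed),
            sorted(set(listening) - public))

if __name__ == "__main__":
    unused, blocked, loopback = audit(TCP_IN, SS_OUTPUT)
    print("allowed by TCP_IN but nothing public listens:", len(unused), "ports")
    print("listening publicly but not in TCP_IN:", blocked)
    print("loopback-only listeners (no public rule needed):", loopback)
```

On a real host, replace SS_OUTPUT with the output of `ss -lntu` and TCP_IN with the value from csf.conf; the first list is the set of candidates to remove, and the second is what the firewall is already blocking.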
 
Always deny ALL ports and open just the needed ones. Hope this helps.
 
For a server, I always say all IRC ports should be locked down, as they are the most common botnet ports. But as a general rule, anything you are not using should be closed down.
 
