new Centos 7 install with virtualmin on VPS open ports

I did a new install with CentOS 7 (minimal, which I believe they spun up for me). From a base install I did yum update, then installed wget and perl and ran the Virtualmin install script.
Everything went super. I usually run these in environments where I control the router so I pay little attention to the open ports after a fresh install of virtualmin.

Since this install is on a VPS and is completely open to the world, after doing nmap I found all these ports open.

21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
110/tcp open pop3
113/tcp closed ident
143/tcp open imap
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
2000/tcp open cisco-sccp
2222/tcp open EtherNetIP-1
5060/tcp open sip
10000/tcp open snet-sensor-mgmt
20000/tcp open dnp

I’m curious to know why some of these would be open, specifically SIP:5060, dnp:20000, EtherNetIP-1:2222, cisco-sccp:2000.
I don’t recall setting up anything about telecommunications or want to have these services on the server.
My only focus is to have a web server and mail (httpd, PHP, MySQL, postfix / Dovecot).

I am new to firewalld so I will have to learn how to shut down some of these ports that are open for no reason I can explain.
If someone can comment about fail2ban with firewalld being a good idea I’d also appreciate it.

Thanks for any feedback.

So, the stable installer for Virtualmin (what you get when you download from the /download page here at Virtualmin.com) does not change the firewall on your system, except to open the ports for the services it manages. If you don’t have a firewall running it won’t do anything firewall-related. But, since I see all of the ports our installer opens in your list, you did have a firewall, and Virtualmin opened its usual list of ports.

The new Virtualmin 6 does include setting up a standard firewall with only the ports for Virtualmin related services open (firewalld, specifically, for modern systems with systemd, iptables for old systems with initscripts).

Anyway, most of those ports were opened by Virtualmin; but a few were not.

The ones that Virtualmin did not open are: 2000, 2222, 5060. I don’t know why they’re open on your system (maybe they’re open by default on all CentOS systems, I dunno. I don’t recognize those services though…2222 is often used as a secondary ssh port for VMs or for FTP over ssh using a different daemon than openssh.)

The rest are services related to a Virtualmin system. If you don’t use them, you can close them. 10000 is Virtualmin/Webmin itself, and 20000 is Usermin webmail.

But, you should also know that if nothing is running on a port, it doesn’t really matter whether it is open in the firewall (assuming no kernel network security bugs, which are exceedingly rare). It’s just one of many small precautions one might take to secure a server; firewalls just aren’t that interesting for world-facing servers. The only ports that matter are the ones that have services on them, and the only way for them to provide a service is for the port to be open…so, you’ve effectively got no firewall on your service ports…so, if something exploitable is running on the port, it is exposed. It gets more interesting if you’re sharing a database across several machines, and you only want those other machines to be able to connect; then a firewall is super handy. Otherwise, the database shouldn’t even be listening on public interfaces.

Hope that clears things up a little bit.

The new VM6 installer will set up firewalld. It’s a pretty good option; easy enough to use once you understand it, Webmin has a good module for it (which has gotten some enhancements for the upcoming Virtualmin 6 release), and there’s lots of documentation about it. Virtualmin 6 also sets up fail2ban; again, good Webmin module for it, and good docs on the web. I provided the steps for configuring an existing Virtualmin installation with the configuration we put onto new systems in VM6 here in the forums: https://www.virtualmin.com/node/52599

Thanks for your comments Joe. I suspected vm wouldn’t be doing anything like that.
I’ve pushed myself to use firewalld to get used to it, but I must say, however comprehensive they say it is, I’m still struggling to have it working even while reading up on the docs.

It is weird how nmap shows port 5060. And if I ncat it, it seems open. Firewalld doesn’t show this port open or says it isn’t. I’m sure if I stare at it long enough I’ll find out what’s going on… or slowly go insane.
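The check that resolves both Joe's point (a firewall-open port only matters if a service is listening on it) and the 5060 puzzle above is to reconcile what nmap reports as open with what is actually bound on the host. The names in the nmap list (EtherNetIP-1, cisco-sccp, dnp) come from nmap's port-number table, not from probing, so they say nothing about what is really on the port; `ss -ltnp` does. Below is an added example, not code from the thread or from Virtualmin: a POSIX shell script that takes the nmap-open port list from the first post and a constructed sample of `ss -ltnp` output (not captured from the poster's VPS) and prints, per port, the owning process or "none".

```shell
#!/bin/sh
# Added example: reconcile nmap "open" ports with local listening sockets.
# Both inputs are constructed for offline use; on a live host replace SS_SAMPLE
# with "$(ss -ltnp | tail -n +2)" (run as root so process names are shown).

# Ports the first post's nmap scan reported as open.
NMAP_OPEN='21 22 25 53 110 143 587 993 995 2000 2222 5060 10000 20000'

# Constructed sample of `ss -ltnp` output without its header line.
# Fields: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SS_SAMPLE='LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:(("proftpd",pid=1201,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=1300,fd=13))
LISTEN 0 10 0.0.0.0:53 0.0.0.0:* users:(("named",pid=1100,fd=21))
LISTEN 0 128 0.0.0.0:10000 0.0.0.0:* users:(("miniserv.pl",pid=1400,fd=5))
LISTEN 0 128 0.0.0.0:20000 0.0.0.0:* users:(("miniserv.pl",pid=1401,fd=5))'

# listener_for PORT SS_OUTPUT
# Prints the process name bound to PORT, or "none" if nothing is listening.
# The port is taken from the last ":"-separated element of the local address,
# so "0.0.0.0:22" and "[::]:22" are both handled.
listener_for() {
  port=$1
  proc=$(printf '%s\n' "$2" | awk -v p=":$port" '
    {
      n = split($4, a, ":")
      if (":" a[n] == p) {
        # users:(("name",pid=...)) -> extract the quoted name
        if (match($0, /\("[^"]+"/)) {
          print substr($0, RSTART + 2, RLENGTH - 3)
        } else {
          print "unknown"
        }
        exit
      }
    }')
  printf '%s' "${proc:-none}"
}

# report NMAP_OPEN_LIST SS_OUTPUT
# One line per port: PORT PROCESS STATUS. A port with no listener is harmless
# until something binds it; a port with a listener is a service you must
# actually intend to expose.
report() {
  for p in $1; do
    l=$(listener_for "$p" "$2")
    if [ "$l" = none ]; then
      echo "$p none open-in-firewall,no-listener"
    else
      echo "$p $l service-exposed"
    fi
  done
}

report "$NMAP_OPEN" "$SS_SAMPLE"
```

A port that nmap calls open but that has no local listener (5060 in the sample) is not a service on the box; the next place to look is the firewall itself with `firewall-cmd --list-all`, which prints the services and ports the active zone allows. A port that does have a listener you did not intend (for example something on 2000 or 2222) is what to stop or reconfigure first, since closing it in firewalld only hides it.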

I’ve had good luck with APF and BFD (rather than fail2ban) and use them on my servers.

https://www.rfxn.com/projects/advanced-policy-firewall/
https://www.rfxn.com/projects/brute-force-detection/

APF is highly configurable and easy to use.