Safe ports to open? Checklist.

Hey guys,

Does this look like a quality setup for the firewall with Virtualmin?

-A INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
-A INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport ftp-data -j ACCEPT
-A INPUT -p udp -m udp --dport ftp -j ACCEPT
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport https -j ACCEPT
-A INPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --dport imaps -j ACCEPT
-A INPUT -p tcp -m tcp --dport imap -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3s -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport submission -j ACCEPT
-A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Let me know if there is anything I don’t need.

Port 53 is for my nameserver.

FTP doesn't seem to be needed? It works with or without the port. Should I just remove that?

What else will I need for mail other than 143, 25 and 993? Also should mail have TCP or UDP or both?

Thanks.

What ports to leave open depends on what application you will use. For FTP you can close the standard ports if you are going to use SFTP, and if this server will be alone (no connections with other servers) you can close ports 10001-10005. For other ports, check https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Security_Guide/ch-ports.html; it should give you some idea.

One more thing: you should change the default ports of Webmin, Usermin, (S)FTP and SSH, because most brute-force bots are only hitting default ports. This is just a little help to increase the security, or at least your log files will have less garbage. Drop password login for SSH and instead use keys, and install Fail2ban; it's great software to keep your server secured (and abusers/bots banned).
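An added example (not from either poster) that applies the checklist above to the ruleset in the first post: it parses iptables-save lines and flags what the reply says to remove or restrict. The Webmin/Usermin port labels and the using_sftp switch are assumptions made for the check.

```python
# Constructed sample: representative lines from the ruleset posted in the first post.
SAMPLE_RULES = """\
-A INPUT -p udp -m udp --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Service names appearing in the ruleset (from /etc/services); only DNS also speaks UDP.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80,
                 "pop3": 110, "imap": 143, "https": 443, "submission": 587, "imaps": 993, "pop3s": 995}
TCP_ONLY = set(SERVICE_PORTS) - {"domain"}
PANEL_PORTS = {10000: "Webmin", 20000: "Usermin"}   # assumption: admin logins, restrict by source
CLUSTER_PORTS = range(10001, 10006)                 # per the reply: only needed between Webmin servers

def parse_rule(line):
    """Pull protocol, source, destination port and target out of one iptables-save line."""
    tok = line.split()
    rule = {"proto": None, "src": None, "dport": None, "target": None, "port": None}
    for flag, key in (("-p", "proto"), ("-s", "src"), ("--dport", "dport"), ("-j", "target")):
        if flag in tok:
            rule[key] = tok[tok.index(flag) + 1]
    if rule["dport"]:
        rule["port"] = int(rule["dport"]) if rule["dport"].isdigit() else SERVICE_PORTS[rule["dport"]]
    return rule

def audit(rules_text, using_sftp=True):
    """Return findings for INPUT ACCEPT rules that the checklist says to remove or restrict."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.startswith("-A INPUT")]
    findings = []
    for r in rules:
        if r["target"] != "ACCEPT" or r["port"] is None:
            continue
        name, port = r["dport"], r["port"]
        if r["proto"] == "udp" and name in TCP_ONLY:
            findings.append(f"UDP rule for TCP-only service {name}: remove")
        if using_sftp and name in ("ftp", "ftp-data") and r["proto"] == "tcp":
            findings.append(f"plaintext {name} open while SFTP is in use: remove")
        if port in PANEL_PORTS and r["src"] is None:
            findings.append(f"{PANEL_PORTS[port]} port {port} open to any source: add -s <admin IP> or move it")
        if port in CLUSTER_PORTS and r["src"] is None:
            findings.append(f"port {port} is only needed between Webmin servers: close or restrict with -s")
    if not rules or rules[-1]["target"] not in ("DROP", "REJECT"):
        findings.append("INPUT chain does not end in a default DROP/REJECT")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```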

Hey, Thanks Diabolico!

I have already gone no-pass on SSH (did that immediately). I will definitely change my standard ports for SSH and drop FTP, since I am using SFTP with Pageant to connect.

Already installed Fail2ban also; very nice tool. I was looking through it and it's quite the powerhouse.

Any tips on protecting ports that have to be open, like 53 for the nameserver? I hear it's commonly attacked. I'm using keys to talk with BIND and DNSSEC with domains.

How can I change the port for login from 10000? Not sure where to do that, or should it be done through the terminal?

What about Kerberos5? Isn't it for web login? Do you recommend it?

Thanks!