[SOLVED] A question about ports: which ones can I safely close or move?

Hi,

I have a question about which ports on my CentOS 6.7 VPS I can safely close or move to harden the server a bit. I should say that there are only two users with only email accounts, so no FTP or anything like that.

Also, I have the following fail2ban jails activated:

[sshd]
[sshd-ddos]
[apache-auth]
[apache-noscript]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
[apache-shellshock]
[php-url-fopen]
[webmin-auth]
[postfix]
[sendmail-auth]
[sendmail-reject]
[dovecot]
[postfix-sasl]
[mysqld-auth]
[named-refused-udp]
[named-refused-tcp]

These are the open ports:

Port 53
The TCP/UDP DNS port.
I don’t believe this can be moved or closed?

Port 443
TLS/SSL (HTTPS)
I don’t believe this can be moved?

Port 80
UDP HTTP
I don’t believe this can be moved or closed?

Port 110
POP3
Can I / should I move this by changing the port and then also changing the port on the users side?
Will this break email?

Port 587
SMTP
Can I / should I move this by changing the port and then also changing the port on the users side?
Will this break email?

Port 25
SMTP
I tried to close this in the past and I could no longer receive emails, so I’m leaving it as it is.

Any help appreciated.

Thanks

Howdy,

The ports you have open there are all very normal.

In fact that’s quite a bit less than on a typical system, which would also have things like SSH (amongst others).

I think having those ports should be fine though!

-Eric

Hi Eric and thanks for replying.

I’m only concerned about port 25 which is constantly hammered by brute force attacks:
/var/log/messages
Jan 30 10:20:34 web saslauthd[879]: do_auth : auth failure: [user=jwilliams] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

/var/log/maillog
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max connection rate 1/60s for (smtp:70.61.34.42) at Jan 30 10:16:41
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max connection count 1 for (smtp:70.61.34.42) at Jan 30 10:16:41
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max cache size 1 at Jan 30 10:16:41
Jan 30 10:20:31 web postfix/smtpd[5616]: warning: 202.47.1.214: address not listed for hostname unregistered.netregistry.net
Jan 30 10:20:31 web postfix/smtpd[5616]: connect from unknown[202.47.1.214]
Jan 30 10:20:34 web postfix/smtpd[5616]: warning: unknown[202.47.1.214]: SASL Login authentication failed: authentication failure
Jan 30 10:20:35 web postfix/smtpd[5616]: lost connection after AUTH from unknown[202.47.1.214]
Jan 30 10:20:35 web postfix/smtpd[5616]: disconnect from unknown[202.47.1.214]

Of course these are blocked by fail2ban but they use bandwidth and slow down the server:
/var/log/fail2ban.log
2016-01-30 10:20:34,964 fail2ban.filter [3328]: INFO [postfix-sasl] Found 202.47.1.214

I’d like to move the SMTP port to another port, but I don’t want to break my email!
I’ve found some instructions here.

Would it be OK to move the port and would I still be able to receive emails?

Thank you

If you move the SMTP port, no external systems will be able to send you email. How would they have any idea how to send it?

Indeed, you’re right…
I guess I’ll stick with fail2ban in that case.

Thank you.
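
The SASL failure counting that the thread relies on fail2ban for can be checked offline against a copy of /var/log/maillog. This is an added example, not part of any post above and not fail2ban's own code: it parses Postfix SASL failure lines in the format quoted in the thread and flags an address once it reaches a threshold within a time window. The function names, the thresholds and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Postfix smtpd SASL warning format quoted in the thread.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
    r"warning:\s+\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]:\s+"
    r"SASL\s+\S+\s+authentication failed"
)

def parse_failures(lines, year):
    """Yield (timestamp, ip) per SASL failure. Syslog lines omit the year."""
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")

def offenders(lines, year, maxretry=3, findtime=600):
    """Return {ip: time of the failure that reached maxretry within findtime s}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-address failures still inside the window
    flagged = {}
    for ts, ip in parse_failures(lines, year):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample lines in the thread's log format (not real traffic).
SAMPLE = """\
Jan 30 10:05:00 web postfix/smtpd[5500]: warning: mail.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan 30 10:20:31 web postfix/smtpd[5616]: connect from unknown[192.0.2.10]
Jan 30 10:20:34 web postfix/smtpd[5616]: warning: unknown[192.0.2.10]: SASL Login authentication failed: authentication failure
Jan 30 10:20:35 web postfix/smtpd[5616]: lost connection after AUTH from unknown[192.0.2.10]
Jan 30 10:21:02 web postfix/smtpd[5620]: warning: unknown[192.0.2.10]: SASL Login authentication failed: authentication failure
Jan 30 10:21:40 web postfix/smtpd[5624]: warning: unknown[192.0.2.10]: SASL Login authentication failed: authentication failure
Jan 30 10:40:00 web postfix/smtpd[5700]: warning: mail.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
""".splitlines()

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE, 2016).items():
        print(f"{ip} reached the threshold at {when}")
```

The second address in the sample fails twice, 35 minutes apart, so it is only flagged when the window is widened and the threshold lowered.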