Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues

Website Technology Issues Forum
Just how many ports should be open vs. closed on a web server?
The PCI Security Standards Council said close your ports. Do it or not?
Propools
msg:4255919, 9:18 pm on Jan 20, 2011 (gmt 0)

In reference to an earlier post - [webmasterworld.com...]

So, the feedback I'm getting from the PCI folks is that some of the ports on the server are open which should be closed. I found a directory of what the ports are.

Thanks to Wikipedia here is the list - [iana.org...] In looking through the list and what they are, it's quite an interesting study, even if I have no idea what most of them are.

Anyone have a feel for which port(s) I should leave open?

 

lammert
msg:4255938, 9:43 pm on Jan 20, 2011 (gmt 0)

If PCI folks are checking your site, you are probably doing credit card transactions or accepting or storing other sensitive information. In that case I would try to have the following security policy on my server:

Open 443 for the world (HTTPS protocol)
Open 22, only for your own IP(s) (SSH and SFTP)

All other ports closed

The problem is that other ports may currently be safe to open for a particular service, but you never know when a zero-day exploit for that service will be launched. Fewer open ports means fewer attack vectors.

Propools
msg:4255949, 10:10 pm on Jan 20, 2011 (gmt 0)

What about Port 20 & 80?
I thought port 443 was more specific for AOL, is that not right?

Looking at the list of port numbers which IANA has listed, port 1776 is for the Federal Emergency Management Information System.
Coincidence.... I don't think so.

Demaestro
msg:4255967, 11:23 pm on Jan 20, 2011 (gmt 0)

Open 22, only for your own IP(s) (SSH and SFTP)


I would advise that you define a non default port (not 22) for SSH. You wouldn't believe the amount of brute force attempts that are made on port 22.

lammert
msg:4255972, 11:50 pm on Jan 20, 2011 (gmt 0)

Port 20 is standard FTP. Unless you use FTP server and client software which encrypts the whole control and data stream, port 20 is unsafe by design.

Port 443 is encrypted HTTP traffic, while port 80 is unencrypted. If your website needs a PCI audit, chances are that you aren't serving any information over port 80.

@Demaestro:
Reassigning port 22 to another number won't work. Port scanners (and a PCI audit) will find it anyway. It is the concept of security through obscurity, which won't stop any of the hardcore hackers. Adding firewall rules to block access to port 22 for all IPs except your own is much better, because even if hackers manage to get the password or certificate you use to authenticate yourself, they won't be able to enter the system from a remote location.

As an alternative for a firewall setup, you can use the /etc/hosts.allow and /etc/hosts.deny files on a Linux host as a cheap and easy way to allow only SSH access from predefined IPs.
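The policy lammert describes (443 open to everyone, 22 only from your own addresses, everything else closed) written out as a loadable ruleset, together with the hosts.allow/hosts.deny lines he mentions for sshd. This is an added example, not code posted in the thread; it goes slightly beyond the posts by adding the connection-tracking, loopback and rate-limited ICMP-echo rules a real server needs so that established sessions and uptime monitoring keep working. The addresses are constructed placeholders from the RFC 5737 documentation ranges, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset
# implementing lammert's policy: 443 open to everyone, 22 only from the
# administrator's own addresses, everything else closed by default. It also
# prints the tcp_wrappers hosts.allow/hosts.deny lines he mentions as a
# cheap second layer for sshd. Addresses are constructed placeholders from
# the RFC 5737 documentation ranges; substitute your real static IPs.

# Print the IPv4 ruleset to stdout. $1 = space-separated admin CIDRs.
gen_input_rules() {
    admin_nets="$1"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# HTTPS from anywhere: the only service the world needs to reach
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# ICMP echo so external uptime monitoring keeps working (rate limited)
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    for net in $admin_nets; do
        printf '%s\n' "# SSH/SFTP only from admin address $net"
        printf '%s\n' "-A INPUT -p tcp -s $net --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# No rule for 80, 20/21 (FTP) or anything else: the DROP policy closes them
COMMIT
EOF
}

# tcp_wrappers equivalents of the port-22 rule. $1 = space-separated admin
# addresses (plain IPs, "198.51.100." style prefixes, or net/mask pairs).
gen_hosts_allow() {
    printf 'sshd: %s\n' "$(echo $1 | sed 's/ /, /g')"
}
gen_hosts_deny() {
    printf 'sshd: ALL\n'
}

# Usage (dry run first so a typo cannot lock you out of your own box):
#   gen_input_rules "203.0.113.10/32 198.51.100.0/24" | iptables-restore --test
#   gen_input_rules "203.0.113.10/32 198.51.100.0/24" | iptables-restore
#   gen_hosts_allow "203.0.113.10 198.51.100.7" >> /etc/hosts.allow
#   gen_hosts_deny  >> /etc/hosts.deny
```

Two caveats for anyone applying this today: load the ruleset from a console or out-of-band session, not over the SSH connection it is about to restrict; and the hosts.allow/hosts.deny layer only protects sshd if it was built with libwrap, which OpenSSH dropped in 6.7 (2014), so on current systems put the same restriction in sshd_config with a `Match Address` block or rely on the firewall rule alone.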

Demaestro
msg:4255976, 11:55 pm on Jan 20, 2011 (gmt 0)

Reassigning port 22 to another number won't work. Port scanners (and a PCI audit) will find it anyway. It is the concept of security through obscurity, which won't stop any of the hardcore hackers.


Very true, but regardless of that point, changing the port from the default port 22 in my case drastically reduced the number of people "knocking" on that door.

port 22 for all IPs except your own is much better, because even if hackers manage to get your password or certificate you use to authenticate yourself,


I agree; it is just that I employ both. However, sometimes when on the go with my laptop I have to disable the IP stuff so I can get in from my hotel or the beach :)

You shed an excellent light on the subject though.

caribguy
msg:4255999, 1:21 am on Jan 21, 2011 (gmt 0)

I agree; it is just that I employ both. However, sometimes when on the go with my laptop I have to disable the IP stuff so I can get in from my hotel or the beach


Not wanting to stray offtopic, but maybe you should consider a VPN connection to your office whenever you need to work while on the beach.

And, yes: your firewall should be blocking those silly knocks.

aspdaddy
msg:4256103, 11:35 am on Jan 21, 2011 (gmt 0)

Closing all your unused ports is the best route, but it takes a while to get right because of dependencies and your own requirements, e.g. ping and monitoring.

If you do need insecure ports open, like FTP or SMTP, then limit the risk with IP ranges and web filters.

Make sure you implement an outbound policy too, because when, not if, you are hacked, they will need outbound ports.

Reassigning port 22 to another number


Security by obscurity can help guard against non-automated amateur hacking, e.g. the ex-employee, and can reduce errors, so it is sometimes useful.
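Two helpers for the points aspdaddy raises: an outbound (egress) policy so that a compromised box cannot freely call home, and a check of what is actually listening against the ports you meant to keep, which is how the "dependencies" he mentions get found before the PCI scanner finds them. This is an added example, not code from the thread. The resolver, payment-gateway and mail-relay addresses, the sample `ss` output and all function names are constructed for the example; adjust the allowed destinations to your own environment (at minimum add your package-update mirror, or updates will be blocked too).

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for aspdaddy's advice:
#   gen_output_rules  - an egress policy for the OUTPUT chain, so that a
#                       compromised host cannot freely call home; whatever is
#                       not expected is logged (rate limited) and dropped.
#   audit_listeners   - compares what is actually listening (output of
#                       `ss -Hlntu`) with the ports you meant to keep, so the
#                       forgotten dependencies show up before the PCI scan does.
# Every address below is a constructed placeholder from the RFC 5737 ranges.

RESOLVERS="203.0.113.53 203.0.113.54"   # assumption: the host's DNS resolvers
PAYMENT_GW="198.51.100.40"              # assumption: card processor's API host
SMTP_RELAY="198.51.100.25"              # assumption: your outbound mail relay

# Print OUTPUT-chain lines in iptables-restore syntax. Paste them into the same
# *filter ... COMMIT block as your INPUT rules: iptables-restore replaces the
# whole table, so the two halves must be loaded together.
gen_output_rules() {
    printf '%s\n' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for r in $RESOLVERS; do
        printf '%s\n' "-A OUTPUT -p udp -d $r --dport 53 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -p tcp -d $r --dport 53 -j ACCEPT"
    done
    printf '%s\n' '-A OUTPUT -p udp --dport 123 -j ACCEPT'   # NTP
    printf '%s\n' "-A OUTPUT -p tcp -d $PAYMENT_GW --dport 443 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -p tcp -d $SMTP_RELAY --dport 25 -j ACCEPT"
    # Anything else leaving the box is suspicious: log it so a reverse shell or
    # exfiltration attempt leaves a trace in syslog, then drop it.
    printf '%s\n' '-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DENY: "'
    printf '%s\n' '-A OUTPUT -j DROP'
}

# Read `ss -Hlntu` lines on stdin; $1 = space-separated "proto/port" entries
# that are supposed to be open. Loopback-only listeners are skipped because
# the network cannot reach them. Prints one REVIEW line per unexpected
# listener and returns 1 if there were any.
audit_listeners() {
    allowed="$1"
    unexpected=0
    while read -r proto _state _rq _sq laddr _peer; do
        [ -z "$proto" ] && continue
        port=${laddr##*:}
        host=${laddr%:*}
        case "$host" in
            127.*|'[::1]') continue ;;
        esac
        case " $allowed " in
            *" $proto/$port "*) ;;
            *) echo "REVIEW: $proto/$port listening on $host"; unexpected=1 ;;
        esac
    done
    return $unexpected
}

# Constructed sample of `ss -Hlntu` output (not from a real host): an FTP
# daemon and an HTTP listener that the policy in this thread would not allow.
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0 80   127.0.0.1:3306   0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:21       0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:123      0.0.0.0:*
tcp   LISTEN 0 128  [::]:80          [::]:*'

# Usage:
#   printf '%s\n' "$SAMPLE_SS" | audit_listeners "tcp/22 tcp/443 udp/123"
#   ss -Hlntu | audit_listeners "tcp/22 tcp/443 udp/123"   # on the real host
```

On the sample input the audit reports tcp/21 and tcp/80 and exits non-zero, while the MySQL listener bound to 127.0.0.1 is ignored; run it from cron and alert on a non-zero exit to catch a service that someone re-enabled after the audit.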

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
© Webmaster World 1996-2014 all rights reserved