|Just how many ports should be open vs. closed on a web server?|
The PCI Security Standards Council said close your ports. Do it or not?
In reference to an earlier post - [webmasterworld.com...]
So, the feedback I'm getting from the PCI folks is that some of the ports on the server are open which should be closed. I found a directory of what the ports are.
Thanks to Wikipedia here is the list - [iana.org...] In looking through the list and what they are, it's quite an interesting study, even if I have no idea what most of them are.
Anyone have a feel for which port(s) I should leave open?
If PCI folks are checking your site, you are probably doing credit card transactions or accepting or storing other sensitive information. In that case I would try to have the following security policy on my server:
Open 443 for the world (HTTPS protocol)
Open 22, only for your own IP(s) (SSH and SFTP)
All other ports closed
The problem is that other ports may be currently safe to open for a particular service, but you never know when a zero-day exploit for that service is launched. Fewer ports open means fewer attack vectors.
What about ports 20 & 80?
I thought port 443 was more specific for AOL, is that not right?
Looking at the list of port numbers which IANA has listed shows port 1776 for the Federal Emergency Management Information System.
Coincidence.... I don't think so.
|Open 22, only for your own IP(s) (SSH and SFTP) |
I would advise that you define a non-default port (not 22) for SSH. You wouldn't believe the amount of brute-force attempts that are made on port 22.
Port 20 is standard FTP. Unless you use a piece of FTP server and client software which encrypts the whole control and data stream, port 20 is unsafe by design.
Port 443 is encrypted HTTP traffic, while port 80 is unencrypted. If your website needs a PCI audit, chances are that you aren't serving any information over port 80.
Reassigning port 22 to another number won't work. Port scanners (and a PCI audit) will find it anyway. It is the concept of security through obscurity, which won't stop any of the hardcore hackers. Adding firewall rules to block access to port 22 for all IPs except your own is much better, because even if hackers manage to get your password or certificate you use to authenticate yourself, they won't be able to enter the system from a remote location.
As an alternative for a firewall setup, you can use the /etc/hosts.allow and /etc/hosts.deny files on a Linux host as a cheap and easy way to allow only SSH access from predefined IPs.
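The two host-level allowlist mechanisms mentioned in the reply above, written out as an added example (not code from the thread): a TCP wrappers hosts.allow/hosts.deny pair that admits sshd only from the listed addresses, and the equivalent AllowUsers line for sshd_config. The admin addresses (RFC 5737 documentation space) and the login name `admin` are assumptions. One caveat worth checking on your own box: hosts.allow only governs daemons linked against libwrap (or started through tcpd), and upstream OpenSSH dropped libwrap support in 6.7, so on a modern build the sshd_config line or a firewall rule is what actually enforces the restriction.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a tcp_wrappers allowlist for sshd and
# emits the sshd_config equivalent. Addresses and the "admin" user are placeholders.

write_tcp_wrappers() {
    # $1 = directory standing in for /etc (pass a scratch dir to try it out),
    # remaining args = addresses allowed to reach sshd; netmask form
    # (198.51.100.0/255.255.255.0) is accepted by every tcp_wrappers version.
    dir=$1; shift
    [ $# -ge 1 ] || { echo "usage: write_tcp_wrappers DIR ADDR..." >&2; return 1; }
    allow=""
    for a in "$@"; do
        allow="${allow:+$allow, }$a"
    done
    # hosts.allow is consulted first; a match here admits the connection
    printf 'sshd: %s\n' "$allow" > "$dir/hosts.allow"
    # hosts.deny is consulted only when hosts.allow did not match: default deny
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
}

sshd_allowusers() {
    # $1 = admin login name, remaining args = addresses or CIDR prefixes.
    # Emits one sshd_config line; USER@HOST patterns in AllowUsers accept CIDR,
    # and this works regardless of whether sshd was built with libwrap.
    user=$1; shift
    [ $# -ge 1 ] || { echo "usage: sshd_allowusers USER ADDR..." >&2; return 1; }
    line="AllowUsers"
    for a in "$@"; do
        line="$line $user@$a"
    done
    printf '%s\n' "$line"
}

# Demo run into a scratch directory; nothing under /etc is touched unless you pass it.
demo_dir=$(mktemp -d)
write_tcp_wrappers "$demo_dir" 203.0.113.10 198.51.100.0/255.255.255.0
cat "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"
sshd_allowusers admin 203.0.113.10 198.51.100.0/24
rm -rf "$demo_dir"
```

After appending the AllowUsers line to sshd_config, run `sshd -t` to check the syntax and keep your existing session open while you reload, so a typo in the allowlist cannot lock you out.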
|Reassigning port 22 to another number won't work. Port scanners (and a PCI audit) will find it anyway. It is the concept of security through obscurity, which won't stop any of the hardcore hackers. |
Very true, but regardless of that point, changing the port from the default port 22 in my case drastically reduced the number of people "knocking" on that door.
|port 22 for all IPs except your own is much better, because even if hackers manage to get your password or certificate you use to authenticate yourself, |
I agree; it is just that I employ both. However, sometimes when on the go with my laptop I have to disable the IP stuff so I can get in from my hotel or the beach :)
You shed an excellent light on the subject though.
|I agree; it is just that I employ both. However, sometimes when on the go with my laptop I have to disable the IP stuff so I can get in from my hotel or the beach |
Not wanting to stray off-topic, but maybe you should consider a VPN connection to your office whenever you need to work while on the beach.
And, yes: your firewall should be blocking those silly knocks.
Closing all your unused ports is the best route, but it takes a while to get right because of dependencies and your own requirements, i.e. ping, monitoring.
If you do need insecure ports open like FTP or SMTP, then limit the risk with IP ranges and web filters.
Make sure you implement an outbound policy too because when, not if, you are hacked, they will need outbound ports.
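The policy from the earlier reply (443 open to the world, 22 only from your own IPs, everything else closed) plus the outbound policy the post above asks for, as one nftables ruleset. This is an added example, not code from the thread; it assumes nftables is the packet filter on the host, and the admin addresses are placeholders from RFC 5737 documentation space. ICMP echo is left open at a low rate because of the ping/monitoring dependency mentioned above; remove that line if nothing needs to ping the box.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a default-deny nftables ruleset:
# inbound 443 from anywhere, inbound 22 only from an admin allowlist, and a
# default-deny outbound chain so a compromised host cannot freely call out.

gen_ruleset() {
    # $@ = admin IPv4 addresses / CIDR prefixes allowed to reach SSH (placeholders)
    [ $# -ge 1 ] || { echo "usage: gen_ruleset ADMIN_IP..." >&2; return 1; }
    admins=""
    for ip in "$@"; do
        admins="${admins:+$admins, }$ip"
    done
    cat <<EOF
flush ruleset

table inet filter {
    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { $admins }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and replies to connections this host initiated
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ping for monitoring, rate limited; delete if nothing needs it
        ip protocol icmp icmp type echo-request limit rate 5/second accept

        # HTTPS open to the world
        tcp dport 443 accept

        # SSH/SFTP only from the admin allowlist
        ip saddr @admin_hosts tcp dport 22 accept

        # everything else (80, 20/21, 25, ...) is logged at a low rate, then dropped by policy
        limit rate 3/minute log prefix "nft-drop-in: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # what the host itself legitimately needs: DNS, NTP, package updates over HTTPS
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        tcp dport 443 accept

        # an attacker with a shell still needs an outbound port; log what gets refused
        limit rate 3/minute log prefix "nft-drop-out: "
    }
}
EOF
}

install_ruleset() {
    # $1 = destination file, remaining args = admin addresses.
    # Syntax-check with nft -c before loading, so a typo cannot leave the box open or unreachable.
    out=$1; shift
    gen_ruleset "$@" > "$out" || return 1
    nft -c -f "$out" && nft -f "$out"
}

# Demo: print the ruleset for two placeholder admin networks without loading it.
gen_ruleset 203.0.113.10 198.51.100.0/24
```

Load it from a console or out-of-band session rather than over SSH the first time, because the output chain drops anything not listed (if your SSH session's replies stop, the established/related rule is what you mis-typed). Add a `type ipv6_addr` set and matching `ip6 saddr` rule if the admin hosts reach you over IPv6.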
|Reassigning port 22 to another number |
Security by obscurity can help guard against non-automated amateur hacking, i.e. the ex-employee, and can reduce errors, so it is sometimes useful.