4

I have a web server running Plesk and get attacked a lot every day. I configured a firewall, and there are some predefined services such as www, ftp, etc.

I am planning to block all the ports except for the www port and the Plesk port. When I need FTP or SSH access, for example, I will open the ports in Plesk and then start to work.

Is this a good thing to do, or are there some downsides to doing this?

There are some ports I am not sure of, such as SMTP, POP3, IMAP, DNS. Can I close these ports, or is there no need to do so?

Saif Bechan

3 Answers

7

You will probably be ok, but you might be better off leaving a hole for your IP, just in case something goes wrong. You might also want to make sure you don't block connections from 127.0.0.1, as that is the localhost IP and may be necessary for internal services to connect to themselves to keep things working properly (it depends on what type of stuff you have running on the system).

As far as the ports you mention, here is what those are, you can close them if you don't use them:

SMTP: Email (Server to server or incoming) (needed to accept email if this server receives email for your domain)

POP3: Email clients (needed if this server has email clients that connect to it)

IMAP: Email clients (needed if this server has email clients that connect to it)

DNS: Domain Name services (needed if this server acts as the primary for the domains it hosts)

Good luck,

--jed

Jed Daniels
  • Thank you for the quick response. This was exactly my guess, but I asked just to be sure. I have services running so my internal ports are not blocked. One question though. "leaving a hole for your IP". Do you mean the IP of the server, or do you mean the remote system I use to log in to the server? The IPs of the remote machines I use are always different, so that is no option for me. And can you explain the point of leaving a hole for the server itself. Can the server connect to itself? – Saif Bechan Mar 23 '10 at 05:04
  • I was referring to the IP of the system you are connecting from at the time you block all the ports. Just in case something goes wrong when you make the edits you want to be able to get back in to fix them. Yes, servers can connect to themselves, and many do (for example, if you have a web server running an application that uses mysql or some other database, the web-server will access the database over a network connection to and from 127.0.0.1). This is why I also recommend making sure you don't accidentally cut off this type of traffic. Cheers, --jed – Jed Daniels Mar 23 '10 at 05:30
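The following is an added example, not part of Jed's answer or of Plesk: a small POSIX shell function that generates an iptables ruleset (in `iptables-restore` format) implementing the advice above. The INPUT policy is DROP, loopback traffic on 127.0.0.1 stays open so local services such as a web app talking to MySQL keep working, only HTTP/HTTPS and the Plesk panel are reachable from everywhere, and SSH is allowed from one "hole" address so you can get back in if an edit goes wrong. The Plesk panel port 8443 and the admin address 203.0.113.10 are assumptions; swap in your own values.

```shell
#!/bin/sh
# Added example (not from the original answers): print an iptables ruleset
# that follows the advice in the thread. Review the output before applying it:
#   gen_firewall_rules 203.0.113.10 | iptables-restore
# Assumptions: Plesk panel on TCP 8443 (Plesk's default), ADMIN_IP is a placeholder.

# gen_firewall_rules ADMIN_IP [PLESK_PORT]
gen_firewall_rules() {
    admin_ip="$1"
    plesk_port="${2:-8443}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: internal services (web app -> local MySQL, etc.) talk over 127.0.0.1
-A INPUT -i lo -j ACCEPT
# Replies to connections the server itself opened (outbound DNS, updates, ...)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Public web service
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Plesk panel
-A INPUT -p tcp --dport ${plesk_port} -j ACCEPT
# "Hole" for the admin's own address so SSH still works if the panel breaks
-A INPUT -p tcp -s ${admin_ip} --dport 22 -j ACCEPT
# Everything else (SMTP, POP3, IMAP, DNS, FTP, ...) falls through to the DROP
# policy. If this host is authoritative DNS, add 53/udp and 53/tcp here.
COMMIT
EOF
}

# count_open_ports ADMIN_IP [PLESK_PORT]: number of port-opening rules, for a quick sanity check
count_open_ports() {
    gen_firewall_rules "$@" | grep -c -- '--dport'
}

# Stand-alone usage: show the ruleset and how many ports it opens (expect 4)
gen_firewall_rules 203.0.113.10
echo "open ports: $(count_open_ports 203.0.113.10)"
```

Because the ruleset is a full replacement of the filter table, generate it first, read it, and only then pipe it into `iptables-restore`; the ESTABLISHED,RELATED rule is what keeps your own current SSH session alive while the new policy loads.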
3

A prudent approach would be to deny all connections by default, and only open up ports when they are demonstrated to be needed for some valid purpose.

Beware of being too unresponsive to user requests, though: make sure that when any user asks for a port to be opened that the user's request is heeded promptly, visibly, and seriously for all users to see, otherwise you'll just end up with a userbase working around the block list by tunnelling through the ports you do open.

bignose
0

Why not open SSH for your IP range only? That way if Plesk crashes you aren't locked out.

Plus you can use SSH keys to make it even more secure and deny password logins.

Mike