Hi,
I have a question about which ports on my Centos 6.7 VPS I can safely close or move to harden the server a bit. I should say that there are only two users with only email accounts, so no FTP or anything like that.
Also, I have the following fail2ban jails activated:
[sshd]
[sshd-ddos]
[apache-auth]
[apache-noscript]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
[apache-shellshock]
[php-url-fopen]
[webmin-auth]
[postfix]
[sendmail-auth]
[sendmail-reject]
[dovecot]
[postfix-sasl]
[mysqld-auth]
[named-refused-udp]
[named-refused-tcp]
These are the open ports:
Port 53
The TCP /UDP DNS port.
I don't believe this can be moved or closed?
Port 443
TLS/SSL (HTTPS)
I don't believe this can be moved?
Port 80
UDP HTTP
I don't believe this can be moved or closed?
Port 110
POP3
Can I / should I move this by changing the port and then also changing the port on the users side?
Will this break email?
Port 587
SMTP
Can I / should I move this by changing the port and then also changing the port on the users side?
Will this break email?
Port 25
SMTP
I tried to close this in the past and I could no longer receive emails, so I'm leaving it as it is.
Any help appreciated.
Thanks
Howdy,
The ports you have open there are all very normal.
In fact that's quite a bit less than on a typical system, which would also have things like SSH (amongst others).
I think having those ports should be fine though!
-Eric
Hi Eric and thanks for replying.
I'm only concerned about port 25 which is constantly hammered by brute force attacks:
/var/log/messages
Jan 30 10:20:34 web saslauthd[879]: do_auth : auth failure: [user=jwilliams] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
/var/log/maillog
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max connection rate 1/60s for (smtp:70.61.34.42) at Jan 30 10:16:41
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max connection count 1 for (smtp:70.61.34.42) at Jan 30 10:16:41
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max cache size 1 at Jan 30 10:16:41
Jan 30 10:20:31 web postfix/smtpd[5616]: warning: 202.47.1.214: address not listed for hostname unregistered.netregistry.net
Jan 30 10:20:31 web postfix/smtpd[5616]: connect from unknown[202.47.1.214]
Jan 30 10:20:34 web postfix/smtpd[5616]: warning: unknown[202.47.1.214]: SASL Login authentication failed: authentication failure
Jan 30 10:20:35 web postfix/smtpd[5616]: lost connection after AUTH from unknown[202.47.1.214]
Jan 30 10:20:35 web postfix/smtpd[5616]: disconnect from unknown[202.47.1.214]
Of course these are blocked by fail2ban but they use bandwidth and slow down the server:
/var/log/fail2ban.log2016-01-30 10:20:34,964 fail2ban.filter [3328]: INFO [postfix-sasl] Found 202.47.1.214
I'd like to move the SMTP port to another port, but I don't want to break my email!
I've found some instructions here.
Would it be OK to move the port and would I still be able to receive emails?
Thank you
If you move the SMTP port no external systems will be able to send you email. How would they have any idea how to send it?
Indeed, you're right.... I guess I'll stick with fail2ban in that case.
Thank you.