[SOLVED] A question about ports: which ones can I safely close or move?

#1 Tue, 01/26/2016 - 16:05
No Expert

Hi,

I have a question about which ports on my CentOS 6.7 VPS I can safely close or move to harden the server a bit. I should say that there are only two users with only email accounts, so no FTP or anything like that.

Also, I have the following fail2ban jails activated:

[sshd]
[sshd-ddos]
[apache-auth]
[apache-noscript]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
[apache-shellshock]
[php-url-fopen]
[webmin-auth]
[postfix]
[sendmail-auth]
[sendmail-reject]
[dovecot]
[postfix-sasl]
[mysqld-auth]
[named-refused-udp]
[named-refused-tcp]

These are the open ports:

Port 53
The TCP/UDP DNS port. I don't believe this can be moved or closed?

Port 443
TLS/SSL (HTTPS) I don't believe this can be moved?

Port 80
UDP HTTP I don't believe this can be moved or closed?

Port 110
POP3 Can I / should I move this by changing the port and then also changing the port on the users' side? Will this break email?

Port 587
SMTP Can I / should I move this by changing the port and then also changing the port on the users' side? Will this break email?

Port 25
SMTP I tried to close this in the past and I could no longer receive emails, so I'm leaving it as it is.

Any help appreciated.

Thanks

Tue, 01/26/2016 - 23:34
andreychek

Howdy,

The ports you have open there are all very normal.

In fact, that's quite a bit less than on a typical system, which would also have things like SSH (amongst others).

I think having those ports should be fine though!

-Eric

Sat, 01/30/2016 - 05:59
No Expert

Hi Eric and thanks for replying.

I'm only concerned about port 25 which is constantly hammered by brute force attacks:

/var/log/messages
Jan 30 10:20:34 web saslauthd[879]: do_auth         : auth failure: [user=jwilliams] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

/var/log/maillog
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max connection rate 1/60s for (smtp:70.61.34.42) at Jan 30 10:16:41
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max connection count 1 for (smtp:70.61.34.42) at Jan 30 10:16:41
Jan 30 10:20:04 web postfix/anvil[5520]: statistics: max cache size 1 at Jan 30 10:16:41
Jan 30 10:20:31 web postfix/smtpd[5616]: warning: 202.47.1.214: address not listed for hostname unregistered.netregistry.net
Jan 30 10:20:31 web postfix/smtpd[5616]: connect from unknown[202.47.1.214]
Jan 30 10:20:34 web postfix/smtpd[5616]: warning: unknown[202.47.1.214]: SASL Login authentication failed: authentication failure
Jan 30 10:20:35 web postfix/smtpd[5616]: lost connection after AUTH from unknown[202.47.1.214]
Jan 30 10:20:35 web postfix/smtpd[5616]: disconnect from unknown[202.47.1.214]

Of course these are blocked by fail2ban but they use bandwidth and slow down the server:

/var/log/fail2ban.log
2016-01-30 10:20:34,964 fail2ban.filter         [3328]: INFO    [postfix-sasl] Found 202.47.1.214

I'd like to move the SMTP port to another port, but I don't want to break my email!
I've found some instructions here.

Would it be OK to move the port and would I still be able to receive emails?

Thank you
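
The kind of matching the [postfix-sasl] jail applies to the maillog lines quoted in the post above, as an added example that is not part of the thread and not fail2ban's own code. The regex is a simplified stand-in for the shipped filter, `hosts_to_ban` is a hypothetical helper, the sample lines are constructed with documentation-range addresses, and the `maxretry`/`findtime` values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the maillog format quoted above
# (addresses are from documentation ranges, not real hosts).
SAMPLE_MAILLOG = """\
Jan 30 10:20:31 web postfix/smtpd[5616]: connect from unknown[203.0.113.7]
Jan 30 10:20:34 web postfix/smtpd[5616]: warning: unknown[203.0.113.7]: SASL Login authentication failed: authentication failure
Jan 30 10:20:35 web postfix/smtpd[5616]: lost connection after AUTH from unknown[203.0.113.7]
Jan 30 10:21:02 web postfix/smtpd[5620]: warning: unknown[203.0.113.7]: SASL Login authentication failed: authentication failure
Jan 30 10:22:40 web postfix/smtpd[5631]: warning: mail.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Jan 30 10:23:15 web postfix/smtpd[5640]: warning: unknown[203.0.113.7]: SASL Login authentication failed: authentication failure
Jan 30 10:45:00 web postfix/smtpd[5700]: warning: mail.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
"""

# Simplified pattern written for this example; not fail2ban's shipped filter.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)

def hosts_to_ban(log_text, maxretry=3, findtime=600, year=2016):
    """Return {ip: time of the failure that reached maxretry within findtime s}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if not m or m["ip"] in banned:
            continue
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

if __name__ == "__main__":
    for ip, when in hosts_to_ban(SAMPLE_MAILLOG).items():
        print(f"{ip} reached maxretry at {when}")
```

Only the host with three failures inside the window is returned; the second host's two failures are more than `findtime` seconds apart and do not count together.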

Mon, 02/01/2016 - 15:52
cruiskeen

If you move the SMTP port no external systems will be able to send you email. How would they have any idea how to send it?

Mon, 02/01/2016 - 16:44
No Expert

Indeed, you're right.... I guess I'll stick with fail2ban in that case.

Thank you.