Common Ports

Nick_ANick_A Member, Top Host, Host Rep
edited June 2012 in General

What are the most common ports that people want to have open? We're playing around with a highly customized iptables setup.


Comments

  • 22 or custom - ssh
    80 - http
    8080 - second server
    443 - ssl
    21 - if they're ignorant enough to run FTP :P

  • Nick_ANick_A Member, Top Host, Host Rep

    @djvdorp said: 21 - if they're ignorant enough to run FTP :P

    We'll probably be disabling FTP just because of that possibility :)

    Thanked by 1djvdorp
  • NickMNickM Member

    Um, all of them. If I have a VPS, I expect that the provider isn't blocking anything.

  • @NickM said: Um, all of them. If I have a VPS, I expect that the provider isn't blocking anything.

    ^ That.

    Thanked by 1jcaleb
  • Nick_ANick_A Member, Top Host, Host Rep

    We're mulling over a few ideas for blocking SMTP at the host node and then enabling it upon request per container. This thread is related to that goal.

    Thanked by 1marrco
  • NickMNickM Member

    I shouldn't have to ask for permission to send mail from my VPS.

  • Nick_ANick_A Member, Top Host, Host Rep

    @NickM said: I shouldn't have to ask for permission to send mail from my VPS.

    IP blacklisting is not fun.

  • marrcomarrco Member
    edited June 2012

    @RamNode better limiting than completely disabling outgoing connections to --dport 25. You can do that at node level via iptables. I've seen a few discussions and samples about that, but I can't remember on what forum.

    Getting back to common ports, here is the relevant part from iptables on a VPS of mine:

    
    #  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    
    #  Accepts all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #  Allows all outbound traffic
    #  You can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT
    
    # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    # DNS (TCP and UDP)
    -A INPUT -p tcp --dport 53 -j ACCEPT
    -A INPUT -p udp --dport 53 -j ACCEPT
    # SMTP, SMTPS and submission
    -A INPUT -p tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp --dport 465 -j ACCEPT
    -A INPUT -p tcp --dport 587 -j ACCEPT
    # munin-node
    -A INPUT -p tcp --dport 4949 -j ACCEPT
    
    #  Allows SSH connections (only 4 attempts by an IP every 3 minutes, drop the rest to prevent SSH attacks)
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    
    # Allow ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    
    # log iptables denied calls
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    # Reject all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    

    Port 4949 is standard for munin-node, 25/465/587 for SMTP, 53 TCP/UDP for DNS, 22 with rate limiting for SSH (requires the recent module), 80/443 for HTTP/S.
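    To see what the three SSH rules above actually do, here is an added Python simulation (not marrco's code, not part of the thread) of the xt_recent semantics for one client address, with constructed attempt times in seconds. Because --set records the packet before --update counts hits, the fourth NEW connection within 180 seconds is the one that gets dropped, and every attempt records a fresh stamp, so a client that keeps retrying stays blocked.

```python
def recent_ssh_verdicts(attempt_times, seconds=180, hitcount=4, list_tot=20):
    """Return the ACCEPT/DROP verdict for each NEW SSH connection attempt.

    Models the xt_recent rules the way the kernel applies them:
      * "-m recent --set" always records a timestamp for the packet (rule 1),
        so the packet being checked already counts as one hit;
      * "--update --seconds S --hitcount N" matches when the address has at
        least N stamps not older than S seconds, and on a match records one
        more stamp (rule 2, -j DROP);
      * the per-address stamp ring holds at most ip_pkt_list_tot (default 20).
    attempt_times: constructed, monotonically increasing times in seconds.
    """
    stamps = []
    verdicts = []
    for now in attempt_times:
        stamps.append(now)                 # rule 1: --set, current packet counted
        stamps = stamps[-list_tot:]        # ring buffer overwrites the oldest
        window_start = now - seconds
        hits = sum(1 for s in stamps if s >= window_start)
        if hits >= hitcount:               # rule 2: --update matched -> DROP
            stamps.append(now)             # --update records a stamp on match
            stamps = stamps[-list_tot:]
            verdicts.append("DROP")
        else:                              # rule 3: --state NEW --dport 22 ACCEPT
            verdicts.append("ACCEPT")
    return verdicts


def allowed_per_window(attempt_times, **kw):
    """Count how many of the attempts were accepted (handy for sanity checks)."""
    return recent_ssh_verdicts(attempt_times, **kw).count("ACCEPT")


if __name__ == "__main__":
    # Four quick attempts: the fourth is dropped; after the window it clears.
    print(recent_ssh_verdicts([0, 10, 20, 30, 240]))
```

    With the posted rules the comment's "4 attempts every 3 minutes" therefore means three accepted SYNs and the fourth dropped; shift the ACCEPT rule ahead of the DROP rule, or use --hitcount 5, if you really want four accepted.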

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @RamNode said: IP blacklisting is not fun.

    Check users' details before they pay, it's simple.

    If someone signs up with sketchy details and can't explain them then they're likely up to no good. I'm pretty sure @Aldryic can count on his 2 hooves how many blacklist entries he has had to clear this year.

    Fran

  • NickMNickM Member
    edited June 2012

    @RamNode said: IP blacklisting is not fun.

    Default should be to allow all traffic and monitor. If there's a spike or suspicious amount of traffic on port 25 from a particular container, then DROP outgoing port 25 on that container and send an email to the customer.
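    The "allow and monitor" approach above, as an added Python example (not NickM's code and not from the thread): it parses netfilter LOG lines for new outbound TCP/25 connections, counts them per container source address over a sliding window, and emits the per-container DROP rule as text for review. The "smtp out: " log prefix, the venet0/eth0 interfaces, the log year and the sample addresses are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed netfilter LOG lines for NEW outbound TCP/25 connections forwarded from
# containers. The "smtp out: " prefix and venet0/eth0 are assumptions (a hypothetical
# LOG rule in FORWARD with --log-prefix "smtp out: " would emit them); the addresses
# are private/documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jun 12 10:00:01 node kernel: smtp out: IN=venet0 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=25 SYN
Jun 12 10:00:02 node kernel: smtp out: IN=venet0 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.20 PROTO=TCP SPT=50001 DPT=25 SYN
Jun 12 10:00:03 node kernel: smtp out: IN=venet0 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=25 SYN
Jun 12 10:00:04 node kernel: smtp out: IN=venet0 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.11 PROTO=TCP SPT=40003 DPT=25 SYN
Jun 12 10:00:05 node kernel: smtp out: IN=venet0 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.12 PROTO=TCP SPT=40004 DPT=25 SYN
Jun 12 10:02:30 node kernel: smtp out: IN=venet0 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.21 PROTO=TCP SPT=50002 DPT=25 SYN
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: smtp out: (.*)$")

def parse_line(line):
    """Return (timestamp, {KEY: value}) for a matching LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2012)  # year assumed
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return ts, fields

def find_smtp_spikes(log_text, window=timedelta(seconds=60), threshold=4):
    """Flag container source addresses that open >= threshold new TCP/25
    connections within any sliding window. Returns {src: time first exceeded}."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        q = recent[f["SRC"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and f["SRC"] not in flagged:
            flagged[f["SRC"]] = ts
    return flagged

def block_rule(src):
    """Per-container rule to apply once a spike is confirmed; returned as text for
    an operator to review, nothing here calls iptables."""
    return f"iptables -I FORWARD -s {src} -p tcp --dport 25 -j DROP"
```

    Tune the window and threshold to the node's normal mail volume; a container that legitimately relays mail will trip a low threshold, which is why the rule is returned for review rather than applied.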

  • port 6667 is also nice :3

  • raindog308raindog308 Administrator, Veteran

    @RamNode said: IP blacklisting is not fun.

    Welcome to being a VPS provider.

    @marrco said: -A INPUT -p tcp --dport 53 -j ACCEPT

    -A INPUT -p udp --dport 53 -j ACCEPT

    I'm curious - this is only necessary if you're running a DNS server, right? I don't open 53 on non-DNS-server VPSes and have never had any problems using DNS, as the queries are caught by the ESTABLISHED rule.

    @marrco said: -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

    I never run SSH on port 22...because whenever I do people tediously knock on the door.

  • efballefball Member

    daytime 13/tcp
    daytime 13/udp
    time 37/tcp
    time 37/udp
    ntp 123/udp
    I sometimes run web servers on alternate ports: 591, 777, 8008

  • On a VPS no ports should be blocked except maybe common IRC ports only if you don't allow IRC.

  • MaouniqueMaounique Host Rep, Veteran

    I would only reluctantly accept blocking of port 25. I can use 465 with SSL if I really need to with my own SMTP server some place else, but that provider will already have a - in my book.
    I mean, no rDNS by default, fine, port 25 blocked, f-fine, but this speaks volumes about the host's abilities to handle **** when it happens.
    If it is a very good deal, I take it, otherwise, no.
    M

  • @RamNode said: @djvdorp said: 21 - if they're ignorant enough to run FTP :P

    We'll probably be disabling FTP just because of that possibility :)

    At the risk of starting a war :) I have to say I disagree.

    The inherent security risk of FTP -- transmitting credentials in plain text -- is easily resolved by configuring the FTP daemon to use SSL encryption. e.g., for vsftpd:

    ssl_enable=YES
    force_local_data_ssl=NO
    force_local_logins_ssl=YES

    Free FTP clients like FileZilla and CoreFTP readily support this. For a multi-user system (where many people are uploading) I prefer this to SFTP because:

    • I can disable all shell access (except me of course)
    • FTP transfer is faster and incurs much less overhead (memory & CPU) than anything-over-SSH.
  • @sleddog I think it's also possible to give sftp access but no shell by limiting them in other ways, but I'm not entirely sure. Performance-wise it is faster and has less overhead indeed.

    Anyways, you sound like you know what you're doing so you weren't my real audience. When made secure, I don't have any problem with it at all. It's just that most default ftp installs are so insecure and full of leaks ;)

  • taiprestaipres Member
    edited June 2012

    Ports 1-65535 because port blocking is weak sauce.

  • raindog308raindog308 Administrator, Veteran

    @sleddog said: I prefer this to SFTP because:

    I didn't think that you had to give shell access to give sftp access. I seem to recall you could set the user's shell to /bin/false and they could still sftp?

    I could very easily be wrong, though.

    I use vsftpd as you do :-)

  • @djvdorp said: @sleddog i think its also possible to give sftp acces but no shell by limiting them other ways but I'm not entirely sure.

    There's things like scponly shell which I last tried a couple years ago... I couldn't get it to chroot users to their homedir. Maybe that's fixed/easier to do now.

    And that's another point I'll add to the bullet-list above... chrooting users is extremely easy with FTP.

    @djvdorp said: Its just that most default ftp installs are so insecure and full of leaks ;)

    Can't argue with that :) But I don't think that FTP should be labelled, "Insecure! Don't use it." in the same fashion as, say, telnet.

  • @raindog308 said: I didn't think that you had to give shell access to give sftp access. I seem to recall you could set the user's shell to /bin/false and they could still sftp?

    sftp and scp are "over-ssh" and require a valid user shell like /bin/sh, /bin/bash, etc. Or at least that's the way it was the last time I checked....

  • Nick_ANick_A Member, Top Host, Host Rep

    @taipres said: Ports 1-65535 because port blocking is weak sauce.

    Well, we're at least going to do some rate limiting. Still on the fence about blocking anything by default.

  • Nick_ANick_A Member, Top Host, Host Rep

    @Maounique said: I would only reluctantly accept blocking of port 25. I can use 465 with SSL if i really need to with my own SMTP server some place else, but that provider will already have a - in my book.

    I mean, no rDNS by default, fine, port 25 blocked, f-fine, but this speaks volumes about the host's abilities to handle **** when it happens.
    If it is a very good deal, I take it, otherwise, no.
    M

    We would enable it per request if we go that route.

  • AlexBarakovAlexBarakov Patron Provider, Veteran

    It passed my mind to block SMTP as well, however I decided not to go that route, at least for now. For the past 1 year, I had only 2-3 IPs blacklisted. It's acceptable, it's under 1% of my allocations.

  • CoreyCorey Member

    @djvdorp said: 22 or custom - ssh
    80 - http
    8080 - second server
    443 - ssl
    21 - if they're ignorant enough to run FTP :P

    What's so bad about ftp?

  • MrAndroidMrAndroid Member
    edited June 2012

    @Corey said: What's so bad about ftp?

    There's no s before or after it.

  • CoreyCorey Member

    @Daniel oh, how many times has someone sniffed anything over external ftp?

  • MrAndroidMrAndroid Member
    edited June 2012

    @Corey said: @Daniel oh, how many times has someone sniffed anything over external ftp?

    I don't know, but do you want to take the risk?

    SFTP is widely supported now, no reason not to use it. My MC panel even recommends it over FTP.

  • nabonabo Member
    edited June 2012

    @Corey said: oh, how many times has someone sniffed anything over external ftp?

    Following this reasoning we could all go back and use Telnet instead of SSH.

    Thanked by 1klikli
  • AlexBarakovAlexBarakov Patron Provider, Veteran

    We force our clients of shared hosting to connect through sftp.
