audiodef Watchman
Joined: 06 Jul 2005 Posts: 6639 Location: The soundosphere
Posted: Tue Oct 30, 2012 3:00 pm Post subject: Portscanned domain, does this look reasonably secure?
I portscanned a domain I own. I don't know if this is enough information to go on, but I was wondering if anything leaps out at you that I should fix/close/patch:
Code:
Not shown: 989 closed ports
PORT      STATE    SERVICE   VERSION
22/tcp    open     ssh       OpenSSH 5.9p1-hpn13v11 (protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http      Apache httpd
110/tcp   open     pop3      Cyrus pop3d 2.3.16
143/tcp   open     imap      Cyrus imapd 2.3.16
443/tcp   open     ssl/http  Apache httpd
587/tcp   open     smtp      Postfix smtpd
993/tcp   open     ssl/imap  Cyrus imapd
995/tcp   open     ssl/pop3  Cyrus pop3sd
8000/tcp  open     http      Icecast streaming media server
10025/tcp open     smtp      Postfix smtpd
_________________
decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Oct 30, 2012 4:33 pm Post subject:
Run sshd on a randomly-chosen port, to easily thwart everyone attacking the default port 22.
Example option in /etc/ssh/sshd_config:
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Wed Oct 31, 2012 1:15 am Post subject:
Do you need to offer unencrypted POP/IMAP? If no, you should disable those so that users do not accidentally configure their mail clients to use unencrypted connections.
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Wed Oct 31, 2012 10:02 am Post subject:
Do you really need both - IMAP and POP3? I would choose one (nowadays IMAP) and disable the other completely. That goes in addition to Hu's comment about unencrypted connections.
10025 sounds like a postfix forward for spamassassin or amavisd. IMO those should not be accessible from the outside, but only from localhost.
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
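The scan in the first post plus Hu's and Veldrin's remarks boil down to three checks a practitioner would want to run over any such listing: a plaintext mail port that has a TLS twin on the usual port, POP3 and IMAP both being offered, and a Postfix content-filter reinjection port (10025) answering from the outside. The Python below is an added example written for this thread, not code from any poster or from nmap; it parses the `nmap -sV` row format and emits those findings. The sample input is the listing audiodef posted, re-spaced into columns; the `LOCAL_ONLY` and `PLAINTEXT_TWIN` tables are this example's own assumptions about which ports belong where.

```python
"""Audit an nmap -sV listing for the points raised in this thread:
plaintext POP3/IMAP beside their TLS twins, POP3 and IMAP both offered,
and a Postfix reinjection port reachable from the outside."""
import re
from dataclasses import dataclass

# Sample input: the scan rows posted in the thread, re-spaced into columns.
SCAN_OUTPUT = """\
PORT      STATE    SERVICE   VERSION
22/tcp    open     ssh       OpenSSH 5.9p1-hpn13v11 (protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http      Apache httpd
110/tcp   open     pop3      Cyrus pop3d 2.3.16
143/tcp   open     imap      Cyrus imapd 2.3.16
443/tcp   open     ssl/http  Apache httpd
587/tcp   open     smtp      Postfix smtpd
993/tcp   open     ssl/imap  Cyrus imapd
995/tcp   open     ssl/pop3  Cyrus pop3sd
8000/tcp  open     http      Icecast streaming media server
10025/tcp open     smtp      Postfix smtpd
"""


@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


# One nmap result row: "PORT/PROTO STATE SERVICE [VERSION ...]"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return the port rows of an nmap listing; header and 'Not shown' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(Port(int(m.group(1)), m.group(2), m.group(3),
                             m.group(4), (m.group(5) or "").strip()))
    return rows


# Assumed tables for this example: plaintext mail port -> TLS-wrapped port for the same
# protocol, the two protocol families, and ports that normally serve loopback traffic only
# (Postfix content-filter reinjection, as Veldrin and cach0rr0 describe for 10025).
PLAINTEXT_TWIN = {110: 995, 143: 993}
POP3_PORTS, IMAP_PORTS = {110, 995}, {143, 993}
LOCAL_ONLY = {10025}


def audit(rows):
    """Return human-readable findings, each starting with the port(s) it concerns."""
    open_ports = {r.number: r for r in rows if r.state == "open"}
    findings = []
    for plain, tls in PLAINTEXT_TWIN.items():
        if plain in open_ports:
            svc = open_ports[plain].service
            if tls in open_ports:
                findings.append(f"{plain}/tcp: plaintext {svc} offered although "
                                f"{tls}/tcp already serves it over TLS; close {plain}")
            else:
                findings.append(f"{plain}/tcp: plaintext {svc} offered with no TLS "
                                f"variant; move it to {tls}/tcp with TLS")
    if open_ports.keys() & POP3_PORTS and open_ports.keys() & IMAP_PORTS:
        findings.append("110/995 and 143/993: both POP3 and IMAP offered; "
                        "pick one (IMAP nowadays) and disable the other")
    for port in sorted(LOCAL_ONLY & open_ports.keys()):
        findings.append(f"{port}/tcp: {open_ports[port].service} reachable from outside; "
                        "bind it to 127.0.0.1 since it only takes local reinjection traffic")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nmap(SCAN_OUTPUT)):
        print(finding)
```

Run against the posted listing it reports four things (110, 143, the POP3+IMAP pair, and 10025) and stays silent about 22, 587 and the two web ports; filtered rows such as 25 are parsed but never counted as open.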
msst Apprentice
Joined: 07 Jun 2011 Posts: 259
Posted: Sun Nov 04, 2012 1:57 am Post subject:
Using something like fail2ban to block multiple password scans could also help. Anyone running sshd will likely get attacked in some way. Blocking of the IP after 10 failed attempts does help then.
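What fail2ban does for sshd is simple enough to show in full: count "Failed password" lines per source address inside a sliding time window and act once the count reaches a threshold (its maxretry and findtime settings). The Python below is an added example written for this thread, a reimplementation of that idea and not fail2ban's own code; the log lines are constructed in OpenSSH's syslog format using RFC 5737 documentation addresses, and the threshold of 10 failures within 600 seconds is an assumption matching the figure msst mentions.

```python
"""fail2ban-style detection over sshd auth log lines: count failed logins per
source address inside a sliding time window and report the addresses that
reach the threshold (the maxretry/findtime idea; a reimplementation for
illustration, not fail2ban's own code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line as it appears in the auth log via syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")


def _entry(t, msg):
    """Render one syslog line the way syslog does (day of month space-padded)."""
    return f"Nov {t.day:2d} {t:%H:%M:%S} mail sshd[2101]: {msg}"


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
_BASE = datetime(2012, 11, 4, 1, 50, 0)
SAMPLE_LOG = sorted(
    # fast brute force: 12 failures within one minute
    [_entry(_BASE + timedelta(seconds=5 * i),
            f"Failed password for invalid user admin from 203.0.113.5 port {40100 + i} ssh2")
     for i in range(12)]
    # a real user mistyping twice, then logging in with a key
    + [_entry(_BASE + timedelta(seconds=s), m) for s, m in (
        (20, "Failed password for fred from 198.51.100.7 port 51000 ssh2"),
        (35, "Failed password for fred from 198.51.100.7 port 51000 ssh2"),
        (50, "Accepted publickey for fred from 198.51.100.7 port 51001 ssh2"))]
    # slow scanner: 10 failures spread over 2h15, never 10 inside a 10-minute window
    + [_entry(_BASE + timedelta(minutes=15 * i),
              f"Failed password for root from 203.0.113.9 port {42000 + i} ssh2")
       for i in range(10)],
    key=lambda line: line[:15])   # "Nov  4 01:50:00" sorts chronologically as text


def parse_ts(ts):
    """Syslog stamps carry no year; only differences between stamps are used here."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def find_bans(lines, maxretry=10, findtime=600):
    """Return {ip: time of ban} for addresses with >= maxretry failures within findtime seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # successes and unrelated lines never count
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()        # drop failures that fell out of the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults only the fast brute-forcer is banned, at its tenth failure; the user who mistyped twice and the scanner that spaces its attempts 15 minutes apart both stay under the threshold, which is exactly the trade-off findtime controls: widen it to three hours and the slow scanner is caught too.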
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sun Nov 04, 2012 10:02 am Post subject:
Concur with Hu and Veldrin.
Nuke the non-SSL stuff. I personally keep them listening, but only allow access from within my LAN, e.g. I only have iptables allowing 993/995 from the outside, and drop 110/143.
And then Postfix - this should be listening on 127.0.0.1:10025, not 0.0.0.0:10025. This Postfix listener is only for internal transmission, and should be listening as such.
Otherwise, looks fine. And even ssh, if you're using key-based auth only, 22 is a non-issue. Scan my shit all you like, if you ain't in ~/.ssh/authorized_keys, you ain't getting in.
_________________
Lost configuring your system? dump lspci -n here | see Pappy's guide | Link Stash
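The 127.0.0.1 versus 0.0.0.0 distinction cach0rr0 draws is something to verify on the box itself rather than infer from an external scan, and `ss -ltn` (or `netstat -ltn`) shows it directly in the Local Address:Port column. The Python below is an added example written for this thread, not code from any poster; it parses that column, treats `0.0.0.0`, `[::]` and `*` as wildcard binds, and reports any port from an assumed local-only set (10025 for Postfix reinjection, 10024 for the content filter) that is not bound to loopback. The `ss` output it reads is constructed for the example.

```python
"""Check which address each TCP listener is bound to, from `ss -ltn` output:
a content-filter reinjection port such as 10025 should sit on 127.0.0.1 (or
[::1]), not on 0.0.0.0 / [::]. Example code for this thread; the output
below is constructed, and the local-only port set is an assumption."""

# Constructed `ss -ltn` output for a host laid out like the one in the thread:
# the Postfix reinjection listener on 10025 is wrongly bound to all interfaces.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       100     0.0.0.0:110          0.0.0.0:*
LISTEN  0       100     0.0.0.0:143          0.0.0.0:*
LISTEN  0       100     0.0.0.0:587          0.0.0.0:*
LISTEN  0       100     0.0.0.0:993          0.0.0.0:*
LISTEN  0       100     0.0.0.0:995          0.0.0.0:*
LISTEN  0       100     0.0.0.0:10025        0.0.0.0:*
LISTEN  0       128     127.0.0.1:10024      0.0.0.0:*
"""

# Addresses that accept connections on every interface.
WILDCARDS = {"0.0.0.0", "[::]", "*", "::"}
# Loopback addresses (a listener here is unreachable from outside the host).
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
# Assumed for this example: ports that only ever carry local mail-pipeline traffic.
LOCAL_ONLY = {10024, 10025}


def parse_listeners(text):
    """Return [(address, port), ...] for LISTEN rows of `ss -ltn` / `netstat -ltn` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header line or non-listening socket
        addr, port = fields[3].rsplit(":", 1)   # rsplit copes with "[::]:22" and "*:22"
        listeners.append((addr, int(port)))
    return listeners


def check_bindings(listeners, local_only=LOCAL_ONLY):
    """Return {port: address} for local-only ports that are not bound to loopback.

    A wildcard bind is the case cach0rr0 describes; a bind to some specific
    non-loopback address is reported too, since it is equally reachable."""
    return {port: addr for addr, port in listeners
            if port in local_only and addr not in LOOPBACK}


def exposed_wildcards(listeners):
    """All ports with a wildcard bind: the set an external scan can see (minus firewalling)."""
    return sorted({port for addr, port in listeners if addr in WILDCARDS})


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS)
    print("wildcard-bound ports:", exposed_wildcards(found))
    for port, addr in check_bindings(found).items():
        print(f"{port}/tcp bound to {addr}; rebind to 127.0.0.1 (master.cf inet entry)")
```

On the constructed output the check names only 10025: 10024 is already on 127.0.0.1, and the mail and SSH ports are allowed to be wildcard-bound because firewalling, not the bind address, is what restricts 110/143 in cach0rr0's setup.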