Gentoo Forums
Portscanned domain, does this look reasonably secure?
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6639
Location: The soundosphere

Posted: Tue Oct 30, 2012 3:00 pm    Post subject: Portscanned domain, does this look reasonably secure?

I portscanned a domain I own. I don't know if this is enough information to go on, but I was wondering if anything leaps out at you that I should fix/close/patch:

Code:

Not shown: 989 closed ports
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 5.9p1-hpn13v11 (protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http     Apache httpd
110/tcp   open     pop3     Cyrus pop3d 2.3.16
143/tcp   open     imap     Cyrus imapd 2.3.16
443/tcp   open     ssl/http Apache httpd
587/tcp   open     smtp     Postfix smtpd
993/tcp   open     ssl/imap Cyrus imapd
995/tcp   open     ssl/pop3 Cyrus pop3sd
8000/tcp  open     http     Icecast streaming media server
10025/tcp open     smtp     Postfix smtpd

_________________
decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN
PaulBredbury
Watchman


Joined: 14 Jul 2005
Posts: 7310

Posted: Tue Oct 30, 2012 4:33 pm

Run sshd on a randomly-chosen port, to easily thwart everyone attacking the default port 22.

Example option in /etc/ssh/sshd_config:
Code:
Port 2186
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21490

Posted: Wed Oct 31, 2012 1:15 am

Do you need to offer unencrypted POP/IMAP? If no, you should disable those so that users do not accidentally configure their mail clients to use unencrypted connections.
Veldrin
Veteran


Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

Posted: Wed Oct 31, 2012 10:02 am

Do you really need both - IMAP and POP3? I would choose one (nowadays IMAP) and disable the other completely. That goes in addition to Hu's comment about unencrypted connections.

10025 sounds like a Postfix forward for SpamAssassin or amavisd. IMO those should not be accessible from the outside, but only from localhost.


V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6639
Location: The soundosphere

Posted: Wed Oct 31, 2012 1:18 pm

Thanks for the tips! :)
msst
Apprentice


Joined: 07 Jun 2011
Posts: 259

Posted: Sun Nov 04, 2012 1:57 am

Using something like fail2ban to block multiple password scans could also help. Anyone running sshd will likely get attacked in some way. Blocking the IP after 10 failed attempts does help then.
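The threshold logic msst describes, as an added illustration that is not part of the thread and not fail2ban's own code: count "Failed password" lines per source address in sshd's auth.log format and emit a firewall rule once an address reaches maxretry (10, as in the post). fail2ban additionally applies a findtime window and unbans after bantime; this stripped-down version only shows the counting step. The log lines are constructed samples using documentation addresses, and the iptables commands are returned as strings rather than executed.

```python
import re
from collections import Counter
from typing import Iterable, List, Set

# Constructed sample auth.log lines in OpenSSH's message format (not a real log):
# twelve failures from one address, three from another, and one key-based login.
SAMPLE_AUTH_LOG: List[str] = (
    [f"Nov  4 01:12:{i:02d} mail sshd[{2200 + i}]: Failed password for invalid user admin "
     f"from 203.0.113.7 port {40100 + i} ssh2" for i in range(12)]
    + [f"Nov  4 01:20:{i:02d} mail sshd[{2300 + i}]: Failed password for root "
       f"from 198.51.100.23 port {51000 + i} ssh2" for i in range(3)]
    + ["Nov  4 01:25:00 mail sshd[2401]: Accepted publickey for audiodef "
       "from 192.0.2.10 port 50022 ssh2: RSA SHA256:constructed-fingerprint"]
)

# Matches sshd's "Failed password for [invalid user] NAME from IP port N ssh2" message.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def failed_logins_by_ip(lines: Iterable[str]) -> Counter:
    """Count failed password attempts per source address."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ips_to_block(lines: Iterable[str], maxretry: int = 10) -> Set[str]:
    """Addresses that reached the failure threshold (fail2ban's maxretry)."""
    return {ip for ip, n in failed_logins_by_ip(lines).items() if n >= maxretry}


def iptables_drop_rules(ips: Iterable[str], port: int = 22) -> List[str]:
    """Build DROP rules for the offending addresses (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips)]


if __name__ == "__main__":
    for rule in iptables_drop_rules(ips_to_block(SAMPLE_AUTH_LOG)):
        print(rule)
```

Only the address with twelve failures crosses the default threshold; the one with three does not, which is the point of a threshold rather than blocking on the first failure. Successful key-based logins are never counted, so they cannot trip the rule.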
cach0rr0
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Sun Nov 04, 2012 10:02 am

Concur with Hu and Veldrin.

Nuke the non-SSL stuff. I personally keep them listening, but only allow access from within my LAN, e.g. I only have iptables allowing 993/995 from the outside, and drop 110/143.

And then Postfix: this should be listening on 127.0.0.1:10025, not 0.0.0.0:10025. This Postfix listener is only for internal transmission, and should be listening as such.

Otherwise, looks fine. And even SSH, if you're using key-based auth only, 22 is a non-issue. Scan my shit all you like, if you ain't in ~/.ssh/authorized_keys, you ain't getting in.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
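The review that Hu, Veldrin and cach0rr0 carried out by eye on the scan in the first post, written up as an added example (not code from the thread or from any of the posters): it parses the nmap service table, flags the plaintext POP3/IMAP ports as candidates for disabling or firewalling to the LAN, flags 10025 as a listener that should be bound to loopback, and notes that 22 is acceptable only with key-only authentication. A second helper checks a Postfix master.cf inet entry for the 127.0.0.1:10025 binding cach0rr0 describes. The finding texts and the port lists are my own assumptions about what this kind of host should expose; the scan text is the one posted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# The nmap -sV table as posted in the thread.
SCAN_OUTPUT = """\
Not shown: 989 closed ports
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 5.9p1-hpn13v11 (protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http     Apache httpd
110/tcp   open     pop3     Cyrus pop3d 2.3.16
143/tcp   open     imap     Cyrus imapd 2.3.16
443/tcp   open     ssl/http Apache httpd
587/tcp   open     smtp     Postfix smtpd
993/tcp   open     ssl/imap Cyrus imapd
995/tcp   open     ssl/pop3 Cyrus pop3sd
8000/tcp  open     http     Icecast streaming media server
10025/tcp open     smtp     Postfix smtpd
"""

# PORT/PROTO  STATE  SERVICE  [VERSION ...]; the summary and header lines do not match.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


def parse_nmap_table(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn the nmap service table into one dict per port line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        entries.append({"port": port, "proto": proto, "state": state,
                        "service": service, "version": version})
    return entries


# Plaintext mail port -> its TLS-wrapped counterpart (assumed policy: prefer the latter).
PLAINTEXT_MAIL = {"110": "995", "143": "993"}
# Ports that only make sense for localhost traffic on a mail host (assumed).
INTERNAL_ONLY = {"10025": "Postfix content-filter re-injection listener"}

Finding = Tuple[str, str, str]  # (port, kind, advice)


def audit_scan(entries: List[Dict[str, Optional[str]]]) -> List[Finding]:
    """Apply the thread's recommendations to the parsed scan."""
    open_ports = {e["port"] for e in entries if e["state"] == "open"}
    findings: List[Finding] = []
    for e in entries:
        if e["state"] != "open":
            continue
        port = e["port"]
        if port in PLAINTEXT_MAIL:
            tls = PLAINTEXT_MAIL[port]
            advice = (f"unencrypted {e['service']} reachable from the Internet; "
                      "disable it or firewall it to the LAN")
            if tls in open_ports:
                advice += f" (TLS variant on {tls} is already open)"
            findings.append((port, "plaintext-mail", advice))
        if port in INTERNAL_ONLY:
            findings.append((port, "internal-only",
                             f"{INTERNAL_ONLY[port]} should bind 127.0.0.1, not 0.0.0.0"))
        if port == "22" and e["service"] == "ssh":
            findings.append((port, "ssh-default-port",
                             "acceptable with key-only auth (PasswordAuthentication no); "
                             "otherwise consider a non-default port and fail2ban"))
    return findings


# master.cf inet service line: [host:]port-or-name inet ...
MASTER_CF_RE = re.compile(r"^\s*(?:(\S+?):)?(\S+)\s+inet\s")


def master_cf_listener_exposed(line: str) -> bool:
    """True if a master.cf 'inet' entry is not pinned to a loopback address.

    Without a host prefix the listener follows inet_interfaces, which defaults
    to all interfaces, so only an explicit loopback prefix counts as internal.
    """
    m = MASTER_CF_RE.match(line)
    if not m:
        raise ValueError("not a master.cf inet service line")
    host = m.group(1)
    return host not in ("127.0.0.1", "localhost", "::1", "[::1]")


if __name__ == "__main__":
    for port, kind, advice in audit_scan(parse_nmap_table(SCAN_OUTPUT)):
        print(f"{port:>6}  {kind:<17} {advice}")
```

Run against the posted table it produces exactly the four points raised in the thread: 110 and 143 (with their TLS counterparts already open, so nothing is lost by closing them externally), 10025 (loopback only), and 22 (fine given key-only auth). The master.cf check is the quick way to confirm the fix for 10025 after editing: `127.0.0.1:10025 inet n - n - - smtpd` passes, the bare `10025 inet ...` form does not.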
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6639
Location: The soundosphere

Posted: Mon Nov 05, 2012 7:48 pm

Yeah, it's key-only, but I didn't know that about the Postfix stuff. Thanks! :)