Closing Ports for website audit

greenchilli
We are in the process of getting our website compliance ready.
All that is left is to close most ports down - whilst still allowing ourselves access - and restricting others.
The auditors are suggesting whitelisting our WAN through a firewall to allow all system ports access by our organisation.
We are hosting the site on a dedicated virtual server with its own IP address on Plesk 10.

At this stage we are not too sure what the best way to approach this would be.
We need to access the plesk control panel and the website backend remotely, would this involve setting up a VPN?

Thanks in advance.

Commented:
Can VPN be configured remotely? It should be able to. Also look at your router, as there is an easier way these days for site-to-site in some SOHO routers.
Distinguished Expert 2017

Commented:
Not quite clear what you are asking or what you are being told by the auditors.

The general practice is to use the external router to port forward requests on public IP port 80 to the internal server that has an internal IP and port 80.

It sounds like your setup is such that the "internal system" uses the public IP, so a software firewall on the system has to be enabled and used to limit access to only port 80.

A dedicated firewall appliance often provides the maximum flexibility in supporting many more devices/systems while having fewer public IPs.
Author

Commented:
Just to simplify things: basically, if we go ahead and close the ports through the Plesk firewall, we will lose access to FTP, SSH, mail and the Plesk CP.

At the moment we don't have a VPN or an external router and are really not sure of what options to take.
Distinguished Expert 2017

Commented:
If you need FTP access, consider FTP over SSL or SFTP.
I think the suggestions deal with closing ports that are unnecessary/not used.
I.e. if your server is NLB emailing out, it does not need the port open?

Author

Commented:
This is a list of ports that need to be closed according to the auditors:
21/tcp
22/tcp
25/tcp
106/tcp
110/tcp
143/tcp
465/tcp
993/tcp
995/tcp
3306/tcp
4643/tcp
8443/tcp
8880/tcp

Could probably sort the FTP/SSH ports through SSL as you suggested.
Not too sure about 8443 and 4643, which are used by Plesk to run the CP on; how would those be filtered out?
Distinguished Expert 2017

Commented:
You should close 106 and 3306 unless you need to have your MySQL server open to the outside.
You can use SSH tunnels to gain access to ports if VPN is not an option or a complex endeavour.

The SSH tunnel, when configured, will enable you to access 3306, 106, 4643 and 8443 if needed. What do you have on 8880, or is it where you have Tomcat running?
You could define a worker process within Apache to access/proxy the Tomcat sites/applications, so that you would have the data without exposing the Tomcat server to direct access.
Solution found by acquiring a static IP address for the current network and applying filters through the Plesk firewall settings to the ports.

Author

Commented:
It worked
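The resolution above (restricting the auditor's port list to one whitelisted static office IP while keeping the web ports public) and the earlier SSH-tunnel suggestion, as an added example that is not from this thread: a POSIX shell script that generates the equivalent iptables rules for review rather than applying them. The admin IP 203.0.113.10, the host plesk.example.com, the `admin` SSH user and the inclusion of port 443 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from this thread): generate iptables rules that
# restrict the auditor's port list to one whitelisted static admin IP
# while leaving the public web ports open to everyone.
# 203.0.113.10 and plesk.example.com are placeholders (documentation ranges).
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
PLESK_HOST="${PLESK_HOST:-plesk.example.com}"

# Ports the auditors asked to close (from the thread); 443 is an assumption.
ADMIN_PORTS="21 22 25 106 110 143 465 993 995 3306 4643 8443 8880"
PUBLIC_PORTS="80 443"

# Print the rule set instead of applying it, so it can be reviewed first.
# Order matters: the ACCEPT for the admin IP must precede the DROP for each port.
gen_rules() {
    admin="$1"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $ADMIN_PORTS; do
        echo "iptables -A INPUT -p tcp -s $admin --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Sanity check before applying: one DROP line per audited port is expected.
count_dropped() {
    gen_rules "$1" | grep -c -- '-j DROP'
}

# Alternative from the thread: reach the Plesk panel over an SSH tunnel when
# only port 22 is whitelisted. Prints the command; then browse to https://localhost:8443
# ("admin" is a placeholder user name).
tunnel_cmd() {
    echo "ssh -N -L 8443:127.0.0.1:8443 admin@$1"
}

# Apply (as root, after reviewing the output): gen_rules "$ADMIN_IP" | sh
```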
