greenchilli asked:

Closing Ports for website audit

We are in the process of getting our website compliance ready.
All that is left is to close most ports down - whilst still allowing ourselves access - and restricting others.
The auditors are suggesting whitelisting our WAN through a firewall to allow all system ports access by our organisation.
We are hosting the site on a dedicated virtual server with its own IP address on Plesk 10.

At this stage we are not too sure what the best way to approach this would be.
We need to access the plesk control panel and the website backend remotely, would this involve setting up a VPN?

Thanks in advance.

Last comment: greenchilli, 8/22/2022 - Mon
IanTh

Can VPN be configured remotely? It should be able to, and look at your router, as there is an easier way these days for site-to-site in some SOHO routers.
arnold

Not quite clear what you are asking or what you are being told by the auditors.

The general practice is to use the external router to port forward requests on public IP port 80 to the internal server that has an internal IP and port 80.

It sounds that your setup is such that the "internal system" uses the public IP, such that a software firewall on the system has to be enabled and used to limit access to only port 80.

A dedicated firewall appliance often provides the maximum flexibility in supporting many more devices/systems while having fewer public IPs.
greenchilli

ASKER
Just to simplify things down, basically, if we go ahead and close the ports through the Plesk firewall, we will lose access to ftp, ssh, mail and plesk cp.

At the moment we don't have a VPN or an external router and are really not sure of what options to take.
arnold

If you need FTP access, consider FTP over ssl. Sftp
I think the suggestions deal with closing ports that are unnecessary/not used.
I.e. if your server is NLB emailing out, it does not need the port open?
greenchilli

ASKER
This is a list of ports that need to be closed according to the auditors:
21/tcp
22/tcp
25/tcp
106/tcp
110/tcp
143/tcp
465/tcp
993/tcp
995/tcp
3306/tcp
4643/tcp
8443/tcp
8880/tcp

Could probably sort the ftp/ssh ports through ssl as you suggested.
Not too sure about 8443 and 4643 which is used by Plesk to run the CP on, how would that be filtered out?
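One way to turn the auditors' list into a concrete rule set, as an added example that is not part of the thread: the host-based firewall keeps 80 and 443 open to everyone, accepts the thirteen listed ports only from the organisation's own WAN address (the "whitelist your WAN" approach the auditors suggested), logs any other attempt on those ports, and drops the rest. The office address 203.0.113.10 is a constructed value from the RFC 5737 documentation range; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables allowlist for a Plesk host
# that sits directly on a public IP. The auditors' port list from the question is
# reachable only from the organisation's WAN address; 80 and 443 stay public.
# Assumptions (constructed values): the office WAN address 203.0.113.10 is taken
# from the RFC 5737 documentation range; replace it with the real address.

OFFICE_WAN="${OFFICE_WAN:-203.0.113.10}"
PUBLIC_PORTS="80 443"
ADMIN_PORTS="21 22 25 106 110 143 465 993 995 3306 4643 8443 8880"

# Emit the rules as plain text so they can be reviewed before being applied.
# Rules are appended first and the DROP policy set last, so an existing SSH
# session is never cut off while the chain is being built.
build_rules() {
    office="$1"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $ADMIN_PORTS; do
        echo "iptables -A INPUT -p tcp -s $office --dport $p -j ACCEPT"
    done
    # Log anything else that knocks on an administrative port: this is the
    # audit trail that shows the restriction is in effect (rate limited so a
    # scan cannot fill the log).
    echo "iptables -A INPUT -p tcp -m multiport --dports $(echo "$ADMIN_PORTS" | tr ' ' ',') -m limit --limit 5/min -j LOG --log-prefix \"ADMIN-PORT-DENY: \""
    echo "iptables -P INPUT DROP"
}

# Number of rules the function emits; a quick sanity check before applying.
rule_count() {
    build_rules "$1" | grep -c .
}

if [ "${1:-}" = "apply" ]; then
    build_rules "$OFFICE_WAN" | sh      # run on the server, from a console session
else
    build_rules "$OFFICE_WAN"           # dry run: only print the rules
fi
```

Apply it from the provider's console rather than over SSH the first time, because a typo in the office address locks out every administrative port at once; if the host also has an IPv6 address the same rules need an ip6tables counterpart, and the same allow/deny pattern can be entered in the Plesk firewall module instead of raw iptables.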
arnold

You should close 106, 3306 unless you need to have your MySQL server open to the outside.
You can use ssh tunnels to gain access to ports if VPN is not an option or a complex endeavour.

The ssh tunnel, when configured, will enable you to access the 3306, 106, 4634, 8443 if needed. What do you have on 8880 or is it where you have tomcat running?
You could define worker process within apache to access/proxy the tomcat sites/applications such that you would have the data without exposing the tomcat server to direct access.
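The ssh tunnel approach from this reply, as an added example that is not part of the thread: a small script that writes an ssh_config Host block with a LocalForward for each administrative port, so the Plesk panel, MySQL and the other services can be closed to the Internet and reached only through port 22. The hostname plesk.example.com, the login "admin", the key path and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: generate an ssh_config stanza that tunnels
# the Plesk panel, MySQL and the other administrative ports over SSH, so those
# ports can be closed to the Internet while the organisation still reaches them.
# Assumptions (constructed values): the server is plesk.example.com, the login is
# "admin" and the key is ~/.ssh/plesk_admin; adjust to the real environment.

TUNNEL_PORTS="106 3306 4643 8443 8880"

# Print a Host block. Every forward is bound to 127.0.0.1 on the workstation and
# connects to 127.0.0.1 on the server, so the tunnelled services are never
# re-exposed on the client's own network interfaces.
tunnel_config() {
    host="$1"; user="$2"; alias="$3"
    echo "Host $alias"
    echo "    HostName $host"
    echo "    User $user"
    echo "    IdentityFile ~/.ssh/plesk_admin"
    echo "    IdentitiesOnly yes"
    echo "    ExitOnForwardFailure yes"   # fail loudly if a port is already taken
    echo "    ServerAliveInterval 30"     # keep the idle tunnel from timing out
    for p in $TUNNEL_PORTS; do
        echo "    LocalForward 127.0.0.1:$p 127.0.0.1:$p"
    done
}

# Number of forwards in the generated stanza, for a sanity check.
forward_count() {
    tunnel_config "$@" | grep -c '^    LocalForward '
}

# Usage: append the output to ~/.ssh/config, run `ssh -N plesk-admin`, then open
# https://127.0.0.1:8443 for the panel or `mysql -h 127.0.0.1 -P 3306` for MySQL.
tunnel_config plesk.example.com admin plesk-admin
```

With the tunnel in place the only port the firewall needs to accept from the organisation's address is 22, and `ss -ltn` on the workstation should show the five forwards listening on 127.0.0.1 only.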
ASKER CERTIFIED SOLUTION
greenchilli

greenchilli

ASKER
It worked