Link to home
Start Free TrialLog in
Avatar of greenchilli

asked on

Closing Ports for website audit

We are in the process of getting our website compliance ready.
All that is left is to close most ports down - whilst still allowing ourselves access - and restricting others.
The auditors are suggesting whitelisting our WAN through a firewall to allow all system ports access by our organisation.
We are hosting the site on a dedicated virtual server with it's own IP address on Plesk 10.

At this stage we are not too sure what the best way to approach this would be.
We need to access the plesk control panel and the website backend remotely, would this involve setting up a VPN?

Thanks in advance.
Avatar of IanTh
Flag of United Kingdom of Great Britain and Northern Ireland image

can vpn be configured remotely it should be able to and llok at your router as the is an easyier way these days for site to site in some soho routers
Avatar of arnold
Not quite clear what you are asking or what you are being told by the auditors.

The general practice is to use the external router to port forward requests on public IP port 80 to the internal server that has an internal IP and port 80.

It sounds that your setup is such that the "internal system" uses the public ip such that a software firewall on the system has to be enable and used to limit access to only port 80.

A dedicated firewall appliance often provides the maximum flexibility in supporting many more devices/systems while having fewer public IPs.
Avatar of greenchilli


Just to simplify things down, basically, if we go ahead and close the ports through the Plesk firewall, we will lose access to ftp, ssh, mail and plesk cp.

At the moment we don't have a VPN or an external router and are really not sure of what options to take.
If you need FTP access, consider FTP over ssl. Sftp
I think the suggestions deal with closing ports that are unnecessary/not used.
I.e if your server is NLB emailing out, it does not need the port open?
This is a list of ports that need to be closed according to the auditors:

Could probably sort the ftp/ssh ports through ssl as you suggested.
Not too sure about 8443 and 4643 which is used by Plesk to run the CP on, how would that be filtered out?
You should close 106, 3306 unless you need to have your MySQL server open to the outside.
You can use ssh tunnels to gain access to ports if VPN is not an option or a complex endevour.

The ssh tunnel, when configured and will enable you to access the 3306, 106, 4634, 8443 if needed. What do you have on 8880 or is it where you have tomcat running??
You could define worker process within apache to access/proxy the tomcat sites/applications such that you would have the data without exposing the tomcat server to direct access.
Avatar of greenchilli

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
It worked