greenchilli
Closing Ports for website audit

We are in the process of getting our website compliance ready.
All that is left is to close most ports down, whilst still allowing ourselves access, and restricting others.
The auditors are suggesting whitelisting our WAN through a firewall to allow all system ports access by our organisation.
We are hosting the site on a dedicated virtual server with its own IP address on Plesk 10.

At this stage we are not too sure what the best way to approach this would be.
We need to access the Plesk control panel and the website backend remotely; would this involve setting up a VPN?

Thanks in advance.
IanTh

Can the VPN be configured remotely? It should be able to, and look at your router, as there is an easier way these days for site-to-site in some SOHO routers.
arnold
Not quite clear what you are asking or what you are being told by the auditors.

The general practice is to use the external router to port-forward requests on public IP port 80 to the internal server that has an internal IP and port 80.

It sounds as if your setup is such that the "internal system" uses the public IP, so a software firewall on the system has to be enabled and used to limit access to only port 80.

A dedicated firewall appliance often provides the maximum flexibility in supporting many more devices/systems while having fewer public IPs.
greenchilli (asker)

Just to simplify things down: basically, if we go ahead and close the ports through the Plesk firewall, we will lose access to FTP, SSH, mail and the Plesk CP.

At the moment we don't have a VPN or an external router and are really not sure of what options to take.

If you need FTP access, consider FTP over SSL, or SFTP.
I think the suggestions deal with closing ports that are unnecessary/not used.
I.e., if your server is NLB emailing out, it does not need the port open?

This is the list of ports that need to be closed according to the auditors:
21/tcp
22/tcp
25/tcp
106/tcp
110/tcp
143/tcp
465/tcp
993/tcp
995/tcp
3306/tcp
4643/tcp
8443/tcp
8880/tcp

We could probably sort the FTP/SSH ports through SSL as you suggested.
Not too sure about 8443 and 4643, which are used by Plesk to run the CP on; how would those be filtered out?

You should close 106 and 3306 unless you need to have your MySQL server open to the outside.
You can use SSH tunnels to gain access to ports if a VPN is not an option or a complex endeavour.

The SSH tunnel, when configured, will enable you to access 3306, 106, 4634 and 8443 if needed. What do you have on 8880, or is it where you have Tomcat running?
You could define a worker process within Apache to access/proxy the Tomcat sites/applications, so that you would have the data without exposing the Tomcat server to direct access.
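The two suggestions in this thread, whitelisting the organisation's WAN address for the admin ports while leaving only the web ports open to everyone, and reaching the Plesk CP, MySQL and port 106 through an SSH tunnel so those three need not be exposed at all, combined into one script. This is an added example, not code from the thread or from Plesk; it prints plain iptables rules equivalent to what the Plesk firewall module would configure rather than applying them, and the WAN range 203.0.113.0/29, the hostname and the login name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables ruleset for a server
# that must keep 80/443 open to the world, allow the auditor-listed admin
# ports only from one whitelisted office WAN range, and drop all other inbound
# traffic. Rules are printed, not applied, so they can be reviewed first.

# Ports the auditors listed as needing to be closed to the public.
ADMIN_PORTS="21 22 25 106 110 143 465 993 995 3306 4643 8443 8880"
# Ports the public website needs.
PUBLIC_PORTS="80 443"

# gen_rules WAN_CIDR -> iptables commands on stdout
gen_rules() {
    wan="$1"
    printf '%s\n' "iptables -P INPUT DROP"
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the server itself opened (e.g. outbound mail).
    printf '%s\n' "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_PORTS; do
        printf '%s\n' "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Admin ports: source-restricted to the office WAN, never open to all.
    for p in $ADMIN_PORTS; do
        printf '%s\n' "iptables -A INPUT -p tcp -s $wan --dport $p -j ACCEPT"
    done
    # Log whatever falls through to the DROP policy so lockouts and the
    # auditors' rescan are visible in syslog.
    printf '%s\n' "iptables -A INPUT -j LOG --log-prefix \"DROP-IN: \" --log-level 4"
}

# rules_are_restricted WAN_CIDR -> 0 if every admin-port ACCEPT carries a
# source restriction, 1 otherwise. A cheap guard against editing ADMIN_PORTS
# into the public loop by mistake.
rules_are_restricted() {
    for p in $ADMIN_PORTS; do
        gen_rules "$1" | grep -- "--dport $p " | grep -q -- "-s $1 " || return 1
    done
    return 0
}

# tunnel_cmd HOST -> the ssh command that forwards the Plesk CP (8443),
# MySQL (3306) and the Plesk mail admin port (106) over port 22. Local ends
# are above 1024 so the command needs no root on the workstation. With this
# in place those three ports can be dropped entirely rather than whitelisted.
tunnel_cmd() {
    host="$1"
    printf '%s\n' "ssh -N -L 18443:127.0.0.1:8443 -L 13306:127.0.0.1:3306 -L 10106:127.0.0.1:106 admin@$host"
}

# Example run with a constructed office range and placeholder host.
gen_rules 203.0.113.0/29
tunnel_cmd server.example.invalid
```

Review the printed rules, then apply them from the hosting provider's console rather than over SSH, so a mistake in the whitelist cannot cut off the session used to fix it. Once the tunnel is in use, https://127.0.0.1:18443 reaches the Plesk CP and the 8443/3306/106 lines can be removed from `ADMIN_PORTS`.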
greenchilli
It worked