- 11-21-2011 #1, Just Joined! (Join Date: Nov 2011, Posts: 65)
How to disable ports?
Hi
I want to disable all the ports other than 80, 8080 and a custom SSH port. (I have decided to change 22 to something else for security reasons.)
How do I do it?
If the OS matters, it will be CentOS 6.
- 11-22-2011 #2, Trusted Penguin (Join Date: May 2011, Posts: 3,746)
You need to discover what services are using those ports, then disable those services. Here are some commands to get you started:
Check out /etc/services for a list of service-to-port-number listings.
Code:
lsof -i
nmap -n localhost
netstat -tulnp
You can also look into implementing a firewall (iptables) to simply drop/reject any traffic coming in on any network interface that you wish.
- 11-22-2011 #3
First you have to set the default input policy to drop all packets:
Code:
iptables -P INPUT DROP
and then add a rule for each port you want to allow:
Code:
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
You can do the same for SSH, or you could do the following:
Code:
iptables -A INPUT -i eth0 -p tcp -s 72.48.64.92 --dport 22 -j ACCEPT
This would allow SSH connections through, but only from that particular address. How strong you want the firewall to be is up to you.
- 11-22-2011 #4, Just Joined! (Join Date: Nov 2011, Posts: 65)
Port 80 and port 8080: apart from those two ports, is anything else required for users to browse the website without any problem?
I have a dynamic IP address.
xxx.xxx.variable.variable
How can I add this into iptables?
- 11-22-2011 #5
The source address is the address of the machine that you will be SSH'ing in from, not the machine you want to SSH into. If I were to SSH into your computer from here, then you would create a rule on your machine that allowed me in using my address (the source). If you want to set up a way to get into your computer even though you have a dynamic IP, then you can use a service such as dyndns.org (it's free).
I use dyndns at home and my router takes care of updating the records if there's an IP change.
Additionally only port 80 is really required for web browsing. Port 8080 is typically used for proxies.
- 11-22-2011 #6, Just Joined! (Join Date: Nov 2011, Posts: 65)
I am a little confused.
Let's assume that I have a dedicated server in the United States.
The IP is: 72.48.64.92
In such a case
Code:
iptables -A INPUT -i eth0 -p tcp -s 72.48.64.92 --dport 22 -j ACCEPT
Which means everyone is allowed to use this SSH port of 72.48.64.92. Is that right?
Is that secure, to allow everyone to use it?
- 11-22-2011 #7
No, the source address is to specify where a connection is coming from. If I created the following rules on my server 192.168.0.1:
Code:
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.3 --dport 22 -j ACCEPT
then I would be allowing access to port 22 on 192.168.0.1 for 192.168.0.2 and 192.168.0.3. You have to create a separate rule for each IP you want to allow to connect to the server.
If you want to allow all connections to port 22 to go through, then use this rule:
Code:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
- 11-22-2011 #8, Just Joined! (Join Date: Nov 2011, Posts: 65)
OK, I got it. My server has a static IP. I have a dynamic IP at home. As you said, I should use DynDNS.
- 11-28-2011 #9, Just Joined! (Join Date: Nov 2011, Posts: 65)
DynDNS, is it a paid version?
Is there any other way to use
Code:
iptables -A INPUT -i eth0 -p tcp --dport xx -j ACCEPT
to accept only connections from me? (I have a dynamic IP, as I said.)
- 11-29-2011 #10, Trusted Penguin (Join Date: May 2011, Posts: 3,746)
You should be able to replace xx in your iptables command with the appropriate DynDNS domain name, once you get it (i.e. iptables will resolve hostnames to IP addresses so that you don't have to rely on knowing the IP address).
DynDNS, as far as I know, still offers free services. The last time I had to re-register (less than a year ago) it was free for two hostnames. They offer paid services too, of course, which are more feature-rich and reliable (they don't disappear on you if you forget to update, etc.).
There is also No-IP.com.
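As an added example (not code from the thread or its posters), here is the ruleset replies #3 and #7 describe, written as an iptables-restore file so the DROP policy and the ACCEPT rules are loaded in one atomic step instead of one command at a time, which is what locks people out of a remote box. The web ports, the custom SSH port and the admin's source address are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the ruleset the replies describe
# as an iptables-restore file so it can be reviewed and then loaded atomically.
# The port and address values below are assumed placeholders; change them.
WEB_PORTS="80 8080"       # public web ports from the question
SSH_PORT=2222             # the custom SSH port (the thread writes it as "xx")
ADMIN_SRC="203.0.113.10"  # documentation address standing in for the admin's IP

# build_rules prints a complete "filter" table to stdout.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default policy DROP, as advised above
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback and reply traffic must stay open: with a DROP policy and without
    # these two rules, DNS answers, yum and the current SSH session all break.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # SSH on the custom port, only from the admin's source address.
    printf '%s\n' "-A INPUT -p tcp -s $ADMIN_SRC --dport $SSH_PORT -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# rule_count returns the number of -A rules generated (sanity check).
rule_count() {
    build_rules | grep -c '^-A '
}

# apply_rules loads the whole table in one step; run it as root on the server
# after reviewing the output of build_rules.
apply_rules() {
    build_rules | iptables-restore
}
```

Note that a hostname given to -s is resolved to addresses once, when the rule is loaded, so a DynDNS name does not follow later address changes on its own; the rules have to be reloaded when the home address changes.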