  1. #1
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66

    How to disable ports?


    Hi

    I want to disable all the ports other than 80, 8080 and a custom SSH port. (I have decided to change 22 to something else for security reasons.)

    How do I do it?

    If the OS matters, it will be CentOS 6.

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    You need to discover what services are using those ports, then disable those services. Here are some commands to get you started:
    Code:
    lsof -i
    nmap -n localhost
    netstat -tulnp
    Check out /etc/services for a list of service-to-port-number listings.

    You can also look into implementing a firewall (iptables) to simply drop/reject any traffic coming in on any network interface that you wish.

  3. #3
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    First you have to set the default input policy to drop all packets:
    Code:
    iptables -P INPUT DROP
    and then add a rule for each port you want to allow:
    Code:
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
    You can do the same for SSH, or you could do the following:
    Code:
    iptables -A INPUT -i eth0 -p tcp -s 72.48.64.92 --dport 22 -j ACCEPT
    This would allow SSH connections through, but only from that particular address. How strong you want the firewall to be is up to you.
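    An added example (not from Krendoshazin's post) that assembles the same kind of rule set in an order that does not cut off the SSH session you are typing in: loopback and already-established traffic are accepted first, the per-port rules follow, and the DROP policy is set last. The custom SSH port 2222 and the interface eth0 are placeholder assumptions; DRY_RUN=1 prints the commands instead of applying them.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread: build the INPUT chain on a
    # CentOS 6 host so that the default policy flips to DROP only after the
    # allow rules exist. Port and interface values below are placeholders.
    SSH_PORT="${SSH_PORT:-2222}"   # the poster's custom SSH port (assumed)
    WEB_PORTS="80 8080"
    IFACE="eth0"

    # Print the rules instead of applying them when DRY_RUN=1, so the order
    # can be reviewed before touching a live box.
    ipt() {
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "iptables $*"
        else
            iptables "$@"
        fi
    }

    build_input_chain() {
        ipt -F INPUT
        # 1. Loopback and established traffic first; without these, local
        #    services and the current SSH session break when the policy flips.
        ipt -A INPUT -i lo -j ACCEPT
        ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # 2. New connections only to the services that should be reachable.
        for p in $WEB_PORTS $SSH_PORT; do
            ipt -A INPUT -i "$IFACE" -p tcp -m state --state NEW --dport "$p" -j ACCEPT
        done
        # 3. Only now make DROP the default for everything else.
        ipt -P INPUT DROP
    }

    # Number of ACCEPT rules the chain would contain (sanity check).
    count_accept_rules() {
        ( DRY_RUN=1; build_input_chain ) | grep -c -- '-j ACCEPT'
    }

    # After applying, persist across reboots on CentOS 6 with:
    #   service iptables save
    case "${1:-}" in
        apply)   build_input_chain ;;
        dry-run) DRY_RUN=1 build_input_chain ;;
    esac
    ```

    Run with `sh firewall.sh dry-run` first and compare the printed order with the comments; only then use `apply`.
    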

  4. #4
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66
    Port 80 and Port 8080: apart from those two ports, is anything else required for users to browse the website without any problem?

    I have dynamic IP address.
    xxx.xxx.variable.variable

    How can I add this to iptables?

  5. #5
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    The source address is the address of the machine that you will be SSH'ing in from, not the machine you want to SSH into. If I were to SSH into your computer from here, then you would create a rule on your machine that allowed me in using my address (the source). If you want to set up a way to get into your computer even though you have a dynamic IP, then you can use a service such as dyndns.org (it's free).

    I use dyndns at home and my router takes care of updating the records if there's an IP change.

    Additionally only port 80 is really required for web browsing. Port 8080 is typically used for proxies.

  6. #6
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66
    I am a little confused.
    Let's assume that I have a dedicated server in the United States.
    The IP is: 72.48.64.92

    In such a case
    Code:
    iptables -A INPUT -i eth0 -p tcp -s 72.48.64.92 --dport 22 -j ACCEPT
    Which means everyone is allowed to use this SSH port of 72.48.64.92. Is that right?
    Is it secure to allow everyone to use it?

  7. #7
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    No, the source address is to specify where a connection is coming from. If I created the following rules on my server 192.168.0.1:
    Code:
    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.3 --dport 22 -j ACCEPT
    then I would be allowing access to port 22 on 192.168.0.1 for 192.168.0.2 and 192.168.0.3. You have to create a separate rule for each IP you want to allow to connect to the server.

    If you want to allow all connections to port 22 to go through, then use this rule:
    Code:
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

  8. #8
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66
    OK, I got it. My server has a static IP. I have a dynamic IP at home. As you said, I should use DynDNS.

  9. #9
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66
    DynDNS, is it a paid version?
    Is there any other way to use
    Code:
    iptables -A INPUT -i eth0 -p tcp --dport xx -j ACCEPT
    to accept only connections from me? (I have a dynamic IP, as I said.)

  10. #10
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    You should be able to replace xx in your iptables command with the appropriate DynDNS domain name, once you get it (i.e. iptables will resolve hostnames to IP addresses so that you don't have to rely on knowing the IP address).

    DynDNS as far as I know still offers free services. The last time I had to re-register (less than a year ago) it was free for two hostnames. They offer paid services too of course, which are more feature-rich and reliable (they don't disappear on you if you forget to update, etc.).

    There is also No-IP.com.
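    An added example for the question in #9 and the answer in #10, not part of either post: iptables resolves a hostname only once, when the rule is added, and stores the resulting address in the rule, so a dynamic-DNS name has to be re-resolved periodically (from cron, for instance) and the allow rule replaced when the address changes. The hostname, the SSH port 2222 and the state-file path are placeholder assumptions.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread: keep an SSH allow rule pointed
    # at whatever address a dynamic-DNS name currently resolves to.
    # Hostname, port and state file are placeholders, not values from the thread.
    DDNS_HOST="${DDNS_HOST:-home.example.dyndns.org}"
    SSH_PORT="${SSH_PORT:-2222}"
    STATE_FILE="${STATE_FILE:-/var/run/ssh-allow.ip}"   # last address applied

    # Accept only a plain dotted quad, so a broken DNS answer never becomes a rule.
    valid_ipv4() {
        echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
        for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
    }

    # IPv4 only; getent ships with glibc, so nothing extra is needed on CentOS 6.
    resolve_ipv4() {
        getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
    }

    # Print the iptables commands that move the allow rule from OLD to NEW.
    # The new rule is inserted before the old one is deleted, so there is no gap.
    render_update() {
        old="$1"; new="$2"; port="$3"
        valid_ipv4 "$new" || return 1
        echo "iptables -I INPUT 1 -p tcp -s $new --dport $port -j ACCEPT"
        if [ -n "$old" ] && [ "$old" != "$new" ]; then
            echo "iptables -D INPUT -p tcp -s $old --dport $port -j ACCEPT"
        fi
    }

    # Intended to run from cron every few minutes.
    refresh_ssh_source() {
        new="$(resolve_ipv4 "$DDNS_HOST")"
        old=""
        if [ -r "$STATE_FILE" ]; then old="$(cat "$STATE_FILE")"; fi
        if [ "$old" = "$new" ]; then return 0; fi   # unchanged, nothing to do
        render_update "$old" "$new" "$SSH_PORT" | sh -e && echo "$new" > "$STATE_FILE"
    }

    case "${1:-}" in
        refresh) refresh_ssh_source ;;
    esac
    ```

    Because the rule is rewritten in place, an established session keeps working through the swap thanks to the ESTABLISHED,RELATED rule most INPUT chains carry.
    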
