This page is an archive of my old blog. Please visit DavidTucker.net for my current blog.

Linux Commandment 1 – Close Thy Ports

Linux adoption seems to be going through the roof as of late. What does this bring us? A lot of new Linux users. I would be willing to bet that some of those users have set up a basic web server, whether for development, testing, or even production purposes. When I first set up a Linux web server (in 2000), my machine got hacked in two days. I got an email from a research institute in California saying that my server was attempting to log into their servers. I had to pull the plug. The first tip for aspiring server administrators (and one that could have saved me in 2000) is to close all unnecessary ports.

Definition:
Necessary Ports – any port that is needed by the general public to view the content on your machine (there is only 1 exception to this rule)

As I said, there is one exception to this rule: port 22 (for SSH). If you have a single server that is remote, you will need to have this port open. However, if you know that you log in from the same IP address each time, you can limit port 22 to that IP address. This is the port that we will use to gain access to all of the other ports that we need to use on the machine. This process is known as SSH Tunneling, and it is supported by most major SSH clients (including PuTTY, which is free).

There are many ports that are left open on dedicated servers that don’t need to be open: MySQL (unless you need to access your databases directly from another server), Plesk (unless your hosting customers need to log into it), DNS (if it isn’t a DNS box), and Webmin. These are only the tip of the iceberg. If you rent a dedicated server from a company, it usually will have anywhere from 10-20 ports open for such things as Internet printing and Windows file sharing (through Samba). This opens up some BIG security holes that need to be fixed. Here is where SSH Tunneling comes in.

Definition:
SSH Tunneling – allows you to access any port on a remote computer by passing all of your data through the SSH (Secure Shell) port 22. This allows you to block ports to the outside world, but keep them open for you.

Example – Access to MySQL via SSH Tunneling

First, we are going to close the MySQL port on our server so that it is only available to localhost. Unless you have changed it, MySQL should operate on port 3306. If you are running Red Hat Linux, you can comment out the lines in /etc/sysconfig/iptables that have port 3306 listed. This works only if you already have a properly configured firewall (one that drops or rejects traffic that no rule accepts). Be sure of that first. Get more information about IPTables here. Once you have blocked port 3306 to the outside world, restart IPTables (or the firewall your system uses). In Red Hat this can be accomplished by running “service iptables restart” as root.

MySQL has some great tools that you can use to administer your databases, users, and server processes. These come packaged together under MySQL GUI Tools on the MySQL site. To use these tools (if port 3306 is blocked on your firewall) you will have to set up an SSH Tunnel.

If you are using PuTTY, click the “Tunnels” option under “SSH”; this is where you add ports to tunnel. First, add the port you want to use on your local machine under “Source Port” (this doesn’t have to be the same as the port on the remote computer). Next, add your server hostname and port (like yourserver.com:3306) under the “Destination” field. Once you are done, click “Add” and then “Connect”. You are now tunneling in.

Now, you can access port 3306 on your remote server like below.
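As an added example (not code from the original post), here is a small Python script that does the two things this post is about: it audits a constructed sample of `netstat -tlnp` output for services listening on every interface that are not on the "necessary" list, and it builds the OpenSSH command-line equivalent of the PuTTY tunnel described above. The user name, host name and the netstat sample are assumptions; the tunnel's destination is 127.0.0.1 because the forward's endpoint is resolved on the server side, so the firewalled port is still reachable through the tunnel.

```python
import re

# Constructed sample of `netstat -tlnp` output (not a capture from a real box).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/httpd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      990/sendmail
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      905/cupsd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1150/smbd
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1310/perl
"""

# "Necessary" ports: what the public needs (80/443) plus the one exception, SSH.
PUBLIC_PORTS = {22, 80, 443}

LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")

def exposed_listeners(netstat_output, allowed=PUBLIC_PORTS):
    """Return sorted [(port, program)] for TCP listeners bound to every
    interface (0.0.0.0 or ::) whose port is not in the allowed set.
    Services bound only to 127.0.0.1 are already closed to the outside."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port, prog = m.group(1), int(m.group(2)), m.group(3)
        if addr in ("0.0.0.0", "::") and port not in allowed:
            found.append((port, prog.split("/", 1)[-1]))
    return sorted(found)

def tunnel_command(user, host, remote_port, local_port=None):
    """OpenSSH equivalent of the PuTTY 'Tunnels' page: local_port on this
    machine is forwarded over port 22 to remote_port as seen from the server,
    so the destination is 127.0.0.1 even though the port is firewalled."""
    local_port = local_port or remote_port
    return f"ssh -N -L {local_port}:127.0.0.1:{remote_port} {user}@{host}"

if __name__ == "__main__":
    for port, prog in exposed_listeners(SAMPLE_NETSTAT):
        print(f"port {port:>5} ({prog}) is open to the world; close it or tunnel to it")
    # With the tunnel up, `mysql -h 127.0.0.1 -P 3306 -u root -p` reaches the remote MySQL.
    print(tunnel_command("admin", "yourserver.com", 3306))
```

Run `netstat -tlnp` (or `ss -tlnp` on newer systems) as root on the server and feed the real output to `exposed_listeners` to see what a rented box actually leaves open.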

This principle can be applied to any port on any remote server that you have SSH access to. You can make your box far more secure by closing all the ports that are not needed by the public. Oh, and Linux Commandment 2 will be: avoid FTP at all costs. This is directly related to ports (I will explain more in the next post).




3 Responses to “Linux Commandment 1 – Close Thy Ports”

  1. steve says:

    I’ve been trying to secure my ports on my box recently and have struggled a bit. After reading the above topic, and following it through, it all works now. I have remote SSH access, which has made things so much easier.
    Many thanks for the help.

    Steve

  2. Michael says:

    Thank you for this good post. It helps us with our actual problems with the tunneling.
    Michael

  3. Hi there, I consider that your argument is rather observing as it highlights lots of insightful info. On the other hand, I was overcurious whether you would be willing to interchange links with my website, as I am looking to compile more contacts to further broaden and get better web exposure for my web site. I don’t really mind you setting my contacts at the main page, just having this link on this particular page is good and sufficient. Anyway, would you be kind enough to contact me at my web portal if you are interested in swapping links? I would really value that. I would like to thank you and hope to get a reply from you very soon!