Thread: Zimbra Security
10-21-2005, 11:41 AM
KevinH
Zimbra Employee
 
Posts: 4,792

Quote:
Originally Posted by mikea
Port State Service
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
143/tcp open imap2
389/tcp open ldap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3310/tcp open unknown
3784/tcp open unknown
7025/tcp open unknown
7070/tcp open realserver
7071/tcp open unknown
7075/tcp open unknown
7110/tcp open unknown
7143/tcp open unknown
7389/tcp open unknown
7443/tcp open unknown
7993/tcp open unknown
7995/tcp open unknown
8009/tcp open ajp13

My question is.. Can I bind everything that's not actually serving data to the internet to localhost? Does LDAP really need to be open to the world? At the very least, could I block access to these ports via iptables? Do the 70** addresses need to be available to the public, or does the iptables redirect act as a proxy?

What ports does the web application connect to?
You can restrict lots of ports to be local only if you have a single node install. Many things need to be open in a multi-node install. In those cases we expect you to have a firewall that will open only your SSL service port to the internet.

In general all you need is to open 80/443 for the web, then the rest can be closed off unless you need IMAP/POP external.
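An added example, not part of the original posts and not Zimbra's own tooling: a short audit that parses a scan listing in the format quoted above and splits the open ports into those the reply says to keep public and those to close off. It assumes a single-node install; the sample listing is constructed, and `plan`, `external_mail` and `extra_allowed` are names chosen here.

```python
import re

# Constructed sample: a subset of the scan quoted above, plus one filtered
# line (not in the original scan) to show that only "open" ports count.
SCAN = """\
Port State Service
22/tcp filtered ssh
25/tcp open smtp
80/tcp open http
389/tcp open ldap
443/tcp open https
993/tcp open imaps
7071/tcp open unknown
8009/tcp open ajp13
"""

WEB = {80, 443}                      # the reply: open these for the web
MAIL_CLIENT = {110, 143, 993, 995}   # the reply: only for external IMAP/POP

LINE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)$")

def open_ports(scan_text):
    """Return {port: service} for each TCP line whose state is 'open'."""
    ports = {}
    for line in scan_text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(2) == "open":
            ports[int(m.group(1))] = m.group(3)
    return ports

def plan(scan_text, external_mail=False, extra_allowed=()):
    """Split open ports into (keep_public, close_off), both sorted.

    extra_allowed is for ports the reply does not discuss and the site
    decides on itself, e.g. 25 if this host accepts mail from the internet.
    """
    allowed = WEB | set(extra_allowed)
    if external_mail:
        allowed |= MAIL_CLIENT
    found = open_ports(scan_text)
    keep = sorted(p for p in found if p in allowed)
    close = sorted(p for p in found if p not in allowed)
    return keep, close

if __name__ == "__main__":
    keep, close = plan(SCAN)
    services = open_ports(SCAN)
    print("keep public:", keep)
    for port in close:
        print(f"restrict to local/firewall: {port}/tcp ({services[port]})")
```

Running the same check against a fresh scan after firewall changes shows whether anything outside the intended set is still reachable.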