Hi all,

Assuming I didn't miss anything, can someone please confirm that the following are the required ports that need to be opened on a multi-server setup?

1. Control panel server with PHPMyAdmin/Roundcube/webFTP installed on it to communicate with the other servers
   TCP ports: 21,22,80,53,443,8080
   UDP ports: 53
2. Web servers
   TCP ports: 20,21,22,53,80,443,40110:40210 (for passive FTP)
   UDP ports: 53
3. Email servers
   TCP ports: 22,53,110,143,443,993,995
   UDP ports: 53
4. DB servers
   TCP ports: 22,53
   UDP ports: 53
5. DNS servers
   TCP ports: 22,53
   UDP ports: 53

Questions:

I don't want MySQL accessible outside of my IPs/private network (10.0.0.0/16), and this is why I didn't include port 3306 in the above listing for DB servers. How and where can I put a rule in ISPConfig to achieve this? I don't want to limit access by editing MySQL users; it needs to be done through the firewall.

Is there also a way to add 3 IPs (not within my private network) that bypass any firewall rule?

Last but not least, if I want to replace the ufw firewall which is currently installed with CSF, apart from removing it via apt-get and also deleting the rules through the ISPConfig interface, do I need to do anything else? For example, is fail2ban somehow related to it? Do I need to remove that too?

Thanks
You know you don't need port 8080 on all servers, just on the master for the ISPConfig GUI if you use it, right? For the database, which should be there on each server if I'm not mistaken, only they shall have access to the master (and not vice versa), and to limit this access you need to add their IPs manually to the master server's firewall rules.
Let's start with a short list of ports and what they are for:

SSH: 22 (TCP)
HTTP(S) (web traffic): 80, 443 (TCP)
ISPConfig GUI: 8080, 8081 (TCP) (I don't use 8081 personally and you can leave it closed)
MySQL DB: 3306 (TCP)
DNS: 53 (TCP and UDP)
FTP: 20, 21 (TCP) (and your passive ports of course)
SMTP: 25 (TCP), 465 (SSL submission) (TCP), 587 (TLS submission) (TCP)
IMAP: 143 (non-encrypted) (TCP), 993 (SSL) (TCP)
POP3: 110 (non-encrypted) (TCP), 995 (SSL) (TCP)

I personally don't use ISPConfig to manage my firewall rules. If you use UFW, you can allow only a local range for the database using this command:

Code:
ufw allow from 10.0.0.0/16 to any port 3306 proto tcp

This has to be done on every server. Remember to add the local addresses along with the hostname to your /etc/hosts file, so your servers connect internally instead of through the public IP address.

This should be the config for your servers:

1. Control panel server with PHPMyAdmin/Roundcube/webFTP installed on it to communicate with the other servers
   TCP ports: 22,80,443,8080
2. Web servers
   TCP ports: 20,21,22,80,443,40110:40210 (for passive FTP)
3. Email servers
   TCP ports: 22,25,110,143,465,587,993,995
4. DB servers
   TCP ports: 22
5. DNS servers
   TCP ports: 22,53
   UDP ports: 53

Yes, using UFW:

Code:
ufw allow from 8.8.8.8

Replace 8.8.8.8 with the correct IP.

No, I don't think so. But AFAIK CSF is not supported by ISPConfig, so you'd have to configure it through the CLI. I like UFW personally; it's easy to use and works well.
It is currently not necessary for ISPConfig, but I do it as I trust my local network and some applications do need access to a DB on a slave server. So you can leave it out for every server except the master and database server(s), but I would add it.
@Th0m thank you for the very detailed answer. My /etc/hosts contains both IPs, the public and the internal, like:

10.0.0.6 dns1.mydomain.com dns1
88.198.1.1 dns1.mydomain.com dns1

Would that cause a problem in resolving? I guess not?
No problem. You should remove the second entry just to be sure, because if the server connected to your public IP, it would not be able to go through your firewall rule for 3306.
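A quick way to check for the situation described above (one hostname listed under both a private and a public address, so a connection may leave over the public IP and miss the 3306 rule), as an added example that is not part of the thread. It parses /etc/hosts-style text with awk; the sample content and the names dns1/web1 are constructed, and "private" means the RFC 1918 ranges.

```shell
#!/bin/sh
# Added example, not from the thread: report hostnames that /etc/hosts maps
# to both a private (RFC 1918) and a public address. Such a host may be
# reached over the public IP, bypassing a "from 10.0.0.0/16" firewall rule.

# Constructed sample of an /etc/hosts file (not a real server's file).
SAMPLE_HOSTS='127.0.0.1 localhost
# comment lines and blank lines are ignored
10.0.0.6 dns1.mydomain.com dns1
88.198.1.1 dns1.mydomain.com dns1
10.0.0.7 web1.mydomain.com web1'

# dual_mapped HOSTS_TEXT -> prints, sorted one per line, every hostname that
# appears with at least one private and at least one public address.
dual_mapped() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF < 2 { next }            # skip comments / short lines
    {
      ip = $1
      # 10/8, 172.16/12 and 192.168/16 count as private
      priv = (ip ~ /^10\./ || ip ~ /^192\.168\./ ||
              ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
      for (i = 2; i <= NF; i++) {                  # every alias on the line
        if (priv) p[$i] = 1; else q[$i] = 1
      }
    }
    END { for (h in p) if (h in q) print h }
  ' | sort
}

# Stand-alone run: report on the constructed sample. To check a real server,
# call dual_mapped "$(cat /etc/hosts)" instead.
dual_mapped "$SAMPLE_HOSTS" | sed 's/^/dual-mapped host: /'
```

On the sample this reports dns1 and dns1.mydomain.com and stays silent for web1, which only has a private entry; an empty result is what you want after removing the public line.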
A couple of corrections to your initial list: you don't need to allow incoming port 20 anywhere; it is used as the server's source port when originating active mode connections, nothing ever connects *to* port 20. You also don't need port 53 opened on all your servers, only on those which accept DNS queries from other machines (i.e. typically just your public DNS servers). For security, limit all incoming port 22 connections to your admin addresses if you can, only opening 22 to the internet on web servers so your clients can connect and manage files, etc. Same idea with port 3306: I only open it where it's needed/used.
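Putting Th0m's per-role port list together with the corrections in the reply just above (no inbound 20, 53 only on DNS servers, 22 and 3306 restricted to known addresses), here is a small generator that prints the ufw commands for one server role. This is an added example, not code from the thread or from ISPConfig: the role names (panel, web, mail, db, dns), the passive FTP range and the three admin/VPN addresses (documentation TEST-NET values, not real ones) are constructed, the 10.0.0.0/16 range is the one from the thread, and 3306 is opened only on the panel (master) and db roles, as the earlier replies recommend. It prints the commands rather than running them, so you can review them before applying.

```shell
#!/bin/sh
# Added example, not from the thread: emit ufw rules for one server role.
# Assumptions (constructed): role names, the admin/VPN addresses below, and
# that only the panel (master) and db roles run a MySQL server.

PRIVATE_NET="10.0.0.0/16"                              # from the thread
ADMIN_IPS="203.0.113.10 203.0.113.11 203.0.113.12"   # placeholder admin/VPN IPs
PASSIVE_FTP="40110:40210"                             # passive FTP range from the thread

# public_tcp_ports ROLE -> TCP ports that must be reachable from anywhere.
# Port 20 is deliberately absent (source port of active FTP, never a listener)
# and 53 appears only for the dns role.
public_tcp_ports() {
  case "$1" in
    panel) echo "80 443 8080" ;;
    web)   echo "21 80 443 $PASSIVE_FTP" ;;
    mail)  echo "25 110 143 465 587 993 995" ;;
    db)    echo "" ;;
    dns)   echo "53" ;;
    *)     return 1 ;;
  esac
}

# ufw_rules ROLE -> prints the ufw commands for that role, one per line.
ufw_rules() {
  role="$1"
  ports=$(public_tcp_ports "$role") || { echo "unknown role: $role" >&2; return 1; }
  echo "ufw default deny incoming"
  # SSH: admin addresses on every role; web servers also open 22 for clients.
  for ip in $ADMIN_IPS; do
    echo "ufw allow from $ip to any port 22 proto tcp"
  done
  [ "$role" = web ] && echo "ufw allow 22/tcp"
  # MySQL: private network plus the admin addresses, only where a DB listens.
  if [ "$role" = db ] || [ "$role" = panel ]; then
    echo "ufw allow from $PRIVATE_NET to any port 3306 proto tcp"
    for ip in $ADMIN_IPS; do
      echo "ufw allow from $ip to any port 3306 proto tcp"
    done
  fi
  # Services that genuinely serve the public.
  for p in $ports; do
    echo "ufw allow $p/tcp"
  done
  [ "$role" = dns ] && echo "ufw allow 53/udp"
  echo "ufw enable"
}

# Stand-alone run: ROLE=web sh thisfile.sh (defaults to db).
ufw_rules "${ROLE:-db}"
```

Review the output, then run it through `sh` on the matching server; the "from ... to any port ..." form is the same one Th0m used above, just applied consistently so that 22 and 3306 never get a bare "allow" on servers that should not expose them.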
You could also use a port other than 22 for SSH for you and your clients, but do read this discussion first on whether to change it: https://security.stackexchange.com/...default-ssh-port-on-linux-servers/32311#32311
Thanks for all the posts. SSH is accessible only with a private key, so no need to change any port.

This is what I currently have in terms of firewall rules:

1. Control panel server with PHPMyAdmin/Roundcube/webFTP installed on it to communicate with the other servers
   TCP ports: 22,80,443,8080
2. Web servers
   TCP ports: 21,22,80,443,40110:40210
3. Email servers
   TCP ports: 22,25,110,143,465,587,993,995
4. DB servers
   TCP ports: 22
5. DNS servers
   TCP ports: 22,53
   UDP ports: 53

MySQL is accessible from outside my local network only through 3 specific IPs from a VPN.

Kind regards