Hello,
The perfect ISPC3 on Ubuntu 20.04: Why is port 20 open, do we need it open?

Code:
:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 20/tcp                     ALLOW IN    Anywhere
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] 25/tcp                     ALLOW IN    Anywhere
[ 5] 53/tcp                     ALLOW IN    Anywhere
[ 6] 80/tcp                     ALLOW IN    Anywhere
[ 7] 110/tcp                    ALLOW IN    Anywhere
[ 8] 143/tcp                    ALLOW IN    Anywhere
[ 9] 443/tcp                    ALLOW IN    Anywhere
[10] 465/tcp                    ALLOW IN    Anywhere
[11] 587/tcp                    ALLOW IN    Anywhere
[12] 993/tcp                    ALLOW IN    Anywhere
[13] 995/tcp                    ALLOW IN    Anywhere
[14] 3306/tcp                   ALLOW IN    Anywhere
[15] 8080/tcp                   ALLOW IN    Anywhere
[16] 8081/tcp                   ALLOW IN    Anywhere
[17] 10000/tcp                  ALLOW IN    Anywhere
[18] 53/udp                     ALLOW IN    Anywhere
[19] 3306/udp                   ALLOW IN    Anywhere

What are the best practices to secure the server in general? I was thinking of port knocking? Any feedback is appreciated.
More specifically, port 20 is used for FTP in active mode, which is nice, since you don't have to leave a whole range of ports open for passive mode FTP, and you can block inbound connections being initiated to port 20, since it's the server that should start the connection to the client. But it's also a pain in the arse, as you'll probably spend all your time on the phone telling your clients how to open their firewall to allow the inbound connection from your server, and how to configure their FTP client to use active mode.

Also, according to your list of ports, passive mode won't work as you haven't opened a range of ports for the FTP client to connect to.

Also, unless you're allowing external clients to connect directly to MySQL (best not to unless they have a really good reason), you don't need port 3306 open, unless it's a multi-server setup. Even then it's best to just allow specific IPs to connect, rather than from anywhere.
https://www.faqforge.com/linux/whic...g-3-server-and-shall-be-open-in-the-firewall/
https://www.faqforge.com/linux/cont...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/
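
Added example, not part of any post in this thread: a shell function that reads `ufw status numbered` output and flags the three points raised in the reply above (inbound 20/tcp, port 21 without a passive range, 3306 open to Anywhere). The name `audit_ufw`, the abridged sample rule list and the treatment of any allowed TCP port range as the passive range are assumptions.

```shell
#!/bin/sh
# Added example: flag the points raised in the reply in `ufw status numbered` output.
# Sample abridged from the rule list posted in the question.
SAMPLE_RULES='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 20/tcp                     ALLOW IN    Anywhere
[ 2] 21/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere
[14] 3306/tcp                   ALLOW IN    Anywhere
[19] 3306/udp                   ALLOW IN    Anywhere'

# audit_ufw (hypothetical name): reads rule lines on stdin, prints one WARN line per finding.
audit_ufw() {
    awk '
    /^\[/ {
        gsub(/ \(v6\)/, "")            # check IPv6 rules the same way as IPv4 ones
        sub(/^\[ *[0-9]+\] */, "")     # drop the "[ N]" rule number
        if ($2 != "ALLOW" || $3 != "IN") next
        split($1, p, "/"); port = p[1]; proto = p[2]; from = $4
        if (port == "21" && proto == "tcp") ftp = 1
        # Assumption: any allowed TCP port range is the passive-mode data range.
        if (port ~ /:/ && proto == "tcp") range = 1
        if (port == "20")
            print "WARN 20/" proto " inbound: active-mode data connections start from the server, rule not needed"
        if (port == "3306" && from == "Anywhere")
            print "WARN 3306/" proto " open to Anywhere: close it or allow specific IPs only"
    }
    END {
        if (ftp && !range)
            print "WARN 21/tcp open without a port range: passive-mode FTP will not work"
    }'
}

# Stand-alone run on the sample; on a server: ufw status numbered | audit_ufw
printf '%s\n' "$SAMPLE_RULES" | audit_ufw
```

A rule set that allows a TCP port range for passive FTP, has no inbound rule for port 20 and limits 3306 to named source addresses produces no output.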