LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Improved Server Security By Closing Ports With nmap Monitoring

Tags: , , , , Date/Time: June 7, 2020 @ 4:48 am, by raindog308

A cardinal rule of security is to avoid running services you don’t need.  A logical extension of that rule is to not expose ports to the public Internet unnecessarily.

You may have a very good reason to run MySQL, however you may not need to expose MySQL to the public Internet.  If you have a package that requires Samba as a dependency, you want to make sure Samba is not up and running on your public IP.  On many VPSes, nothing beyond sshd and a web server need to be publicly facing. 

Take a moment to scan your system to determine what ports are publicly facing.  The easiest way to do this is with the nmap tool:

    apt-get install nmap (Debian)
    yum -y install nmap (CentOS)

Then:

    nmap <your public IP>

It will provide a report of what ports are open.  For example:

    Starting Nmap 7.40 ( https://nmap.org ) at 2020-04-01 16:35 PDT
    Nmap scan report for myvps.example.com (x.x.x.x)
    Host is up (0.0000030s latency).
    Not shown: 992 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    587/tcp  open  submission
    3306/tcp open  mysql

In this case, many services can be reconfigured to enhance security:

  • ssh could be moved to a different port
  • if the system is not designed to accept mail, smtp shouldn’t be listening on ports 25 and 587
  • rpcbind is unneeded in most cases
  • netbios-ssn and microsoft-ds are Samba and should be disabled or restricted to private IPs
  • mysql should be reconfigured to listen on localhost (127.0.0.1) only

Note that nmap does not scan all 65536 ports by default.  If you want a comprehensive scan:

    nmap -p1-65535 <your public IP>

Be advised that scanning your VPS from another VPS will sometimes trip your provider’s intrusion detection systems, so it’s best to scan from the VPS itself.

You can also automate checking if new ports are opened by running nmap periodically and reporting any differences.  Here is a script to accomplish this.

     #!/bin/bash
     EMAIL=someone@example.com 
     PUBLIC_IP=<your public ip>
     prev_file=/root/nmap.last.scan.txt
     if [ ! -f $prev_file ] ; then
         nmap -p1-65535 $PUBLIC_IP | grep open > $prev_file
         exit 0
     fi
     temp_file=$(mktemp)
     nmap -p1-65535 $PUBLIC_IP | grep open > $temp_file
     cmp $prev_file $temp_file > /dev/null
     if [ $? -ne 0 ] ; then
         mailx -s "nmap output has changed on $(hostname)!" $EMAIL < $temp_file
     fi
     mv $temp_file $prev_file

To deploy this script:

  1. Change the EMAIL and PUBLIC_IP to appropriate values
  2. Save the script as /root/nmap_checker.sh (or wherever you would like) and make it executable (chmod 755 /root/nmap_checker.sh)
  3. Add the following line to root’s crontab.  In this example it’s configured to run every day at 4am:
        0 4 * * *   /root/nmap_checker.sh

From that point forward you should get an email whenever the nmap scan of your VPS changes.

 

I'm Andrew, techno polymath and long-time LowEndTalk community Moderator. My technical interests include all things Unix, perl, python, shell scripting, and relational database systems. I enjoy writing technical articles here on LowEndBox to help people get more out of their VPSes.

1 Comment

  1. lebreader:

    Hello Andrew,

    But doesn’t providers disallow port scanning? Can I install nmap on a vps and scan my other one? Or can I install on 1 vps only and scan it?

    Does nmap require vz or kvm? Thanks!

    June 19, 2020 @ 11:24 pm | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *