A cardinal rule of security is to avoid running services you don’t need. A logical extension of that rule is to not expose ports to the public Internet unnecessarily.
You may have a very good reason to run MySQL, however you may not need to expose MySQL to the public Internet. If you have a package that requires Samba as a dependency, you want to make sure Samba is not up and running on your public IP. On many VPSes, nothing beyond sshd and a web server need to be publicly facing.
Take a moment to scan your system to determine what ports are publicly facing. The easiest way to do this is with the nmap tool:
apt-get install nmap (Debian) yum -y install nmap (CentOS)
Then:
nmap <your public IP>It will provide a report of what ports are open. For example:
Starting Nmap 7.40 ( https://nmap.org ) at 2020-04-01 16:35 PDT Nmap scan report for myvps.example.com (x.x.x.x) Host is up (0.0000030s latency). Not shown: 992 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 587/tcp open submission 3306/tcp open mysql
In this case, many services can be reconfigured to enhance security:
- ssh could be moved to a different port
- if the system is not designed to accept mail, smtp shouldn’t be listening on ports 25 and 587
- rpcbind is unneeded in most cases
- netbios-ssn and microsoft-ds are Samba and should be disabled or restricted to private IPs
- mysql should be reconfigured to listen on localhost (127.0.0.1) only
Note that nmap does not scan all 65536 ports by default. If you want a comprehensive scan:
nmap -p1-65535 <your public IP>Be advised that scanning your VPS from another VPS will sometimes trip your provider’s intrusion detection systems, so it’s best to scan from the VPS itself.
You can also automate checking if new ports are opened by running nmap periodically and reporting any differences. Here is a script to accomplish this.
#!/bin/bash EMAIL=someone@example.com PUBLIC_IP=<your public ip> prev_file=/root/nmap.last.scan.txt if [ ! -f $prev_file ] ; then nmap -p1-65535 $PUBLIC_IP | grep open > $prev_file exit 0 fi temp_file=$(mktemp) nmap -p1-65535 $PUBLIC_IP | grep open > $temp_file cmp $prev_file $temp_file > /dev/null if [ $? -ne 0 ] ; then mailx -s "nmap output has changed on $(hostname)!" $EMAIL < $temp_file fi mv $temp_file $prev_file
To deploy this script:
- Change the EMAIL and PUBLIC_IP to appropriate values
- Save the script as /root/nmap_checker.sh (or wherever you would like) and make it executable (chmod 755 /root/nmap_checker.sh)
- Add the following line to root’s crontab. In this example it’s configured to run every day at 4am:
0 4 * * * /root/nmap_checker.sh
From that point forward you should get an email whenever the nmap scan of your VPS changes.
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
Hello Andrew,
But doesn’t providers disallow port scanning? Can I install nmap on a vps and scan my other one? Or can I install on 1 vps only and scan it?
Does nmap require vz or kvm? Thanks!