securing digitalocean ports - hosting

I have an app deployed on DigitalOcean
When I run ufw status
this is the output,
Status: active
To Action From
-- ------ ----
Nginx Full ALLOW Anywhere
5432/tcp ALLOW Anywhere
22/tcp LIMIT Anywhere
53 ALLOW Anywhere
25/tcp ALLOW Anywhere
587/tcp ALLOW Anywhere
993/tcp ALLOW Anywhere
995/tcp ALLOW Anywhere
4190/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
25 ALLOW Anywhere
587 ALLOW Anywhere
Nginx Full (v6) ALLOW Anywhere (v6)
5432/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) LIMIT Anywhere (v6)
53 (v6) ALLOW Anywhere (v6)
25/tcp (v6) ALLOW Anywhere (v6)
587/tcp (v6) ALLOW Anywhere (v6)
993/tcp (v6) ALLOW Anywhere (v6)
995/tcp (v6) ALLOW Anywhere (v6)
4190/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
25 (v6) ALLOW Anywhere (v6)
587 (v6) ALLOW Anywhere (v6)
I need to close all extra ports and secure my server.
What should I do about this?
Any help would be appreciated as I am new in the world of hosting.

Remove the unwanted rules with the delete command
sudo ufw delete allow 25/tcp
See Linuxize How to List and Delete UFW Firewall Rules

Related

can't access my spring-boot end-points from public ip address

i built a java project (spring-boot)
which works perfectly on my localhost.
I expose some end-points with GET verb, like :
http://localhost:8193/v1/interactive/live/check
I choosed port 8193 to be accessed from the internet,
as my internet provider let me do a port forwarding on my internet box.
(authorized range is 8193 to 16383 so i choosed 8193)
So i made a port forwarding as :
external port 8193 ==> internal port 8193 ==> my localhost.
Then, i configured my linux firewall to let port 8193 to come 'in'.
The result of command
sudo ufw status
is
To Action From
---- ------ --
8193/tcp ALLOW Anywhere
8193 ALLOW Anywhere
8193/tcp (v6) ALLOW Anywhere (v6)
8193 (v6) ALLOW Anywhere (v6)
Finally,
when i use this internet tool to check if the port can be accessed from the internet,
it says to me it's ok :
https://www.yougetsignal.com/tools/open-ports/
But, i can't access the end-point with :
http://87.89.666.777:8193/v1/interactive/live/check
(87.89.666.777 is my fake public adress)
So, what could be bad with my configuration ?

Can't access ec2 instance via fsockopen in PHP pointed at my ec2 public IP and designated port

Before anything else, I have read about 30+ StackOverflow answers and none of them seem to address my particular flavour of this problem. Below I list all the answers I have already tried before asking for more advice.
I am trying to access my ec2 instance via socket in PHP from a different machine via fsockopen, pointed at my ec2 public IP (I have an Elastic fixed IP address 54.68.166.28) and designated port.
Behaviour: I can access the instance and the ChatScript application running inside from within the instance, via the public IP directly on the browser. But if I run the exact same webpage with the exact same socket call on an external machine targeting my instance's IP address (double checked it is the correct one) I get a 500 Internal Server Error when connecting on port 1024 (for my custom TCP connection), another 500 on port 443 (HTTPS). On port 80 (HTTP) it hangs 20+ seconds then gives me status 200 success, except it does not connect properly to the application and responds with nothing.
Troubleshooting:
I have set up my security group rules to accept incoming TCP from anywhere:
HTTP (80) TCP 80 0.0.0.0/0
HTTP (80) TCP 80 ::/0
HTTPS (443) TCP 443 0.0.0.0/0
HTTPS (443) TCP 443 ::/0
Custom (1024) TCP 1024 0.0.0.0/0
Custom (1024) TCP 1024 ::/0
Outbound rules span port range 0 - 65535 with destination 0.0.0.0/0, so should work.
I ssh every time without problems into the instance on port 22. SCP also works fine.
Checked $sudo service httpd status: running, which is why my UI displays there fine.
Checked $sudo /sbin/iptables -L and all my policies are set to ACCEPT with no rules
Checked $ netstat --listen -p and the app I am targeting is listening on port 0.0.0.0.0:1024.
Checked Network Utility and ports 80 and 1024 are registered as open. Port 443 is not. Pinging did not work for any of them, with 100% packet loss.
Checked my instance is associated to the security group with all the permissions - it is. IP is clearly correct or I could neither ssh nor serve webpages... which I can.
I stopped and restarted the instance.
I replaced the instance.
I think this is due diligence before asking for help... now I need it!
I realised my configuration was correct: the problem was that the hosted domain I used for the GUI, like most hosted domains, does not open custom ports, so tcp did not work.

Exchange server behind Cisco router

I have Cisco 2801 router with public IP and NAT enabled effectively providing Internet access to users behind it.
How to publish Exchange server behind the router using above mentioned Public IP so users can send/receive emails while not in the office using Outlook as well as with OWA and Mobile ActiveSync.
BR,
Oleg
You will need to open ports that are required for Inbound access on the Cisco 2801. Assuming that you want to open port 443 for the OWA on server 10.1.1.1, you will enter something like the following
ip nat inside source static tcp 10.1.1.1 443 interface Fa 0/0 443
Where Fa 0/0 is the Interface connected to the Internet.
Be careful when you open ports; you need to have good understanding of Firewalls and Security design of your Network.
You will add Destination nat on cisco router for users can access to your Exchange server from internet. and you must create Access list for open necessary port for Exchange server like https, smtp, pop3, imap , TCP/587, tcp/993, tcp/995 and by default other things will block with hidden rule on ACL.
Destination NAT
ip nat inside source static
Access list
ip access-list extended OUTSIDE-TO-INSIDE_AL
10 permit tcp any eq 443
.
.
.
.
You can use Zone-Base firewall, if your device and IOS are support it.

Tinyproxy Reverse Proxy "Access denied"

I'm using tinyproxy to reverse proxy. I have three subdomains pointed to the same server, and we need them to point to specific ports internally. That is, port 80 from any particular subdomain, mapped to a particular port. See the config example below.
The config looks like this:
Port 80
#Allow 127.0.0.1
#ReverseOnly yes
upstream 127.0.0.1:8115 "website.example.com"
upstream 127.0.0.1:3000 "api.example.com"
upstream 127.0.0.1:9000 "socket.example.com"
When I pull up any subdomain, all I get is:
Access denied
The administrator of this proxy has not configured it to service requests from your host.
Generated by tinyproxy version 1.8.3.
I cannot find adequate documentation anywhere. I'm thinking of contacting the maintainers. Please help.
I hope you already got the answer, but if you have not, here is the setting to allow client connecting to your proxy:
#
# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
Allow 127.0.0.1
#Allow 192.168.0.0/16
#Allow 172.16.0.0/12
#Allow 10.0.0.0/8
Allow 0.0.0.0/0
In my example here, I allow 0.0.0.0/0 because I'm configuring a reverse proxy from the Internet to my other VPS.
Also, your configuration above is for forward proxy, not reverse proxy.
To enable reverse proxy function, you need at least the following:
ConnectPort 80
ConnectPort 443
ReversePath "/" "http://<your server IP>:8080/"
ReverseOnly Yes
ReverseMagic Yes

AWS free-tier instance port discrepancy from Security Group specifications

My Ubuntu Server 11.04 free-tier instance security group opens SSH, HTTP, HTTPS to the public web and nothing else (not even the inter-group TCP/UDP/ICMP ports enabled by the default sec group).
But when I Nmap my server's public dns, it shows HTTP & HTTPS closed, with ftp (21), rtsp (554), and realserver (7070) all open. This would, of course, explain why I can't view the website I'm running on that instance, so I need to fix it.
This is a cross-post from the AWS EC2 forum, but since I've got no replies yet, I'm hoping for better luck here.
my SecGroup (no other rules for UDP or ICMP):
TCP
Port (Service) Source Action
22 (SSH) 0.0.0.0/0 Delete
80 (HTTP) 0.0.0.0/0 Delete
443 (HTTPS) 0.0.0.0/0 Delete
Nmap:
kurtosis#kurtosis-laptop:~/bin/AWS$ nmap ec2-184-73-70-26.compute-1.amazonaws.com
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-14 23:27 PDT
Interesting ports on ec2-184-73-70-26.compute-1.amazonaws.com (184.73.70.26):
Not shown: 994 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp closed http
443/tcp closed https
554/tcp open rtsp
7070/tcp open realserver
Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds
Why are http and https closed when my security group specifies they should be open, and why is ftp, rtsp, and realserver open when my security group does not include them at all? Anyone know why the discrepancy?
Are you sure your instance is a member of the security group you're modifying? In the EC2 Console you can see this by clicking on the Instance, it'll list the security groups it's a member of as "sg-12345".
Alternatively it may be an issue with just that instance - try terminating that instance and starting a new one to see if the problem persists.

Resources