Do I really need to keep port 22 open?

Help with Setup
#1

After setting up MiaB, I left all the posts open on my firewall, since the documentation mentions that MiaB has it’s own firewall.

For my own piece of mind though, I want to block the ports that are not necessary on my firewall also.

As per the documentation the following ports must be open:

22 (SSH), 25 (SMTP), 53 (DNS; must be open for both tcp & udp), 80 (HTTP), 443 (HTTPS), 587 (SMTP submission), 993 (IMAP), 995 (POP) and 4190 (Sieve).

My only concern is port 22. I usually block that for everyone except my own WAN IP.

Does it really need to be open? Is SSH used for emails?

Thanks

#2

SSH (secure shell) should be open to allow you to login to your server. You can set up passwordless login which requires you to have a cryptographic key which you store on your laptop in this case. This prevents others trying passwords on the SSH port. The port is also rate limited by fail2ban if I remember correctly.

This is all assuming the server is remote, eg a VPS.

SSH isn’t used for email as you say.

#3

great, so I can block 22 from everywhere except my IP.

I’m assuming 80,443 and 995 are not needed either if I don’t use webmail and POP.

#4

80 and 995 could be closed. But what about reaching the admin screens which will need 443 open.

#5

No, and no. Most security conscious sysadmins move the SSH port to a completely different port.

Blocking the port in your firewall is fine, as long as you can unblock it when needed. Restricting access to a specific IP is also fine.

#6

You need either port 80 or port 443 for automatic renewal of Let’s Encrypt SSL certificates. I am fairly certain that it is port 80.

1 Like
#7

ok, I’ll leave both 80 and 443 open

Greenshot 2021-02-22 15.04.59
Greenshot 2021-02-22 15.04.591364×352 55.2 KB

1 Like
#8

Note that if you are using IPv6, the “security through obscurity” practice of assigning SSH to a different port is no longer a valid tactic, as anyone can get a quadrillion IPv6 addresses basically for free and you only have 65,535 ports. It’s one of many reasons not to use IPv6 unless you have some very specific reason to do so.

Also, the bad guys can ping your server over time and track which ports you have open. It is a simple script requiring almost no resources that can run in-between other jobs.

#9

While this is indeed very true, in practice it is irrelevant. The ‘bad guys’ are looking for the low hanging fruit and if port 22 is closed will just move on rather than port scanning. It is not worth the effort in most cases.

Centos OS will report exactly how many brute force attempts are made between shell logins when you log in each time. On the default port 22 that number is usually in the hundreds or thousands of attempts, while on a system that the default ssh port has been changed it will be a handful, if any at all.