Koozali.org: home of the SME Server

(noobie) firewall concern

mcupples

(noobie) firewall concern
« on: February 17, 2005, 07:15:11 AM »
New to all this:
1. When I test the ports (www.grc.com) I see that ports 25, 80, 113, 443, and 465 are open (didn't check above port 1025). How do I make SME more secure from the outside world?
2. Do I need to 'stealth' the ports...and how?
3. How vulnerable am I with these ports open?
4. Before I used a router with SPI and software firewall at each client...had hoped to block stuff at SME before the 2 client computers I have at home here.
Thanks for the help!

dhardy

(noobie) firewall concern
« Reply #1 on: February 17, 2005, 09:58:32 AM »
I only have experience of server and gateway mode, running with a real IP on the net.

Your biggest security risk here is your usernames and passwords - if the usernames are names then make the passwords long (8+ characters) and alphanumeric. If your users choose poor passwords, hurt them  :-x

If you just installed SME as a 'Server and gateway' and didn't fiddle with it then you are *probably* secure. By default SME will only relay mail for domains it knows about, so concerns on port 25 can be allayed.

Ports 80 and 443 are http and https so are needed for the webserver that's running. This is not insecure unless you create and upload a poorly designed website.

Port 113 is the ident service. From what I can make out, this is needed for the 'server' side bit of being a webserver - and so it does not represent a security risk on SME.

Port 465 is for secure SMTP, this would allow your clients to connect from the internet and authenticate to send email that is not for your domain, i.e. outgoing email. It is not a problem unless you have poor passwords.

So, in summary, those ports are needed for SME to use for normal email in, out and web serving traffic.

Of course, if you fiddled with it all under the hood, then you should seek more detailed advice - and probably disconnect it if you are unsure.

Finally, GRC.com is showing the results for the server, the clients are presumably on the LAN behind the SME Server and are therefore protected. You can run a personal firewall on the clients as well, I personally feel that it's overkill on small networks where user education is much more important than user confinement .....


Here is an anecdote that may prove the importance of long passwords ....

I once set up an SME server on a public IP which only had one user account, no published MX record and no DNS (making it fairly anonymous and only findable by port scanning). After 4 days the one user account had one piece of spam in it - the b*stards had plugged away at the server until they brute-forced the email address david@millfarm.org and it was accepted as a valid incoming email address. The moral is, there is no security in obscurity, they will find you and they will keep trying until they get in or you wear them out .....

David.

mrothe

Re: (noobie) firewall concern
« Reply #2 on: February 17, 2005, 10:45:45 AM »
Hi there,
I'm pretty sure the answer to this question is in the FAQs. But just in case it isn't, here goes.

The first thing you need to know is that the results that you get from grc.com are based on a port scan done to your server, not the pc that you are viewing the test results on.

When you run the "all service port" scan at grc.com you get a web page that has a lot of green squares and a few red ones, the red ones are the ports that you listed. If you click on one of the red squares it will take you to a page showing info on that particular port.
Here is a very basic description of the ports you listed and how they relate to your server.

Port 25 - Email (SMTP-Simple Mail Transfer Protocol)
The reason this port is showing up is that you most likely have your server set to handle emails. If you close or stealth the port then your server will not receive emails! (I think)

Port 80 - Web Site (HTTP-Hyper Text Transfer Protocol)
The reason this port is showing up is that you probably have your server set to be a web server..same idea as above, no port 80 no web page.

Port 113 - Ident (This port normally is used as an email authentication scheme)
I'm not sure but I think that when you send or receive an email to/from your server to another server this port is used to authenticate each other, some mail servers require this port visible before they will receive your emails, so stealthing this port is probably not a good idea. (I think)

Port 443 - https (Secure http protocol)
This is the port used to create a secure connection between your server and the PC connecting to it via their web browser (ever noticed the padlock in the bottom left corner of IE?), I believe that the webmail package in your server sets up a secure connection with remote PCs.

Port 465 - LDAP (Gibson calls it something else)
This is probably the only port that you should mess with if you are running your server as a web and mail server as well as a gateway. This port is used to provide information about specific users on your server (e.g. phone #, address, etc.), so if you are concerned with privacy you should probably close this port. To do this you need to...
Open the server-manager and choose Directory under the Configuration category, next change the settings on LDAP to Allow only local access.

As far as how vulnerable you are with these ports open, anytime you have open ports or even visible ports you are vulnerable to hackers/viruses. It's a good idea to check your logs to see what's going on with these ports.

I hope this helps

Mike Rothe
...

mrothe

Oops... My mistake on port 465
« Reply #3 on: February 17, 2005, 10:58:45 AM »
Sorry for the bad info.
Here's a page with info on what port 465 is all about:

http://www.cisco.com/en/US/tech/tk828/technologies_q_and_a_item09186a00801bb25d.shtml

Good Luck

Mike Rothe
...

mrothe

One More thing
« Reply #4 on: February 17, 2005, 11:03:28 AM »
Hi, just thought I would let you know that I ran the port scan on my server and 465 is coming up stealth, so you may want to look into that port a bit further.

Mike Rothe
...
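
Added example, not part of any post in this thread: a local cross-check for the external scan discussed above. It compares the TCP listeners reported by `ss -tln` against the five ports the thread treats as the default baseline. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Baseline taken from the thread: ports a default server-and-gateway
# install is expected to expose.
EXPECTED_PORTS="25 80 113 443 465"

# Read `ss -tln` output on stdin; print each TCP port that has a listener
# on a non-loopback address, one per line, sorted and de-duplicated.
public_ports() {
    awk '$1 == "LISTEN" {
        addr = $4                              # Local Address:Port column
        port = addr; sub(/.*:/, "", port)      # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)  # text before the last colon
        if (host ~ /^127\./ || host == "[::1]") next   # loopback only
        print port
    }' | sort -n -u
}

# Listening but not in the baseline: a service that was added later.
unexpected_listeners() {
    public_ports | while read -r p; do
        case " $EXPECTED_PORTS " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# In the baseline but with no listener: one reason a scan shows "stealth".
missing_listeners() {
    found=" $(public_ports | tr '\n' ' ')"
    for p in $EXPECTED_PORTS; do
        case "$found" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Constructed sample of `ss -tln` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:25          0.0.0.0:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     0.0.0.0:113         0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     0.0.0.0:8081        0.0.0.0:*
LISTEN  0       128     [::]:21             [::]:*
LISTEN  0       128     [::]:80             [::]:*
EOF
}

echo "unexpected: $(sample_ss_output | unexpected_listeners | tr '\n' ' ')"
echo "missing:    $(sample_ss_output | missing_listeners | tr '\n' ' ')"
```

On a live host, pipe `ss -tln` into the functions instead of the sample. A listener is not necessarily reachable from the internet, since the firewall may still filter it; the external scan shows what actually gets through.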

dhardy

(noobie) firewall concern
« Reply #5 on: February 17, 2005, 11:51:48 AM »