# Portscanned domain, does this look reasonably secure?

## audiodef

I portscanned a domain I own. I don't know if this is enough information to go on, but I was wondering if anything leaps out at you that I should fix/close/patch:

```
Not shown: 989 closed ports

PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 5.9p1-hpn13v11 (protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http     Apache httpd
110/tcp   open     pop3     Cyrus pop3d 2.3.16
143/tcp   open     imap     Cyrus imapd 2.3.16
443/tcp   open     ssl/http Apache httpd
587/tcp   open     smtp     Postfix smtpd
993/tcp   open     ssl/imap Cyrus imapd
995/tcp   open     ssl/pop3 Cyrus pop3sd
8000/tcp  open     http     Icecast streaming media server
10025/tcp open     smtp     Postfix smtpd
```

----------

## PaulBredbury

Run sshd on a randomly-chosen port, to easily thwart everyone attacking the default port 22.

Example option in /etc/ssh/sshd_config:

```
Port 2186
```

----------

## Hu

Do you need to offer unencrypted POP/IMAP? If not, you should disable those so that users do not accidentally configure their mail clients to use unencrypted connections.

----------

## Veldrin

Do you really need both - IMAP and POP3? I would choose one (nowadays IMAP) and disable the other completely. That goes in addition to Hu's comment about unencrypted connections.

10025 sounds like a Postfix forward for SpamAssassin or amavisd. IMO those should not be accessible from the outside, but only from localhost.

V.

----------

## audiodef

Thanks for the tips! :)

----------

## msst

Using something like fail2ban to block multiple password scans could also help. Anyone running sshd will likely get attacked in some way. Blocking the IP after 10 failed attempts does help then.

----------

## cach0rr0

concur with Hu and Veldrin

nuke the non-ssl stuff. I personally keep them listening, but only allow access from within my LAN, e.g. I only have iptables allowing 993/995 from the outside, and drop 110/143

and then Postfix - this should be listening on 127.0.0.1:10025, not 0.0.0.0:10025. This postfix listener is only for internal transmission, and should be listening as such.

Otherwise, looks fine. And even ssh, if you're using key-based auth only, 22 is a non-issue. Scan my shit all you like, if you ain't in ~/.ssh/authorized_keys, you ain't getting in.

----------
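The advice from Hu, Veldrin and cach0rr0 can be turned into a repeatable check: the script below (an added example, not code from any poster) parses nmap service lines like the ones in the original post and reports exactly those points, so the scan can be re-run after the changes to confirm they took effect. The finding texts and the sample scan are constructed here; only the port/service pairs come from the thread.

```python
import re

# Constructed sample: the nmap service lines quoted in the original post.
SAMPLE_SCAN = """\
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 5.9p1-hpn13v11 (protocol 2.0)
25/tcp    filtered smtp
80/tcp    open     http     Apache httpd
110/tcp   open     pop3     Cyrus pop3d 2.3.16
143/tcp   open     imap     Cyrus imapd 2.3.16
443/tcp   open     ssl/http Apache httpd
587/tcp   open     smtp     Postfix smtpd
993/tcp   open     ssl/imap Cyrus imapd
995/tcp   open     ssl/pop3 Cyrus pop3sd
8000/tcp  open     http     Icecast streaming media server
10025/tcp open     smtp     Postfix smtpd
"""

# nmap service line: "<port>/<proto>  <state>  <service>  <version...>"
LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def open_ports(scan):
    """Return {port: service} for every line nmap reports as open."""
    ports = {}
    for line in scan.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports

def audit(scan):
    """Apply the thread's recommendations; returns one string per finding."""
    ports = open_ports(scan)
    findings = []
    # Cleartext POP3/IMAP beside their TLS counterparts: close them or LAN-only.
    for clear, tls in ((110, 995), (143, 993)):
        if clear in ports and tls in ports:
            findings.append("%d/tcp: cleartext %s exposed while TLS variant on %d is offered; disable or restrict to LAN" % (clear, ports[clear], tls))
    # 10025 is the usual amavisd/SpamAssassin reinjection port; loopback only.
    if ports.get(10025) == "smtp":
        findings.append("10025/tcp: internal Postfix listener reachable; bind it to 127.0.0.1")
    # Offering both POP3 and IMAP doubles the mail attack surface for no gain.
    if 110 in ports and 143 in ports:
        findings.append("110+143/tcp: both POP3 and IMAP offered; pick one (IMAP) and disable the other")
    # sshd on 22 is fine when password logins are off; flag for a manual check.
    if 22 in ports:
        findings.append("22/tcp: sshd public; confirm key-only auth (PasswordAuthentication no)")
    return findings
```

`audit(SAMPLE_SCAN)` yields five findings for the posted scan; after the fixes only the SSH reminder should remain.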

## audiodef

Yeah, it's key-only, but I didn't know that about the postfix stuff. Thanks! :)

----------

