Every server at AlpineWeb has at least one software firewall to protect your server from malicious connections and communications. The firewall we most commonly use on Linux servers is ConfigServer Security & Firewall (CSF). If you have a Cloud-based Virtual Private Server (VPS), you also have a Cloud firewall that can be configured through your AlpineWeb account.
What do firewalls do?
A firewall looks at anything attempting to access your server and compares it to a set of rules. If the traffic breaks the rules, your firewall won't allow it through. Your firewall can also block certain IP addresses from connecting to your server if it decides they don't follow the rules.
Of course, you do want some traffic, like email, to be delivered to your server. To help direct traffic, different services (like email) use different ports in your firewall. Ports are points of entry, like a "doorway" in your firewall that various services use when communicating with a server. There are many firewall rules in place, and each port has its own set of rules, making your firewall more efficient.
What ports do what?
It's important to open the ports for the services you need, but not to leave unnecessary ports open. Having extra ports open leaves your server vulnerable to attacks. The best practice is to start with all the ports closed and then only open the ones you need. When you set up your server, some ports are automatically opened to make your server work. These include port 53, which lets DNS traffic through. (Without DNS, you'd have no websites at all!)
Here are some common port numbers and the services they primarily work with. Wikipedia has a much longer list of all assigned or commonly used port numbers.
- Port 20: FTP data transfer
- Port 21: FTP control
- Port 22: Secure shell (SSH)
- Port 25: Simple mail transfer protocol (SMTP)
- Port 43: WHOIS protocol
- Port 53: Domain name system (DNS)
- Port 80: Hypertext transfer protocol (HTTP)
- Port 110: Post office protocol v3 (POP3)
- Port 123: Network time protocol (NTP)
- Port 143: Internet message access protocol (IMAP)
- Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
- Port 465: URL Rendezvous Directory for SSM (Cisco)
- Port 587: Email message submission (SMTP)
- Port 993: Internet message access protocol over SSL (IMAPS)
As you can see, there are hundreds of ports used for many different services. Depending on your website, you may need to open or close a port in the firewall for a service to be available. Each port you open makes your server and website more vulnerable to attack. Make sure to research other options before you open a firewall port. And, if you stop using services, be sure to close the ports you no longer need.
Opening and Closing Firewall Ports
The easiest way to open and close firewall ports in CSF is through WHM.
- Log into WHM. You can log into WHM through the AlpineWeb Customer Backroom or by going to:
http://www.my-web-site.com/whm
Remember to replace www.my-web-site.com with your domain.
- ConfigServer Security & Firewall is located in the Plugins section in the left-hand navigation. Or, search for “Firewall” in the search bar. Next, click on ConfigServer Security & Firewall.
- After entering CSF, scroll down and click on Firewall Configuration. This page has all the settings for CSF. This is exactly the same file you'd see if you use the command line interface to edit this configuration file, but laid out graphically.
- Scroll down to IPv4 Port Settings. The important settings are TCP_IN and TCP_OUT.
- Add the port number to TCP_IN to allow incoming traffic on a port.
- Add the port number to TCP_OUT to allow outgoing traffic through a port.
- Remove a port number from TCP_IN to block incoming traffic.
- Remove a port from TCP_OUT to block outgoing traffic.
TCP: Transfer Control Protocol
TCP stands for Transfer Control Protocol. When TCP information packets move around, they have a packet header (kind of like an email header) that tells your firewall important information about the packet. Your firewall uses this header to see if the packet follows the firewall rules.
- Once you've added your ports, scroll to the bottom of the page and click Change.
- Your changes will be confirmed and you will be presented with a button to restart your firewall to put your changes into action. Click Restart csf+lfd.
- CSF will restart and the changes you made will be live. You can click Return at the bottom of the page to go back to the main CSF configuration page.
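To check the result of the steps above against the "only open what you need" rule, the following added example (not part of the original article or of CSF itself) parses the TCP_IN and TCP_OUT settings from the text of the CSF configuration file (typically /etc/csf/csf.conf) and lists ports that are open but not on your own list of needed services. The sample configuration text and the `NEEDED_IN` allowlist are constructed for illustration.

```python
import re

# Constructed sample in csf.conf syntax (not taken from a real server).
SAMPLE_CONF = '''
# IPv4 Port Settings
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,3306,30000:30005"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993"
'''

# Hypothetical allowlist: the inbound services this example server actually runs.
NEEDED_IN = {22, 25, 53, 80, 443, 587, 993}


def parse_ports(conf_text, key):
    """Return the set of ports listed for `key` (e.g. TCP_IN), expanding lo:hi ranges."""
    # Anchoring at line start skips commented-out settings such as '# TCP_IN = ...'.
    m = re.search(rf'^\s*{re.escape(key)}\s*=\s*"([^"]*)"', conf_text, re.MULTILINE)
    if m is None:
        raise KeyError(f"{key} not found")
    ports = set()
    for item in filter(None, (p.strip() for p in m.group(1).split(","))):
        lo, _, hi = item.partition(":")   # CSF writes port ranges as low:high
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port entry in {key}: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def audit(conf_text, key, needed):
    """Compare the ports opened by `key` with the allowlist `needed`."""
    open_ports = parse_ports(conf_text, key)
    return {
        "unneeded": sorted(open_ports - needed),  # open but not needed: candidates to close
        "missing": sorted(needed - open_ports),   # needed but currently blocked
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONF, "TCP_IN", NEEDED_IN)
    print("Open but not needed:", result["unneeded"])
    print("Needed but closed:  ", result["missing"])
```

Run it against a copy of your own configuration text after each change; anything reported as open but not needed is a port to remove from TCP_IN in the Firewall Configuration page.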