# Critical Ports to Secure

| Port | Service | Risk Level | Common Attacks |
|---|---|---|---|
| 21 | FTP | High | Unencrypted transmission, brute force, bounce attacks |
| 22 | SSH | Medium | Brute force, weak credentials, exploits |
| 23 | Telnet | Critical | Unencrypted, credential sniffing, MitM |
| 25 | SMTP | Medium | Spam relay, email spoofing |
| 53 | DNS | Medium | DNS amplification, cache poisoning, zone transfer |
| 80 | HTTP | Medium | MitM, session hijacking, XSS, injection |
| 443 | HTTPS | Low | SSL/TLS vulnerabilities, weak ciphers |
| 445 | SMB | High | EternalBlue, ransomware, lateral movement |
| 3306 | MySQL | High | Unauthorized access, SQL injection, data theft |
| 3389 | RDP | High | Brute force, BlueKeep, credential theft |
| 5432 | PostgreSQL | High | Unauthorized access, SQL injection |
| 6379 | Redis | High | Unauthorized access, data exfiltration |
| 27017 | MongoDB | High | Unauthorized access, ransomware |
# Port-Specific Security Hardening

## Port 22 - SSH

Service: Secure Shell
Risk: Brute force attacks, weak credentials

Hardening Steps:

```text
# /etc/ssh/sshd_config
# 1. Change the default port (update firewall rules, and on SELinux systems
#    the port allowed for sshd, before restarting)
Port 2222
# 2. Disable root login
PermitRootLogin no
# 3. Use key-based authentication only (set this only after a key login has
#    been verified from a second session, or you lock yourself out)
PasswordAuthentication no
PubkeyAuthentication yes
# 4. Limit user access (replace with the real login names)
AllowUsers username1 username2
# 5. Disable empty passwords
PermitEmptyPasswords no
# 6. Set login grace time (seconds to complete authentication)
LoginGraceTime 30
# 7. Max authentication attempts per connection
MaxAuthTries 3
# 8. Use protocol 2 only. Needed on OpenSSH older than 7.4; modern OpenSSH
#    speaks only SSH-2 and logs this directive as an unsupported option
Protocol 2
```

```bash
# Check the syntax first with "sshd -t"; a broken config blocks new logins.
# Restart SSH service (the unit is named "ssh" on Debian/Ubuntu)
sudo systemctl restart sshd
```

Additional Security:
• Install fail2ban to block sources with repeated failed attempts
• Use key-based authentication with strong passphrases
• Restrict source IPs at the firewall (allow-list) where possible
• Enable two-factor authentication (2FA)
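To check that a server actually carries these settings, here is an added example (not part of this guide and not OpenSSH code) that parses sshd_config text and reports every directive that is missing or weaker than the values above. It assumes OpenSSH's first-occurrence-wins semantics and the defaults of OpenSSH 7.x and later; the sample config, the `audit` and `parse_sshd_config` names and the finding format are all constructed for the example.

```python
"""Audit sshd_config text against the hardening directives above.

Added example for this guide, not OpenSSH code. The sample config below is
constructed; call audit() on the contents of /etc/ssh/sshd_config to use it.
"""
from __future__ import annotations

# Values recommended above, keyed by directive name in lower case
# (sshd matches directive names case-insensitively).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "logingracetime": "30",
    "maxauthtries": "3",
}

# What sshd uses when a directive is absent (OpenSSH 7.x and later defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "logingracetime": "120",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return {directive: value} for the global section of an sshd_config.

    sshd honours the *first* occurrence of a directive, so later duplicates
    are ignored here too. Everything after the first Match block applies only
    to matching connections, not to the global policy, so parsing stops there.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def grace_seconds(value: str) -> int:
    """LoginGraceTime takes plain seconds or a suffixed form such as 2m."""
    units = {"s": 1, "m": 60, "h": 3600}
    suffix = value[-1].lower()
    if suffix in units:
        return int(value[:-1]) * units[suffix]
    return int(value)


def audit(text: str) -> list[str]:
    """Return one finding per weak or missing setting; empty means all checks passed."""
    cfg = parse_sshd_config(text)
    findings: list[str] = []
    for key, want in EXPECTED.items():
        got = cfg.get(key, DEFAULTS[key])
        if key == "logingracetime":
            # 0 disables the limit entirely, so it must not pass as "below 30"
            ok = 0 < grace_seconds(got) <= grace_seconds(want)
        elif key == "maxauthtries":
            ok = int(got) <= int(want)
        else:
            ok = got.lower() == want
        if not ok:
            source = "explicit" if key in cfg else "default"
            findings.append(f"{key}: {got} ({source}), recommended {want}")
    if cfg.get("port", "22") == "22":
        findings.append("port: 22 (default); pair a non-default port with firewall rules")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("allowusers/allowgroups: unset; every local account may log in")
    return findings


# Constructed sample: partially hardened, with a duplicate directive and a Match block.
SAMPLE = """\
# sshd_config (constructed for this example)
Port 22
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 3
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["all checks passed"]:
        print(finding)
```

On the sample, the duplicate `MaxAuthTries 10` is correctly ignored and four findings come back (password authentication on, the default 120 second grace time, the default port, and no user allow-list). For the configuration sshd actually resolves, including Match blocks and included files, `sshd -T` prints the effective values and can be fed to the same parser.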
## Port 3389 - RDP (Remote Desktop Protocol)

Service: Windows Remote Desktop
Risk: Brute force, BlueKeep vulnerability, credential theft

Hardening Steps:

```powershell
# Run from an elevated PowerShell session
# 1. Require Network Level Authentication (NLA): the client must authenticate
#    before a session is created on the server
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
# 2. Change the default port (optional; obscurity is not a control on its own,
#    and any firewall rule must then reference the new port). The change takes
#    effect after the TermService service restarts.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value 3390
# 3. Allow RDP only from a specific management address. The built-in
#    "Remote Desktop" rule group still accepts any source, so scope or disable
#    that group too, otherwise this rule restricts nothing.
New-NetFirewallRule -DisplayName "RDP-Restricted" -Direction Inbound -LocalPort 3389 -Protocol TCP -RemoteAddress 192.168.1.100 -Action Allow
# 4. Disable RDP entirely if it is not needed
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 1
```

Additional Security:
• Use a VPN instead of exposing RDP to the internet
• Implement account lockout policies
• Use strong, unique passwords
• Enable Windows Defender Credential Guard
• Keep Windows patched (especially for BlueKeep)
## Port 445 - SMB (Server Message Block)

Service: File sharing (Windows)
Risk: EternalBlue, ransomware, WannaCry, lateral movement

Hardening Steps:

```powershell
# Run from an elevated PowerShell session
# 1. Disable SMBv1, the protocol version EternalBlue targets. This cmdlet is
#    for client editions; on Windows Server turn it off through
#    Set-SmbServerConfiguration -EnableSMB1Protocol $false instead.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# 2. Verify SMBv1 is disabled (expect EnableSMB1Protocol : False)
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
# 3. Require SMB signing (-Force skips the confirmation prompt)
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
# 4. Require SMB encryption (SMB 3.0+ clients only; older clients are refused)
Set-SmbServerConfiguration -EncryptData $true -Force
# 5. Block inbound 445 on the Public profile (untrusted networks) so that
#    domain and private networks keep working
New-NetFirewallRule -DisplayName "Block SMB" -Direction Inbound -LocalPort 445 -Protocol TCP -Profile Public -Action Block
```

Additional Security:
• Never expose SMB to the internet
• Use a VPN for remote file access
• Implement strong authentication
• Apply Windows updates regularly
• Monitor for unusual SMB traffic
## Port 3306 - MySQL

Service: MySQL Database
Risk: Unauthorized access, SQL injection, data theft

Hardening Steps:

```ini
# MySQL configuration (/etc/mysql/my.cnf or a file under /etc/mysql/mysql.conf.d/)
[mysqld]
# 1. Bind to localhost only (if remote access is not needed)
bind-address = 127.0.0.1
```

```sql
-- Run in the MySQL console as root. These are the statements
-- mysql_secure_installation issues; on MySQL 8 prefer DROP USER for accounts.
-- 2. Remove remote root accounts
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
FLUSH PRIVILEGES;
-- 3. Remove anonymous users
DELETE FROM mysql.user WHERE User='';
FLUSH PRIVILEGES;
-- 4. Remove the test database and its grant-table rows
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
-- 5. Set a strong root password (placeholder value; generate your own)
ALTER USER 'root'@'localhost' IDENTIFIED BY 'StrongP@ssw0rd!';
-- 6. Create a least-privilege application account instead of using root
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'StrongP@ss';
GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;
```

Firewall Rules:

```bash
# Only allow a specific address if remote access is needed
sudo ufw allow from 192.168.1.100 to any port 3306
# Or block external access entirely (redundant while bind-address is
# 127.0.0.1, but it still protects against a later configuration change)
sudo ufw deny 3306
```
## Port 27017 - MongoDB

Service: MongoDB Database
Risk: Unauthorized access, ransomware attacks, data exposure

Hardening Steps:

```yaml
# MongoDB configuration (/etc/mongod.conf); restart mongod after editing.
# The net section may appear only once in YAML, so bindIp and TLS live together.
# 1. Bind to localhost (add specific interface addresses, comma-separated, if needed)
net:
  bindIp: 127.0.0.1
  port: 27017
  # 5. Require TLS. net.tls replaced the net.ssl keys in MongoDB 4.2;
  #    on older releases use ssl.mode: requireSSL and ssl.PEMKeyFile.
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/mongodb.pem
# 2. Enable authentication (create the admin user first, or rely on the
#    localhost exception for the first connection after enabling it)
security:
  authorization: enabled
```

```javascript
// Run in mongosh (or the legacy mongo shell)
// 3. Create the admin user
use admin
db.createUser({
  user: "admin",
  pwd: "StrongP@ssw0rd!",   // placeholder; use a generated secret
  roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
})
// 4. Create an application user limited to its own database
use mydb
db.createUser({
  user: "appuser",
  pwd: "AppP@ssw0rd!",      // placeholder
  roles: [ { role: "readWrite", db: "mydb" } ]
})
```
# General Port Security Best Practices

## 1. Port Scanning & Discovery

```bash
# Scan your own system for open ports (SYN scan plus service detection; needs root).
# Scanning localhost also shows loopback-only services; scan from another host
# to see what is reachable over the network.
sudo nmap -sS -sV localhost
# List listening TCP/UDP sockets with the owning process (netstat is deprecated on most distros)
sudo netstat -tulpn
# Same with ss, the modern replacement
sudo ss -tulpn
# Cross-check via open file descriptors (Linux)
sudo lsof -i -P -n | grep LISTEN
```
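Reading `ss -tulpn` by eye does not scale, and the interesting question is which listeners are bound to every interface rather than to loopback. The following is an added example (not part of this guide, not part of ss or nmap) that parses that output and cross-checks each wildcard listener against the port table at the top of the guide. The `ss` output embedded below is constructed, and the `parse_ss` / `risky_listeners` names are the example's own.

```python
"""Flag exposed listeners in `ss -tulpn` output using the port table above.

Added example for this guide, not part of ss or nmap. SAMPLE_SS is constructed
output; for a live host pass the real text, for example
risky_listeners(subprocess.check_output(["ss", "-tulpn"], text=True)).
"""
from __future__ import annotations
from dataclasses import dataclass

# port -> (service, risk level), copied from the table at the top of the guide
PORT_RISK = {
    21: ("FTP", "High"), 22: ("SSH", "Medium"), 23: ("Telnet", "Critical"),
    25: ("SMTP", "Medium"), 53: ("DNS", "Medium"), 80: ("HTTP", "Medium"),
    443: ("HTTPS", "Low"), 445: ("SMB", "High"), 3306: ("MySQL", "High"),
    3389: ("RDP", "High"), 5432: ("PostgreSQL", "High"), 6379: ("Redis", "High"),
    27017: ("MongoDB", "High"),
}
# Local-address forms ss prints for "every interface"
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}
SEVERITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Listener:
    proto: str
    host: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """True when bound to all interfaces rather than loopback or one address."""
        return self.host in WILDCARD


def parse_ss(output: str) -> list[Listener]:
    """Parse the table ss -tulpn prints: a header line, then one socket per line."""
    listeners: list[Listener] = []
    for line in output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, state, local = cols[0], cols[1], cols[4]
        if proto == "tcp" and state != "LISTEN":
            continue  # -l already filters, but be explicit about what is counted
        host, _, port = local.rpartition(":")
        host = host.split("%", 1)[0]  # strip a scope suffix such as %lo
        process = cols[6] if len(cols) > 6 else "-"
        if process.startswith("users:"):
            process = process.split('"')[1]  # users:(("sshd",pid=812,fd=3)) -> sshd
        listeners.append(Listener(proto, host, int(port), process))
    return listeners


def risky_listeners(output: str) -> list[str]:
    """One finding per listener bound to all interfaces, highest risk first."""
    hits = []
    for lst in parse_ss(output):
        if not lst.exposed:
            continue
        service, level = PORT_RISK.get(lst.port, ("unlisted service", "Review"))
        msg = f"{lst.proto}/{lst.port} {service} ({level}) bound to all interfaces: {lst.process}"
        hits.append((SEVERITY.get(level, 4), msg))
    # stable sort keeps ss's own order inside each severity
    return [msg for _, msg in sorted(hits, key=lambda h: h[0])]


# Constructed sample in the layout ss -tulpn uses; 8080 is deliberately not in the table
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306       0.0.0.0:*         users:(("mysqld",pid=1011,fd=21))
tcp   LISTEN 0      511    *:6379               *:*               users:(("redis-server",pid=1200,fd=6))
tcp   LISTEN 0      128    0.0.0.0:27017        0.0.0.0:*         users:(("mongod",pid=1300,fd=11))
tcp   LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=12))
tcp   LISTEN 0      4096   0.0.0.0:8080         0.0.0.0:*         users:(("python3",pid=1400,fd=5))
"""

if __name__ == "__main__":
    for finding in risky_listeners(SAMPLE_SS) or ["no listener is bound to all interfaces"]:
        print(finding)
```

On the sample, MySQL on 127.0.0.1 and the stub resolver on 127.0.0.53 are silent, while Redis and MongoDB on all interfaces come first; a port the table does not list is still reported so that it gets reviewed rather than ignored.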
## 2. Firewall Configuration

```bash
# UFW (Ubuntu/Debian): deny inbound by default, then allow only what is needed
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

# iptables (advanced). Add the accept rules before switching the INPUT policy
# to DROP; in the opposite order the SSH session you are working from is cut
# off until the ESTABLISHED rule exists. Rules do not survive a reboot on
# their own (save them with iptables-save or iptables-persistent).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
```

```powershell
# Windows Firewall (elevated PowerShell)
New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "Allow HTTPS" -Direction Inbound -LocalPort 443 -Protocol TCP -Action Allow
```
## 3. Close Unnecessary Ports

```bash
# Stop and disable unused services (Linux); disable keeps them from starting at boot
sudo systemctl stop service_name
sudo systemctl disable service_name
```

```powershell
# Windows
Stop-Service -Name "ServiceName"
Set-Service -Name "ServiceName" -StartupType Disabled
```
# Security Checklist

☐ Scan for open ports regularly
☐ Close all unnecessary ports
☐ Use firewall to restrict access
☐ Change default ports where appropriate
☐ Implement strong authentication
☐ Enable encryption (TLS/SSL)
☐ Use VPN for remote access to sensitive services
☐ Monitor logs for unauthorized access attempts
☐ Keep all services updated
☐ Implement intrusion detection (fail2ban, etc.)
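The last two checklist items, monitoring logs and running fail2ban, come down to one rule: ban a source once it has produced `maxretry` failures inside a `findtime` window. As an added example (not part of this guide, and not fail2ban's own code), the script below applies that rule to constructed `/var/log/auth.log` lines and renders the `ufw deny` rule the guide uses elsewhere. The source addresses are from the RFC 5737 documentation ranges, the year is assumed because syslog timestamps omit it, and the `find_brute_force` / `ban_commands` names are the example's own.

```python
"""Count failed SSH logins per source and flag sources that exceed a threshold,
the rule fail2ban's sshd jail applies (maxretry failures within findtime).

Added example for this guide, not fail2ban code. SAMPLE_LOG is constructed.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime

# "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def parse_ts(stamp: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; one is assumed (the sample uses 2024)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_brute_force(log: str, maxretry: int = 3, findtime: int = 600) -> dict[str, datetime]:
    """Return {ip: time of the failure that crossed the threshold}.

    A deque per source keeps only failures inside the last `findtime` seconds,
    so a slow trickle spread over hours never reaches `maxretry` and is not banned.
    """
    recent: dict[str, deque] = defaultdict(deque)
    banned: dict[str, datetime] = {}
    for line in log.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, when = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = when
    return banned


def ban_commands(banned: dict[str, datetime]) -> list[str]:
    """Render the ufw rule used earlier in the guide, one per offending source."""
    return [f"sudo ufw deny from {ip} to any port 22" for ip in sorted(banned)]


# Constructed auth.log excerpt: one fast burst (203.0.113.7), one legitimate user
# with a single typo (198.51.100.4) and one slow trickle 20 minutes apart (192.0.2.9).
SAMPLE_LOG = """\
Mar  3 10:00:00 host sshd[2101]: Failed password for root from 192.0.2.9 port 50100 ssh2
Mar  3 10:15:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 host sshd[2213]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:05 host sshd[2215]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:15:40 host sshd[2220]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:placeholder
Mar  3 10:16:02 host sshd[2222]: Failed password for alice from 198.51.100.4 port 40030 ssh2
Mar  3 10:20:00 host sshd[2230]: Failed password for root from 192.0.2.9 port 50200 ssh2
Mar  3 10:25:11 host sshd[2240]: Failed password for root from 203.0.113.7 port 51300 ssh2
Mar  3 10:40:00 host sshd[2250]: Failed password for root from 192.0.2.9 port 50300 ssh2
"""

if __name__ == "__main__":
    for cmd in ban_commands(find_brute_force(SAMPLE_LOG)):
        print(cmd)
```

With the defaults above only 203.0.113.7 is banned, at its third failure; widening `findtime` to an hour also catches the slow trickle from 192.0.2.9, which is the trade-off the findtime knob controls (fail2ban's shipped jail.conf uses maxretry = 5 and findtime = 10m). A production deployment should also unban after a bantime and read the journal rather than a text file, which is exactly what fail2ban adds on top of this rule.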