Updated on 2022-12-12 GMT+08:00

Best Practices in Enabling High-Risk Ports

To safeguard your Huawei Cloud resources and set up a secure access channel to them, we recommend the following security policies for enabling high-risk ports. A high-risk port is one on which a management, database, file-sharing, or similar service listens; if it is opened to all source addresses, anyone on the Internet can attempt to log in to or exploit that service.

Configuring Security Groups and Network ACL to Control Inbound Access

Security groups filter traffic for the ECSs that belong to them, and network ACLs filter traffic for the subnets they are associated with. Review the inbound rules of both so that no high-risk port is reachable from an arbitrary source address.

  1. Go to the Security Groups page.

    1. Log in to the management console.
    2. In the upper left corner of the management console, select a region and a project.
    3. Open the service list and choose Network > Virtual Private Cloud.
    4. In the navigation pane on the left, choose Access Control > Security Groups.

  2. Check each security group and delete high-risk port inbound rules.

    1. On the Security Groups page, locate a security group and click Manage Rule in the Operation column.
      Figure 1 Security Groups page
    2. Click the Inbound Rules tab, check for the protocols and ports listed in Table 1, and find each rule whose Action is Allow and whose Source is 0.0.0.0/0 (or ::/0 for IPv6). Also check rules whose port is set to All or to a wide range such as 1-65535, because those open every port in Table 1 at once.
      Figure 2 Checking security group policies
      Table 1 High-risk ports

      Protocol: Port                          Service
      TCP: 20, 21                             File Transfer Protocol (FTP)
      TCP: 22                                 Secure Shell (SSH)
      TCP: 23                                 Telnet (remote terminal protocol)
      TCP: 25                                 Simple Mail Transfer Protocol (SMTP)
      TCP/UDP: 53                             Domain Name System (DNS)
      UDP: 69                                 Trivial File Transfer Protocol (TFTP)
      TCP: 110                                Post Office Protocol 3 (POP3)
      TCP/UDP: 111, 2049                      Network File System (NFS) and portmapper
      UDP: 137; TCP: 139, 445                 Server Message Block (SMB) and NetBIOS
      TCP: 143                                Internet Message Access Protocol (IMAP)
      TCP: 389                                Lightweight Directory Access Protocol (LDAP)
      TCP: 512-514                            rexec, rlogin, rsh (Berkeley r-commands)
      TCP: 873                                Rsync (file synchronization daemon)
      TCP/UDP: 1194                           OpenVPN (VPN; UDP by default)
      TCP: 1352                               Lotus Notes/Domino
      TCP: 1433                               SQL Server (database)
      TCP: 1500                               ISPmanager (server control panel)
      TCP: 1521                               Oracle (database)
      TCP: 1723                               Point-to-Point Tunneling Protocol (PPTP) control channel
      TCP: 2082-2083                          cPanel (web hosting control panel)
      TCP: 2181                               ZooKeeper (coordination service for distributed systems)
      TCP: 2601-2604                          Zebra (routing daemon)
      TCP: 3128                               Squid (caching proxy)
      TCP: 3306                               MySQL (database)
      TCP: 3311-3312                          kangle (web server)
      TCP: 3389                               Remote Desktop Protocol (RDP)
      TCP: 3690                               Subversion (SVN, version control)
      TCP: 4848                               GlassFish (application server)
      TCP: 5000                               Sybase/DB2 (database)
      TCP: 5432                               PostgreSQL (database)
      TCP: 5900-5902                          Virtual Network Computing (VNC)
      TCP: 5984                               CouchDB (database)
      TCP: 6379                               Redis (database)
      TCP: 7001-7002                          WebLogic (application server)
      TCP: 7000, 7001, 7199, 9042, 9160       Apache Cassandra
      TCP: 7778                               Kloxo (virtual host management system)
      TCP: 8000                               Ajenti (Linux server management panel)
      TCP: 8069                               Zabbix (system and network monitoring)
      TCP: 8080, 28015, 29015                 RethinkDB
      TCP: 8080-8089                          Jenkins and JBoss (application server)
      TCP: 8088, 50010, 50020, 50030, 50070   Hadoop (HDFS and YARN services)
      TCP: 8443                               Plesk (virtual server management panel)
      TCP: 9080-9081, 9090                    WebSphere (application server)
      TCP: 9200, 9300                         Elasticsearch (Lucene search server)
      TCP/UDP: 11211                          Memcached (cache system)
      TCP: 27017-27018                        MongoDB (database)
      TCP: 50000                              SAP Management Console
      TCP: 60010, 60030                       HBase

    3. Check for and eliminate high-risk port policies. You can click Modify or Delete in the Operation column.
      Figure 3 High-risk port policies for security groups
      • Delete the Allow rules for ports that do not need to be reachable from the external network.
      • If certain external IP addresses must have access, set Source to those whitelisted addresses or CIDR blocks rather than 0.0.0.0/0. For details, see Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group.
      • Do not open high-risk ports to all IP addresses. A rule that allows all protocols and all ports from 0.0.0.0/0 exposes every port in Table 1, even though none of them appears in the rule explicitly.

  3. In the navigation pane on the left, choose Access Control > Network ACLs.
  4. Check all the network ACLs that are enabled and associated with subnets. Delete high-risk port policies from the inbound rules.

    1. In the network ACL list, locate a network ACL and click Manage Rule in the Operation column.
      Figure 4 Network ACL page
    2. Click the Inbound Rules tab, check for the protocols and ports listed in Table 1, and find each rule whose Action is Allow and whose Source is 0.0.0.0/0 (or ::/0 for IPv6). Rules whose port is set to All or to a wide range such as 1-65535 open every port in Table 1 as well.
      Figure 5 Checking network ACL policies
    3. Check for and eliminate high-risk port policies. You can click Modify or Delete in the Operation column.
      • Delete the Allow rules for ports that do not need to be reachable from the external network.
      • If certain external IP addresses must have access, set Source to those whitelisted addresses or CIDR blocks rather than 0.0.0.0/0.
      • Do not open high-risk ports to all IP addresses. Because a network ACL applies to every ECS in its associated subnets, an Allow rule for 0.0.0.0/0 removes the subnet-level protection for all of them, leaving each ECS's security group as the only remaining filter.
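The manual check in the two procedures above (find Allow rules with Source 0.0.0.0/0 or ::/0 whose port overlaps Table 1, including all-port rules) can be scripted once the rules have been exported. The following is an added example written for this page, not Huawei Cloud's own tooling or API: the rule dictionaries use a constructed, simplified shape (id, action, protocol, ports, source) that is an assumption, and the sample rules are made up; real exported security group or network ACL rules must be mapped onto those keys. It covers a representative subset of Table 1 and handles the edge cases the steps warn about: IPv6 any-source, all-ports rules, port ranges that only partly overlap a high-risk range, protocol "any", and Deny rules that should not be reported.

```python
"""Audit inbound rules for high-risk ports exposed to any source address.

Added example, not Huawei Cloud code. The rule dictionaries use a constructed,
simplified shape (an assumption): map exported security-group or network-ACL
rules onto the keys id, action, protocol, ports and source before running it.
"""
import ipaddress

# Subset of Table 1. A port entry is a single int or an inclusive (lo, hi) range.
HIGH_RISK = {
    "ftp": ("tcp", [20, 21]),
    "ssh": ("tcp", [22]),
    "telnet": ("tcp", [23]),
    "dns": ("tcp/udp", [53]),
    "tftp": ("udp", [69]),
    "smb": ("tcp", [139, 445]),
    "mysql": ("tcp", [3306]),
    "rdp": ("tcp", [3389]),
    "postgresql": ("tcp", [5432]),
    "vnc": ("tcp", [(5900, 5902)]),
    "redis": ("tcp", [6379]),
    "elasticsearch": ("tcp", [9200, 9300]),
    "memcached": ("tcp/udp", [11211]),
    "mongodb": ("tcp", [(27017, 27018)]),
}


def is_world_open(source):
    """True for 0.0.0.0/0 or ::/0; False for a narrower CIDR or for a
    non-CIDR source such as a security-group reference."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def _protocol_matches(rule_proto, risk_proto):
    rule_proto = (rule_proto or "any").lower()
    if rule_proto in ("any", "all", "*"):
        return True
    return rule_proto in risk_proto.split("/")


def port_range(ports):
    """Parse '22' or '5900-6000'; an empty or 'all' value means every port."""
    if not ports or str(ports).lower() in ("all", "*"):
        return (1, 65535)
    lo, _, hi = str(ports).partition("-")
    return (int(lo), int(hi or lo))


def find_exposed(rules):
    """Return (rule_id, service, exposed_ports) for every Allow rule whose
    source is 0.0.0.0/0 or ::/0 and whose port range overlaps a high-risk
    port. An all-ports rule therefore reports every service in HIGH_RISK."""
    findings = []
    for rule in rules:
        if rule.get("action", "allow").lower() != "allow":
            continue  # Deny rules do not expose anything
        if not is_world_open(rule.get("source", "")):
            continue  # whitelisted source: acceptable per the procedure
        lo, hi = port_range(rule.get("ports"))
        for service, (risk_proto, ports) in HIGH_RISK.items():
            if not _protocol_matches(rule.get("protocol"), risk_proto):
                continue
            for entry in ports:
                plo, phi = (entry, entry) if isinstance(entry, int) else entry
                if plo <= hi and lo <= phi:  # the two ranges overlap
                    findings.append((rule["id"], service,
                                     f"{max(lo, plo)}-{min(hi, phi)}"))
    return findings


# Constructed sample rules (not taken from a real account).
SAMPLE_RULES = [
    {"id": "r1", "action": "allow", "protocol": "tcp", "ports": "22", "source": "203.0.113.0/24"},
    {"id": "r2", "action": "allow", "protocol": "tcp", "ports": "3389", "source": "0.0.0.0/0"},
    {"id": "r3", "action": "allow", "protocol": "any", "ports": "", "source": "::/0"},
    {"id": "r4", "action": "allow", "protocol": "tcp", "ports": "443", "source": "0.0.0.0/0"},
    {"id": "r5", "action": "deny", "protocol": "tcp", "ports": "6379", "source": "0.0.0.0/0"},
    {"id": "r6", "action": "allow", "protocol": "tcp", "ports": "5900-6000", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for rule_id, service, exposed in find_exposed(SAMPLE_RULES):
        print(f"{rule_id}: {service} port(s) {exposed} reachable from any address")
```

On the sample rules, r1 (SSH restricted to a whitelisted /24), r4 (HTTPS, not in Table 1) and r5 (a Deny rule) produce no findings; r2 reports RDP, r6 reports the VNC range inside its wider 5900-6000 allowance, and r3, which allows all protocols and all ports from ::/0, reports every service in the list, which is the case the bullets above describe as the most dangerous.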

Using VPN/IPsec to Control Internal Access to Ports

By default, ECSs in a VPC cannot communicate with your physical data center or private network. To connect ECSs in a VPC to your data center or private network, use Huawei Cloud Virtual Private Network (VPN), which carries the traffic over an IPsec tunnel. Once the tunnel is up, management and database ports such as 22, 3389, and 3306 are reachable through the private address space, so their security group rules can name your on-premises CIDR block as the Source instead of 0.0.0.0/0, and the ports need not be exposed to the Internet at all.

Using Huawei Cloud Native Services to Enhance Security

Our cloud native services provide a range of features to enhance security.

Databases

Relational Database Service (RDS) provides a comprehensive performance monitoring system, implements a range of security measures, and offers a professional database management platform, allowing you to easily configure and scale databases on the cloud. On the RDS console you can perform almost all necessary tasks without programming, which simplifies operations and reduces routine O&M workloads so you can stay focused on application and service development. Because an RDS instance is reached inside your VPC and protected by its own security group, the database ports in Table 1 (for example 3306, 5432, and 1433) do not have to be opened to the Internet on an ECS.

Application middleware

Distributed Cache Service (DCS) provides multiple features to improve the reliability and security of tenant data, such as VPC, security group, whitelist, SSL encrypted connection for public network access, automatic backup, data snapshot, and cross-AZ deployment.