Best Practices in Enabling High-Risk Ports
To safeguard your Huawei Cloud resources and set up a secure access channel to them, we recommend the following security policies when enabling high-risk ports.
Configuring Security Groups and Network ACL to Control Inbound Access
You can configure inbound rules in security groups and network ACLs to protect the ECSs in the security group and the subnets associated with the network ACL.
- Go to the Security Groups page.
  - Log in to the management console.
  - Click in the upper left corner of the management console and select a region and a project.
  - In the navigation pane on the left, click and choose Network > Virtual Private Cloud.
  - In the navigation pane on the left, choose Access Control > Security Groups.
- Check each security group and delete high-risk port inbound rules.
  - On the Security Groups page, locate a security group and click Manage Rule in the Operation column.
Figure 1 Security Groups page
  - Click the Inbound Rules tab, check for the protocols and ports listed in Protocol & Port in Table 1, and find any rule whose Action is Allow and Source is 0.0.0.0/0.
Figure 2 Checking security group policies
Table 1 High-risk ports
Protocol & Port | Service
TCP: 20, 21 | File Transfer Protocol (FTP)
TCP: 3306 | MySQL (database)
TCP: 22 | Secure Shell (SSH)
TCP: 3389 | Windows Remote Desktop Protocol (RDP)
TCP: 23 | Telnet (remote terminal protocol)
TCP: 3690 | Subversion (SVN, an open-source version control system)
TCP: 25 | Simple Mail Transfer Protocol (SMTP)
TCP: 4848 | GlassFish (application server)
TCP/UDP: 53 | Domain Name System (DNS)
TCP: 5000 | Sybase/DB2 (database)
TCP: 69 | Trivial File Transfer Protocol (TFTP)
TCP: 5432 | PostgreSQL (database)
TCP: 110 | Post Office Protocol 3 (POP3)
TCP: 5900-5902 | Virtual Network Console (VNC)
TCP: 111, 2049 | Network File System (NFS)
TCP: 5984 | CouchDB (database)
TCP: 137, 139, 445 | Server Message Block (SMB) protocol (NetBIOS)
TCP: 6379 | Redis (database)
TCP: 143 | Internet Message Access Protocol (IMAP)
TCP: 7001-7002 | WebLogic (web app system)
TCP: 389, 636 | Lightweight Directory Access Protocol (LDAP)
TCP: 7199, 7000, 7001, 9160, 9042 | Apache Cassandra
TCP: 512-514 | Linux rexec (remote login)
TCP: 7778 | Kloxo (virtual host management system)
TCP: 873 | Rsync (data image backup tool)
TCP: 8000 | Ajenti (Linux server management panel)
TCP: 1194 | OpenVPN (virtual private channel)
TCP: 8069, 10050-10051 | Zabbix (system network monitoring)
TCP: 1352 | Lotus
TCP: 8443 | Plesk (virtual server management panel)
TCP: 1433 | SQL Server (database management system)
TCP: 8080, 28015, 29015 | RethinkDB
TCP: 1521 | Oracle (database)
TCP: 8080-8089 | Jenkins and JBoss (application server)
TCP: 1500 | ISPmanager (server control panel)
TCP: 8088, 50010, 50020, 50030, 50070 | Hadoop (distributed file system)
TCP: 1723 | Point-to-Point Tunneling Protocol (PPTP)
TCP: 8848, 9848, 9849, 7848 | Nacos service
TCP: 2082-2083 | cPanel (VM control system)
TCP: 9080-9081, 9090 | WebSphere (application server)
TCP: 2181 | ZooKeeper (reliable coordination service for distributed systems)
TCP: 9200, 9300 | Elasticsearch (Lucene search server)
TCP: 2601-2604 | Zebra (route)
TCP: 11211 | Memcached (cache system)
TCP: 3128 | Squid (caching proxy)
TCP: 27017-27018 | MongoDB (database)
TCP: 3311-3312 | kangle (web server)
TCP: 50000 | SAP Management Console
TCP: 8080 | DisConf (distributed configuration management platform)
TCP: 60010, 60030 | HBase
TCP: 8888 | Spring Cloud Config (distributed configuration center)
TCP: 3000 | Grafana (data visualization)
TCP: 8761 | Eureka (service registration and discovery component)
TCP: 8983 | Solr (open-source enterprise-search platform)
TCP: 8500, 8502 | Consul (service registration and discovery component)
TCP: 3123-3124, 8081, 6123 | Flink (big data processing platform)
TCP: 8070, 8080 | Apollo (distributed configuration management platform)
TCP: 4040, 7077, 8080-8081 | Spark (big data processing platform)
TCP: 8090 | Diamond (distributed configuration management system)
TCP: 8080, 11800, 12800 | SkyWalking (distributed system monitoring)
TCP: 2379-2380 | Etcd (distributed key-value storage system)
TCP: 8080 | WebTTY (Web TTY management page)
TCP: 15672 | RabbitMQ (message queue)
TCP: 80, 443 | NextCloud (private network hard disk)
TCP: 8161, 61616 | ActiveMQ (message queue)
TCP: 9001, 9090 | Minio (cloud storage management tool)
TCP: 8083, 8086, 8635 | InfluxDB (time series database)
TCP: 18083 | EMQX (IoT access platform)
TCP: 6030-6032, 6041 | TDengine (time series database)
TCP: 1090, 1099 | Java-RMI protocol (Java remote method invocation protocol)
TCP: 9092-9095, 9999 | Kafka (distributed stream processing platform)
TCP: 8000 | JDWP (Java remote debugging interface)
TCP: 2375 | Docker (application container engine)
TCP: 8009 | Tomcat AJP protocol (binary communication protocol)
TCP: 5601 | Kibana (data visualization)
TCP: 8888 | Jupyter Notebook (web applications for interactive computing)
TCP: 177 | xmanager/xwin (Linux remote GUI)
TCP: 6443, 8443, 10250-10256 | Kubernetes (container orchestration engine)
TCP: 8081 | Nexus (repository manager)
TCP: 80/443, 8080 | GitLab (code hosting platform)
UDP: 161, 162 | Simple Network Management Protocol (SNMP)
TCP: 5555 | ADB (Android debugging tool)
TCP: 1883, 8883 | MQTT (IoT message protocol)
TCP: 6000-6063 | X11 (Linux remote GUI)
TCP: 8888 | Napster (P2P file sharing protocol)
  - Check for and eliminate high-risk port policies. You can click Modify or Delete in the Operation column.
Figure 3 High-risk port policies for security groups
    - You are advised to delete the Allow policies for ports that do not need to be open to the external network.
    - To allow external access from certain IP addresses, you are advised to set Source to the IP addresses in the whitelist. For details, see Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group.
    - You are not advised to enable high-risk port policies for all IP addresses.
  - Repeat the preceding steps for each remaining security group.
- In the navigation pane on the left, choose Access Control > Network ACLs.
- Check all the network ACLs that are enabled and associated with subnets. Delete high-risk port policies from the inbound rules.
  - In the network ACL list, locate a network ACL and click Manage Rule in the Operation column.
Figure 4 Network ACL page
  - Click the Inbound Rules tab, check for the protocols and ports listed in Protocol & Port in Table 1, and find any rule whose Action is Allow and Source is 0.0.0.0/0.
Figure 5 Checking network ACL policies
  - Check for and eliminate high-risk port policies. You can click Modify or Delete in the Operation column.
    - You are advised to delete the Allow policies for ports that do not need to be open to the external network.
    - To allow external access from certain IP addresses, you are advised to set Source to the IP addresses in the whitelist.
    - You are not advised to open high-risk ports to all IP addresses.
  - Repeat the preceding steps for each remaining network ACL.
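As an added example (not part of Huawei's documentation or of any Huawei API), the following Python script applies the check from the two procedures above to a list of inbound rules: it flags Allow rules whose Source is 0.0.0.0/0 (or its IPv6 counterpart ::/0, which the page does not mention but which is the same exposure) and whose protocol and port range overlap an entry from Table 1. The rule records, their field names (id, direction, action, protocol, port_range_min, port_range_max, remote_ip_prefix) and the subset of Table 1 carried in the script are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed subset of Table 1 as (protocol, first port, last port, service).
HIGH_RISK_PORTS = [
    ("tcp", 22, 22, "SSH"), ("tcp", 23, 23, "Telnet"), ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"),
    ("tcp", 3306, 3306, "MySQL"), ("tcp", 3389, 3389, "RDP"), ("tcp", 5900, 5902, "VNC"),
    ("tcp", 6379, 6379, "Redis"), ("tcp", 2375, 2375, "Docker"), ("tcp", 8000, 8000, "JDWP"),
    ("tcp", 8080, 8089, "Jenkins/JBoss"), ("tcp", 27017, 27018, "MongoDB"), ("udp", 161, 162, "SNMP"),
]

def is_open_to_world(source: str) -> bool:
    """True for a /0 source: 0.0.0.0/0 as on the page, or its IPv6 counterpart ::/0."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0

def high_risk_hits(protocol: Optional[str], lo: Optional[int], hi: Optional[int]) -> List[str]:
    """Services from Table 1 whose ports overlap the rule's range (None means 'all')."""
    # Assumption: a missing protocol or port range is an unrestricted rule, so it overlaps everything.
    lo, hi = (1 if lo is None else lo), (65535 if hi is None else hi)
    proto = (protocol or "all").lower()
    return sorted({svc for p, a, b, svc in HIGH_RISK_PORTS
                   if proto in ("all", p) and a <= hi and b >= lo})

def audit_inbound_rules(rules: List[Dict]) -> Dict[str, List[str]]:
    """Map rule id -> high-risk services for inbound Allow rules open to all sources."""
    findings = {}
    for r in rules:
        # Security group rules are always Allow; network ACL rules carry an explicit action.
        if r.get("direction") != "ingress" or r.get("action", "allow") != "allow":
            continue
        if not is_open_to_world(r.get("remote_ip_prefix") or "0.0.0.0/0"):
            continue
        hits = high_risk_hits(r.get("protocol"), r.get("port_range_min"), r.get("port_range_max"))
        if hits:
            findings[r["id"]] = hits
    return findings

# Constructed sample rules; the field layout is assumed, not the exact console or API schema.
def rule(rid, proto, lo, hi, src, direction="ingress", action="allow"):
    return {"id": rid, "direction": direction, "action": action, "protocol": proto,
            "port_range_min": lo, "port_range_max": hi, "remote_ip_prefix": src}

SAMPLE_RULES = [
    rule("sg-1", "tcp", 22, 22, "0.0.0.0/0"),                        # SSH open to everyone
    rule("sg-2", "tcp", 22, 22, "203.0.113.0/24"),                   # SSH limited to a whitelist
    rule("sg-3", None, None, None, "0.0.0.0/0"),                     # all protocols, all ports
    rule("sg-4", "tcp", 3306, 3306, "0.0.0.0/0", direction="egress"),  # outbound, out of scope
    rule("acl-1", "tcp", 3389, 3389, "0.0.0.0/0", action="deny"),    # network ACL Deny rule
    rule("sg-5", "tcp", 8000, 9000, "::/0"),                         # IPv6 equivalent of 0.0.0.0/0
]
```

Running `audit_inbound_rules(SAMPLE_RULES)` reports sg-1, sg-3 and sg-5; the whitelisted, outbound and Deny rules are left alone.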
Using VPN/IPsec to Control Internal Access to Ports
By default, ECSs in a VPC cannot communicate with your physical data center or private network. To connect ECSs in a VPC to your data center or private network, you are advised to use Huawei Cloud Virtual Private Network (VPN).
Using Huawei Cloud Native Services to Enhance Security
Our cloud native services provide a range of features to enhance security.
Databases
Relational Database Service (RDS) provides a comprehensive performance monitoring system, implements a range of security measures, and offers a professional database management platform, allowing you to easily configure and scale databases on the cloud. On the RDS console, you can perform almost all necessary tasks and no programming is required. The console simplifies operations and reduces routine O&M workloads, so you can stay focused on application and service development.
Application middleware
Distributed Cache Service (DCS) provides multiple features to improve the reliability and security of tenant data, such as VPC, security group, whitelist, SSL encrypted connection for public network access, automatic backup, data snapshot, and cross-AZ deployment.