Best Practices in Enabling High-Risk Ports

To safeguard your Huawei Cloud resources and help you set up a secure access channel to your Huawei Cloud resources, we recommend the following security policies for enabling high-risk ports.

Configuring Security Groups and Network ACL to Control Inbound Access

You can configure inbound rules in security groups and network ACLs to protect the ECSs in the security group and the subnets associated with the network ACL.

Go to the Security Groups page.
1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region and a project.
3. In the navigation pane on the left, click and choose Network > Virtual Private Cloud.
4. In the navigation pane on the left, choose Access Control > Security Groups.

Check each security group and delete high-risk port inbound rules.

On the Security Groups page, locate a security group and click Manage Rule in the Operation column.
Figure 1 Security Groups page

Click the Inbound Rules tab, check for the protocols and ports listed in Protocol & Port in Table 1, and find the policy whose Action is Allow and Source is 0.0.0.0/0.

Figure 2 Checking security group policies

**Table 1** High-risk ports
Protocol Port (1)	Service	Protocol Port (2)	Service
TCP: 20, 21	File Transfer Protocol (FTP)	TCP: 3306	MySQL (database)
TCP: 22	Secure Shell (SSH)	TCP: 3389	Windows Remote desktop protocol (RDP)
TCP: 23	Telnet (remote terminal protocol)	TCP: 3690	Subversion (SVN, an open-source version control system)
TCP: 25	Simple Mail Transfer Protocol (SMTP)	TCP: 4848	GlassFish (application server)
TCP/UDP: 53	Domain Name System (DNS)	TCP: 5000	Sybase/DB2 (database)
TCP: 69	Trivial File Transfer Protocol (TFTP)	TCP: 5432	PostgreSQL (database)
TCP: 110	Post Office Protocol 3 (POP3)	TCP: 5900-5902	Virtual Network Console (VNC)
TCP: 111, 2049	Network File System (NFS)	TCP: 5984	CouchDB (database)
TCP: 137, 139, 445	Server Message Block (SMB) protocol (NetBIOS)	TCP: 6379	Redis (database)
TCP: 143	Internet Message Access Protocol (IMAP)	TCP: 7001-7002	WebLogic (web app system)
TCP: 389, 636	Lightweight Directory Access Protocol (LDAP)	TCP: 7199, 7000, 7001, 9160, 9042	Apache Cassandra
TCP: 512-514	Linux rexec (remote login)	TCP: 7778	Kloxo (virtual host management system)
TCP: 873	Rsync (data image backup tool)	TCP: 8000	Ajenti (Linux server management panel)
TCP: 1194	OpenVPN (virtual private channel)	TCP: 8069, 10050-10051	Zabbix (system network monitoring)
TCP: 1352	Lotus	TCP: 8443	Plesk (virtual server management panel)
TCP: 1433	SQL Server (database management system)	TCP: 8080, 28015, 29015	RethinkDB
TCP: 1521	Oracle (database)	TCP: 8080-8089	Jenkins and JBoss (application server)
TCP: 1500	ISPmanager (server control panel)	TCP: 8088, 50010, 50020, 50030, 50070	Hadoop (distributed file system)
TCP: 1723	Point-to-Point Tunneling Protocol (PPTP)	TCP: 8848, 9848, 9849, 7848	Nacos service
TCP: 2082-2083	cPanel (VM control system)	TCP: 9080-9081, 9090	WebSphere (application server)
TCP: 2181	ZooKeeper (reliable coordination service for distributed systems)	TCP: 9200, 9300	Elasticsearch (Lucene search server)
TCP: 2601-2604	Zebra (route)	TCP: 11211	Memcached (cache system)
TCP: 3128	Squid (caching proxy)	TCP: 27017-27018	MongoDB (database)
TCP: 3311-3312	kangle (web server)	TCP: 50000	SAP Management Console
TCP: 8080	DisConf (distributed configuration management platform)	TCP: 60010, 60030	HBase
TCP: 8888	Spring Cloud Config (distributed configuration center)	TCP: 3000	Grafana (data visualization)
TCP: 8761	Eureka (service registration and discovery component)	TCP: 8983	Solr (open-source enterprise-search platform)
TCP: 8500, 8502	Consul (service registration and discovery component)	TCP: 3123-3124, 8081, 6123	Flink (big data processing platform)
TCP: 8070, 8080	Apollo (distributed configuration management platform)	TCP: 4040, 7077, 8080-8081	Spark (big data processing platform)
TCP: 8090	Diamond (distributed configuration management system)	TCP: 8080, 11800, 12800	SkyWalking (distributed system monitoring)
TCP: 2379-2380	Etcd (distributed key-value storage system)	TCP: 8080	WebTTY (Web TTY management page)
TCP: 15672	RabbitMQ (message queue)	TCP: 80, 443	NextCloud (private network hard disk)
TCP: 8161, 61616	ActiveMQ (message queue)	TCP: 9001, 9090	Minio (cloud storage management tool)
TCP: 8083, 8086, 8635	InfluxDB (time series database)	TCP: 18083	EMQX (IoT access platform)
TCP: 6030-6032, 6041	TDengine (time series database)	TCP: 1090, 1099	Java-RMI protocol (Java remote method invocation protocol)
TCP: 9092-9095, 9999	Kafka (distributed stream processing platform)	TCP: 8000	JDWP (Java remote debugging interface)
TCP: 2375	Docker (application container engine)	TCP: 8009	Tomcat AJP protocol (binary communication protocol)
TCP: 5601	Kibana (data visualization)	TCP: 8888	Jupyter Notebook (web applications for interactive computing)
TCP: 177	xmanager/xwin (Linux remote GUI)	TCP: 6443, 8443, 10250-10256	Kubernetes (container orchestration engine)
TCP: 8081	Nexus (repository manager)	TCP: 80/443, 8080	GitLab (code hosting platform)
UDP: 161, 162	Simple Network Management Protocol (SNMP)	TCP: 5555	ADB (Android debugging tool)
TCP: 1883, 8883	MQTT (IoT message protocol)	TCP: 6000-6063	X11 (Linux remote GUI)
TCP: 8888	Napster (P2P file sharing protocol)	-	-

Check for and eliminate high-risk port policies. You can click Modify or Delete in the Operation column.
Figure 3 High-risk port policies for security groups
- You are advised to delete the Allow policies for ports that do not need to be open to the external network.
- To allow external access from certain IP addresses, you are advised to set Source to the IP addresses in the whitelist. For details, see Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group.
- You are not advised to enable high-risk port policies for all IP addresses.

In the navigation pane on the left, choose Access Control > Network ACLs.
Check all the network ACLs that are enabled and associated with subnets. Delete high-risk port policies from the inbound rules.
1. In the network ACL list, locate a rule and click Manage Rule in the Operation column.
  Figure 4 Network ACL page
2. Click the Inbound Rules tab, check for the protocols and ports listed in Protocol & Port in Table 1, and find the policy whose Action is Allow and Source is 0.0.0.0/0.
  Figure 5 Checking network ACL policies
3. Check for and eliminate high-risk port policies. You can click Modify or Delete in the Operation column.
  - You are advised to delete the Allow policies for ports that do not need to be open to the external network.
  - To allow external access from certain IP addresses, you are advised to set Source to the IP addresses in the whitelist.
  - You are not advised to open high-risk ports to all IP addresses.

Using VPN/IPsec to Control Internal Access to Ports

By default, ECSs in a VPC cannot communicate with your physical data center or private network. To connect ECSs in a VPC to your data center or private network, you are advised to use Huawei Cloud Virtual Private Network (VPN).

Using Huawei Cloud Native Services to Enhance Security

Our cloud native services provide a range of features to enhance security.

Databases

Relational Database Service (RDS) provides a comprehensive performance monitoring system, implements a range of security measures, and offers a professional database management platform, allowing you to easily configure and scale databases on the cloud. On the RDS console, you can perform almost all necessary tasks and no programming is required. The console simplifies operations and reduces routine O&M workloads, so you can stay focused on application and service development.

Application middleware

Distributed Cache Service (DCS) provides multiple features to improve the reliability and security of tenant data, such as VPC, security group, whitelist, SSL encrypted connection for public network access, automatic backup, data snapshot, and cross-AZ deployment.

Previous topic: Best Practices for Using Huawei Accounts

Next topic: Disposal of Spam Mails Sent to External Systems