Updated on 2024-11-12 GMT+08:00

Best Practices in Enabling High-Risk Ports

To safeguard your Huawei Cloud resources and help you set up a secure access channel to your Huawei Cloud resources, we recommend the following security policies for enabling high-risk ports.

Configuring Security Groups and Network ACL to Control Inbound Access

You can configure inbound rules in security groups and network ACLs to protect the ECSs in the security group and the subnets associated with the network ACL.

  1. Go to the Security Groups page.

    1. Log in to the management console.
    2. Click in the upper left corner of the management console and select a region and a project.
    3. In the navigation pane on the left, click and choose Network > Virtual Private Cloud.
    4. In the navigation pane on the left, choose Access Control > Security Groups.

  2. Check each security group and delete high-risk port inbound rules.

    1. On the Security Groups page, locate a security group and click Manage Rule in the Operation column.
      Figure 1 Security Groups page
    2. Click the Inbound Rules tab, check for the protocols and ports listed under Protocol & Port in Table 1, and find any rule whose Action is Allow and whose Source is 0.0.0.0/0.
      Figure 2 Checking security group policies
      Table 1 High-risk ports

      | Protocol & Port (1) | Service | Protocol & Port (2) | Service |
      |---|---|---|---|
      | TCP: 20, 21 | File Transfer Protocol (FTP) | TCP: 3306 | MySQL (database) |
      | TCP: 22 | Secure Shell (SSH) | TCP: 3389 | Windows Remote Desktop Protocol (RDP) |
      | TCP: 23 | Telnet (remote terminal protocol) | TCP: 3690 | Subversion (SVN, an open-source version control system) |
      | TCP: 25 | Simple Mail Transfer Protocol (SMTP) | TCP: 4848 | GlassFish (application server) |
      | TCP/UDP: 53 | Domain Name System (DNS) | TCP: 5000 | Sybase/DB2 (database) |
      | TCP: 69 | Trivial File Transfer Protocol (TFTP) | TCP: 5432 | PostgreSQL (database) |
      | TCP: 110 | Post Office Protocol 3 (POP3) | TCP: 5900-5902 | Virtual Network Console (VNC) |
      | TCP: 111, 2049 | Network File System (NFS) | TCP: 5984 | CouchDB (database) |
      | TCP: 137, 139, 445 | Server Message Block (SMB) protocol (NetBIOS) | TCP: 6379 | Redis (database) |
      | TCP: 143 | Internet Message Access Protocol (IMAP) | TCP: 7001-7002 | WebLogic (web app system) |
      | TCP: 389, 636 | Lightweight Directory Access Protocol (LDAP) | TCP: 7199, 7000, 7001, 9160, 9042 | Apache Cassandra |
      | TCP: 512-514 | Linux rexec (remote login) | TCP: 7778 | Kloxo (virtual host management system) |
      | TCP: 873 | Rsync (data mirroring and backup tool) | TCP: 8000 | Ajenti (Linux server management panel) |
      | TCP: 1194 | OpenVPN (virtual private channel) | TCP: 8069, 10050-10051 | Zabbix (system network monitoring) |
      | TCP: 1352 | Lotus | TCP: 8443 | Plesk (virtual server management panel) |
      | TCP: 1433 | SQL Server (database management system) | TCP: 8080, 28015, 29015 | RethinkDB |
      | TCP: 1521 | Oracle (database) | TCP: 8080-8089 | Jenkins and JBoss (application server) |
      | TCP: 1500 | ISPmanager (server control panel) | TCP: 8088, 50010, 50020, 50030, 50070 | Hadoop (distributed file system) |
      | TCP: 1723 | Point-to-Point Tunneling Protocol (PPTP) | TCP: 8848, 9848, 9849, 7848 | Nacos service |
      | TCP: 2082-2083 | cPanel (VM control system) | TCP: 9080-9081, 9090 | WebSphere (application server) |
      | TCP: 2181 | ZooKeeper (reliable coordination service for distributed systems) | TCP: 9200, 9300 | Elasticsearch (Lucene search server) |
      | TCP: 2601-2604 | Zebra (routing) | TCP: 11211 | Memcached (cache system) |
      | TCP: 3128 | Squid (caching proxy) | TCP: 27017-27018 | MongoDB (database) |
      | TCP: 3311-3312 | kangle (web server) | TCP: 50000 | SAP Management Console |
      | TCP: 8080 | DisConf (distributed configuration management platform) | TCP: 60010, 60030 | HBase |
      | TCP: 8888 | Spring Cloud Config (distributed configuration center) | TCP: 3000 | Grafana (data visualization) |
      | TCP: 8761 | Eureka (service registration and discovery component) | TCP: 8983 | Solr (open-source enterprise-search platform) |
      | TCP: 8500, 8502 | Consul (service registration and discovery component) | TCP: 3123-3124, 8081, 6123 | Flink (big data processing platform) |
      | TCP: 8070, 8080 | Apollo (distributed configuration management platform) | TCP: 4040, 7077, 8080-8081 | Spark (big data processing platform) |
      | TCP: 8090 | Diamond (distributed configuration management system) | TCP: 8080, 11800, 12800 | SkyWalking (distributed system monitoring) |
      | TCP: 2379-2380 | Etcd (distributed key-value storage system) | TCP: 8080 | WebTTY (Web TTY management page) |
      | TCP: 15672 | RabbitMQ (message queue) | TCP: 80, 443 | NextCloud (self-hosted file storage) |
      | TCP: 8161, 61616 | ActiveMQ (message queue) | TCP: 9001, 9090 | Minio (cloud storage management tool) |
      | TCP: 8083, 8086, 8635 | InfluxDB (time series database) | TCP: 18083 | EMQX (IoT access platform) |
      | TCP: 6030-6032, 6041 | TDengine (time series database) | TCP: 1090, 1099 | Java-RMI protocol (Java remote method invocation protocol) |
      | TCP: 9092-9095, 9999 | Kafka (distributed stream processing platform) | TCP: 8000 | JDWP (Java remote debugging interface) |
      | TCP: 2375 | Docker (application container engine) | TCP: 8009 | Tomcat AJP protocol (binary communication protocol) |
      | TCP: 5601 | Kibana (data visualization) | TCP: 8888 | Jupyter Notebook (web application for interactive computing) |
      | TCP: 177 | xmanager/xwin (Linux remote GUI) | TCP: 6443, 8443, 10250-10256 | Kubernetes (container orchestration engine) |
      | TCP: 8081 | Nexus (repository manager) | TCP: 80/443, 8080 | GitLab (code hosting platform) |
      | UDP: 161, 162 | Simple Network Management Protocol (SNMP) | TCP: 5555 | ADB (Android debugging tool) |
      | TCP: 1883, 8883 | MQTT (IoT message protocol) | TCP: 6000-6063 | X11 (Linux remote GUI) |
      | TCP: 8888 | Napster (P2P file sharing protocol) | - | - |

    3. Check for and eliminate high-risk port policies. You can click Modify or Delete in the Operation column.
      Figure 3 High-risk port policies for security groups
      • You are advised to delete the Allow policies for ports that do not need to be open to the external network.
      • To allow external access from certain IP addresses, you are advised to set Source to the IP addresses in the whitelist. For details, see Enabling Specified IP Addresses to Remotely Access ECSs in a Security Group.
      • You are not advised to enable high-risk port policies for all IP addresses.

  3. In the navigation pane on the left, choose Access Control > Network ACLs.
  4. Check all the network ACLs that are enabled and associated with subnets. Delete high-risk port policies from the inbound rules.

    1. In the network ACL list, locate a network ACL and click Manage Rule in the Operation column.
      Figure 4 Network ACL page
    2. Click the Inbound Rules tab, check for the protocols and ports listed under Protocol & Port in Table 1, and find any rule whose Action is Allow and whose Source is 0.0.0.0/0.
      Figure 5 Checking network ACL policies
    3. Check for and eliminate high-risk port policies. You can click Modify or Delete in the Operation column.
      • You are advised to delete the Allow policies for ports that do not need to be open to the external network.
      • To allow external access from certain IP addresses, you are advised to set Source to the IP addresses in the whitelist.
      • You are not advised to open high-risk ports to all IP addresses.
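The manual check in the two procedures above (an Allow rule, a world-open Source, a port from Table 1) can be scripted against an export of your rules. The following is an added example, not Huawei Cloud code or output: the rule records, their field names and the `audit` helper are assumptions, and the sample rules are constructed, so a real console or API export needs a small adapter to this record shape.

```python
import ipaddress
import re

# Subset of Table 1, written in the table's own "PROTO: ports" form (extend as needed).
HIGH_RISK = {
    "TCP: 22": "SSH", "TCP: 3389": "RDP", "TCP/UDP: 53": "DNS",
    "TCP: 5900-5902": "VNC", "TCP: 6379": "Redis", "UDP: 161, 162": "SNMP",
    "TCP: 2375": "Docker", "TCP: 137, 139, 445": "SMB", "TCP: 8080-8089": "Jenkins/JBoss",
}

def parse_entry(spec):
    """'TCP/UDP: 53' -> [('tcp', 53, 53), ('udp', 53, 53)]; handles 'a-b', 'a, b' and 'a/b'."""
    protos, ports = spec.split(":", 1)
    out = []
    for proto in protos.split("/"):
        for tok in re.split(r"[,/]", ports):
            lo, _, hi = tok.strip().partition("-")
            out.append((proto.strip().lower(), int(lo), int(hi or lo)))
    return out

def is_world_open(source):
    """True for 0.0.0.0/0 or ::/0; a non-CIDR source (e.g. a security group id) is not."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False

def audit(rules):
    """Return 'rule_id: service (proto lo-hi)' for each world-open Allow rule whose
    port range overlaps a high-risk port; protocol 'any' / no port range means all ports."""
    table = [(svc, *t) for spec, svc in HIGH_RISK.items() for t in parse_entry(spec)]
    hits = []
    for r in rules:
        if r["action"].lower() != "allow" or not is_world_open(r["source"]):
            continue
        rp = r["protocol"].lower()
        rlo, rhi = r.get("port_range") or (1, 65535)
        for svc, proto, lo, hi in table:
            if rp in ("any", proto) and rlo <= hi and lo <= rhi:
                hits.append(f"{r['id']}: {svc} ({proto} {lo}-{hi})")
    return hits

# Constructed sample (not a real export): world-open SSH, allowlisted RDP,
# an "all traffic" rule open to every IPv6 address, and HTTPS open to the world.
SAMPLE_RULES = [
    {"id": "sg-1", "action": "Allow", "protocol": "TCP", "port_range": (22, 22), "source": "0.0.0.0/0"},
    {"id": "sg-2", "action": "Allow", "protocol": "TCP", "port_range": (3389, 3389), "source": "203.0.113.0/24"},
    {"id": "sg-3", "action": "Allow", "protocol": "Any", "port_range": None, "source": "::/0"},
    {"id": "sg-4", "action": "Allow", "protocol": "TCP", "port_range": (443, 443), "source": "0.0.0.0/0"},
]
print("\n".join(audit(SAMPLE_RULES)) or "no world-open high-risk rules")
```

Only sg-1 and the catch-all sg-3 are reported; the allowlisted RDP rule and the HTTPS rule pass, which mirrors the advice above to restrict Source to known addresses rather than 0.0.0.0/0.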

Using VPN/IPsec to Control Internal Access to Ports

By default, ECSs in a VPC cannot communicate with your physical data center or private network. To connect ECSs in a VPC to your data center or private network, you are advised to use Huawei Cloud Virtual Private Network (VPN).

Using Huawei Cloud Native Services to Enhance Security

Our cloud native services provide a range of features to enhance security.

Databases

Relational Database Service (RDS) provides a comprehensive performance monitoring system, implements a range of security measures, and offers a professional database management platform, allowing you to easily configure and scale databases on the cloud. On the RDS console, you can perform almost all necessary tasks and no programming is required. The console simplifies operations and reduces routine O&M workloads, so you can stay focused on application and service development.

Application middleware

Distributed Cache Service (DCS) provides multiple features to improve the reliability and security of tenant data, such as VPC, security group, whitelist, SSL encrypted connection for public network access, automatic backup, data snapshot, and cross-AZ deployment.