
CSF Centmin Mod LEMP stack CSF Firewall default port listing

Discussion in 'Centmin Mod Insights' started by eva2000, Jan 12, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod LEMP stack was developed originally for my own needs and usage requirements for the web applications and software I use and run, so the default CSF Firewall configured whitelisted TCP/UDP ports were tailored around those needs. Over time, the list of whitelisted TCP/UDP ports evolved to what it is now. Some of the ports whitelisted were also set for web apps I intended to use but may not have gotten around to using out of convenience.

    The current list is below. You can decide for yourself which TCP/UDP ports you want to remain whitelisted and which you want to close up by editing the TCP_IN/TCP_OUT, TCP6_IN/TCP6_OUT, UDP_IN/UDP_OUT, and UDP6_IN/UDP6_OUT comma-separated lists of ports in the CSF Firewall configuration file at /etc/csf/csf.conf. You'd need to restart CSF Firewall after making changes. I'd back up your csf.conf before editing.

    Backup csf.conf to csf.conf.backup
    Code:
    cp -a /etc/csf/csf.conf /etc/csf/csf.conf.backup
    or
    Code:
    csf --profile backup mybackup
    Restart CSF Firewall
    Code:
    csf -ra

    Background & Info


    • List of TCP and UDP port numbers - Wikipedia, the free encyclopedia
    • Some ports were for web apps with custom ports; I can no longer recall what they're for
    • On Dec 13, 2015 I updated Centmin Mod LEMP stack code and removed a few ports from default whitelisting. So if you did a fresh Centmin Mod LEMP stack install after Dec 13, 2015 you will have these ports already removed by default. These ports removed include:
      • 2202,11211,11212,11213,11214
      • 9000,9001
      • 10000,10500,10501
    • If you have an older Centmin Mod LEMP stack install you can follow instructions outlined here (or below) for removing these ports from whitelisting IF you do not use them.

    Bare Minimum Ports List



    A bare minimum ports list for Centmin Mod LEMP stack to work would be the following, to be populated in the respective TCP_IN/TCP_OUT, TCP6_IN/TCP6_OUT, UDP_IN/UDP_OUT, and UDP6_IN/UDP6_OUT comma-separated lists of ports in the CSF Firewall configuration file at /etc/csf/csf.conf:
    • TCP = 21, 22, 25, 53, 80, 443, 465, 587, 993, 995, 9418 and for 123.08stable 3000:3050 and for 123.09beta01 30001:50011
    • UDP = 21, 53, 67, 68, 33434:33534
    If you are not running or sending or receiving email, you can also remove 465, 587, 993, 995 ports. You may need these if you use 3rd party transactional email providers like Sendgrid, Amazon SES, Mandrill etc. Or if you're using a mail provider for your forum, or blog's mail sending i.e. using Gmail SMTP for sending email for your web application.


    If you're using Google Cloud Compute, Amazon AWS EC2 or any cloud/VPS provider which has their own Firewall in front of your server, you will need to consult their documentation for also configuring the above whitelisted ports on their respective Firewalls too.

    For Google Cloud Firewall
    For Amazon EC2 Firewall

    CSF Port List for Centmin Mod LEMP stack



    TCP IN
    Code:
    10000       Tungsten Replicator RMI
    1018
    10500       Tungsten Replicator RMI
    10501       Tungsten Replicator RMI
    110         POP3
    1110        GlusterFS / NFS
    11211       Memcached server
    11212       Memcached server
    11213       Memcached server
    11214       Memcached server
    1186        MySQL Cluster Management Node
    1194        OpenVPN
    143         IMAP
    161         SNMP
    21          FTP
    22          SFTP
    2112        Tungsten Replicator History Log
    22          SSH / SCP / SFTP
    22000       Tungsten Replicator History Log
    22001       Tungsten Replicator History Log
    2202        MySQL Cluster Data Node
    2222
    25          SMTP
    3000
    3000:3050   Pure-FTPD Passive Ports
    30001:50011 Pure-FTPD Passive Ports
    30865       Csync2
    3334
    443         HTTPS / TLS / SSL / QUIC
    465         SMTP over TLS/SSL
    53          NSD / BIND / DNS
    587         SMTP
    6081        Varnish Cache
    6082        Varnish Cache
    80          HTTP
    8080        HTTP
    81          HTTP
    8888        HTTP
    9000        PHP-FPM
    9001        PHP-FPM
    9312        SphinxSearch
    9418        Git
    993         IMAP over TLS/SSL
    995         POP3 over TLS/SSL
    TCP OUT
    Code:
    1018
    110         POP3
    1110        GlusterFS / NFS
    113         Authentication Service
    1194        OpenVPN
    21          FTP
    22          SFTP
    22          SSH / SCP / SFTP
    25          SMTP
    43          Whois
    443         HTTPS / TLS / SSL / QUIC
    465         SMTP over TLS/SSL
    53          NSD / BIND / DNS
    587         SMTP
    80          HTTP
    81          HTTP
    9418        Git
    993         IMAP over TLS/SSL
    995         POP3 over TLS/SSL
    
    UDP IN
    Code:
    1110        GlusterFS / NFS
    21          FTP
    33434:33534 Pure-FTPD Passive Ports
    53          NSD / BIND / DNS
    67          DHCP Server
    68          DHCP Client
    UDP OUT
    Code:
    1110        GlusterFS / NFS
    113         Authentication Service
    123         NTPD
    21          FTP
    33434:33534 Pure-FTPD Passive Ports
    53          NSD / BIND / DNS
    67          DHCP Server
    68          DHCP Client
    TCP6 IN
    Code:
    10000       Tungsten Replicator RMI
    10500       Tungsten Replicator RMI
    10501       Tungsten Replicator RMI
    110         POP3
    1110        GlusterFS / NFS
    11211       Memcached server
    11212       Memcached server
    11213       Memcached server
    11214       Memcached server
    1186        GlusterFS
    1194        OpenVPN
    143         IMAP
    161         SNMP
    21          FTP
    2112        Tungsten Replicator History Log
    22          SSH / SCP / SFTP
    22000       Tungsten Replicator History Log
    22001       Tungsten Replicator History Log
    2202        MySQL Cluster Data Node
    2222
    25          SMTP
    3000
    3000:3050   Pure-FTPD Passive Ports
    30001:50011 Pure-FTPD Passive Ports
    30865       Csync2
    3334
    443         HTTPS / TLS / SSL / QUIC
    465         SMTP over TLS/SSL
    53          NSD / BIND / DNS
    587         SMTP
    6081        Varnish Cache
    6082        Varnish Cache
    80          HTTP
    8080        HTTP
    81          HTTP
    8888        HTTP
    9000        PHP-FPM
    9001        PHP-FPM
    9312        SphinxSearch
    9418        Git
    993         IMAP over TLS/SSL
    995         POP3 over TLS/SSL
    TCP6 OUT
    Code:
    110         POP3
    113         Authentication Service
    21          FTP
    22          SSH / SCP / SFTP
    25          SMTP
    443         HTTPS / TLS / SSL / QUIC
    465         SMTP over TLS/SSL
    53          NSD / BIND / DNS
    587         SMTP
    80          HTTP
    993         IMAP over TLS/SSL
    995         POP3 over TLS/SSL
    UDP6 IN
    Code:
    20          FTP
    21          FTP
    53          NSD / BIND / DNS
    UDP6 OUT
    Code:
    113         Authentication Service
    123         NTPD
    21          FTP
    53          NSD / BIND / DNS
     
    Last edited: Jan 12, 2016
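
Added example, not part of the original post or of Centmin Mod's own code: a read-only shell audit that reports which of the ports the post lists as removed on Dec 13, 2015 are still whitelisted in a csf.conf, including when they fall inside a `lo:hi` range. The function names and the sample config are constructed for illustration; it assumes settings are written as `NAME = "comma,separated,list"`.

```shell
#!/bin/sh
# Added example: read-only audit of a csf.conf for the ports the post lists
# as removed from the default whitelist on Dec 13, 2015.
REMOVED="2202 11211 11212 11213 11214 9000 9001 10000 10500 10501"
SETTINGS="TCP_IN TCP_OUT TCP6_IN TCP6_OUT UDP_IN UDP_OUT UDP6_IN UDP6_OUT"

# csf_ports SETTING FILE: print the quoted port list of one setting.
csf_ports() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# port_in_list PORT LIST: succeed if PORT is listed or inside a lo:hi range.
port_in_list() {
  printf '%s\n' "$2" | tr ',' '\n' | tr -d ' ' | awk -F: -v p="$1" '
    NF == 2 && p >= $1 && p <= $2 { found = 1 }
    NF == 1 && $1 == p            { found = 1 }
    END { exit !found }'
}

# audit_removed_ports FILE: print "SETTING PORT" for each removed port still allowed.
audit_removed_ports() {
  for setting in $SETTINGS; do
    ports=$(csf_ports "$setting" "$1")
    for p in $REMOVED; do
      if port_in_list "$p" "$ports"; then echo "$setting $p"; fi
    done
  done
}

# Constructed sample config (not a real server's csf.conf).
sample_conf() {
  cat <<'EOF'
# comment lines are ignored
TCP_IN = "21,22,25,53,80,443,9000,11211,3000:3050"
TCP_OUT = "21,22,25,53,80,443"
TCP6_IN = "22,80,443,10000:10501"
UDP_IN = "21,53,67,68,33434:33534"
EOF
}

# Demo on the sample; on a server, pass /etc/csf/csf.conf instead.
demo=$(mktemp) && sample_conf > "$demo" && audit_removed_ports "$demo"
rm -f "$demo"
```

Any line it prints is a port to remove from that setting if the service is not in use, followed by the backup and `csf -ra` steps from the post.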