On Thu, 04 Jan 2018 19:45:44 +0000, The Natural Philosopher wrote:

> Basically I have unlimited access from my (fixed) home address - I had
> opened ssh up so I could access it from  abroad, but I am back home now,
> so I have shut the lot down.
>
Fair comment

> Now the only globally open ports are smtp, ssmtp, pop3, http and https.
> And one other I won't mention.
>
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
> ACCEPT     tcp  --  anywhere             anywhere            tcp
> dpt:ssmtp ACCEPT     tcp  --  anywhere             anywhere
> tcp dpt:smtp ACCEPT     tcp  --  anywhere             anywhere
>  tcp dpt:pop3 ACCEPT     tcp  --  anywhere             anywhere
>   tcp dpt:https ACCEPT     tcp  --  anywhere             anywhere
>     tcp dpt:xxxxx REJECT     all  --  anywhere             anywhere
>       reject-with icmp-port-unreachable
>
> On the internet the default should always be 'only let in what you
> absolutely need, and then only once you have worked out how to hack it,
> and blocked that too'
>
Most of these are obvious and sensible given that you're running a
webserver and, presumably, a mainserver that accepts SMTP connections.

Indeed, but one has me curious: why is pop3 open?

I assume you're running a public or semi-public POP3 server, since using
it to collect mail from an ISP doesn't require an externally accessible
POP3 port.


--
Martin    | martin at
Gregorie  | gregorie
          | dot org

--- SoupGate-Win32 v1.05