Nmap Port Scanning

Hard

Comprehensive network and port scanning with service version detection using Nmap.

Estimated fix time: 1 hour

What is Port Security?

Every open port exposes a listening service on your server to the network. Unnecessary open ports give attackers avenues for unauthorized access, exploitation of the exposed service, and DDoS attacks.

Security Impact

Severity: High

  • Unauthorized service access
  • Service exploitation
  • DDoS attacks
  • Data interception
  • Lateral movement in network

Essential Ports Only

Required ports for web applications:

  • 80 (HTTP)
  • 443 (HTTPS)
  • 22 (SSH - restricted to specific IPs)

Should be closed:

  • 3306 (MySQL)
  • 5432 (PostgreSQL)
  • 6379 (Redis)
  • 27017 (MongoDB)
  • All other ports

How to Fix with UFW (Ubuntu)

# Install UFW
sudo apt-get install ufw

# Deny all incoming by default
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (from specific IP)
sudo ufw allow from YOUR_IP to any port 22

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

How to Fix with iptables

# Flush existing rules
sudo iptables -F

# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (keeps your current SSH session alive)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH (from specific IP)
sudo iptables -A INPUT -p tcp -s YOUR_IP --dport 22 -j ACCEPT

# Default policies: set INPUT to DROP only after the allow rules above exist,
# otherwise a remote session is cut off before it can be re-allowed
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Save rules (the redirect must also run as root, not only iptables-save;
# /etc/iptables/rules.v4 is what the iptables-persistent package restores at boot)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Cloud Provider Firewalls

AWS Security Groups

# Allow HTTP
aws ec2 authorize-security-group-ingress \
    --group-id sg-xxxxx \
    --protocol tcp \
    --port 80 \
    --cidr 0.0.0.0/0

# Allow HTTPS
aws ec2 authorize-security-group-ingress \
    --group-id sg-xxxxx \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0

DigitalOcean Firewall

Configure via UI or API to allow only:

  • Inbound: 80, 443
  • Inbound: 22 (from your IP)
  • Outbound: All

Database Security

Never expose database ports publicly. Use:

  1. Localhost binding:

     # MySQL (my.cnf, [mysqld] section)
     bind-address = 127.0.0.1

     # PostgreSQL (postgresql.conf)
     listen_addresses = 'localhost'

  2. Private networks:

     # Allow only from app server
     sudo ufw allow from APP_SERVER_IP to any port 3306

Verification Steps

# Scan your server from outside its network (SYN scan -sS needs root)
sudo nmap -sS -sV yourdomain.com

# Should only show 80, 443 as open (22 appears only if you scan from an allowed IP)
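One way to turn that check into a repeatable test, as an added example that is not part of the original guide: the script below parses nmap's grepable output (nmap -sS -sV -oG scan.gnmap yourdomain.com) and reports every open port outside the 80/443 allowlist. The embedded scan output is constructed, and the file name and function names are assumptions.

```python
import re
import sys

# Ports the guide allows; add ("tcp", 22) when scanning from an IP the SSH rule permits.
ALLOWED_PORTS = {("tcp", 80), ("tcp", 443)}

# Constructed sample of nmap -sS -sV -oG output; not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - yourdomain.com
Host: 192.0.2.10 (yourdomain.com)\tStatus: Up
Host: 192.0.2.10 (yourdomain.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, \
80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, \
3306/open/tcp//mysql//MySQL 8.0.32/\tIgnored State: filtered (996)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

PORTS_RE = re.compile(r"\tPorts: (.*?)(?:\t|$)")

def parse_open_ports(gnmap_text):
    """Return {host: [(proto, port, service, version), ...]} for open ports."""
    result = {}
    for line in gnmap_text.splitlines():
        match = PORTS_RE.search(line) if line.startswith("Host: ") else None
        if not match:
            continue
        host = line.split()[1]
        for entry in match.group(1).split(", "):
            # Grepable port fields: port/state/proto/owner/service/rpcinfo/version/
            f = entry.split("/")
            if f[1] == "open":
                result.setdefault(host, []).append((f[2], int(f[0]), f[4], f[6]))
    return result

def unexpected_ports(open_ports, allowed=ALLOWED_PORTS):
    """Return [(host, proto, port, service, version)] not in the allowlist."""
    return [(host, proto, port, svc, ver)
            for host, entries in open_ports.items()
            for proto, port, svc, ver in entries
            if (proto, port) not in allowed]

def check_scan(gnmap_text):
    """Print each port that should be closed; return True when none is found."""
    offenders = unexpected_ports(parse_open_ports(gnmap_text))
    for host, proto, port, svc, ver in offenders:
        print(f"{host}: {port}/{proto} ({svc} {ver}) is open but should be closed")
    return not offenders

if __name__ == "__main__":  # usage: python check_ports.py scan.gnmap (no arg: sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    sys.exit(0 if check_scan(text) else 1)
```

A non-zero exit status makes the script usable as a gate in a cron job or CI pipeline that runs the scan after each deployment.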

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
