Couple of small queries - Open Ports and MariaDB

So I'm getting down to the final checks and a couple of things are annoying my brain. I like to try and understand why, just so I know it's all good.

Firstly MariaDB

This is purely cosmetic. If I visit the settings tab it shows MariaDB as stopped and does not react to any of the controls. However, doing systemctl status mariadb it shows as loaded and active and everything is working fine, and in task monitor advanced the DB section is fine.

So I presume this is just a minor cosmetic issue on my setup.

Open Ports

This one I can't get my head around, so I need help seeing the logic.

So all my domains are set up as - Nginx Static no cache - PHP 7.4 FPM templates, so pretty standard.

If I do an Nmap scan it shows open ports:

80 / 443 nginx
8080 / 8443 Apache

CSF only has ports 80 and 443 open and not the latter 2 ports.

Is this correct?

So I'm wondering if Nmap can see these ports as when they scan they are forwarded from Nginx to Apache?

Or if not, how can it see ports 8080/8443 if CSF is not set to open them?

8080 and 8443 should not be open. It is also not needed…

1 Like

That’s what I thought hence wondered why nmap could see them.

And that’s why I’m confused because they are not open in csf so shouldn’t be accessible at all anyway.

I will dig further tomorrow to see if I can find out how it’s bypassing the firewall.

MariaDB made some changes in their config structure; we still need some changes due to the code…

1 Like

Thanks, at least it wasn’t me this time that tinkered and broke it lol, so I’ll just look into the Apache ports. May reinstall tomorrow but try Deb 10 or Ubuntu instead, see if I get a different result.

If you run the nmap scan from the server Hestia is installed on, then the Apache ports might appear open. Are you doing it from a remote server?

Ultimately, the best way to satisfy yourself that the firewall rules are in place is to look at the output of:
v-list-firewall
iptables -L -n | grep ACCEPT

2 Likes

Yep, I have a Kali Linux VM running on my server at home, so it is a remote test. I will check that command out next, thanks.

Okay, I'm gonna leave this up because it's always good to remind yaself how much of an idiot one can be when you focus on a problem which actually is not there and miss the blindingly obvious.

CSF auto inputs your setup IP in csf.allow. So this got me thinking when I typed the above reply: as my VM is running on my home IP, is it seeing more than a remote scanner would?

And yep, I fired up Google’s free cloud console (how handy is that free tool!!), installed Nmap, did a scan and, what a surprise, only ports 80 and 443 are showing.

Now I am wondering if this forum has a badge for the most idiotic thread started by a user, because I should be awarded it.

1 Like
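
The cause found above was that the scan source was listed in csf.allow, so the scan saw more than an outside host would. As an added example (not code from this thread, CSF or Hestia), the POSIX shell functions below check whether a scanner's source IPv4 address is covered by an entry in a csf.allow-style file before the scan result is trusted. The function names, the sample file and its documentation-range addresses are constructed; it assumes entries are a plain IP, a CIDR range, or an advanced rule carrying an `s=` source field.

```shell
#!/bin/sh
# Added example: does a csf.allow-style entry cover a scan source? (IPv4 only)

ip_to_int() {                     # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                       # in_cidr ADDR NET[/BITS]: exit 0 if ADDR is inside
    net=${2%/*}; bits=32
    case $2 in */*) bits=${2#*/} ;; esac
    mask=0
    if [ "$bits" -gt 0 ]; then mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

allow_match() {                   # allow_match FILE ADDR: print first covering entry
    file=$1; ip=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')  # drop comment, blanks
        [ -n "$line" ] || continue
        entry=$line
        case $line in             # advanced rule: compare against its s= field
            *'|'*) entry=$(printf '%s\n' "$line" | tr '|' '\n' | sed -n 's/^s=//p' | head -n 1) ;;
        esac
        case $entry in
            ''|*[!0-9./]*|*.*.*.*.*) continue ;;  # Include lines, IPv6, hostnames
            *.*.*.*) ;;
            *) continue ;;
        esac
        if in_cidr "$ip" "$entry"; then printf '%s\n' "$line"; return 0; fi
    done < "$file"
    return 1
}

# Constructed sample in csf.allow layout (documentation addresses, not real data).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
203.0.113.25 # address used during setup (constructed)
198.51.100.0/24 # home range (constructed)
tcp|in|d=3306|s=192.0.2.7
EOF
for src in 203.0.113.25 198.51.100.77 192.0.2.200; do
    if hit=$(allow_match "$SAMPLE" "$src"); then
        echo "$src allowlisted by '$hit': a scan from here is not the public view"
    else
        echo "$src not allowlisted: a scan from here reflects the public view"
    fi
done
```

A match on an advanced rule only means the source is allowed for the port named in that rule, so the full line is printed for review.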

Honestly, I think we could count that under “Normal Thread” - if you would be with us a longer time, you would understand that there are a few other threads which should get that badge on…

Thanks for keeping us up to date! <3

3 Likes