Which ports should be allowed for best practice?

alexlii1971 commented 3 weeks ago

Hello,

I am quite new to Hiddify.

After Hddfiy Manager installed by default settings, how many ports should be allowed on UFW please? so that we can set Firewall for security and best practice.

Thanks for clarifying.

prsgh commented 3 weeks ago

Hi Hiddify use reverse proxy in most inbound config, So your ssh port, 80 and 443 is enough for you. But if you want to use some custom inbound like hysteria it will be setup on random port that had to check after set up the config. For better insight, you install net-tools package and use this command to check with port used by hiddify:

$ sudo netstat -tupln

port with local address of 127.0.0.1 is not exposed.

alexlii1971 commented 2 weeks ago

root@Hiddify:~# sudo netstat -tupln

Active Internet connections Proto Recv-Q Send-Q Local Address tcp 0 0 127.0.0.1:2024 tcp 0 0 127.0.0.1:2031 tcp 0 0 127.0.0.1:2021 tcp 0 0 127.0.0.1:2022 tcp 0 0 127.0.0.1:2023 tcp 0 0 127.0.0.1:2032 tcp 0 0 127.0.0.1:2033 tcp 0 0 127.0.0.1:2034 tcp 0 0 127.0.0.1:501 tcp 0 0 127.0.0.1:8181 tcp 0 0 127.0.0.1:502 tcp 0 0 127.0.0.1:2039 tcp 0 0 127.0.0.1:2011 tcp 0 0 127.0.0.1:2012 tcp 0 0 127.0.0.1:2013 tcp 0 0 0.0.0.0:80 tcp 0 0 127.0.0.1:2014 tcp 0 0 127.0.0.1:2000 tcp 0 0 127.0.0.1:438 tcp 0 0 0.0.0.0:22 tcp 0 0 127.0.0.1:10085 tcp 0 0 127.0.0.1:10086 tcp 0 0 127.0.0.1:9000 tcp 0 0 127.0.0.1:6450 tcp 0 0 127.0.0.53:53 tcp 0 0 127.0.0.1:2334 tcp 0 0 127.0.0.1:3306 tcp 0 0 127.0.0.1:6379 tcp 0 0 127.0.0.1:12995 tcp 0 0 127.0.0.1:1234 tcp 0 0 127.0.0.1:6756 tcp 0 0 0.0.0.0:443 tcp6 0 0 :::80 tcp6 0 0 :::26716 tcp6 0 0 :::22 tcp6 0 0 :::443 udp 0 0 0.0.0.0:443 udp 0 0 0.0.0.0:44508 udp 0 0 127.0.0.53:53 udp 0 0 127.0.0.1:1234 udp 0 0 127.0.0.1:6450 udp6 0 0 :::57243 udp6 0 0 :::443 udp6 0 0 :::44508 udp6 0 0 :::60919 udp6 0 0 :::61490 udp6 0 0 :::26689 udp6 0 0 :::42056 udp6 0 0 :::43730 (only servers) Foreign Address State PID/Program name
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48928/nginx: master 0.0.0.0: LISTEN 48912/haproxy
0.0.0.0: LISTEN 48928/nginx: master 0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48912/haproxy
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48928/nginx: master 0.0.0.0: LISTEN 45947/sshd: /usr/sb 0.0.0.0: LISTEN 48950/xray
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 49034/python
0.0.0.0: LISTEN 49079/HiddifyCli
0.0.0.0: LISTEN 560/systemd-resolve 0.0.0.0: LISTEN 49079/HiddifyCli
0.0.0.0: LISTEN 49001/mariadbd
0.0.0.0: LISTEN 48883/redis-server
0.0.0.0: LISTEN 48936/sing-box
0.0.0.0: LISTEN 48950/xray
0.0.0.0: LISTEN 49079/HiddifyCli
0.0.0.0: LISTEN 48912/haproxy
::: LISTEN 48912/haproxy
::: LISTEN 48895/ssh-liberty-b ::: LISTEN 45947/sshd: /usr/sb ::: LISTEN 48912/haproxy
0.0.0.0: 48912/haproxy
0.0.0.0: -
0.0.0.0: 560/systemd-resolve 0.0.0.0: 48950/xray
0.0.0.0: 49079/HiddifyCli
::: 48936/sing-box
::: 48912/haproxy
::: -
::: 49079/HiddifyCli
::: 48950/xray
::: 49079/HiddifyCli
::: 48936/sing-box
:::* 49079/HiddifyCli

So, do I need set rules for the ports like the following ones:

sudo ufw allow 57243/udp sudo ufw allow 60919/udp sudo ufw allow 61490/udp sudo ufw allow 26689/udp sudo ufw allow 42056/udp sudo ufw allow 43730/udp

or, I should only allow TCP for the following ports?

sudo ufw allow 22/tcp sudo ufw allow 80/tcp sudo ufw allow 443/tcp sudo ufw allow 26716/tcp

Looking for your clarifying.

hiddify / Hiddify-Manager

Which ports should be allowed for best practice? #4492