Closing Port 80: Security Benefit?

TL;DR

Closing port 80 (the standard HTTP port) on your server can improve security, but it’s not a magic bullet. It forces users to use HTTPS (port 443), which encrypts their connection. However, you *must* redirect all traffic from port 80 to port 443 for this to work effectively.

Why Port 80 Can Be a Security Risk

Port 80 is used for unencrypted web traffic (HTTP). Data sent over HTTP can be intercepted and read by attackers. Modern websites should always use HTTPS, which encrypts the data using SSL/TLS.

Steps to Improve Security by Closing Port 80

  1. Check if Port 80 is Open: Use a local tool such as netstat, or an online port checker.
    • Using netstat (Linux):
      sudo netstat -tulnp | grep ':80'

      This will show you if anything is listening on port 80.

    • Online Port Checker: Search for ‘online port checker’ and enter your website address to see if port 80 is open.
  2. Configure Your Firewall: Block incoming traffic on port 80 using your server’s firewall (e.g., iptables, firewalld, or a cloud provider’s security group).
    • Using UFW (Ubuntu):
      sudo ufw deny 80

      Then reload the firewall:

      sudo ufw reload
    • Using firewalld (CentOS/RHEL):
      sudo firewall-cmd --permanent --remove-port=80/tcp

      Then reload the firewall:

      sudo firewall-cmd --reload
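  3. Set Up a Redirect from Port 80 to Port 443: This is the *most important* step. If port 80 is closed but not redirected, users will see an error when they try to access your site using HTTP. You need to configure your web server (e.g., Apache or Nginx) to redirect all incoming requests on port 80 to HTTPS (port 443). The web server can only answer with a redirect if requests on port 80 actually reach it, so a firewall rule that blocks port 80 (step 2) also stops the redirect from being served.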
    • Apache: Add the following to your virtual host configuration file (.htaccess or site config):
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    • Nginx: Add the following to your server block configuration file:
      server {
        listen 80;
        return 301 https://$host$request_uri;
      }
  4. Test the Redirect: After configuring the redirect, try accessing your website using both HTTP (e.g., http://yourwebsite.com) and HTTPS (e.g., https://yourwebsite.com). You should be automatically redirected to the HTTPS version.
  5. Verify SSL/TLS Configuration: Ensure your SSL/TLS certificate is valid and properly configured. Use an online SSL checker tool to verify this.

Important Considerations

  • HTTPS is Essential: Closing port 80 only helps if you have a correctly configured HTTPS setup on port 443.
  • HSTS: Consider enabling HTTP Strict Transport Security (HSTS) to further improve security by telling browsers to *always* use HTTPS for your site.
  • Content Security Policy (CSP): Implement CSP to mitigate cross-site scripting (XSS) attacks.
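
A way to script the redirect test from step 4 and the HSTS check mentioned above. This is an added example, not part of the original article: `example.test`, the function names and the sample responses are constructed, and the functions read response headers in the form `curl -sI` prints them.

```shell
#!/bin/sh
# Added example, not from the original page. Both functions read response
# headers on stdin, e.g.:  curl -sI http://example.test/ | check_redirect example.test
# example.test and the sample responses below are constructed placeholders.

# Return 0 only for a permanent redirect (301, or its method-preserving
# equivalent 308) to https:// on the expected host.
check_redirect() {
    want_host=$1
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n 1 | sed 's/^[^:]*: *//')
    case $status in
        301|308) ;;
        *) echo "FAIL: status ${status:-none} is not a permanent redirect"; return 1 ;;
    esac
    case $location in
        "https://$want_host"|"https://$want_host/"*)
            echo "OK: $status -> $location"; return 0 ;;
        https://*)
            echo "FAIL: redirect goes to another host: $location"; return 2 ;;
        *)
            echo "FAIL: Location is not https: ${location:-missing}"; return 3 ;;
    esac
}

# Return 0 only if Strict-Transport-Security is present with max-age > 0
# (max-age=0 tells the browser to forget the policy).
check_hsts() {
    value=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' |
        awk -F': *' '$1=="strict-transport-security" {print $2; exit}')
    max_age=$(printf '%s\n' "$value" | sed -n 's/.*max-age="*\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] && [ "$max_age" -gt 0 ]
}

# Constructed sample responses.
SAMPLE_GOOD='HTTP/1.1 301 Moved Permanently
Location: https://example.test/login'
SAMPLE_TEMP='HTTP/1.1 302 Found
Location: https://example.test/login'

printf '%s\n' "$SAMPLE_GOOD" | check_redirect example.test
printf '%s\n' "$SAMPLE_TEMP" | check_redirect example.test || true
```

A 302 is reported as a failure because browsers do not cache a temporary redirect, so the plain-HTTP request is repeated on every visit.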