Mailinglist Archive: opensuse-security (174 mails)
Re: [suse-security] portscanning and high ports
- From: Chris Reeves <chris.reeves@xxxxxxxxx>
- Date: Mon, 29 Nov 1999 21:44:35 +0000
- Message-id: <3842F3C3.2A09DFFE@xxxxxxxxx>
Hi Roman,
Roman Drahtmueller wrote:
> Be sure you really had a portscan on your box. It may as well have been
> some ftp transfer, where a server actively opens tcp connections to a
> client in your network for each file to be transferred. It should however
> be possible to distinguish these connections from others by the source
> port (20).
This was definitely a portscan, the ports tried included low-numbered ports,
but I didn't show those here, because I knew what they all were.
> nmap used to come with a quite exhaustive services-file (can be found on
> ftp.uni-freiburg.de:/pub/linux/misc/etc/services.nmap). It says:
> <snipped>
Ah! This could be a very useful file. It has now been saved for future
reference! Thanks.
>> Is it generally considered safe to open up most high numbered ports? What do
>> the people on these lists do? Do you close them all and open some, or open
>> all and close some (all meaning all ports >1023)?
> This discussion reduces itself to the necessity of allowing people to open
> connections from the outside to the inside in the first place.
> Everyone inside can tunnel/reflect ports from a higher port to a lower
> one, which renders "full control of all opening connections" to an
> illusion (there is no difference in whether a user inside "allows" for a
> connection from outside to inside to be established or not. The fact (it
> is possible) remains.).
> From this standpoint, solely filtering ports doesn't improve "security"
> as much as people often think it would. You need a more thoroughly
> designed concept, because the sole port number doesn't tell anything about
> the vulnerability of the whole system or even network. (access to an
> X-server could be accomplished by connecting to ssh-spoofed X-servers on
> the ssh-daemon-side. These ports default to the range above 6010.) If it
> is impossible for you to combine your packet filter with other concepts of
> restricting traffic/information flow, you might want to think of filtering
> packets matching what is called the "established flag".
Point taken. However, this isn't such a problem in my case, as I only have a
small, few-machine home network, and at the moment this computer isn't connected
to it. The "established flag" - is that the same as blocking SYN packets? It's
probably not, is it. I'll have a look into that.
Thanks a lot,
Chris
--
__ _
-o)/ / (_)__ __ ____ __ Chris Reeves
/\\ /__/ / _ \/ // /\ \/ / ICQ# 22219005
_\_v __/_/_//_/\_,_/ /_/\_\
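Added example, not part of the thread and not written by either participant: a small Python model of the two points Roman raises, namely that a port-only filter and a filter that also matches "established" traffic give different answers for the same inbound packets, and that active-mode FTP data connections can be told apart from a scan by their source port (20) and by how many distinct destination ports one source touches. The flag tests follow the classic definitions (an ipfw "established" rule matches TCP packets with ACK or RST set; an ipchains `-y` rule matches SYN set with ACK and FIN clear). The open-port policy, the addresses (documentation ranges) and the packet list are constructed for the example.

```python
# Added example (not from the thread): classify constructed inbound TCP
# packets the way a classic stateless packet filter would, and separate
# active-mode FTP data connections from a port scan by source port and by
# how many distinct destination ports one source touches.
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits (RFC 793 layout of the flags byte)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_established(p: Packet) -> bool:
    """ipfw-style 'established': the packet carries ACK or RST, i.e. it belongs
    to a connection that is already past the initial SYN."""
    return bool(p.flags & (ACK | RST))


def is_syn_only(p: Packet) -> bool:
    """ipchains '-y' style match: SYN set with ACK and FIN clear, i.e. the
    first packet of a new connection attempt."""
    return bool(p.flags & SYN) and not (p.flags & (ACK | FIN))


OPEN_LOW_PORTS = frozenset({22, 25, 80})  # constructed policy for the example


def port_only_allows(p: Packet, open_low=OPEN_LOW_PORTS) -> bool:
    """Pure port filter: admit inbound packets to the listed low ports and to
    every port above 1023 ('open all high ports, close some low ones')."""
    return p.dport in open_low or p.dport > 1023


def established_allows(p: Packet, open_low=OPEN_LOW_PORTS) -> bool:
    """Same port policy plus an 'established' rule: return traffic for
    connections we opened is admitted to any port, but a fresh connection
    attempt (no ACK/RST) is admitted only to the listed low ports."""
    if is_established(p):
        return True
    return p.dport in open_low


def classify_sources(packets, scan_threshold: int = 5) -> dict:
    """Label each source that sent unsolicited connection attempts.
    'ftp-data'  - every attempt came from source port 20 (active-mode FTP data)
    'portscan'  - attempts touched >= scan_threshold distinct destination ports
    'connect'   - a small number of ordinary connection attempts
    A source port is not proof of origin, so treat 'ftp-data' as a hint to
    correlate with your own outgoing FTP control sessions, not as a verdict."""
    dports = defaultdict(set)
    sports = defaultdict(set)
    for p in packets:
        if not is_syn_only(p):
            continue  # replies and resets are not new attempts
        dports[p.src].add(p.dport)
        sports[p.src].add(p.sport)
    labels = {}
    for src in dports:
        if sports[src] == {20}:
            labels[src] = "ftp-data"
        elif len(dports[src]) >= scan_threshold:
            labels[src] = "portscan"
        else:
            labels[src] = "connect"
    return labels


# Constructed sample traffic; all addresses come from documentation ranges.
HOME = "192.0.2.10"
SAMPLE = (
    # one host probing a spread of low and high ports (SYN only)
    [Packet("203.0.113.9", 40000 + i, HOME, d, SYN)
     for i, d in enumerate([21, 23, 79, 111, 1024, 6000, 31337])]
    # an FTP server opening active-mode data connections from port 20
    + [Packet("198.51.100.20", 20, HOME, d, SYN) for d in (1025, 1026, 1027)]
    # the SYN/ACK reply to an ssh session we opened ourselves
    + [Packet("198.51.100.7", 22, HOME, 2048, SYN | ACK)]
)


def verdicts(packets):
    """Return (port_only_allowed, established_allowed) counts for a packet list."""
    return (sum(port_only_allows(p) for p in packets),
            sum(established_allows(p) for p in packets))


if __name__ == "__main__":
    print(classify_sources(SAMPLE))
    print(verdicts(SAMPLE))
```

Run against the constructed sample, the port-only policy admits the three probes aimed at ports above 1023 along with the FTP data connections, while the "established" variant admits only the SYN/ACK reply to our own ssh session. The same rule that shuts out the high-port probes also shuts out active-mode FTP data connections, which is the operational price of that approach on a filter without connection tracking.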