Mailinglist Archive: opensuse-security (174 mails)
Re: [suse-security] portscanning and high ports
- From: -|D|- <cloud9@xxxxxxxxxxxx>
- Date: Mon, 29 Nov 1999 14:32:49 -0700 (MST)
- Message-id: <Pine.LNX.4.03.9911291431150.13391-100000@xxxxxxxxxxxxxxxxxxx>
On Mon, 29 Nov 1999, Chris Reeves wrote:
> Hi all,

"Dealt with..."

> I have been portscanned a number of times recently by the same computer. I've
> used a combination of nslookup and finger and have the name of the culprit. It
> is being dealt with.

Big deal, you speak of port scans like they are something illegal! There
is nothing illegal about port scanning.

> This has prompted me to look even more closely at my firewalling. Ports <1024
> are OK, as they are totally blocked, but those >1023 are pretty much open.
> Although virtually every single service is commented out in inetd.conf, I
> want to block and log any connect attempts to 'special' ports.
> At the moment, these are the high numbered ports I block:
> 1433 Microsoft SQL
> 7100 X Font Server
> 31337 Back Orifice
> I was having a look at the high numbered ports that he was scanning, and was
> wondering what the significance of these ports was (I couldn't see anything in
> /etc/services). By the way, the following are the high numbered ports that he
> tried to scan, have any ideas what they are used for?
> And finally, are there any other high numbered ports that you think could be
> potentially damaging (eg webmin - which port is that on)? Even if I'm not
> running that service, I would still like to know which ones pose a security
> threat so that I can block them anyway (in case I'm playing and start webmin,
> for example, without realising it).
> Is it generally considered safe to open up most high numbered ports? What do
> the people on these lists do? Do you close them all and open some, or open all
> and close some (all meaning all ports >1023)?
> One last question - I keep on coming around to this one every so often. If
> someone wants to connect to me using ICQ, they connect to a port >1023. I am
> assuming that ICQ doesn't have a daemon or anything listening on every
> port, so how does it know when another ICQ user is trying to connect? This
> isn't an ICQ specific question - I'm just using it as an example - it could
> apply to any remotely opened connection to a port >1023. How is this handled
> (how does the computer know whether ICQ should handle the connect attempt or
> whether it should be handled by some other process)?
> Thanks in advance,
> -o)/ / (_)__ __ ____ __ Chris Reeves
> /\\ /__/ / _ \/ // /\ \/ / ICQ# 22219005
> _\_v __/_/_//_/\_,_/ /_/\_\