Hi all,
I have been portscanned a number of times recently by the same computer. I've
used a combination of nslookup and finger and have the name of the culprit. It
is being dealt with.
This has prompted me to look even more closely at my firewalling. Ports <1024
are OK, as they are totally blocked, but those >1023 are pretty much open.
Although virtually every single service is commented out in inetd.conf, I still
want to block and log any connect attempts to 'special' ports.
At the moment, these are the high numbered ports I block:
1433 Microsoft SQL
2049 NFS
5432 PostgreSQL
5999:6010 X-Windows
7100 X Font Server
12345:12346 NetBus
31337 Back Orifice
I was having a look at the high numbered ports that he was scanning, and was
wondering what the significance of these ports was (I couldn't see anything in
/etc/services). By the way, the following are the high numbered ports that he
tried to scan, have any ideas what they are used for?
5190
5191
5192
5193
5631
5632
5800
5900
8000
8010
8080
9100
25867
31787
33333
And finally, are there any other high numbered ports that you think could be
potentially damaging (eg webmin - which port is that on)? Even if I'm not
running that service, I would still like to know which ones pose a security
threat so that I can block them anyway (in case I'm playing and start webmin,
for example, without realising it).
Is it generally considered safe to open up most high numbered ports? What do
the people on these lists do? Do you close them all and open some, or open all
and close some (all meaning all ports >1023)?
One last question - I keep on coming around to this one every so often. If
someone wants to connect to me using ICQ, they connect to a port >1023. I am
assuming that ICQ doesn't have a daemon or anything listening on every possible
port, so how does it know when another ICQ user is trying to connect? This
isn't an ICQ specific question - I'm just using it as an example - it could
apply to any remotely opened connection to a port >1023. How is this handled
(how does the computer know whether ICQ should handle the connect attempt or
whether it should be handled by some other process)?
Thanks in advance,
Chris
--
__ _
-o)/ / (_)__ __ ____ __ Chris Reeves
/\\ /__/ / _ \/ // /\ \/ / ICQ# 22219005
_\_v __/_/_//_/\_,_/ /_/\_\
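As an added illustration of the last question (example code, not part of the original post): the kernel dispatches an incoming TCP connect by matching its destination port against the sockets processes have bound and put into listening state, so a client like ICQ only needs to listen on its one chosen high port; a SYN to a port nobody is listening on is answered with a reset, and one a packet filter drops gets no answer at all. The listener below stands in for the ICQ client and the port numbers are chosen by the kernel at run time, not taken from the post.

```python
import socket

def probe(port, host="127.0.0.1", timeout=1.0):
    """Try one TCP connect to host:port and classify the outcome the way a
    port scanner would: 'open' (a process is listening), 'closed' (the kernel
    answered with RST because no socket owns that port) or 'filtered'
    (no answer within the timeout, e.g. a firewall DROP rule)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()

def run_demo():
    """Bind a listener on a kernel-chosen high port (stand-in for an ICQ client),
    probe it, then probe a high port that nothing is bound to."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port >1023
    listener.listen(1)
    listening_port = listener.getsockname()[1]

    # Find a port that is currently free: bind, read the number back, release it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    unbound_port = spare.getsockname()[1]
    spare.close()

    results = {
        "listening_port": listening_port,
        "listening": probe(listening_port),  # a socket owns the port -> accepted
        "unbound_port": unbound_port,
        "unbound": probe(unbound_port),      # no socket owns the port -> RST
    }
    listener.close()
    return results

if __name__ == "__main__":
    print(run_demo())
```

The same matching is why blocking a port for a service you are not running changes the scanner's view from "closed" to "filtered" but does not otherwise alter what the host accepts; it matters once you start that service by accident.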