On Mon, 29 Nov 1999, Chris Reeves wrote:
Hi all,
I have been portscanned a number of times recently by the same computer. I've used a combination of nslookup and finger and have the name of the culprit. It is being dealt with.

"Dealt with..." Big deal, you speak of port scans like they are something illegal! There is nothing illegal about port scanning.
D. Clemens

This has prompted me to look even more closely at my firewalling. Ports <1024 are OK, as they are totally blocked, but those >1023 are pretty much open. Although virtually every single service is commented out in inetd.conf, I still want to block and log any connect attempts to 'special' ports.
At the moment, these are the high numbered ports I block:
1433 Microsoft SQL
2049 NFS
5432 PostgreSQL
5999:6010 X-Windows
7100 X Font Server
12345:12346 NetBus
31337 Back Orifice
I was having a look at the high numbered ports that he was scanning, and was wondering what the significance of these ports was (I couldn't see anything in /etc/services). By the way, the following are the high numbered ports that he tried to scan, have any ideas what they are used for?
5190 5191 5192 5193 5631 5632 5800 5900 8000 8010 8080 9100 25867 31787 33333
And finally, are there any other high numbered ports that you think could be potentially damaging (e.g. webmin - which port is that on)? Even if I'm not running that service, I would still like to know which ones pose a security threat so that I can block them anyway (in case I'm playing and start webmin, for example, without realising it).
Is it generally considered safe to open up most high numbered ports? What do the people on these lists do? Do you close them all and open some, or open all and close some (all meaning all ports >1023)?
One last question - I keep on coming around to this one every so often. If someone wants to connect to me using ICQ, they connect to a port >1023. I am assuming that ICQ doesn't have a daemon or anything listening on every possible port, so how does it know when another ICQ user is trying to connect? This isn't an ICQ specific question - I'm just using it as an example - it could apply to any remotely opened connection to a port >1023. How is this handled (how does the computer know whether ICQ should handle the connect attempt or whether it should be handled by some other process)?
Thanks in advance,
Chris
--
Chris Reeves
ICQ# 22219005