Hi all,

I have been portscanned a number of times recently by the same computer. I've used a combination of nslookup and finger and have the name of the culprit. It is being dealt with.

This has prompted me to look even more closely at my firewalling. Ports <1024 are OK, as they are totally blocked, but those >1023 are pretty much open. Although virtually every single service is commented out in inetd.conf, I still want to block and log any connect attempts to 'special' ports.

At the moment, these are the high numbered ports I block:

  1433         Microsoft SQL
  2049         NFS
  5432         PostgreSQL
  5999:6010    X-Windows
  7100         X Font Server
  12345:12346  NetBus
  31337        Back Orifice

I was having a look at the high numbered ports that he was scanning, and was wondering what the significance of these ports was (I couldn't see anything in /etc/services). By the way, the following are the high numbered ports that he tried to scan, have any ideas what they are used for?

  5190 5191 5192 5193 5631 5632 5800 5900 8000 8010 8080 9100 25867 31787 33333

And finally, are there any other high numbered ports that you think could be potentially damaging (eg webmin - which port is that on)? Even if I'm not running that service, I would still like to know which ones pose a security threat so that I can block them anyway (in case I'm playing and start webmin, for example, without realising it).

Is it generally considered safe to open up most high numbered ports? What do the people on these lists do? Do you close them all and open some, or open all and close some (all meaning all ports >1023)?

One last question - I keep on coming around to this one every so often. If someone wants to connect to me using ICQ, they connect to a port >1023. I am assuming that ICQ doesn't have a daemon or anything listening on every possible port, so how does it know when another ICQ user is trying to connect?

This isn't an ICQ specific question - I'm just using it as an example - it could apply to any remotely opened connection to a port >1023. How is this handled (how does the computer know whether ICQ should handle the connect attempt or whether it should be handled by some other process)?

Thanks in advance,
Chris

--
Chris Reeves
ICQ# 22219005
On Mon, 29 Nov 1999, Chris Reeves wrote:
> Hi all,
> I have been portscanned a number of times recently by the same computer. I've used a combination of nslookup and finger and have the name of the culprit. It is being dealt with.

"Dealt with..."

Big deal, you speak of port scans like they are something illegal! There is nothing illegal about port scanning.

D. Clemens
> This has prompted me to look even more closely at my firewalling. Ports <1024 are OK, as they are totally blocked, but those >1023 are pretty much open. Although virtually every single service is commented out in inetd.conf, I still want to block and log any connect attempts to 'special' ports.
>
> At the moment, these are the high numbered ports I block:
>
>   1433         Microsoft SQL
>   2049         NFS
>   5432         PostgreSQL
>   5999:6010    X-Windows
>   7100         X Font Server
>   12345:12346  NetBus
>   31337        Back Orifice
>
> I was having a look at the high numbered ports that he was scanning, and was wondering what the significance of these ports was (I couldn't see anything in /etc/services). By the way, the following are the high numbered ports that he tried to scan, have any ideas what they are used for?
>
>   5190 5191 5192 5193 5631 5632 5800 5900 8000 8010 8080 9100 25867 31787 33333
>
> And finally, are there any other high numbered ports that you think could be potentially damaging (eg webmin - which port is that on)? Even if I'm not running that service, I would still like to know which ones pose a security threat so that I can block them anyway (in case I'm playing and start webmin, for example, without realising it).
>
> Is it generally considered safe to open up most high numbered ports? What do the people on these lists do? Do you close them all and open some, or open all and close some (all meaning all ports >1023)?
>
> One last question - I keep on coming around to this one every so often. If someone wants to connect to me using ICQ, they connect to a port >1023. I am assuming that ICQ doesn't have a daemon or anything listening on every possible port, so how does it know when another ICQ user is trying to connect? This isn't an ICQ specific question - I'm just using it as an example - it could apply to any remotely opened connection to a port >1023. How is this handled (how does the computer know whether ICQ should handle the connect attempt or whether it should be handled by some other process)?
>
> Thanks in advance,
> Chris
>
> --
> Chris Reeves
> ICQ# 22219005
Chris,
> /etc/services). By the way, the following are the high numbered ports that he tried to scan, have any ideas what they are used for?
>
>   5190 5191 5192 5193 5631 5632 5800 5900 8000 8010 8080 9100 25867 31787 33333
Be sure you really had a portscan on your box. It may as well have been some ftp transfer, where a server actively opens tcp connections to a client in your network for each file to be transferred. It should however be possible to distinguish these connections from others by the source port (20).

nmap used to come with a quite exhaustive services-file (can be found on ftp.uni-freiburg.de:/pub/linux/misc/etc/services.nmap). It says:

  aol        5190/tcp   # America-Online
  aol        5190/udp   # America-Online
  aol-1      5191/tcp   # AmericaOnline1
  aol-1      5191/udp   # AmericaOnline1
  aol-2      5192/tcp   # AmericaOnline2
  aol-2      5192/udp   # AmericaOnline2
  aol-3      5193/tcp   # AmericaOnline3
  aol-3      5193/udp   # AmericaOnline3
  jetdirect  9100/tcp   # HP JetDirect card
> Is it generally considered safe to open up most high numbered ports? What do the people on these lists do? Do you close them all and open some, or open all and close some (all meaning all ports >1023)?
This discussion reduces itself to the necessity of allowing people to open connections from the outside to the inside in the first place.

Everyone inside can tunnel/reflect ports from a higher port to a lower one, which renders "full control of all opening connections" to an illusion (there is no difference in whether a user inside "allows" for a connection from outside to inside to be established or not. The fact (it is possible) remains.). From this standpoint, solely filtering ports doesn't improve "security" as much as people often think it would. You need a more thoroughly designed concept, because the sole port number doesn't tell anything about the vulnerability of the whole system or even network. (Access to an X-server could be accomplished by connecting to ssh-spoofed X-servers on the ssh-daemon-side. These ports default to the range above 6010.)

If it is impossible for you to combine your packet filter with other concepts of restricting traffic/information flow, you might want to think of filtering packets matching what is called the "established flag".

Regards,
Roman.

--
Roman Drahtmüller
CC University of Freiburg
email: draht@uni-freiburg.de
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
People often find it easier to be a result of the past than a cause of the future.
Hi Roman,

Roman Drahtmueller wrote:
> Be sure you really had a portscan on your box. It may as well have been some ftp transfer, where a server actively opens tcp connections to a client in your network for each file to be transferred. It should however be possible to distinguish these connections from others by the source port (20).
This was definitely a portscan, the ports tried included low-numbered ports, but I didn't show those here, because I knew what they all were.
> nmap used to come with a quite exhaustive services-file (can be found on ftp.uni-freiburg.de:/pub/linux/misc/etc/services.nmap). It says:
>
> <snipped>

Ah! This could be a very useful file. It has now been saved for future reference! Thanks.
> Is it generally considered safe to open up most high numbered ports? What do the people on these lists do? Do you close them all and open some, or open all and close some (all meaning all ports >1023)?

> This discussion reduces itself to the necessity of allowing people to open connections from the outside to the inside in the first place.
>
> Everyone inside can tunnel/reflect ports from a higher port to a lower one, which renders "full control of all opening connections" to an illusion (there is no difference in whether a user inside "allows" for a connection from outside to inside to be established or not. The fact (it is possible) remains.). From this standpoint, solely filtering ports doesn't improve "security" as much as people often think it would. You need a more thoroughly designed concept, because the sole port number doesn't tell anything about the vulnerability of the whole system or even network. (Access to an X-server could be accomplished by connecting to ssh-spoofed X-servers on the ssh-daemon-side. These ports default to the range above 6010.) If it is impossible for you to combine your packet filter with other concepts of restricting traffic/information flow, you might want to think of filtering packets matching what is called the "established flag".
Point taken. However, this isn't such a problem in my case, as I only have a small, few-machine home network, and at the moment this computer isn't connected to it.

The "established flag" - is that the same as blocking SYN packets? It's probably not, is it. I'll have a look into that.

Thanks a lot,
Chris

--
Chris Reeves
ICQ# 22219005
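To make Roman's "established flag" suggestion and Chris's follow-up question concrete, here is a toy stateless filter added for this archive (it is not code from anyone in the thread). The policy, the port labels and the sample traffic are all constructed for the example; the TCP flag semantics are the standard ones.

```python
"""Toy stateless packet filter showing what "matching the established flag" means.

Added example; not from the thread. A TCP segment with SYN set and ACK clear
is the first packet of a new connection. Everything else (SYN+ACK, bare ACK,
data, FIN) belongs to a connection that already exists, which is what
ipchains/iptables call "established". So the rule is not "block all SYN
packets": replies to connections this host opened carry SYN+ACK and are let
through, while unsolicited connection attempts are dropped.
"""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
# High ports the original poster blocks explicitly; here they only label log lines.
SPECIAL_PORTS = {1433: "MS SQL", 2049: "NFS", 5432: "PostgreSQL", 7100: "X font server",
                 12345: "NetBus", 12346: "NetBus", 31337: "Back Orifice"}
SPECIAL_PORTS.update({p: "X11" for p in range(5999, 6011)})

@dataclass
class Segment:
    src: str
    sport: int
    dport: int
    flags: int

def opens_connection(seg):
    """True for a SYN-only segment, i.e. an attempt to open a new connection."""
    return bool(seg.flags & SYN) and not (seg.flags & ACK)

def filter_inbound(seg, log):
    """Decide ACCEPT/DROP for one inbound segment; append a line to log on DROP.

    Policy (constructed for this example): anything belonging to an existing
    connection passes; every unsolicited connection attempt is dropped and
    logged, with the service name when the port is on the special list.
    """
    if not opens_connection(seg):
        return "ACCEPT"
    label = SPECIAL_PORTS.get(seg.dport, "low port" if seg.dport < 1024 else "high port")
    log.append(f"DROP new connection {seg.src}:{seg.sport} -> {seg.dport} ({label})")
    return "DROP"

def run_sample():
    """Constructed traffic: two scan probes, an ICQ reply, and active-mode FTP data."""
    log = []
    sample = [
        Segment("203.0.113.9", 40001, 31337, SYN),        # probe to the Back Orifice port
        Segment("203.0.113.9", 40002, 5900, SYN),         # probe to VNC display 0
        Segment("198.51.100.5", 5190, 1234, SYN | ACK),   # reply to a connection we opened
        Segment("198.51.100.5", 5190, 1234, ACK),         # data on that same connection
        Segment("192.0.2.7", 20, 1100, SYN),              # FTP server opening a data connection
    ]
    return [filter_inbound(s, log) for s in sample], log
```

The last sample line shows the cost Roman hints at: an active-mode FTP data connection arrives as an inbound SYN from source port 20 and is dropped like any other unsolicited connection unless a separate rule allows it.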
Chris Reeves wrote:
> I was having a look at the high numbered ports that he was scanning, and was wondering what the significance of these ports was (I couldn't see anything in /etc/services). By the way, the following are the high numbered ports that he tried to scan, have any ideas what they are used for?
>
> 5900
5900 and up is used for VNC (virtual network console), a remote GUI session tool where, unlike X11, only the keyboard and screen buffer are transferred, but the session stays on the server. It has only a single plain text password protection. With Linux your users create more virtual X terminals 2,3,4,...; the matching port number is increased by the display number - 5902, 5903, ... Windows PCs have only one display numbered zero - listening on port 5900. So that's a neat thing to scan for - free access to the whole machine!

See http://www.uk.research.att.com/vnc/ for examples and software (freeware).

Yours,
Peter

--
Peter Vohmann, Systems Admin; Phone +49(721)91344-0; Fax -99
VIONA Development GmbH & Co. KG, Karlsruhe, Germany; Partner of RAVISENT Technologies, Inc.
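Roman's services.nmap lookup and Peter's VNC display rule can be combined into one small script that annotates a list of scanned ports. This is an added example for the archive, not code from the thread or from nmap; the file excerpt is constructed from the entries Roman quoted, and the format is the one /etc/services and nmap's services file share.

```python
"""Look up scanned port numbers in a services.nmap-style file.

Added example, not from the thread. Each line is "name  port/proto  [aliases]
# comment". Ports with no entry fall back to the VNC rule from the thread:
the port is 5900 plus the X display number, so 5900 is display :0 and 5902
is display :2. Anything else is reported as unknown rather than guessed.
"""

# Constructed excerpt in services.nmap format, taken from the entries quoted above.
SAMPLE_SERVICES = """\
# name       port/proto   comment
aol          5190/tcp   # America-Online
aol          5190/udp   # America-Online
aol-1        5191/tcp   # AmericaOnline1
aol-2        5192/tcp   # AmericaOnline2
aol-3        5193/tcp   # AmericaOnline3
jetdirect    9100/tcp   # HP JetDirect card
"""

def parse_services(text):
    """Return {(port, proto): (name, comment)} from services-file text."""
    table = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")      # everything after '#' is a comment
        fields = body.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                               # blank, comment-only or malformed line
        port, _, proto = fields[1].partition("/")
        if not port.isdigit():
            continue
        table[(int(port), proto)] = (fields[0], comment.strip())
    return table

def describe_port(port, table, proto="tcp"):
    """Service name for a port; VNC display rule as fallback; else 'unknown'."""
    if (port, proto) in table:
        name, comment = table[(port, proto)]
        return f"{name} ({comment})" if comment else name
    if 5900 <= port <= 5999:
        return f"VNC display :{port - 5900}"
    return "unknown"

def annotate(ports, text=SAMPLE_SERVICES):
    """Map each scanned port number to a human-readable description."""
    table = parse_services(text)
    return {p: describe_port(p, table) for p in ports}

if __name__ == "__main__":
    for port, what in annotate([5190, 5191, 5900, 5902, 9100, 25867]).items():
        print(f"{port:>6}  {what}")
```

Pointing `annotate` at the full services.nmap file instead of the excerpt answers the same question for the whole scanned list.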