[SLE] Re: [suse-security] portscanning and high ports
Hi Roman,

Roman Drahtmueller wrote:
Be sure you really had a portscan on your box. It may as well have been some ftp transfer, where a server actively opens tcp connections to a client in your network for each file to be transferred. It should however be possible to distinguish these connections from others by the source port (20).
This was definitely a portscan, the ports tried included low-numbered ports, but I didn't show those here, because I knew what they all were.
nmap used to come with a quite exhaustive services-file (can be found on ftp.uni-freiburg.de:/pub/linux/misc/etc/services.nmap). It says:
<snipped>

Ah! This could be a very useful file. It has now been saved for future reference! Thanks.
Is it generally considered safe to open up most high numbered ports? What do the people on these lists do? Do you close them all and open some, or open all and close some (all meaning all ports >1023)?
This discussion reduces itself to the necessity of allowing people to open connections from the outside to the inside in the first place.
Everyone inside can tunnel/reflect ports from a higher port to a lower one, which renders "full control of all opening connections" an illusion (there is no difference in whether a user inside "allows" for a connection from outside to inside to be established or not. The fact (it is possible) remains.). From this standpoint, solely filtering ports doesn't improve "security" as much as people often think it would. You need a more thoroughly designed concept, because the sole port number doesn't tell anything about the vulnerability of the whole system or even network. (Access to an X-server could be accomplished by connecting to ssh-spoofed X-servers on the ssh-daemon-side. These ports default to the range above 6010.) If it is impossible for you to combine your packet filter with other concepts of restricting traffic/information flow, you might want to think of filtering packets matching what is called the "established flag".
Point taken. However, this isn't such a problem in my case, as I only have a small, few-machine home network, and at the moment this computer isn't connected to it.

The "established flag" - is that the same as blocking SYN packets? It's probably not, is it. I'll have a look into that.

Thanks a lot,
Chris

--
Chris Reeves
ICQ# 22219005
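On the closing question of whether matching the "established flag" is the same as blocking SYN packets, the following is an added example and not part of the original message. It assumes two common stateless definitions that the thread does not spell out: "established" meaning ACK or RST set (the Cisco ACL keyword's meaning), and "SYN" meaning the iptables `--syn` match (SYN set; ACK, RST and FIN clear). The sample segments are constructed.

```python
# Added example: compares two stateless inbound TCP policies on constructed segments.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def is_established(flags):
    """Stateless 'established' test (assumed definition): ACK or RST set."""
    return bool(flags & (ACK | RST))


def is_initial_syn(flags):
    """iptables '--syn' semantics (assumed): SYN set; ACK, RST and FIN clear."""
    return (flags & (SYN | ACK | RST | FIN)) == SYN


def policy_block_syn(flags):
    """Policy A: drop connection-opening SYNs, accept everything else."""
    return "DROP" if is_initial_syn(flags) else "ACCEPT"


def policy_established_only(flags):
    """Policy B: accept only segments that look like part of an open connection."""
    return "ACCEPT" if is_established(flags) else "DROP"


# Constructed inbound segments: (description, TCP flags)
SAMPLES = [
    ("new connection to a high port", SYN),
    ("active-mode FTP data connection (src port 20)", SYN),
    ("reply to our outbound SYN", SYN | ACK),
    ("data on an existing connection", ACK | PSH),
    ("bare FIN with no connection", FIN),
    ("segment with no flags set", 0),
    ("unsolicited ACK", ACK),
]


def compare(samples=SAMPLES):
    """Return (description, verdict under A, verdict under B) for each segment."""
    return [(d, policy_block_syn(f), policy_established_only(f)) for d, f in samples]


def disagreements(samples=SAMPLES):
    """Descriptions of the segments on which the two policies differ."""
    return [d for d, a, b in compare(samples) if a != b]


if __name__ == "__main__":
    for desc, a, b in compare():
        print(f"{desc:46} block-SYN={a:6} established-only={b}")
```

The two policies agree on ordinary traffic, including dropping the server-initiated FTP data connection, and differ only on segments that carry neither SYN nor ACK/RST. Both accept an unsolicited ACK, which only a filter that tracks connection state can reject.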