Date:      Wed, 29 Nov 2000 19:07:20 -0800
From:      "John Howie" <JHowie@msn.com>
To:        <freebsd-security@FreeBSD.ORG>, <freebsd-isp@freebsd.org>, "Jonathan M. Slivko" <jon_slivko@simphost.com>
Subject:   Re: Danger Ports
Message-ID:  <016801c05a7a$a7bac8c0$fd01a8c0@pacbell.net>


Jonathan,

My apologies - I see what you are after now. Yes, there is a list floating
around, but I usually head over to SANS and get theirs:

http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

You will see that it is extensive!

Regarding your followup on dummy applications acting as these rogue
services/daemons, I think you are after a Honeypot. There are a couple but
I'll need to check out the details as I don't have them off the top of my
head. Depending on the level of sophistication you are after it might just
be easier to have your firewall log any attempt to access one of the ports
that you are interested in and deny access.

Hope this helps,

john...

----- Original Message -----
From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
To: "John Howie" <JHowie@msn.com>
Cc: <freebsd-security@freebsd.org>; <freebsd-isp@freebsd.org>
Sent: Wednesday, November 29, 2000 6:08 PM
Subject: Re: Danger Ports


> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? Or are there any utilities that
> act as those servers and log all attempts in hopes of catching those users
> who will no doubt try and take advantage of an open system?
>
> ----
> Jonathan M. Slivko <jon_slivko@simphost.com>
> Technical Support, CoreSync Corporation (http://www.coresync.net)
> Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> Pager/Voicemail: (917) 388-5304
> ----
>
> On Wed, 29 Nov 2000, John Howie wrote:
>
> > Jonathan,
> >
> > Rather than denying access to certain ports on your system, and allowing
> > access to the rest, you might find it easier to think in the reverse -
> > What ports do I need to leave open to outside (presumably Internet) users?
> >
> > The answer to that question depends on the needs of your outside users.
> > You will probably need to allow SSH access, and I would suggest that you
> > get users to use SCP instead of FTP (unless you have a public FTP site
> > that allows anonymous connections). You might also need to open up access
> > to SMTP and POP3 services for mail (while ensuring that your site can't
> > be used as a mail relay). DNS is another service that you might need to
> > provide access to.
> >
> > If users need access to so-called dangerous services such as X, printer,
> > NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings
> > them into your network through the firewall and allows them to access
> > these services as an internal user.
> >
> > O'Reilly does a good book on Firewall Security; I suggest that you get
> > it and have a read. CERT also has a good document on packet filtering
> > (http://www.cert.org). Also, check the FreeBSD handbook or The Complete
> > FreeBSD for more information about setting up firewalls on FreeBSD
> > systems.
> >
> > Hope this helps,
> >
> > john...
> >
> > ----- Original Message -----
> > From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
> > To: <freebsd-security@freebsd.org>
> > Cc: <freebsd-isp@freebsd.org>
> > Sent: Wednesday, November 29, 2000 5:23 PM
> > Subject: Danger Ports
> >
> >
> > > Can someone tell me what are the "danger" ports on FreeBSD, ports that
> > > perhaps need to be blocked because they are insecure? I would like to
> > > know so in the future, I can prevent outside attacks and concentrate
> > > more on internal attacks, or "insider jobs" as they're called.
> > >
> > > ----
> > > Jonathan M. Slivko <jon_slivko@simphost.com>
> > > Technical Support, CoreSync Corporation (http://www.coresync.net)
> > > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> > > Pager/Voicemail: (917) 388-5304
> > > ----
> > >
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message

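An added example, not part of the thread above, of the kind of "utility that acts as those servers and logs all attempts" Jonathan asks about and John calls a honeypot. It binds to a list of watched ports (TCP or UDP), records every connection or datagram with the peer address, the local port and the first bytes sent, and closes without ever answering; that is the same log-and-deny outcome John suggests getting from the firewall, plus the payload. The port numbers and labels in the `__main__` section are commonly cited defaults for Back Orifice and trinoo and are an assumption here; check them against the SANS list before relying on them. All names in the code (`DummyListener`, `Attempt`, `format_attempt`, `probe_self`) are invented for this example.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Attempt:
    when: float         # time.time() when the attempt was seen
    proto: str          # "tcp" or "udp"
    src: tuple          # (ip, port) of the peer
    dport: int          # local port that was probed
    label: str          # what that port is believed to be (from the watch list)
    first_bytes: bytes  # up to snaplen bytes the peer sent, kept for analysis


class DummyListener:
    """Binds every (proto, port, label) in `watch`, accepts whatever arrives,
    records it and closes without replying.  Nothing here emulates the real
    tool; staying this shallow is deliberate, since protocol emulation is
    where honeypot code itself becomes attack surface."""

    def __init__(self, watch, bind_addr="0.0.0.0", snaplen=64):
        self.snaplen = snaplen
        self.attempts = []
        self.bound = {}            # (proto, actual port) -> label
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._socks, self._threads = [], []
        for proto, port, label in watch:
            kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
            s = socket.socket(socket.AF_INET, kind)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((bind_addr, port))   # port 0 lets the OS pick (used by the test)
            s.settimeout(0.2)           # so the serve loops can notice _stop
            if proto == "tcp":
                s.listen(16)
            actual = s.getsockname()[1]
            self.bound[(proto, actual)] = label
            self._socks.append((proto, actual, s))

    def start(self):
        for proto, port, s in self._socks:
            target = self._serve_tcp if proto == "tcp" else self._serve_udp
            t = threading.Thread(target=target, args=(s, port), daemon=True)
            t.start()
            self._threads.append(t)

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        for _, _, s in self._socks:
            s.close()

    def _record(self, proto, src, dport, data):
        a = Attempt(time.time(), proto, src, dport,
                    self.bound.get((proto, dport), "unknown"), data[:self.snaplen])
        with self._lock:
            self.attempts.append(a)
        print(format_attempt(a))

    def _serve_tcp(self, s, port):
        while not self._stop.is_set():
            try:
                conn, src = s.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(self.snaplen)   # b"" if the peer only probed
                except (socket.timeout, OSError):
                    data = b""
                self._record("tcp", src, port, data)

    def _serve_udp(self, s, port):
        while not self._stop.is_set():
            try:
                data, src = s.recvfrom(self.snaplen)
            except socket.timeout:
                continue
            self._record("udp", src, port, data)


def format_attempt(a):
    """One syslog-style line per attempt; payload as hex so binary data
    (Back Orifice traffic is not printable) cannot corrupt the log."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(a.when))
    return (f"{ts} PROBE proto={a.proto} src={a.src[0]}:{a.src[1]} "
            f"dport={a.dport} label={a.label!r} bytes={len(a.first_bytes)} "
            f"hex={a.first_bytes.hex()}")


def probe_self(listener, proto, port, payload):
    """Send `payload` to one of our own listeners from localhost and return
    the attempts recorded as a result (constructed traffic, for testing)."""
    before = len(listener.attempts)
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as c:
        c.settimeout(1.0)
        if proto == "tcp":
            c.connect(("127.0.0.1", port))
            c.sendall(payload)
        else:
            c.sendto(payload, ("127.0.0.1", port))
    deadline = time.time() + 3.0
    while len(listener.attempts) <= before and time.time() < deadline:
        time.sleep(0.05)
    return listener.attempts[before:]


if __name__ == "__main__":
    # Assumed defaults for the tools named in the thread; verify against the
    # SANS list before treating a hit on one of these as conclusive.
    WATCH = [("udp", 31337, "Back Orifice"),
             ("tcp", 27665, "trinoo master"),
             ("udp", 27444, "trinoo daemon"),
             ("udp", 31335, "trinoo daemon->master")]
    lst = DummyListener(WATCH)
    lst.start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        lst.stop()
```

Run it on the box you want to watch (none of the assumed ports is privileged, so root is not needed) and pipe stdout to logger(1) if you want the lines in syslog. It only sees what the firewall lets through: if ipfw already denies those ports, put the listener on a machine outside that rule, or rely on the firewall's own log as John suggests. A hit on one of these ports is a sign someone is sweeping for compromised hosts, not proof the host is compromised; that judgement needs the rest of the system checked.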
