From owner-freebsd-isp Wed Nov 29 19:00:55 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id 806B037B401; Wed, 29 Nov 2000 19:00:40 -0800 (PST)
Received: from x86nts4 - 216.103.48.12 by email.msn.com with Microsoft SMTPSVC; Wed, 29 Nov 2000 19:00:39 -0800
Message-ID: <016801c05a7a$a7bac8c0$fd01a8c0@pacbell.net>
From: "John Howie" <JHowie@msn.com>
To: , , "Jonathan M. Slivko" <jon_slivko@simphost.com>
Subject: Re: Danger Ports
Date: Wed, 29 Nov 2000 19:07:20 -0800
X-Mailer: Microsoft Outlook Express 5.50.4522.1800
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jonathan,

My apologies - I see what you are after now. Yes, there is a list
floating around, but I usually head over to SANS and get theirs:

http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

You will see that it is extensive!

Regarding your follow-up on dummy applications acting as these rogue
services/daemons, I think you are after a Honeypot. There are a couple, but
I'll need to check out the details as I don't have them off the top of my
head. Depending on the level of sophistication you are after, it might just
be easier to have your firewall log any attempt to access one of the ports that
you are interested in and deny access.

Hope this helps,

john...

----- Original Message -----
From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
To: "John Howie" <JHowie@msn.com>
Cc: <freebsd-security@freebsd.org>; <freebsd-isp@freebsd.org>
Sent: Wednesday, November 29, 2000 6:08 PM
Subject: Re: Danger Ports

> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? Or are there any utilities that
> act as those servers and log all attempts in hopes of catching those users
> who will no doubt try and take advantage of an open system?
>
> ----
> Jonathan M. Slivko <jon_slivko@simphost.com>
> Technical Support, CoreSync Corporation (http://www.coresync.net)
> Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> Pager/Voicemail: (917) 388-5304
> ----
>
> On Wed, 29 Nov 2000, John Howie wrote:
>
> > Jonathan,
> >
> > Rather than denying access to certain ports on your system, and allowing
> > access to the rest, you might find it easier to think in the reverse - What
> > ports do I need to leave open to outside (presumably Internet) users?
> >
> > The answer to that question depends on the needs of your outside users. You
> > will probably need to allow SSH access, and I would suggest that you get
> > users to use SCP instead of FTP (unless you have a public FTP site that
> > allows anonymous connections). You might also need to open up access to SMTP
> > and POP3 services for mail (while ensuring that your site can't be used as a
> > mail relay). DNS is another service that you might need to provide access
> > to.
> >
> > If users need access to so-called dangerous services such as X, printer,
> > NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings them
> > into your network through the firewall and allows them to access these
> > services as an internal user.
> >
> > O'Reilly does a good book on Firewall Security, I suggest that you get it
> > and have a read. CERT also has a good document on packet filtering
> > (http://www.cert.org). Also, check the FreeBSD handbook or The Complete
> > FreeBSD for more information about setting up firewalls on FreeBSD systems.
> >
> > Hope this helps,
> >
> > john...
> >
> > ----- Original Message -----
> > From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
> > To: <freebsd-security@freebsd.org>
> > Cc: <freebsd-isp@freebsd.org>
> > Sent: Wednesday, November 29, 2000 5:23 PM
> > Subject: Danger Ports
> >
> >
> > > Can someone tell me what are the "danger" ports on FreeBSD, ports that
> > > perhaps need to be blocked because they are insecure? I would like to know
> > > so in the future, I can prevent outside attacks and concentrate more on
> > > internal attacks, or "insider jobs" as they're called.
> > >
> > > ----
> > > Jonathan M. Slivko <jon_slivko@simphost.com>
> > > Technical Support, CoreSync Corporation (http://www.coresync.net)
> > > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> > > Pager/Voicemail: (917) 388-5304
> > > ----
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
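The two pieces of advice in this thread, an allow-list firewall (decide which services must be reachable and deny everything else) and logging plus denying probes of the trojan ports, as an added Python example that is not from the list or from either poster. It emits ipfw(8) rules rather than applying them, and then summarises ipfw deny log lines per destination port. The interface name, the sample log lines, and the Back Orifice and Trinoo port numbers (the tools' usual defaults, not stated in the thread) are assumptions for illustration.

```python
"""Added example: allow-list ipfw ruleset generator plus a summariser for
the deny log it produces. Not from the thread; values below are assumed."""
import re
from collections import Counter

# Inbound services the reply says an ISP host usually has to expose
# (standard IANA ports; the protocol/port pairs are not from the thread).
ALLOWED_SERVICES = [
    ("ssh",  "tcp", 22),
    ("smtp", "tcp", 25),
    ("pop3", "tcp", 110),
    ("dns",  "udp", 53),
    ("dns",  "tcp", 53),
]

# Listener ports the thread names only by tool; the numbers are the tools'
# well-known defaults and are an assumption made for this example.
WATCHED_PORTS = [
    ("udp", 31337, "Back Orifice"),
    ("tcp", 27665, "Trinoo master"),
    ("udp", 27444, "Trinoo daemon"),
]


def build_ruleset(ext_if="fxp0"):
    """Return ipfw 'add' commands: loopback, established TCP, the allow-list,
    an explicit log-and-deny for each watched port, then a logged catch-all
    deny. ext_if is an assumed interface name; nothing is applied here."""
    rules = [
        "add 100 allow ip from any to any via lo0",
        "add 200 allow tcp from any to any established",
    ]
    num = 300
    for _name, proto, port in ALLOWED_SERVICES:
        rules.append(f"add {num} allow {proto} from any to me {port} in via {ext_if}")
        num += 10
    num = 1000
    for proto, port, _label in WATCHED_PORTS:
        rules.append(f"add {num} deny log {proto} from any to me {port} in via {ext_if}")
        num += 10
    rules.append("add 65000 deny log ip from any to any")
    return rules


# Classic ipfw syslog line: "ipfw: <rule> <action> <proto> src:sport dst:dport in|out via <if>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def summarise_deny_log(lines):
    """Count denied inbound TCP/UDP packets per (proto, dport).
    Accepted traffic, outbound traffic and ICMP lines are ignored."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "Deny" or m["dir"] != "in":
            continue
        counts[(m["proto"].lower(), int(m["dport"]))] += 1
    return counts


def flagged(counts):
    """Map the watched-port labels to how many probes hit each of them."""
    labels = {(proto, port): label for proto, port, label in WATCHED_PORTS}
    return {labels[key]: n for key, n in counts.items() if key in labels}


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "Nov 29 19:00:40 gw /kernel: ipfw: 1000 Deny UDP 203.0.113.7:1024 192.0.2.10:31337 in via fxp0",
    "Nov 29 19:00:41 gw /kernel: ipfw: 1000 Deny UDP 203.0.113.7:1025 192.0.2.10:31337 in via fxp0",
    "Nov 29 19:01:02 gw /kernel: ipfw: 1010 Deny TCP 198.51.100.9:4321 192.0.2.10:27665 in via fxp0",
    "Nov 29 19:01:30 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:4322 192.0.2.10:111 in via fxp0",
    "Nov 29 19:02:00 gw /kernel: ipfw: 300 Accept TCP 198.51.100.9:4323 192.0.2.10:22 in via fxp0",
]

if __name__ == "__main__":
    for rule in build_ruleset():
        print("ipfw", rule)
    hits = summarise_deny_log(SAMPLE_LOG)
    for (proto, port), n in sorted(hits.items()):
        print(f"{proto}/{port}: {n} denied")
    print("watched ports hit:", flagged(hits))
```

Review the generated rules before loading them; the `deny log` rules only write syslog lines when the sysctl `net.inet.ip.fw.verbose` is set to 1, and the regex above matches the classic ipfw syslog format for TCP and UDP only, so ICMP entries are skipped rather than misparsed.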
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message