From owner-freebsd-isp Thu Nov 30 7:28:45 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id EDF9737B400; Thu, 30 Nov 2000 07:28:38 -0800 (PST)
Received: from localhost (traviso@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id IAA09380; Thu, 30 Nov 2000 08:28:37 -0700 (MST)
Date: Thu, 30 Nov 2000 08:28:32 -0700 (MST)
From: Travis {RapidSupport}
To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Danger Ports
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 29 Nov 2000, Dan Babb wrote:

> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? Or are there any utilities that
> act as those servers and log all attempts, in hopes of catching those users
> who will no doubt try and take advantage of an open system?

Probably the best thing for exactly what you are describing is SNORT, a
lightweight intrusion detection software, which you can get at:

http://www.snort.org

I can identify exactly what you are referring to in my logs. I also use an
ipf firewall to block that which I ID with the IDS software.
Here is a snippet of actual logs from snort on my machine:

[begin log snippet]

[**] Netbus/GabanBus [**]
09/20-21:11:08.683624 *.*.*.*:1891 -> *.*.*.*:12345
TCP TTL:64 TOS:0x0 ID:60113 DF
S***** Seq: 0x750B7F5F Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460

[**] Traceroute ICMP [**]
09/20-22:26:12.133438 204.178.16.36 -> *.*.*.*
ICMP TTL:1 TOS:0x0 ID:47254
ID:3699 Seq:13803 ECHO

[**] SYN FIN Scan [**]
10/01-22:18:16.531398 203.41.93.253:21 -> *.*.*.*:21
TCP TTL:28 TOS:0x0 ID:39426
SF**** Seq: 0x205F74F Ack: 0x55003324 Win: 0x404

[**] PCAnywhere [**]
10/02-17:45:14.656264 *.*.*.*:1030 -> *.*.*.*:22
UDP TTL:125 TOS:0x0 ID:16896
Len: 10

[**] Backdoor-31337-shell [**]
11/20-16:43:17.064386 *.*.*.*:2286 -> *.*.*.*:31337
TCP TTL:64 TOS:0x0 ID:57979 DF
S***** Seq: 0xDDD33B02 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460

---
[end log snippet]

As you can see, I have *'d out the destination IPs (my servers) and some of
the attackers' IPs. While it creates these quick fingerprints of the attack,
it also holds more information on a per-IP basis.

Personally, I don't always have time to dig through the logs, so I use
SnortSnarf, which takes the logs and creates a very nice web interface for
tracking attacks and trends. SnortSnarf can be downloaded from the Snort
website...

Oh, did I mention this is free? =)

Travis

/* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RapidNet Admin Team          "Courage is not defined by those who
   Phone#: 605.341.3283          fought and did not fall, but by those
   ICQ#:   30220771              who fought, fell, and rose again."
   Mail:   traviso@RapidNet.com
   Fax#:   605.348.1031
   Web:    www.RapidNet.com/~traviso
   800#:   800.763.2525
   ATTENTION! "RapidNet has moved to 330 Knollwood Drive, Rapid City, SD 57701."
   -=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-= */

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
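The workflow Travis describes (let Snort fingerprint the probes, then feed the offending sources to an ipf firewall) can be scripted. The following is an added example, not code from the mail, from Snort or from ipf: it parses alerts laid out like the snippet above, flags sources that hit well-known trojan/DDoS control ports (the 12345 and 31337 ports that appear in the log, plus the trinoo control ports documented in CERT IN-99-07) or trip a scan signature, and emits ipf `block in quick` rules for them. The sample alert text is constructed (RFC 5737 documentation addresses, not real traffic), and the interface name `fxp0` and the `min_hits` threshold are assumptions.

```python
"""Turn Snort alert output into candidate ipf block rules.

Added example: not part of the original mail, and not Snort's or ipf's own
code.  Addresses below are RFC 5737 documentation ranges (constructed
sample), and the ipf interface name is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports the mail's own log lines show (Netbus 12345, backdoor shell 31337)
# plus the trinoo control ports listed in CERT Incident Note IN-99-07.
DANGER_PORTS = {
    12345: "Netbus",
    31337: "Back Orifice / 31337 backdoor shell",
    27665: "trinoo master (TCP)",
    27444: "trinoo daemon (UDP)",
    31335: "trinoo daemon->master (UDP)",
}

# Constructed sample in the same layout as the snippet in the mail.
SAMPLE_ALERTS = """\
[**] Netbus/GabanBus [**]
09/20-21:11:08.683624 198.51.100.7:1891 -> 192.0.2.10:12345
TCP TTL:64 TOS:0x0 ID:60113 DF
S***** Seq: 0x750B7F5F Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460

[**] Traceroute ICMP [**]
09/20-22:26:12.133438 203.0.113.36 -> 192.0.2.10
ICMP TTL:1 TOS:0x0 ID:47254
ID:3699 Seq:13803 ECHO

[**] SYN FIN Scan [**]
10/01-22:18:16.531398 203.0.113.253:21 -> 192.0.2.10:21
TCP TTL:28 TOS:0x0 ID:39426
SF**** Seq: 0x205F74F Ack: 0x55003324 Win: 0x404

[**] Backdoor-31337-shell [**]
11/20-16:43:17.064386 198.51.100.7:2286 -> 192.0.2.10:31337
TCP TTL:64 TOS:0x0 ID:57979 DF
S***** Seq: 0xDDD33B02 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460
"""

SIG_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP)\b")


@dataclass
class Alert:
    signature: str
    timestamp: str
    proto: str
    src: str
    sport: Optional[int]   # None for ICMP, which carries no ports
    dst: str
    dport: Optional[int]


def parse_snort_alerts(text: str) -> List[Alert]:
    """Parse '[**] sig [**]' / flow line / protocol line triplets."""
    lines = [ln.strip() for ln in text.splitlines()]
    alerts: List[Alert] = []
    i = 0
    while i < len(lines):
        m = SIG_RE.match(lines[i])
        if not m or i + 2 >= len(lines):
            i += 1
            continue
        f = FLOW_RE.match(lines[i + 1])
        p = PROTO_RE.match(lines[i + 2])
        if f and p:
            alerts.append(Alert(
                signature=m["sig"], timestamp=f["ts"], proto=p["proto"],
                src=f["src"], sport=int(f["sport"]) if f["sport"] else None,
                dst=f["dst"], dport=int(f["dport"]) if f["dport"] else None,
            ))
            i += 3
        else:
            i += 1   # header without a well-formed body; skip it
    return alerts


def is_hostile(a: Alert) -> bool:
    """Danger-port probe or a scan signature; traceroute noise is neither."""
    return a.dport in DANGER_PORTS or "scan" in a.signature.lower()


def hostile_sources(alerts: List[Alert], min_hits: int = 1) -> Dict[str, int]:
    """Source IP -> count of hostile alerts, keeping sources at/above min_hits."""
    hits = Counter(a.src for a in alerts if is_hostile(a))
    return {ip: n for ip, n in sorted(hits.items()) if n >= min_hits}


def ipf_block_rules(sources: Dict[str, int], iface: str = "fxp0") -> List[str]:
    """One ipf 'block in quick' rule per hostile source (iface is assumed)."""
    return [f"block in quick on {iface} from {ip} to any" for ip in sources]


if __name__ == "__main__":
    parsed = parse_snort_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.timestamp} {a.signature:<22} {a.src} -> {a.dst}:{a.dport} {a.proto}")
    for rule in ipf_block_rules(hostile_sources(parsed, min_hits=1)):
        print(rule)
```

Raise `min_hits` before pasting rules into `ipf.conf`: a single SYN/FIN packet can be spoofed, so blocking on one hit lets an attacker get arbitrary addresses (including yours upstream) firewalled off. Repeated connects to 12345 or 31337 from one source, as in the sample, are a much safer trigger.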