Date: Wed, 29 Nov 2000 19:07:20 -0800
From: "John Howie" <JHowie@msn.com>
To: <freebsd-security@FreeBSD.ORG>, <freebsd-isp@freebsd.org>, "Jonathan M. Slivko" <jon_slivko@simphost.com>
Subject: Re: Danger Ports
Message-ID: <016801c05a7a$a7bac8c0$fd01a8c0@pacbell.net>
Jonathan,

My apologies - I see what you are after now. Yes, there is a list floating
around, but I usually head over to SANS and get theirs:

http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

You will see that it is extensive!

Regarding your followup on dummy applications acting as these rogue
services/daemons I think you are after a Honeypot. There are a couple but
I'll need to check out the details as I don't have them off the top of my
head. Depending on the level of sophistication you are after it might just
be easier to have your firewall log any attempt to access one of the ports that
you are interested in and deny access.

Hope this helps,

john...

----- Original Message -----
From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
To: "John Howie" <JHowie@msn.com>
Cc: <freebsd-security@freebsd.org>; <freebsd-isp@freebsd.org>
Sent: Wednesday, November 29, 2000 6:08 PM
Subject: Re: Danger Ports

> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? Or are there any utilities that
> act as those servers and log all attempts in hopes of catching those users
> who will no doubt try and take advantage of an open system?
>
> ----
> Jonathan M. Slivko <jon_slivko@simphost.com>
> Technical Support, CoreSync Corporation (http://www.coresync.net)
> Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> Pager/Voicemail: (917) 388-5304
> ----
>
> On Wed, 29 Nov 2000, John Howie wrote:
>
> > Jonathan,
> >
> > Rather than denying access to certain ports on your system, and allowing
> > access to the rest, you might find it easier to think in the reverse - What
> > ports do I need to leave open to outside (presumably Internet) users?
> >
> > The answer to that question depends on the needs of your outside users. You
> > will probably need to allow SSH access, and I would suggest that you get
> > users to use SCP instead of FTP (unless you have a public FTP site that
> > allows anonymous connections). You might also need to open up access to SMTP
> > and POP3 services for mail (while ensuring that your site can't be used as a
> > mail relay). DNS is another service that you might need to provide access
> > to.
> >
> > If users need access to so-called dangerous services such as X, printer,
> > NFS, NIS, SNMP, etc. then I would look for a VPN solution that brings them
> > into your network through the firewall and allows them to access these
> > services as an internal user.
> >
> > O'Reilly does a good book on Firewall Security, I suggest that you get it
> > and have a read. CERT also has a good document on packet filtering
> > (http://www.cert.org). Also, check the FreeBSD handbook or The Complete
> > FreeBSD for more information about setting up firewalls on FreeBSD systems.
> >
> > Hope this helps,
> >
> > john...
> >
> > ----- Original Message -----
> > From: "Jonathan M. Slivko" <jon_slivko@simphost.com>
> > To: <freebsd-security@freebsd.org>
> > Cc: <freebsd-isp@freebsd.org>
> > Sent: Wednesday, November 29, 2000 5:23 PM
> > Subject: Danger Ports
> >
> >
> > > Can someone tell me what are the "danger" ports on FreeBSD, ports that
> > > perhaps need to be blocked because they are insecure? I would like to know
> > > so in the future, I can prevent outside attacks and concentrate more on
> > > internal attacks, or "insider jobs" as they're called.
> > >
> > > ----
> > > Jonathan M. Slivko <jon_slivko@simphost.com>
> > > Technical Support, CoreSync Corporation (http://www.coresync.net)
> > > Team Leader, SecureIRC Project (http://secureirc.sourceforge.net)
> > > Pager/Voicemail: (917) 388-5304
> > > ----
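An added example, not part of the thread: John suggests having the firewall log and deny attempts on the ports of interest, and Jonathan asks for something that records all such attempts, so this Python script triages FreeBSD ipfw "Deny" log lines against a small watch list. The log lines are constructed, and the port numbers in WATCH_PORTS are assumed defaults for the tools named in the thread, to be checked against the SANS list John links to.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of FreeBSD ipfw syslog output (not real traffic).
SAMPLE_LOG = """\
Nov 29 19:07:20 gw /kernel: ipfw: 900 Deny UDP 192.0.2.10:4242 198.51.100.5:31337 in via fxp0
Nov 29 19:07:21 gw /kernel: ipfw: 900 Deny TCP 192.0.2.10:4243 198.51.100.5:27665 in via fxp0
Nov 29 19:08:02 gw /kernel: ipfw: 900 Deny UDP 203.0.113.7:2048 198.51.100.5:31335 in via fxp0
Nov 29 19:09:15 gw /kernel: ipfw: 100 Accept TCP 203.0.113.9:51000 198.51.100.5:22 in via fxp0
Nov 29 19:10:00 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:4244 198.51.100.5:139 in via fxp0
"""

# Assumed watch list, keyed by (protocol, destination port): commonly cited defaults
# for the tools named in the thread; build the real one from the SANS list.
WATCH_PORTS = {
    ("udp", 31337): "Back Orifice",
    ("udp", 27444): "Trinoo agent",
    ("udp", 31335): "Trinoo master",
    ("tcp", 27665): "Trinoo master (TCP control)",
}
LINE_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
                     r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)")

def parse_ipfw_line(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"], rec["dport"] = int(rec["rule"]), int(rec["dport"])
    return rec

def watchlist_hits(log_text):
    """Count denied packets per (source IP, watch-list label); accepted traffic is ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        label = WATCH_PORTS.get((rec["proto"].lower(), rec["dport"]))
        if label is not None:
            hits[(rec["src"], label)] += 1
    return hits

def sources_to_review(log_text, min_services=2):
    """Source IPs that probed at least min_services distinct watched services."""
    per_src = defaultdict(set)
    for src, label in watchlist_hits(log_text):
        per_src[src].add(label)
    return sorted(s for s, labels in per_src.items() if len(labels) >= min_services)
```

Run it against the real firewall log instead of SAMPLE_LOG; a denied hit on port 139 is still denied but does not count, because only watched ports are labelled.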