[CLUE-Talk] Preventing Hack Attempts before they Happen

Brandon N bneill at yahoo.com
Sat May 12 19:21:07 MDT 2001


I've actually noticed a couple of hits on port 111, which is the rpc
portmapper.  From what I remember, that is used by rpc to find out
which port another program is running on.  In theory you could query
the portmapper and find out what rpc services are running.

119 is usenet.  I've gotten quite a few scans there, mostly from @home.

I've also gotten a few hits on 23, which is telnet, which would imply a
rather stupid newbie trying to get access, or just trying to see which
machines are unix ones.

I don't use portsentry yet; I haven't had time to set it up.  One problem
is that, because it resides in user space, it can only listen on unused
ports.  Am I correct in that assumption?

Lastly, what information would we want in an "access attempt" database?
I can think of time, ip, port; anything else?

We would just have to make sure people contributing to the database can
tell the difference between an actual access attempt and something
innocuous, like bootp requests.

I'm willing to sit down with anyone that needs it and go over their
firewall script or logs.

Brandon 
--- R Frank <rfrank at rfrank.net> wrote:
> On Sat, 12 May 2001 22:21:51 
> "Jim Intriglia" <jimintriglia at hotmail.com> questioned:
> 
> > Would it make sense if all Clubies submitted their PortSentry (or
> > other security log info) that lists the IP address of crackers? My
> > thinking is that this list of known cracker IP's can be imported into
> > PortSentry and hosts.deny files, to avert an attack before it happens.
> 
> Wish I knew more about this.  I checked my logs and there are 88 different
> IP addresses being blocked, most as a result of scans to port 111.  Am I
> wrong in thinking that such scans are not evidence of a would-be hacker?
> There is a burst of activity on May 7th against my port 119, and the
> machine reported it went into "stealth listening mode" on that port
> at that time.  But as far as which IP addresses to deny, I'm not sure
> which are real threats and which are innocuous port scans.
> 
> Roger Frank
> _______________________________________________
> CLUE-Talk mailing list
> CLUE-Talk at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-talk


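The thread above asks two practical questions: what fields an "access attempt" database needs (time, ip, port) and how to keep innocuous traffic such as bootp out of it before the result is turned into a hosts.deny list. The script below is an added example written for this page; it is not code from the list, from Brandon, or from PortSentry. The log line format, the sample lines, the year (syslog omits it) and the hit threshold are all assumptions constructed for illustration; only the tcp_wrappers `ALL: <ip>` hosts.deny syntax is real.

```python
"""Build an 'access attempt' table (time, ip, port) from firewall DENY
log lines, drop innocuous traffic, and emit a hosts.deny fragment.

Added example for this mailing-list thread, not the list's or PortSentry's
own code.  The 'kernel: DENY proto src:sport -> dst:dport' line shape is an
assumption made for this example; adjust LINE_RE to whatever your firewall
script actually logs.
"""
import re
from datetime import datetime

# Constructed sample log (not anyone's real logs).  Lines 3 and 6 are
# BOOTP/DHCP broadcasts and should NOT count as access attempts.
SAMPLE_LOG = """\
May 12 18:01:07 gw kernel: DENY tcp 24.0.0.17:4321 -> 192.168.1.2:111
May 12 18:01:08 gw kernel: DENY tcp 24.0.0.17:4322 -> 192.168.1.2:111
May 12 18:03:45 gw kernel: DENY udp 0.0.0.0:68 -> 255.255.255.255:67
May 12 18:05:00 gw kernel: DENY tcp 10.9.8.7:1025 -> 192.168.1.2:23
May 12 18:05:01 gw kernel: DENY tcp 10.9.8.7:1026 -> 192.168.1.2:119
May 12 18:07:00 gw kernel: DENY udp 192.168.1.50:68 -> 255.255.255.255:67
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DENY (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_innocuous(proto, src, dst, sport, dport):
    """Traffic that lands in DENY logs without being an access attempt."""
    # BOOTP/DHCP: UDP between ports 67 and 68, as the mail points out.
    if proto == "udp" and {sport, dport} & {67, 68}:
        return True
    # Broadcasts are not aimed at this host in particular.
    if dst == "255.255.255.255" or dst.endswith(".255"):
        return True
    return False


def parse_attempts(text, year=2001):
    """Return a list of {time, ip, proto, port} records for real attempts.

    Syslog lines carry no year, so the caller supplies one (assumption)."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real script would log it for review
        sport, dport = int(m["sport"]), int(m["dport"])
        if is_innocuous(m["proto"], m["src"], m["dst"], sport, dport):
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts.append({"time": ts, "ip": m["src"],
                         "proto": m["proto"], "port": dport})
    return attempts


def summarize(attempts):
    """Group attempts per source IP: ports touched, hit count, first/last seen."""
    by_ip = {}
    for a in attempts:
        s = by_ip.setdefault(a["ip"], {"ports": set(), "hits": 0,
                                       "first": a["time"], "last": a["time"]})
        s["ports"].add(a["port"])
        s["hits"] += 1
        s["first"] = min(s["first"], a["time"])
        s["last"] = max(s["last"], a["time"])
    return by_ip


def hosts_deny(summary, min_hits=2):
    """tcp_wrappers hosts.deny lines for sources with at least min_hits.

    The threshold is an assumption; one stray packet is weak evidence."""
    lines = [f"ALL: {ip}" for ip, s in sorted(summary.items())
             if s["hits"] >= min_hits]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    summary = summarize(parse_attempts(SAMPLE_LOG))
    for ip, s in sorted(summary.items()):
        print(f"{ip:15} hits={s['hits']} ports={sorted(s['ports'])} "
              f"first={s['first']:%H:%M:%S} last={s['last']:%H:%M:%S}")
    print(hosts_deny(summary), end="")
```

One caveat worth keeping in mind when sharing such a list: hosts.deny only governs services started through tcp_wrappers (tcpd or libwrap), so a daemon like portmap that is not wrapped still needs a kernel firewall rule, and an entry that was harmless broadcast traffic would block a neighbour for nothing, which is why the bootp filter runs before anything is counted.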