[CLUE-Talk] Preventing Hack Attempts before they Happen

Jim Intriglia jimintriglia at hotmail.com
Mon May 14 16:10:01 MDT 2001


>From: Brandon N <bneill at yahoo.com>
>Reply-To: clue-talk at clue.denver.co.us
>To: clue-talk at clue.denver.co.us
>Subject: Re: [CLUE-Talk] Preventing Hack Attempts before they Happen
>Date: Sat, 12 May 2001 18:21:07 -0700 (PDT)
>
>I've actually noticed a couple of hits on port 111, which is the rpc
>portmapper.  From what I remember, that is used by rpc to find out
>which port another program is running on.  In theory you could query
>the portmapper and find out what rpc services are running.
>
>119 is usenet.  I've gotten quite a few scans there, mostly from @home.
>
>I've also gotten a few hits on 23, which is telnet, which would imply a
>rather stupid newbie trying to get access, or just trying to see which
>machines are unix ones.

A while back I came across a listing of ports and their definitions - I did 
not make note of it as I thought I would remember where to find it. Of 
course, I can't remember where I saw it. Where can I find a listing of ports 
and their use/definition?

>
>I don't use portsentry yet, haven't had time to set it up, one problem
>is that because it resides in user space, it can only listen on unused
>ports.  Am I correct in that assumption?

PortSentry was pretty easy to set up, thanks to an article Kevin C. posted 
and a good README. Not sure about the user space thing... my understanding is 
that it monitors all enabled ports. I'll check the docs and see if I can find an 
answer to this.

>
>Lastly, what information would we want in an "access attempt" database?
>  I can think of time, ip, port, anything else?
>

I was thinking of a format that could easily be cut/pasted or imported into 
an existing portsentry.deny or hosts.deny file. The effect would be to prevent 
cracker attacks before they get around to your system.

Additional information could be added to better describe the info, but I 
think the first whack should be putting together a list of known IPs where 
crackers are known to operate, in the format that would be compatible with 
importing direct to portsentry.deny and hosts.deny files.

>we would just have to make sure people contributing to the database can
>tell the difference between an actual access attempt, or something
>innocuous, like bootp requests.

I am relying on tools such as PortSentry to tell the difference between 
malicious intent vs. innocent port activity. This saves lots of time 
analyzing log files.

>
>I'm willing to sit down with anyone that needs it and go over their
>firewall script or logs.
>
>Brandon

Continued..

>--- R Frank <rfrank at rfrank.net> wrote:
> > On Sat, 12 May 2001 22:21:51
> > "Jim Intriglia" <jimintriglia at hotmail.com> questioned:
> >
> > > Would it make sense if all Clubies submitted their PortSentry (or other
> > > security log info) that lists the IP address of crackers? My thinking is
> > > that this list of known cracker IP's can be imported into PortSentry and
> > > hosts.deny files, to avert an attack before it happens.
> >
> > Wish I knew more about this.  I checked my logs and there are 88 different
> > IP addresses being blocked, most as a result of scans to port 111.  Am I
> > wrong in thinking that such scans are not evidence of a would-be hacker?

What application wrote those IP addresses to the blocked file? If it was a 
utility such as PortSentry, I would say that we could assume malicious 
intent from those IPs until proven otherwise.

Better safe than sorry, yes?


> > There is a burst of activity on May 7th against my port 119, and the
> > machine reported it went into "stealth listening mode" on that port
> > at that time.  But as far as which IP addresses to deny, I'm not sure
> > which are real threats and which are innocuous port scans.
> >
> > Roger Frank

Those interested in security could do some analysis of the data 
collected by cluebies. Those interested in cracker-busting (we have a few) 
can follow up with tactics to stop the activity.

JimI.
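One way to turn members' submitted block lists into hosts.deny lines, as an added example that is not from this thread or from PortSentry itself: it validates each address, drops addresses that a BOOTP request or local LAN traffic would produce (an assumed exclusion list, not something PortSentry defines), deduplicates, and skips entries already present in hosts.deny. The submitted list and the hosts.deny excerpt are constructed samples.

```python
import ipaddress
import re

# Constructed sample of what two members might submit: PortSentry-style
# one-address-per-line output, plus some noise that must not be imported.
CONTRIBUTED = """# from member A, port 111 scans
192.0.2.10
192.0.2.10
198.51.100.77
0.0.0.0        # bootp request, not an attacker
10.0.0.5       # box on the local LAN
not-an-ip
203.0.113.5
"""

# Constructed excerpt of an existing /etc/hosts.deny in "ALL: <address>" form.
EXISTING_HOSTS_DENY = "ALL: 198.51.100.77\n"

# Addresses that a BOOTP request, local traffic or a typo could produce.
# Assumption: none of these ever belong in a shared deny list.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
DENY_LINE = re.compile(r"^\s*ALL\s*:\s*(\S+)")

def already_denied(hosts_deny_text):
    """Addresses already present as 'ALL: <address>' lines."""
    return {m.group(1) for m in map(DENY_LINE.match, hosts_deny_text.splitlines()) if m}

def usable_address(token):
    """Return the address as a string if it is a valid, non-local IPv4, else None."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:          # blank line, comment-only line, or garbage
        return None
    if ip.version != 4 or any(ip in net for net in EXCLUDED_NETS):
        return None
    return str(ip)

def build_deny_entries(contributed_text, hosts_deny_text):
    """New 'ALL: <ip>' lines: validated, deduplicated, not already present."""
    seen = already_denied(hosts_deny_text)
    entries = []
    for raw in contributed_text.splitlines():
        ip = usable_address(raw.split("#", 1)[0].strip())  # drop trailing comments
        if ip and ip not in seen:
            seen.add(ip)
            entries.append(f"ALL: {ip}")
    return entries
```

Running `build_deny_entries(CONTRIBUTED, EXISTING_HOSTS_DENY)` on the samples yields only the two public addresses not already denied; append those lines to hosts.deny rather than replacing the file.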
