[CLUE-Talk] Preventing Hack Attempts before they Happen
Jim Intriglia
jimintriglia at hotmail.com
Mon May 14 16:10:01 MDT 2001
>From: Brandon N <bneill at yahoo.com>
>Reply-To: clue-talk at clue.denver.co.us
>To: clue-talk at clue.denver.co.us
>Subject: Re: [CLUE-Talk] Preventing Hack Attempts before they Happen
>Date: Sat, 12 May 2001 18:21:07 -0700 (PDT)
>
>I've actually noticed a couple of hits on port 111, which is the rpc
>portmapper. From what I remember, that is used by rpc to find out
>which port another program is running on. in theory you could query
>the portmapper and find out what rpc services are running.
>
>119 is usenet. I've gotten quite a few scans there, mostly from @home.
>
>I've also gotten a few hits on 23, which is telnet, which would imply a
>rather stupid newbie trying to get access, or just trying to see which
>machines are unix ones.
A while back I came across a listing of ports and their definitions - I did
not make note of it as I thought I would remember where to find it. Of
course, I can't remember where I saw it. Where can I find a listing of ports
and their use/definition?
>
>I don't use portsentry yet, haven't had time to set it up, one problem
>is that because it resides in user space, it can only listen on unused
>ports. Am I correct in that assumption?
PortSentry was pretty easy to set up, thanks to an article Kevin C. posted
and a good README. Not sure about the user space thing.. my understanding is
it monitors all enabled ports. I'll check the docs and see if I can find an
answer to this.
>
>Lastly, what information would we want in an "access attempt" database?
> I can think of time, ip, port, anything else?
>
I was thinking of a format that could easily be cut/pasted or imported into
an existing portsentry.deny or hosts.deny file. The effect would be to prevent
cracker attacks before they get around to your system.
Additional information could be added to better describe the info, but I
think the first whack should be putting together a list of known IPs where
crackers are known to operate, in the format that would be compatible with
importing direct to portsentry.deny and hosts.deny files.
>we would just have to make sure people contributing to the database can
>tell the difference between an actual access attempt, or something
>innocuous, like bootp requests.
I am relying on tools such as PortSentry to tell the difference between
malicious intent, vs innocent port activity. This saves lots of time
analyzing log files.
>
>I'm willing to sit down with anyone that needs it and go over their
>firewall script or logs.
>
>Brandon
Continued..
>--- R Frank <rfrank at rfrank.net> wrote:
> > On Sat, 12 May 2001 22:21:51
> > "Jim Intriglia" <jimintriglia at hotmail.com> questioned:
> >
> > > Would it make sense if all Clubies submitted their PortSentry (or
> > > other security log info) that lists the IP address of crackers? My
> > > thinking is that this list of known cracker IP's can be imported into
> > > PortSentry and hosts.deny files, to avert an attack before it happens.
> >
> > Wish I knew more about this. I checked my logs and there are 88
> > different IP addresses being blocked, most as a result of scans to
> > port 111. Am I wrong in thinking that such scans are not evidence of
> > a would-be hacker?
What application wrote those IP addresses to the blocked file? If it was a
utility such as PortSentry, I would say that we could assume malicious
intent from those IPs until proven otherwise.
Better safe than sorry, yes?
> > There is a burst of activity on May 7th against my port 119, and the
> > machine reported it went into "stealth listening mode" on that port
> > at that time. But as far as which IP addresses to deny, I'm not sure
> > which are real threats and which are innocuous port scans.
> >
> > Roger Frank
For those interested in security, they could do some analysis of the data
collected by cluebies. Those interested in cracker-busting (we have a few)
can follow up with tactics to stop the activity.
JimI.
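As an added example (not from this thread, and not the PortSentry project's own code), here is a small Python script for the "first whack" described above: pull the source IPs out of PortSentry's attackalert log lines and turn them into entries that can be pasted into hosts.deny. The syslog wording matched by the regex is assumed from memory and the sample lines are constructed, so check it against a real log before relying on it. It also skips RFC 1918, loopback and link-local addresses, so something innocuous from the LAN (a bootp/DHCP request, say) never ends up denying your own hosts, and it leaves out IPs that are already in the existing hosts.deny.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog lines in the style PortSentry logs an attackalert.
# The exact wording is assumed from memory: check a real log and adjust ATTACK_RE.
SAMPLE_LOG = """\
May  7 02:14:11 gw portsentry[412]: attackalert: Connect from host: 203.0.113.45/203.0.113.45 to TCP port: 111
May  7 02:14:12 gw portsentry[412]: attackalert: Host 203.0.113.45 has been blocked via wrappers with string: "ALL: 203.0.113.45"
May  7 02:16:40 gw portsentry[412]: attackalert: Connect from host: 198.51.100.9/198.51.100.9 to TCP port: 119
May  7 02:16:41 gw portsentry[412]: attackalert: Connect from host: 198.51.100.9/198.51.100.9 to TCP port: 23
May  7 03:01:02 gw portsentry[412]: attackalert: Connect from host: 192.168.1.20/192.168.1.20 to UDP port: 67
May  7 03:05:00 gw portsentry[412]: attackalert: Connect from host: 203.0.113.45/203.0.113.45 to TCP port: 111
"""

ATTACK_RE = re.compile(
    r"attackalert: Connect from host: \S+/(?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Ranges that can only be your own LAN, loopback, or broadcast/multicast noise
# (a bootp/DHCP request from 192.168.x.x, for instance). Never deny these.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def parse_attempts(log_text):
    """Map each source IP to its hit count and the set of (proto, port) it probed."""
    hits = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if not m:
            continue  # "has been blocked" notices and unrelated syslog lines
        rec = hits[m.group("ip")]
        rec["count"] += 1
        rec["ports"].add((m.group("proto"), int(m.group("port"))))
    return dict(hits)


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def deny_entries(hits, min_hits=1):
    """Candidate (ip, count, ports) tuples, local ranges excluded, sorted by address."""
    entries = []
    for ip in sorted(hits, key=ipaddress.ip_address):
        if is_local(ip) or hits[ip]["count"] < min_hits:
            continue
        ports = ",".join(f"{p}/{n}" for p, n in sorted(hits[ip]["ports"]))
        entries.append((ip, hits[ip]["count"], ports))
    return entries


def already_denied(hosts_deny_text):
    """Client addresses already listed in an existing hosts.deny.

    Each rule is 'daemon_list : client_list [: option]'; the client list is
    separated by blanks and/or commas, per hosts_access(5)."""
    present = set()
    for line in hosts_deny_text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue
        present.update(re.split(r"[,\s]+", fields[1].strip()))
    present.discard("")
    return present


def render_hosts_deny(entries, existing_text=""):
    """hosts.deny lines to append; IPs already in existing_text are skipped.

    The comment goes on its own line because hosts_access(5) only treats
    lines that begin with '#' as comments."""
    present = already_denied(existing_text)
    out = []
    for ip, count, ports in entries:
        if ip in present:
            continue
        out.append(f"# {ip}: {count} hits on {ports}")
        out.append(f"ALL: {ip}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python portsentry2deny.py  (or pipe a real log into parse_attempts)
    hits = parse_attempts(SAMPLE_LOG)
    print(render_hosts_deny(deny_entries(hits), existing_text="ALL: 203.0.113.45\n"))
```

The min_hits knob is there because a single hit on port 111 or 119 tells you very little; the same script run over the club's pooled logs can demand several independent sightings before an address goes into the shared list. One caveat before such a list is used for blocking rather than analysis: many of these scans come from dial-up and cable dynamic pools (the @home sightings above), so an address that was a scanner last week may be an innocent subscriber this week, and entries should be aged out after a while rather than kept forever.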
> > _______________________________________________
> > CLUE-Talk mailing list
> > CLUE-Talk at clue.denver.co.us
> > http://clue.denver.co.us/mailman/listinfo/clue-talk