[CLUE-Talk] Preventing Hack Attempts before they Happen

David Anselmi anselmi at intradenver.net
Mon May 14 15:46:49 MDT 2001


This is as good a source as I can imagine for port numbers, though it may not
list all the ports in use on a particular system (you can also check
/etc/services):

http://www.iana.org/assignments/port-numbers

Dave

Jim Intriglia wrote:

> >From: Brandon N <bneill at yahoo.com>
> >Reply-To: clue-talk at clue.denver.co.us
> >To: clue-talk at clue.denver.co.us
> >Subject: Re: [CLUE-Talk] Preventing Hack Attempts before they Happen
> >Date: Sat, 12 May 2001 18:21:07 -0700 (PDT)
> >
> >I've actually noticed a couple of hits on port 111, which is the rpc
> >portmapper.  From what I remember, that is used by rpc to find out
> >which port another program is running on.  In theory you could query
> >the portmapper and find out what rpc services are running.
> >
> >119 is usenet.  I've gotten quite a few scans there, mostly from @home.
> >
> >I've also gotten a few hits on 23, which is telnet, which would imply a
> >rather stupid newbie trying to get access, or just trying to see which
> >machines are unix ones.
>
> A while back I came across a listing of ports and their definitions - I did
> not make note of it as I thought I would remember where to find it. Of
> course, I can't remember where I saw it. Where can I find a listing of ports
> and their use/definition?
>
> >
> >I don't use portsentry yet, haven't had time to set it up, one problem
> >is that because it resides in user space, it can only listen on unused
> >ports.  Am I correct in that assumption?
>
> PortSentry was pretty easy to set up, thanks to an article Kevin C. posted
> and a good README. Not sure about the user space thing.. my understanding is
> it monitors all enabled ports. I'll check the docs and see if I can find an
> answer to this.
>
> >
> >Lastly, what information would we want in an "access attempt" database?
> >  I can think of time, ip, port, anything else?
> >
>
> I was thinking of a format that could easily be cut/pasted or imported into
> an existing portsentry.deny or hosts.deny file. The effect would be to prevent
> cracker attacks before they get around to your system.
>
> Additional information could be added to better describe the info, but I
> think the first whack should be putting together a list of known IPs where
> crackers are known to operate, in the format that would be compatible with
> importing direct to portsentry.deny and hosts.deny files.
>
> >we would just have to make sure people contributing to the database can
> >tell the difference between an actual access attempt, or something
> >innocuous, like bootp requests.
>
> I am relying on tools such as PortSentry to tell the difference between
> malicious intent, vs innocent port activity. This saves lots of time
> analyzing log files.
>
> >
> >I'm willing to sit down with anyone that needs it and go over their
> >firewall script or logs.
> >
> >Brandon
>
> Continued..
>
> >--- R Frank <rfrank at rfrank.net> wrote:
> > > On Sat, 12 May 2001 22:21:51
> > > "Jim Intriglia" <jimintriglia at hotmail.com> questioned:
> > >
> > > > Would it make sense if all Clubies submitted their PortSentry (or
> > > > other security log info) that lists the IP address of crackers? My
> > > > thinking is that this list of known cracker IP's can be imported into
> > > > PortSentry and hosts.deny files, to avert an attack before it happens.
> > >
> > > Wish I knew more about this.  I checked my logs and there are 88
> > > different IP addresses being blocked, most as a result of scans to port
> > > 111.  Am I wrong in thinking that such scans are not evidence of a
> > > would-be hacker?
>
> What application wrote those IP addresses to the blocked file? If it was a
> utility such as PortSentry, I would say that we could assume malicious
> intent from those IPs until proven otherwise.
>
> Better safe than sorry, yes?
>
> > > There is a burst of activity on May 7th against my port 119, and the
> > > machine reported it went into "stealth listening mode" on that port
> > > at that time.  But as far as which IP addresses to deny, I'm not sure
> > > which are real threats and which are innocuous port scans.
> > >
> > > Roger Frank
>
> For those interested in security, they could do some analysis of the data
> collected by cluebies. Those interested in cracker-busting (we have a few)
> can follow up with tactics to stop the activity.
>
> JimI.
> > > _______________________________________________
> > > CLUE-Talk mailing list
> > > CLUE-Talk at clue.denver.co.us
> > > http://clue.denver.co.us/mailman/listinfo/clue-talk