[CLUE-Talk] Preventing Hack Attempts before they Happen

Jim Intriglia jimintriglia at hotmail.com
Wed May 16 20:38:45 MDT 2001


David,

>From: David Anselmi <anselmi at intradenver.net>
>Reply-To: clue-talk at clue.denver.co.us
>To: clue-talk at clue.denver.co.us
>Subject: Re: [CLUE-Talk] Preventing Hack Attempts before they Happen
>Date: Mon, 14 May 2001 15:46:49 -0600
>
>This is as good a source as I can imagine for port numbers, though it may not
>list all the ports in use on a particular system (you can also check
>/etc/services):
>
>http://www.iana.org/assignments/port-numbers

That's the list that I recall - thanks - will print it out/bookmark it this 
time around.

-Jim


>
>Dave
>
>Jim Intriglia wrote:
>
> > >From: Brandon N <bneill at yahoo.com>
> > >Reply-To: clue-talk at clue.denver.co.us
> > >To: clue-talk at clue.denver.co.us
> > >Subject: Re: [CLUE-Talk] Preventing Hack Attempts before they Happen
> > >Date: Sat, 12 May 2001 18:21:07 -0700 (PDT)
> > >
> > >I've actually noticed a couple of hits on port 111, which is the rpc
> > >portmapper.  From what I remember, that is used by rpc to find out
> > >which port another program is running on.  in theory you could query
> > >the portmapper and find out what rpc services are running.
> > >
> > >119 is usenet.  I've gotten quite a few scans there, mostly from @home.
> > >
> > >I've also gotten a few hits on 23, which is telnet, which would imply a
> > >rather stupid newbie trying to get access, or just trying to see which
> > >machines are unix ones.
> >
> > A while back I came across a listing of ports and their definitions - I did
> > not make note of it as I thought I would remember where to find it. Of
> > course, I can't remember where I saw it. Where can I find a listing of ports
> > and their use/definition?
> >
> > >
> > >I don't use portsentry yet, haven't had time to set it up, one problem
> > >is that because it resides in user space, it can only listen on unused
> > >ports.  Am I correct in that assumption?
> >
> > PortSentry was pretty easy to set up, thanks to an article Kevin C. posted
> > and a good README. Not sure about the user space thing. My understanding is
> > it monitors all enabled ports. I'll check the docs and see if I can find an
> > answer to this.
> >
> > >
> > >Lastly, what information would we want in an "access attempt" database?
> > >  I can think of time, ip, port, anything else?
> > >
> >
> > I was thinking of a format that could easily be cut/pasted or imported into
> > an existing portsentry.deny or hosts.deny file. The effect would be to prevent
> > cracker attacks before they get around to your system.
> >
> > Additional information could be added to better describe the info, but I
> > think the first whack should be putting together a list of known IPs where
> > crackers are known to operate, in the format that would be compatible with
> > importing direct to portsentry.deny and hosts.deny files.
> >
> > >we would just have to make sure people contributing to the database can
> > >tell the difference between an actual access attempt, or something
> > >innocuous, like bootp requests.
> >
> > I am relying on tools such as PortSentry to tell the difference between
> > malicious intent, vs innocent port activity. This saves lots of time
> > analyzing log files.
> >
> > >
> > >I'm willing to sit down with anyone that needs it and go over their
> > >firewall script or logs.
> > >
> > >Brandon
> >
> > Continued..
> >
> > >--- R Frank <rfrank at rfrank.net> wrote:
> > > > On Sat, 12 May 2001 22:21:51
> > > > "Jim Intriglia" <jimintriglia at hotmail.com> questioned:
> > > >
> > > > > Would it make sense if all Cluebies submitted their PortSentry (or
> > > > > other security log info) that lists the IP address of crackers? My
> > > > > thinking is that this list of known cracker IPs can be imported into
> > > > > PortSentry and hosts.deny files, to avert an attack before it happens.
> > > >
> > > > Wish I knew more about this.  I checked my logs and there are 88
> > > > different IP addresses being blocked, most as a result of scans to
> > > > port 111. Am I wrong in thinking that such scans are not evidence of a
> > > > would-be hacker?
> >
> > What application wrote those IP addresses to the blocked file? If it was a
> > utility such as PortSentry, I would say that we could assume malicious
> > intent from those IPs until proven otherwise.
> >
> > Better safe than sorry, yes?
> >
> > > > There is a burst of activity on May 7th against my port 119, and the
> > > > machine reported it went into "stealth listening mode" on that port
> > > > at that time.  But as far as which IP addresses to deny, I'm not sure
> > > > which are real threats and which are innocuous port scans.
> > > >
> > > > Roger Frank
> >
> > For those interested in security, they could do some analysis of the data
> > collected by Cluebies. Those interested in cracker-busting (we have a few)
> > can follow up with tactics to stop the activity.
> >
> > JimI.
> > > > _______________________________________________
> > > > CLUE-Talk mailing list
> > > > CLUE-Talk at clue.denver.co.us
> > > > http://clue.denver.co.us/mailman/listinfo/clue-talk
> > >
> > >
> >
> >
>

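Brandon's point about port 111, that anyone who can reach the portmapper can ask it which RPC programs are registered and on which ports, is easy to see on the wire. The script below is an added illustration for this archive, not code from PortSentry, rpcinfo or anyone in the thread: it builds a portmap v2 PMAPPROC_DUMP call (ONC RPC v2, RFC 1057 / RFC 1833) and decodes the reply into (program, version, protocol, port) tuples, which is what `rpcinfo -p host` prints. The function and constant names are the example's own; `build_dump_reply` exists only so the decoder can be exercised offline against a constructed reply.

```python
"""Enumerate RPC services through the portmapper (port 111) with a DUMP call.

Added example; wire format per ONC RPC v2 / portmap v2. Names are illustrative.
"""
import random
import socket
import struct
from typing import List, Tuple

PMAP_PROG = 100000          # portmapper program number
PMAP_VERS = 2               # portmap protocol version 2
PMAPPROC_DUMP = 4           # "list every registered (prog, vers, prot, port)"
MSG_CALL, MSG_REPLY = 0, 1
IPPROTO_NAMES = {6: "tcp", 17: "udp"}

Entry = Tuple[int, int, str, int]   # (program, version, "tcp"/"udp", port)


def build_dump_request(xid: int) -> bytes:
    """ONC RPC call header followed by AUTH_NULL credentials and verifier."""
    header = struct.pack("!IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    auth_null = struct.pack("!II", 0, 0)        # flavor AUTH_NULL, zero-length body
    return header + auth_null + auth_null       # cred, then verf


def parse_dump_reply(xid: int, data: bytes) -> List[Entry]:
    """Decode an accepted PMAPPROC_DUMP reply; ValueError on anything else."""
    off = 0
    r_xid, msg_type, reply_stat = struct.unpack_from("!III", data, off)
    off += 12
    if r_xid != xid:
        # A stray or spoofed datagram must not be mistaken for our answer.
        raise ValueError("XID mismatch")
    if msg_type != MSG_REPLY or reply_stat != 0:   # 0 = MSG_ACCEPTED
        raise ValueError("RPC call was not accepted")
    _flavor, verf_len = struct.unpack_from("!II", data, off)
    off += 8 + ((verf_len + 3) & ~3)               # verifier body is XDR-padded to 4 bytes
    (accept_stat,) = struct.unpack_from("!I", data, off)
    off += 4
    if accept_stat != 0:                           # 0 = SUCCESS
        raise ValueError("portmapper returned accept_stat %d" % accept_stat)
    entries: List[Entry] = []
    while True:
        (more,) = struct.unpack_from("!I", data, off)   # XDR optional-data flag
        off += 4
        if not more:
            break
        prog, vers, prot, port = struct.unpack_from("!IIII", data, off)
        off += 16
        entries.append((prog, vers, IPPROTO_NAMES.get(prot, str(prot)), port))
    return entries


def build_dump_reply(xid: int, entries: List[Entry]) -> bytes:
    """Encode a reply the way a portmapper would (used here for offline testing)."""
    prot_nums = {name: num for num, name in IPPROTO_NAMES.items()}
    out = struct.pack("!III", xid, MSG_REPLY, 0)   # xid, REPLY, MSG_ACCEPTED
    out += struct.pack("!II", 0, 0)                # verifier: AUTH_NULL, empty
    out += struct.pack("!I", 0)                    # accept_stat SUCCESS
    for prog, vers, prot, port in entries:
        out += struct.pack("!IIIII", 1, prog, vers, prot_nums[prot], port)
    return out + struct.pack("!I", 0)              # end of list


def query_portmapper(host: str, timeout: float = 3.0) -> List[Entry]:
    """Send the DUMP over UDP/111 and decode the answer (needs network access)."""
    xid = random.getrandbits(32)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_request(xid), (host, 111))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(xid, data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for prog, vers, prot, port in query_portmapper(target):
        print("%7d %3d %-4s %5d" % (prog, vers, prot, port))
```

Run against a host that answers on 111 and the output matches `rpcinfo -p`; the list tells a scanner which NFS, NIS or mountd versions are up without touching them, which is why a hit on 111 from a stranger is worth noting even when nothing else follows. Filtering 111 at the border, or binding the portmapper so it answers only the local network, removes the oracle.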
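The thread's two open questions, how to get PortSentry log entries into a hosts.deny-compatible list and how to tell a real scan from something innocuous like a bootp broadcast, can be handled in one pass over the log. The script below is an added example, not code from PortSentry or from anyone in the thread. It assumes the shape of PortSentry's "attackalert: Connect from host: name/ip to TCP port: N" syslog lines; the sample log lines, the INNOCUOUS_PORTS set and the thresholds are constructed for illustration and should be tuned per site.

```python
"""Triage PortSentry attackalert lines and emit TCP Wrappers hosts.deny entries.

Added example; log format assumed from PortSentry's attackalert messages,
sample lines constructed, thresholds illustrative.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Ports that trip a listener without hostile intent (site-specific assumption):
# 67/68 = bootp/dhcp broadcasts, 113 = ident lookups that remote mail and IRC
# servers make back to you when *you* connect to them.
INNOCUOUS_PORTS = {67, 68, 113}

ALERT_RE = re.compile(
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r" to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Constructed sample: one multi-port scan, one ident lookup, one repeated 111 probe.
SAMPLE_LOG = """\
May  7 03:12:01 gw portsentry[412]: attackalert: Connect from host: 10.0.0.9/10.0.0.9 to TCP port: 111
May  7 03:12:01 gw portsentry[412]: attackalert: Connect from host: 10.0.0.9/10.0.0.9 to TCP port: 119
May  7 03:12:02 gw portsentry[412]: attackalert: Connect from host: 10.0.0.9/10.0.0.9 to TCP port: 23
May  7 04:40:17 gw portsentry[412]: attackalert: Connect from host: mail.example.net/192.0.2.25 to TCP port: 113
May  7 05:01:44 gw portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
May  7 05:02:10 gw portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
May  7 05:09:33 gw portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
May  7 06:15:00 gw portsentry[412]: attackalert: Host 10.0.0.9 has been blocked via wrappers with string: "ALL: 10.0.0.9"
"""


def parse_alerts(log_text: str) -> Dict[str, List[int]]:
    """Map source IP -> list of ports hit, one element per alert line."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:                       # 'has been blocked' lines carry no port; skipped
            hits[m.group("ip")].append(int(m.group("port")))
    return dict(hits)


def classify(hits: Dict[str, List[int]], min_repeats: int = 3) -> Dict[str, str]:
    """'scan'    : 2+ distinct ports, or one port hit min_repeats+ times
       'noise'   : only innocuous ports, below the repeat threshold
       'unknown' : a single hit on some other port; leave for a human."""
    verdict: Dict[str, str] = {}
    for ip, ports in hits.items():
        distinct = set(ports)
        if len(distinct) >= 2 or len(ports) >= min_repeats:
            verdict[ip] = "scan"
        elif distinct <= INNOCUOUS_PORTS:
            verdict[ip] = "noise"
        else:
            verdict[ip] = "unknown"
    return verdict


def hosts_deny_lines(verdict: Dict[str, str], existing: str = "") -> List[str]:
    """'ALL: a.b.c.d' lines for 'scan' sources not already in the given hosts.deny text."""
    already: Set[str] = set()
    for line in existing.splitlines():
        line = line.split("#", 1)[0]                 # drop comments
        daemons, sep, clients = line.partition(":")
        if sep and daemons.strip() == "ALL":
            already.update(clients.replace(",", " ").split())
    return ["ALL: %s" % ip for ip in sorted(verdict)
            if verdict[ip] == "scan" and ip not in already]


if __name__ == "__main__":
    v = classify(parse_alerts(SAMPLE_LOG))
    for ip, what in sorted(v.items()):
        print("%-16s %s" % (ip, what))
    print("\n".join(hosts_deny_lines(v, existing="ALL: 10.0.0.9   # already blocked")))
```

On the sample, 10.0.0.9 (three ports in two seconds) and 198.51.100.7 (111 three times) come out as scans and 192.0.2.25 as ident noise, and only the address not already present in the existing hosts.deny text is emitted. Before feeding a shared list like this into hosts.deny, keep in mind what R Frank's doubt points at: a single hit on 111 is reconnaissance, not proof of a break-in attempt; the @home addresses scanning 119 are dynamic and will belong to someone else next week; and a list nobody expires ends up denying legitimate users long after the scanner has moved on.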



