Member "portsentry-2.0b1/README.methods" (8 Apr 2002, 4786 Bytes) of package /linux/privat/old/portsentry-2.0b1.tar.gz:


Psionic PortSentry Errata
=-=-=-=-=-=-=-=-=-=-=-=-=

$Id: README.methods,v 1.16 2002/04/08 16:49:12 crowland Exp crowland $


This file contains answers to some questions we've been asked, or that you
may be wondering about.

1) Why did you pick the ports in the default .conf file?

2) Why should I be careful about running the PortSentry program?
   (PLEASE READ THIS)

Why did you pick the ports in the default .conf file?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

There is some method to the madness in the way the ports were picked. Allow
me to explain:


TCP Ports - Chosen for the particular interest they hold for an attacker.
These ports are generally the most likely to be abused by a person seeking
to gain access to a host.

Low Range - Ports: 1-20

These ports are chosen for two specific purposes:

1) Some scanners do sequential scanning, starting at port 1 and working up.
Watching these ports lets PortSentry respond to a scan before any real
services are revealed.

2) Several of these services (systat, netstat) are used by attackers as recon
mechanisms and are frequently looked for during a targeted, non-sequential
port sweep.

Low-Mid Range - Ports: 20-500

These ports contain a large number of services that attackers very commonly
look for. Some of these services can be used for recon purposes or for full
remote access.

Mid Range - Ports: 500-1024

These ports contain a host of services commonly looked for by attackers (rsh,
rlogin, rexec, lpd, mountd).

Mid-High Range - Ports: 1024-32768

These ports contain a wealth of services such as X-Windows, IRC servers,
router serial ports, MUDs and others. One particular port (31337) is used
by the program "netcat" to facilitate UDP (yes, UDP) scanning of the
target host. Other ports in this range are commonly used by trojan horses
for communications.

High Range - Ports 32769-65535

These ports are generally not used, with the exception of a really nasty bug
in Solaris in which the portmapper service (normally on port 111) would
present a copy of itself listening in the 327XX range of ports. This allows
an attacker to use a modified portmapper probe to hop filters and dump the
RPC services on the target. Some scans target this range specifically.
Port 49724 is used by the scanning tool "nmap" to do UDP scanning, much
like netcat.

-------------------------------------------------------------------------------

   67 -------------------------------------------------------------------------------
   68 
   69 UDP Ports - These ports harbor a large number of services (largely RPC related)
   70 and have become the frequent target of "stealth" RPC scanning in which the
   71 attacker attempts to locate RPC services manually instead of using
   72 portmapper. This prevents notification of admins of unauthorized use
   73 of the portmapper, a feature found in Wietse Venema's portmapper version.
   74 
   75 Low Range - Ports: 1-20
   76 
   77 As above, some scanners do sequential scanning starting at 1 and working
   78 up. These ports will allow the PortSentry to respond rapidly to a scan before
   79 any real services are revealed.
   80 
   81 Low-Mid Range - Ports: 20-500
   82 
   83 TFTP(69), SNMP(161,162), and SMB(137,138) are commonly sought ports in this
   84 region for the information and compromise potential they provide.
   85 
   86 Mid Range - Ports: 500-1024
   87 
   88 A large number of RPC services are located in this area. Some attempts
   89 to do "stealth" RPC scanning concentrate a UDP scan in the 500-700
   90 range. This will allow admins to get notification of this activity.
   91 
   92 Mid-High Range - Ports: 1024-32768
   93 
   94 NFS (2049) is the main problem here, along with some RPC services and
   95 Back Orifice (31337).
   96 
   97 
   98 High Range - Ports 32769-65535
   99 
  100 These ports are generally not used, again though, Solaris has a habit of
  101 concentrating services in the 327XX range. Waiting here for connections
  102 will find people probing for these services quickly. People shouldn't be
  103 here unless portmapper sent them, and since we don't register with
  104 portmapper they shouldn't know about us unless they are up to no good.
  105 
  106 
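The range rationale above, for both the TCP and UDP lists, comes down to one detection idea: a source that touches ports nothing legitimate listens on gets flagged, and a sequential scanner trips on the low range before it reaches a real service. The Python below is an added illustration of that idea and is not PortSentry's own code. The watch lists are constructed from ports this README names (not the shipped .conf), the source addresses and trigger count are made up for the example, and the range boundaries follow the README with boundary ports assigned to the lower range.

```python
from collections import defaultdict

# Range labels and boundaries as given in the README. The README's ranges share
# boundary values (1-20, 20-500, ...); here a boundary port belongs to the lower
# range, which is an assumption made for this example.
RANGES = (
    ("low", 1, 20),
    ("low-mid", 21, 500),
    ("mid", 501, 1024),
    ("mid-high", 1025, 32768),
    ("high", 32769, 65535),
)

# Constructed watch lists drawn from ports the README names (systat 11, netstat 15,
# rexec/rlogin/rsh/lpd 512-515, 31337, one port in the 327XX range, nmap's 49724;
# TFTP 69, SMB 137/138, SNMP 161/162, NFS 2049). Not the shipped portsentry.conf.
WATCHED = {
    "tcp": {1, 7, 9, 11, 15, 512, 513, 514, 515, 31337, 32771, 49724},
    "udp": {1, 7, 9, 69, 137, 138, 161, 162, 2049, 31337, 32771},
}
TRIGGER_COUNT = 3  # watched-port hits from one source before it is flagged


def range_of(port):
    """Map a port number onto the README's range labels."""
    for label, lo, hi in RANGES:
        if lo <= port <= hi:
            return label
    raise ValueError(f"port out of range: {port}")


def analyze(records, trigger=TRIGGER_COUNT):
    """Replay (src, proto, port) connection attempts in arrival order.

    Returns, per source that touched a watched port: the watched hits, the
    README ranges those ports fall in, and the port at which the source crossed
    the trigger count (None if it never did). Hits on unwatched ports never
    reach a tripwire, exactly as they never reach PortSentry.
    """
    hits = defaultdict(list)
    tripped_at = {}
    for src, proto, port in records:
        if port not in WATCHED[proto]:
            continue
        hits[src].append((proto, port))
        if src not in tripped_at and len(hits[src]) >= trigger:
            tripped_at[src] = port
    return {
        src: {
            "hits": ports,
            "ranges": sorted({range_of(p) for _, p in ports}),
            "tripped_at": tripped_at.get(src),
        }
        for src, ports in hits.items()
    }


# Constructed traffic: a sequential TCP scanner walking ports 1..30, a targeted
# UDP recon sweep, and a legitimate client that only touches real services.
SAMPLE = (
    [("198.51.100.7", "tcp", p) for p in range(1, 31)]
    + [("203.0.113.9", "udp", p) for p in (69, 161, 2049, 31337)]
    + [("192.0.2.44", "tcp", p) for p in (22, 80, 443)]
)


if __name__ == "__main__":
    for src, info in analyze(SAMPLE).items():
        print(src, info)
```

Replaying the constructed sample, the sequential scanner trips at port 9 (its third watched hit), well before it reaches port 22, the first real service in the sample; the UDP sweep trips at 2049 and shows up as touching the low-mid and mid-high ranges; the legitimate client never appears, because it only hit ports the tripwire does not watch.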
Why should I be careful about running the PortSentry program?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

With stealth scan detection, there is the possibility that an
attacker can flood your host with bogus packets, causing PortSentry to
activate continuously and write warnings to your log. This can amount to
a denial of service attack that you should be aware of. We do not recommend
running stealth scan detection on a high-profile Internet host that is
subject to frequent abuse.

It is our experience, though, that spoofed scans are not an issue, and we
recommend that people use auto-blocking, knowing that 99.9% of the time it
will block a scan.

Again, we strongly feel that the benefits of auto-blocking hosts
*far outweigh* the limited risk you take by having auto-blocking turned on.

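The risk described above is that every bogus packet, from every spoofed source, costs one log write and one auto-block, so a flood turns the sensor itself into the denial of service. One way to bound that cost is a global rate limit on warnings, a cap on outstanding blocks, and an ignore list for addresses that must never be blocked even if a spoofed packet carries them. The Python below is an added example of that bounding, with constructed policy values, addresses and log wording; it is not PortSentry's own response code and the values are not its defaults.

```python
from collections import Counter, deque

# Constructed policy values for this example; not PortSentry's defaults.
IGNORE = {"127.0.0.1", "192.0.2.1"}   # never block: loopback and our own gateway
LOG_BURST = 3        # warnings written per LOG_WINDOW seconds before suppression
LOG_WINDOW = 60.0
BLOCK_CAP = 100      # maximum number of sources held in the block list


class Responder:
    """Tripwire responder that keeps a packet flood from costing unbounded
    log writes and firewall entries."""

    def __init__(self, ignore=IGNORE, log_burst=LOG_BURST,
                 log_window=LOG_WINDOW, block_cap=BLOCK_CAP):
        self.ignore = set(ignore)
        self.log_burst = log_burst
        self.log_window = log_window
        self.block_cap = block_cap
        self.stamps = deque()   # times of warnings written in the current window
        self.blocked = set()
        self.log = []
        self.suppressed = 0

    def handle(self, now, src, proto, port):
        """Process one hit on a watched port; returns the action taken."""
        if src in self.ignore:
            return "ignored"
        if src in self.blocked:
            return "already-blocked"
        if len(self.blocked) < self.block_cap:
            self.blocked.add(src)
            action = "blocked"
        else:
            action = "cap-reached"   # still logged (subject to the limit), not blocked
        self._warn(now, f"attackalert: {proto} port {port} probe from {src} ({action})")
        return action

    def _warn(self, now, msg):
        """Sliding-window rate limit on log lines, global across all sources."""
        while self.stamps and now - self.stamps[0] >= self.log_window:
            self.stamps.popleft()
        if len(self.stamps) >= self.log_burst:
            self.suppressed += 1
            return False
        self.stamps.append(now)
        self.log.append(f"{now:.0f} {msg}")
        return True

    def summary(self, now):
        """One line for everything suppressed, so the flood itself stays visible."""
        if self.suppressed:
            self.log.append(f"{now:.0f} {self.suppressed} further alerts "
                            "suppressed by the log rate limit")
            self.suppressed = 0


def run_sample():
    """Replay constructed events: a gateway hit, one real scanner, then a flood
    of 300 distinct (constructed) source addresses all hitting the same port."""
    events = [(0.0, "192.0.2.1", "tcp", 11),          # our gateway: ignored
              (1.0, "198.51.100.7", "tcp", 11),       # a scanner: logged and blocked
              (2.0, "198.51.100.7", "tcp", 15)]       # same scanner: already blocked
    flood = [f"203.0.113.{i}" for i in range(1, 201)] + \
            [f"198.18.0.{i}" for i in range(1, 101)]
    events += [(10.0, src, "udp", 31337) for src in flood]
    r = Responder()
    outcomes = Counter(r.handle(*e) for e in events)
    r.summary(11.0)
    return r, outcomes


if __name__ == "__main__":
    responder, outcomes = run_sample()
    print(dict(outcomes))
    print("\n".join(responder.log))
```

With these values the 300-source flood produces four log lines in total (two alerts, then one summary line counting the 298 suppressed) and fills the block list to its cap of 100; the remaining 201 sources are seen but not blocked. That is the trade the README's warning points at: bounding the damage a flood can do means accepting that some scanners during the flood go unblocked, and the ignore list is what keeps a spoofed packet from ever blocking your own gateway.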