Deep understanding of firewalls: firewall records (2)

Source: Internet
Author: User
Tags: imap, snmp
Firewall logging in depth
53 DNS: Hackers or crackers may be attempting a zone transfer (TCP), DNS spoofing (UDP), or hiding other traffic inside DNS. For this reason, firewalls often filter or log port 53.
Note that you will often see port 53 as a UDP source port. Weak firewalls typically allow this traffic through, assuming it is the reply to a DNS query. Hackers often use this method to get through a firewall.

67 and 68 BOOTP and DHCP (UDP): Firewalls on DSL and cable-modem links often see large numbers of packets sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Hackers often break into such machines and hand out addresses, posing as the local router in order to launch large numbers of "man-in-the-middle" attacks. The client broadcasts its configuration request on port 68 (BOOTPS), and the server broadcasts its response on port 67 (BOOTPC). The response is broadcast because the client does not yet know an IP address to which it could be sent.

(UDP) Many servers provide this service alongside BOOTP so that systems can download their boot code. But they are often misconfigured to serve any file on the system, such as the password file. They can also be used to write files to the system.

Finger: Hackers use it to obtain user information, identify the operating system, probe for known buffer-overflow bugs, and bounce finger scans from their own machine to other machines.

98 Linuxconf: This program provides simple administration of Linux boxes. It offers a web interface on port 98 through an integrated HTTP server. A number of security issues have been found in it: some versions are setuid root, trust the local network, create Internet-accessible files in /tmp, and have a buffer overflow in the LANG environment variable. In addition, because it contains an integrated server, many of the typical HTTP vulnerabilities may exist (buffer overflows, directory traversal, etc.).

109 POP2: Not as well known as POP3, but many servers offer both services (for backwards compatibility). POP3 vulnerabilities on a server usually exist in its POP2 service as well.

POP3 is used by clients to access server-side mail services. The POP3 service has many recognized weaknesses. At least 20 buffer overflows have been found in the username and password exchange (which means a hacker can get into the system before actually logging in). There were other buffer overflows after a successful login as well.

111 sunrpc portmap rpcbind: Sun RPC portmapper/rpcbind. Querying the portmapper is the first step in scanning a system to see which RPC services are allowed. Common RPC services are rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd and so on. Once the intruder has found which RPC services are allowed, they turn to the specific ports that provide those services and test them for vulnerabilities.

Remember to keep a record with a daemon, IDS, or sniffer on the line; then you can see which programs the intruder is using and work out what actually happened.

113 ident auth: This is a protocol that runs on many machines to identify the users of TCP connections. Used as a standard service, it can reveal information about many machines (which hackers can exploit). But it can also serve as a logger for many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through the firewall, you will see many connection requests to this port. Remember that if you block this port, clients will experience a slow connection to the e-mail server on the other side of the firewall. Many firewalls support returning an RST when blocking a TCP connection, which stops the slow connection.

119 NNTP news: The Network News Transport Protocol, which carries Usenet traffic. This port is used when you open a link such as news://comp.security.firewalls/. Connection attempts to this port are usually people looking for Usenet servers. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server lets anyone post and read messages, reach restricted newsgroup servers, post anonymously, or send spam.

135 oc-serv MS RPC end-point mapper: Microsoft runs the DCE RPC end-point mapper for its DCOM services on this port. This is similar in function to port 111 on UNIX. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When a remote client connects to the machine, it queries the end-point mapper to find where the service lives. Hackers likewise scan this port to find out things like: Is Exchange Server running on this machine? Which version?

Besides being used to query services, this port can also be used for direct attacks, for example with epdump. Some DoS attacks are aimed at this port.

137 NetBIOS name service nbtstat (UDP): This is the most common entry firewall administrators see; please read the NetBIOS section later in this article.

139 NetBIOS file and print sharing: Inbound connections on this port are attempts to reach NetBIOS/SMB services. This protocol is used for Windows "File and Printer Sharing" and for Samba. People sharing their own hard disk on the Internet is probably the most common problem.

Heavy scanning of this port began in 1999, then gradually declined; in 2000 it picked up again. Some VBS worms (IE5 VisualBasic scripting) copy themselves to this port, attempting to propagate through it.

143 IMAP: Has the same security problems as POP3 above; many IMAP servers have buffer overflow vulnerabilities in the login process. Remember that a Linux worm (ADMw0rm) propagates through this port, so many scans of this port come from unwitting infected users. These vulnerabilities became popular when Red Hat enabled IMAP by default in their Linux distribution. After the Morris worm, it was the first widely spread worm of all time.

This port is also used for IMAP2, but that is not common.

There have been reports that some attacks on ports 0 through 143 originate from scripts.

161 SNMP (UDP): A port frequently probed by intruders. SNMP allows remote management of devices. All configuration and status information is stored in a database that is retrieved through SNMP. Many administrators misconfigure it and expose it to the Internet. Crackers will try to access the system using the default community strings "public" and "private". They may try every possible combination.

SNMP packets may be wrongly directed at your network. Windows machines are often misconfigured to use SNMP for the HP JetDirect remote management software; the HP object identifier will receive SNMP packets. Newer versions of Win98 use SNMP to resolve names, and you will see these packets broadcast on the subnet (cable modem, DSL) querying sysName and other information.

162 SNMP trap: May be due to a misconfiguration.

177 XDMCP: Many hackers use it to reach the X Window console, which also requires port 6000 to be open.

513 rwho: Probably a broadcast from a UNIX machine on a subnet that uses cable modems or DSL. These broadcasts give hackers interesting information for getting into those systems.

553 CORBA IIOP (UDP): If you are on a cable-modem or DSL VLAN, you will see broadcasts on this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Hackers will use this information to get into the system.

Pcserver backdoor: see port 1524.

Some script kiddies think they have completely compromised a system by modifying the ingreslock and pcserver files. - Alan J. Rosenthal

635 mountd: Linux mountd bugs. This is a popular bug for people to scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both transports at the same time). Remember that mountd can run on any port (in which case you need to query portmap on port 111 to find it), but Linux defaults to port 635, just as NFS typically runs on port 2049.

1024: Many people ask what this port is for. It is the start of the dynamic port range. Many programs do not care which port they use for a network connection; they ask the operating system for the "next free port", and that assignment starts at port 1024. This means the first program that asks the system for a dynamic port is given port 1024. To verify this, reboot the machine, start Telnet, then open another window and run "netstat -a": you will see that Telnet has been assigned port 1024. The more programs request dynamic ports, the higher the port numbers the operating system hands out become. Likewise, if you watch with netstat while browsing the web, you will see that each web page needs a new port.
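As an added example (not part of the original article), the following Python classifier applies two points from the list above: it labels inbound hits on the ports discussed (53, 67/68, 111, 135, 137, 139, 143, 161) with the reason the article gives, and it implements the stateful check for the UDP source-port-53 trick described under port 53, accepting a packet from source port 53 only when a matching outbound query was seen first. The log format, the 192.168.1.0/24 internal range and the sample lines are constructed assumptions.

```python
import re
# Constructed log format for this example: "PROTO src:sport -> dst:dport"
# (not the syntax of any real firewall product).
LINE_RE = re.compile(r"(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)")
INTERNAL = "192.168.1."   # assumption: the protected LAN is 192.168.1.0/24
# Ports called out in the article and why an inbound hit deserves attention.
WATCHED = {
    53: "DNS: zone transfer (TCP) or spoofing (UDP)", 67: "BOOTP/DHCP", 68: "BOOTP/DHCP",
    111: "sunrpc portmap: first step of an RPC scan",
    135: "MS RPC end-point mapper (epdump, DoS)", 137: "NetBIOS name service",
    139: "NetBIOS/SMB file and print sharing", 143: "IMAP login overflows (ADMw0rm)",
    161: "SNMP probe for default community strings",
}

def classify(lines):
    # One verdict per log line. Outbound DNS queries are remembered so that a UDP
    # packet with source port 53 counts as a reply only if a matching query left
    # first; a stateless "allow source port 53" rule is the hole the article warns about.
    pending = set()   # (client_ip, client_port, resolver_ip) awaiting a reply
    verdicts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            verdicts.append("unparsed")
            continue
        proto, src, dst = m["proto"], m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if src.startswith(INTERNAL) and not dst.startswith(INTERNAL):
            if proto == "UDP" and dport == 53:
                pending.add((src, sport, dst))
            verdicts.append("outbound")
        elif proto == "UDP" and sport == 53:
            if (dst, dport, src) in pending:        # answers a query we saw leave
                pending.discard((dst, dport, src))
                verdicts.append("dns reply")
            else:
                verdicts.append("ALERT: unsolicited UDP source port 53 (firewall bypass)")
        elif dport in WATCHED:
            verdicts.append("ALERT: inbound %d (%s)" % (dport, WATCHED[dport]))
        else:
            verdicts.append("inbound")
    return verdicts

# Constructed sample lines (not from a real capture); 198.51.100.1 plays the resolver.
SAMPLE = [
    "UDP 192.168.1.10:1024 -> 198.51.100.1:53",    # host asks the resolver
    "UDP 198.51.100.1:53 -> 192.168.1.10:1024",    # the genuine reply
    "UDP 203.0.113.5:53 -> 192.168.1.10:139",      # source-port-53 trick aimed at NetBIOS
    "TCP 203.0.113.5:3344 -> 192.168.1.10:111",    # portmap scan
    "TCP 203.0.113.5:3345 -> 192.168.1.10:8080",
]
```

Running `classify(SAMPLE)` yields one verdict per sample line; note that the source-port-53 check is evaluated before the watched-port lookup, so the spoofed packet is reported as unsolicited rather than merely as a port 139 hit.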
