Deep understanding of firewalls-deep firewall Records (1) _ Server

Deep Firewall logging
This article will explain to you what you see in the Firewall log (log). Especially what those ports mean ...
This article will explain to you what you see in the Firewall log (log). Especially those ports, what do you mean? You will be able to use this information to make a judgment: Have I been attacked by hacker? What does he/she want to do? This article applies both to security experts who maintain an enterprise-class firewall and to home users who use personal firewalls.
Translator: Now personal firewalls are starting to pop up, and many netizens think that they are attacked by some kind of attack, but most of them are not.

First, target port zzzz What does that mean?

All traffic through the firewall is a part of the connection. A connection contains a pair of "talking" IP addresses and a pair of ports corresponding to the IP address. The destination port usually means a service that is being connected. When a firewall blocks (block) A connection, it "registers" the target port (logfile). This section describes the meaning of these ports.

The port can be divided into 3 main categories:

1) Accepted ports (well known Ports): from 0 to 1023, they are tightly bound to some services. Usually the communication of these ports clearly indicates the protocol of some kind of service. For example: Port 80 is actually always HTTP traffic.

2 registration port (registered Ports): from 1024 to 49151. They are loosely bound to some services. This means that there are many services that are bound to these ports and are used for many other purposes. For example, many systems handle dynamic ports starting at around 1024.

3 dynamic and/or private ports (dynamically and/or private Ports): from 49152 to 65535. In theory, these ports should not be assigned to services. In fact, machines typically allocate dynamic ports from 1024. But there are exceptions: Sun's RPC port starts at 32768.

Where to get more comprehensive port information:

1. Ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

"Assigned Numbers" RFC, the official source of port assignment.

2. http://advice.networkice.com/advice/Exploits/Ports/

Port database, which contains many ports for system vulnerabilities.

3. /etc/services

File/etc/services in Unix systems contains a list of commonly used UNIX port assignments. This file is located in%systemroot%/system32/drivers/etc/services in Windows NT.

4. Http://www.con.wesleyan.edu/~triemer/network/docservs.html

A specific protocol and port.

5. Http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html

Describes a number of ports.

6. Http://www.tlsecurity.com/trojanh.htm

List of tlsecurity Trojan ports. Unlike other people's collections, the author examines all the ports in it.

7. Http://www.simovits.com/nyheter9902.html

Trojan Horse detection.

What are the usual TCP/UDP port scans for firewalls?

This section describes the information that typically TCP/UDP ports are scanned in the firewall record. Remember: There is no ICMP port. If you are interested in interpreting ICMP data, see the other parts of this article.

0 is typically used to analyze the operating system. This approach works because "0" is an invalid port in some systems and will produce different results when you try to connect to it using a common closed port. A typical scan: Use an IP address of 0.0.0.0 to set the ACK bit and broadcast on the Ethernet layer.

1 Tcpmux This shows someone looking for the SGI IRIX machine. IRIX is the primary provider of implementation Tcpmux, and Tcpmux is opened in this system by default. The Iris Machine is released with several default password-free accounts, such as LP, Guest, UUCP, NUUCP, demos, tutor, Diag, Ezsetup, Outofbox, and 4Dgifts. Many administrators forgot to delete these accounts after installation. So hacker search Tcpmux on the Internet and use these accounts.

7 Echo You can see the information that many people send to x.x.x.0 and x.x.x.255 when they search for Fraggle amplifiers.

A common Dos attack is the Echo loop (Echo-loop), where an attacker forges a UDP packet sent from one machine to another, and two machines respond to the packets in their quickest way. (See Chargen)

Another thing is a TCP connection established by DoubleClick in the word port. There is a product called the "resonate Global Dispatch", which is connected to the port at this end of DNS to determine the most recent route.

Harvest/squid cache will send UDP echo from port 3130: "If the cache's source_ping on option is turned on, it will respond to a hit reply on the original host's UDP Echo port." "This will produce many such packets.

One sysstat this is a UNIX service that lists all the running processes on the machine and what it is that started these processes. This provides intruders with a lot of information that threatens the safety of the machine, such as exposing certain vulnerabilities or accounts known to the program. This is similar to the result of the "PS" command in UNIX systems

Say again: ICMP does not have a port, ICMP Port 11 is usually ICMP type=11

Chargen This is a service that sends only characters. The UDP version will respond to packets that contain junk characters after the UDP packet is received. When a TCP connection is sent, the data stream that contains the garbage character is known to be closed. Hacker uses IP spoofing to launch a Dos attack. Fake UDP packets between two Chargen servers. Because the server attempted to respond to an unlimited round-trip data communication between two servers one chargen and Echo will cause the server to overload. The same Fraggle DOS attack broadcasts a packet of spoofed victim IP to this port on the destination address, and the victim is overloaded in response to the data.

FTP The most common attacker is used to find ways to open the FTP server for "anonymous". These servers have a read-write directory. Hackers or crackers use these servers as a node to transmit warez (private programs) and pr0n (intentionally misspelled words to avoid being sorted by search engines).

SSH pcanywhere the connection between TCP and this port may be to find SSH. There are many weaknesses in this service. Many versions that use the RSAREF library have a number of vulnerabilities if configured to a specific pattern. (It is recommended that you run SSH on a different port)

It should also be noted that the SSH Toolkit comes with a program called Make-ssh-known-hosts. It scans the entire domain for SSH hosts. You are sometimes accidentally scanned by someone using the program.

UDP (not TCP) connected to the 5632 port on the other end means there is a scan for the search pcanywhere. The 5632 (16-0x1600) bit is exchanged after the 0x0016 (22 of the system).

A Telnet intruder searches for remote UNIX services. In most cases, intruders scan this port to find the operating system that the machine is running on. In addition to using other techniques, intruders will find the password.

The SMTP attacker (spammer) is looking for an SMTP server to pass their spam. An intruder's account is always closed, and they need to dial up to a high-bandwidth e-mail server to deliver simple information to different addresses. SMTP servers, especially SendMail, are one of the most common ways to access the system because they must be fully exposed to the Internet and the routing of Messages is complex (exposing complexity = weakness).