This article explains what you see in your firewall log: what the logged ports mean, and how to use that information to decide whether you are being attacked and what the attacker is trying to do. It is written for both enterprise firewall security staff and home users running personal firewalls.
Personal firewalls are now common, and many users assume they are under attack the moment they see an alert. In most cases that is not so.
1. What does the target port ZZZZ mean?
All traffic through a firewall belongs to a connection. A connection consists of a pair of IP addresses that are "talking" to each other and a pair of ports, one for each address. The target (destination) port usually identifies the service being connected to. When a firewall blocks a connection, it logs the target port. This section explains what those ports mean.
Ports fall into three categories:
1) Well Known Ports: 0 to 1023. These are tightly bound to specific services; traffic on one of these ports almost always indicates that service's protocol. For example, port 80 is virtually always HTTP.
2) Registered Ports: 1024 to 49151. These are loosely bound to services: many services are registered on these ports, but the same ports are also used for many other purposes. In particular, many systems hand out dynamic ports starting at around 1024.
3) Dynamic and/or Private Ports: 49152 to 65535. In theory no service should be assigned a port in this range. In practice, machines usually allocate dynamic ports starting from 1024, with exceptions: Sun's RPC ports start at 32768.
Where to find more complete port information:
1. ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
The "Assigned Numbers" RFC, the official source of port assignments.
2. http://advice.networkice.com/advice/Exploits/Ports/
A port database that includes many ports with known system vulnerabilities.
3. /etc/services
On UNIX systems the file /etc/services lists the commonly used port assignments. On Windows NT the equivalent file is %systemroot%\system32\drivers\etc\services.
4. http://www.con.wesleyan.edu/~Triemer/network/docservs.html
Specific protocols and their ports.
5. http://www.chebucto.ns.ca/~Rakerman/trojan-port-table.html
Describes many ports.
6. http://www.tlsecurity.com/trojanh.htm
TLSecurity's Trojan port list. Unlike other collections, the author has checked every port listed.
7. http://www.simovits.com/nyheter9902.html
Trojan horse probes.
2. What common TCP/UDP port scans appear in firewall logs?
This section describes the TCP/UDP port scans you will see in firewall logs. Remember: there is no such thing as an ICMP port. If you want to interpret ICMP data, see the other sections of this article.
0 is commonly used for operating system fingerprinting. This works because "0" is an invalid port on some systems, and connecting to it produces different results from connecting to a normally closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts on the Ethernet layer.
1 tcpmux: this shows that someone is looking for SGI Irix machines. Irix is the main vendor implementing tcpmux, and it is enabled by default on that system. Irix machines ship with several default accounts without passwords, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and log in with them.
7 Echo: you will see packets sent to x.x.x.0 and x.x.x.255 when people are searching for Fraggle amplifiers.
A common DoS attack is the echo loop: the attacker forges a UDP packet from one machine to another, and the two machines then bounce the packet back and forth as fast as they can. (See Chargen.)
Another thing you may see is TCP connections from DoubleClick to this port. They have a product called "Resonate Global Dispatch" that connects to this port on DNS servers to determine the nearest route.
Harvest/squid caches send UDP echo from port 3130: "If the cache's source_ping on option is enabled, it will echo a HIT reply to the UDP echo port of the original host." This generates many such packets.
11 sysstat: a UNIX service that lists all running processes on a machine and what started them. This gives an intruder a great deal of information for threatening the machine's security, such as programs with known vulnerabilities or exposed accounts. It is similar to the output of the UNIX "ps" command.
Again: ICMP has no ports; "ICMP port 11" usually means ICMP type 11.
19 chargen: a service that simply sends characters. The UDP version responds with a packet of garbage characters whenever it receives a UDP packet. When a TCP connection is established, it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks: forge a UDP packet between two chargen servers, and the servers try to answer each other in an endless round trip. Pairing chargen with echo likewise overloads both servers. Similarly, the Fraggle DoS attack broadcasts packets with a spoofed source IP address to this port on the target network; the victims are overloaded responding to the data.
21 ftp: attackers most commonly use this to find ways to open "anonymous" FTP servers that have read/write directories. Hackers or crackers use these servers as nodes for distributing warez (pirated programs) and pr0n (deliberately misspelled to avoid being indexed by search engines).
22 ssh: PcAnywhere establishes TCP connections to this port. The service has many weaknesses; many versions using the RSAREF library have several vulnerabilities when configured in a particular mode. (It is recommended to run ssh on a different port.)
Note that the ssh toolkit includes a program called make-ssh-known-hosts, which scans a whole domain for ssh hosts. Sometimes you are scanned accidentally by people running this program.
If the other end connects with UDP (rather than TCP) to port 5632, this is a pcAnywhere scan. 5632 is 0x1600 in hexadecimal; with the bytes swapped it becomes 0x0016, which is decimal 22.
23 Telnet: intruders are searching for remote UNIX services. In most cases they scan this port to find out which operating system the machine runs. With other techniques they also try to find passwords.
25 smtp: attackers (spammers) look for SMTP servers to relay their spam. Spammers' accounts are always being shut down, so they need to dial in, connect to a high-bandwidth mail server, and send one simple message to many different addresses. SMTP servers (especially sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and mail routing is complex (exposure + complexity = weakness).
53 DNS: hackers or crackers may attempt zone transfers (TCP), spoof DNS (UDP), or hide other traffic in DNS. Firewalls therefore often filter or log port 53.
Note that you will often see port 53 as the UDP source port. Poorly configured firewalls allow such traffic through, assuming it is a reply to a DNS query. Hackers often use this to get past firewalls.
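Several of the log patterns described above (echo and chargen sent to x.x.x.0 or x.x.x.255, UDP to 5632 from pcAnywhere, inbound UDP with source port 53) can be pulled out of a log mechanically, and each destination port can be placed in one of the three ranges from section 1. The following Python is an added example, not part of the original article; the log line format is hypothetical and the sample lines are constructed.

```python
import re
# Constructed sample log (not from any real device) in a hypothetical format:
# "<action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
DENY udp 203.0.113.7:4132 -> 192.0.2.255:7
DENY udp 203.0.113.7:4133 -> 192.0.2.0:19
DENY udp 203.0.113.9:5632 -> 192.0.2.10:5632
ALLOW udp 198.51.100.5:53 -> 192.0.2.10:31337
DENY tcp 198.51.100.8:40002 -> 192.0.2.10:50000
"""
LINE_RE = re.compile(r"(\w+) (tcp|udp) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def port_class(port):
    """The three IANA port ranges described in section 1."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def byte_swap16(port):
    """Swap the two bytes of a 16-bit port: 5632 (0x1600) -> 0x0016 == 22."""
    return ((port & 0xFF) << 8) | (port >> 8)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    action, proto, src, sport, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}

def flag(rec):
    """Interpretations from the article that apply to one log record."""
    notes = []
    last_octet = int(rec["dst"].rsplit(".", 1)[1])
    # Echo (7) or chargen (19) sent to x.x.x.0 / x.x.x.255: Fraggle amplifier search.
    if rec["proto"] == "udp" and rec["dport"] in (7, 19) and last_octet in (0, 255):
        notes.append("echo/chargen to x.x.x.0 or x.x.x.255: Fraggle amplifier search")
    # UDP 5632 is pcAnywhere's probe (22 with the bytes swapped).
    if rec["proto"] == "udp" and rec["dport"] == 5632:
        notes.append("UDP 5632 (byte-swapped 22): pcAnywhere scan")
    # Inbound UDP from source port 53 is accepted by careless firewalls as a DNS reply.
    if rec["proto"] == "udp" and rec["sport"] == 53 and rec["dport"] != 53:
        notes.append("inbound UDP from source port 53: possible DNS-reply firewall bypass")
    return notes

def triage(log_text):
    # (dst_port, port class, notes) for every parseable line
    return [(r["dport"], port_class(r["dport"]), flag(r))
            for r in map(parse, log_text.splitlines()) if r]
```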
67 and 68 Bootp and DHCP (UDP): through DSL and cable-modem firewalls you will often see a lot of data sent to the broadcast address 255.255.255.255. These machines are requesting an address from the DHCP server. A hacker can answer them and assign an address, making his own machine the local router and launching many man-in-the-middle attacks. The client broadcasts its configuration request to port 68 (bootps), and the server broadcasts the reply to port 67 (bootpc). The reply is broadcast because the client does not yet know an IP address it can be sent to.
69 TFTP (UDP): many servers provide this service together with bootp to make it easy to download boot code. But they are often misconfigured and will serve any file on the system, such as password files. They can also be used to write files to the system.
79 finger: hackers use it to obtain user information, identify the operating system, probe known buffer-overflow bugs, and bounce finger scans from your machine to other machines.
98 linuxconf: this program provides simple administration of Linux boxes. Its integrated HTTP server offers a web interface on port 98. It has many security problems: some versions are setuid root, trust the LAN, and create Internet-accessible files under /tmp, and there is a buffer overflow in the LANG environment variable. In addition, because it contains an integrated server, it may have many typical HTTP vulnerabilities (buffer overflows, directory traversal, etc.).
109 POP2: not as well known as POP3, but many servers provide both for backward compatibility. Vulnerabilities in POP3 on the same server usually exist in POP2 as well.
110 POP3: used by clients to access mail on the server. POP3 services have many well-known vulnerabilities. There are at least 20 buffer overflows in the username and password exchange (which means hackers can get in before actually logging on), and further buffer overflows after a successful login.
111 sunrpc portmap rpcbind: Sun RPC PortMapper/RPCBIND. Accessing the portmapper is the first step in scanning a system to see which RPC services are allowed. Common RPC services include rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, and amd. Once intruders find an allowed RPC service, they turn to the specific port that provides it and test for vulnerabilities.
Remember to keep a logging daemon, IDS, or sniffer in line so you can find out which programs the intruder is accessing and work out what happened.
113 Ident auth: a protocol that runs on many machines and identifies the user of a TCP connection. Using the standard service you can obtain information about many machines (which hackers will use). But many services, especially FTP, POP, IMAP, SMTP, and IRC, use it for logging. If many clients access these services through the firewall, you will see many connection requests on this port. Remember that if you block this port, clients will experience slow connections to mail servers on the other side of the firewall. Many firewalls support sending back an RST when blocking the TCP connection, which stops the slow connection.
119 NNTP news: the newsgroup transfer protocol, which carries USENET traffic. This port is used when you follow a link such as news://comp.security.firewalls. Connection attempts on this port are usually people looking for USENET servers. Most ISPs restrict their news servers to their own customers. An open news server lets you post to or read any group, access restricted newsgroups, and post anonymously or send spam.
135 oc-serv ms rpc end-point mapper: Microsoft runs the DCE RPC end-point mapper on this port for its DCOM services. This is similar in function to UNIX port 111. Services that use DCOM and/or RPC register with the end-point mapper on the machine.