Security Knowledge: Interpreting Firewall Logs (logging and security settings)

Source: Internet
Author: User
Tags: imap, snmp, ssh, pcanywhere

1. Destination ports

All traffic passing through a firewall is part of a connection. A connection consists of a pair of "talking" IP addresses and a pair of ports, one per address. The destination port usually identifies the service being connected to. When a firewall blocks a connection, it logs the destination port.

Ports fall into three main categories:

1) Well-known ports: from 0 to 1023. They are tightly bound to particular services. Traffic on these ports usually clearly indicates the protocol of a specific service. For example, port 80 is practically always HTTP traffic.

2) Registered ports: from 1024 to 49151. They are loosely bound to services. This means that many services are bound to these ports, and the same ports are also used for many other purposes. For example, many systems hand out dynamic ports starting at around 1024.

3) Dynamic and/or private ports: from 49152 to 65535. In theory, these ports should not be assigned to services. In practice, machines usually allocate dynamic ports starting from 1024. There are exceptions: Sun's RPC ports start at 32768.

Where to get more comprehensive port information:

1. ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

The "Assigned Numbers" RFC, the official source of port assignments.

2. http://advice.networkice.com/advice/exploits/ports/

A port database that lists many ports associated with system vulnerabilities.

3. /etc/services

The file /etc/services on Unix systems contains a list of commonly used UNIX port assignments. On Windows NT this file is located at %systemroot%/system32/drivers/etc/services.

4. http://www.con.wesleyan.edu/~triemer/network/docservs.html

Specific protocols and their ports.

5. http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html

Describes a number of ports.

Which TCP/UDP ports do firewalls commonly see scanned?

0: Typically used to fingerprint the operating system. This works because "0" is an invalid port on some systems and produces a different result than connecting to an ordinary closed port. A typical scan: use an IP address of 0.0.0.0, set the ACK bit, and broadcast on the Ethernet layer.

1 tcpmux: This shows someone looking for SGI IRIX machines. IRIX is the main vendor that implements tcpmux, and it is enabled by default on that system. IRIX machines ship with several default accounts that have no password, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts. Many administrators forget to delete these accounts after installation, so attackers search the Internet for tcpmux in order to use these accounts.

7 echo: You will see many people sending packets to x.x.x.0 and x.x.x.255 when they search for Fraggle amplifiers.

A common DoS attack is the echo loop (echo-loop): the attacker forges a UDP packet so that it appears to come from one machine and be sent to another, and the two machines then reply to each other as fast as they can. Another source is the TCP connection that DoubleClick establishes to this port. There is also a product called "Resonate Global Dispatch" that connects to this port on DNS servers to determine the closest route.

The Harvest/squid cache sends UDP echo from port 3130: "If the cache's source_ping on option is enabled, it bounces a HIT reply to the original host's UDP echo port." This generates many such packets.

11 sysstat: This is a UNIX service that lists all processes running on the machine and what started them. This gives intruders a great deal of information that threatens the machine's security, such as exposing programs with known vulnerabilities or known accounts. It is similar to the output of the "ps" command on UNIX systems.

19 chargen: This is a service that simply sends characters. The UDP version responds to a received UDP packet with a packet full of junk characters. For a TCP connection, it sends a stream of junk characters until the connection is closed. Attackers use IP spoofing to launch DoS attacks: they forge UDP packets between two chargen servers, or between a chargen server and an echo server, and because each server tries to respond, the unlimited back-and-forth data exchange between the two overloads them. Likewise, the Fraggle DoS attack broadcasts a packet with the spoofed victim's IP as source to this port on the destination address, and the victim is overloaded by the responses.

21 FTP: The most common attacker activity is looking for ways to open FTP servers for "anonymous" access. These servers have readable and writable directories. Hackers or crackers use such servers as nodes for distributing warez (pirated software) and pr0n (deliberately misspelled to avoid being indexed by search engines).

22 ssh / pcAnywhere: A TCP connection to this port may be looking for ssh. This service has many weaknesses. Many versions that use the RSAREF library have a number of vulnerabilities if configured in a particular way. (It is recommended that you run ssh on a different port.)

Note also that the ssh toolkit comes with a program called make-ssh-known-hosts. It scans an entire domain for ssh hosts. You will sometimes be scanned unintentionally by someone using this program.

A UDP (not TCP) connection to port 5632 on the other end indicates a scan for pcAnywhere. 5632 (hex 0x1600) is 0x0016 (decimal 22) with its bytes swapped.

23 Telnet: The intruder is searching for remote UNIX services. In most cases, intruders scan this port to find out which operating system the machine is running. Using other techniques as well, the intruder will then try to find passwords.

25 SMTP: The attacker (spammer) is looking for an SMTP server through which to relay their spam. Spammers' accounts are always shut down, so they need to dial in to a high-bandwidth e-mail server to deliver a simple message to many different addresses. SMTP servers (especially Sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and message routing is complex (exposed + complex = weakness).

53 DNS: Hackers or crackers may be attempting a zone transfer (TCP), spoofing DNS (UDP), or hiding other traffic. Therefore firewalls often filter or log port 53.

Note that you will often see 53 as the UDP source port. Stateless firewalls typically allow this traffic through, assuming it is a reply to a DNS query. Attackers often use this method to get through a firewall.

67 and 68 BOOTP and DHCP (UDP): Firewalls on DSL and cable-modem links often see large numbers of packets sent to the broadcast address 255.255.255.255. These machines are requesting an address assignment from a DHCP server. Attackers often answer these requests themselves, handing out an address configuration that makes their own machine the local router, which enables many "man-in-the-middle" attacks. The client broadcasts its configuration request on port 68 (BOOTPS), and the server broadcasts its response to port 67 (BOOTPC). The response is broadcast because the client does not yet have an IP address it can be sent to.

69 TFTP (UDP): Many servers provide this service alongside BOOTP to make it easy to download boot code to a system. But they are often misconfigured to serve any file on the system, such as the password file. They can also be used to write files onto the system.

79 finger: Attackers use it to obtain user information, query the operating system, probe for known buffer-overflow bugs, and bounce finger scans off this machine to other machines.

98 linuxconf: This program provides simple administration of Linux boxes. It offers a web-interface service on port 98 through an embedded HTTP server. A number of security problems have been found in it. Some versions are setuid root, trust the local network, create Internet-accessible files in /tmp, and have a buffer overflow in the LANG environment variable. In addition, because it contains an embedded server, many typical HTTP vulnerabilities may be present (buffer overflows, directory traversal, etc.).

109 POP2: Not as well known as POP3, but many servers offer both services (backward compatibility). The POP3 vulnerabilities also exist in POP2 on the same server.

110 POP3: Used by clients to access server-side mail services. The POP3 service has many recognized weaknesses. There are at least 20 weaknesses involving buffer overflows in the username and password exchange (meaning an attacker can enter the system before actually logging in). There are other buffer-overflow bugs after a successful login.

111 sunrpc portmap rpcbind: Sun RPC portmapper/rpcbind. Accessing the portmapper is the first step in scanning a system to see which RPC services are allowed. Common RPC services are rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd and so on. Once the intruder finds an allowed RPC service, they turn to the specific port providing that service to test for vulnerabilities.

Remember to keep the records from your daemons, IDS or sniffer; from them you can find out what programs the intruder is using and thus what happened.

113 ident auth: This is a protocol that runs on many machines to identify the user of a TCP connection. In standard use it gives out information about many machines (which attackers will use). But it is used as a logging aid by many services, especially FTP, POP, IMAP, SMTP and IRC. Usually, if many clients access these services through the firewall, you will see many connection requests to this port. Remember, if you block this port, clients will experience slow connections to e-mail servers on the other side of the firewall. Many firewalls support returning an RST when blocking a TCP connection, which stops the slow connection.

119 NNTP news: The newsgroup transport protocol, which carries Usenet traffic. This port is used when you follow a link such as news://comp.security.firewalls/. Connection attempts to this port are usually people looking for Usenet servers. Most ISPs restrict access to their newsgroup servers to their own customers. An open newsgroup server lets anyone post or read, reach restricted newsgroup servers, post anonymously, or send spam.

135 loc-srv MS RPC end-point mapper: Microsoft runs the DCE RPC end-point mapper for its DCOM services on this port. This is similar in function to UNIX port 111. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When remote clients connect to the machine, they query the end-point mapper to find the service's location. Attackers scan this port for the same reason, to find out things like: Is Exchange Server running on this machine? Which version?

Besides being used to query services, this port can also be used for direct attacks, for example with epdump. Some DoS attacks target this port.

137 NetBIOS name service nbtstat (UDP): This is the most common traffic firewall administrators see; please read the NetBIOS section later in this article.

139 NetBIOS file and print sharing: Incoming connections through this port are attempts to reach NetBIOS/SMB services. This protocol is used for Windows "File and Printer Sharing" and by Samba. Sharing your own hard disk on the Internet is probably the most common problem.

A large amount of traffic to this port began in 1999, then gradually decreased; it rebounded again in 2000. Some VBS worms (IE5 VisualBasic Scripting) copy themselves via this port, attempting to propagate through it.

143 IMAP: As with the POP3 security issues above, many IMAP servers have buffer-overflow vulnerabilities in the login process. Remember: a Linux worm (ADMw0rm) propagates through this port, so many scans of this port come from unwitting infected users. These vulnerabilities became popular when RedHat enabled IMAP by default in their Linux release versions. It was the first widely propagated worm since the Morris worm.

This port is also used for IMAP2, but it is not popular.

There have been reports that some attacks on ports 0 to 143 originate from scripts.

161 SNMP (UDP): A port intruders frequently probe. SNMP allows remote management of devices. All configuration and runtime information is stored in a database that can be retrieved through an SNMP client. Many administrators misconfigure it, exposing it to the Internet. Crackers will try to access the system using the default passwords (community strings) "public" and "private", and may try all possible combinations.

SNMP packets may be mistakenly directed at your network. Windows machines using HP JetDirect remote-management software often send SNMP because of a misconfiguration; HP OBJECT IDENTIFIERs will be seen in those SNMP packets. Newer versions of Win98 use SNMP to resolve names, and on a shared subnet (cable modem, DSL) you will see these packets querying sysName and other information.

162 SNMP trap: May be due to a misconfiguration.

177 XDMCP: Many attackers use it to access X Windows consoles; this also requires port 6000 to be open.

513 rwho: May be broadcasts from UNIX machines on a subnet using cable modems or DSL. They provide interesting information for attackers wanting to access those systems.

553 CORBA IIOP (UDP): If you are on a cable-modem or DSL VLAN, you will see broadcasts to this port. CORBA is an object-oriented RPC (Remote Procedure Call) system. Attackers will use this information to get into systems.

600 pcserver backdoor: See port 1524.

Some script kiddies think they have completely compromised a system by modifying the ingreslock and pcserver files. - Alan J. Rosenthal

635 mountd: The Linux mountd bug. This is a popular bug that people scan for. Most scans of this port are UDP-based, but TCP-based mountd scans have increased (mountd runs on both at the same time). Remember, mountd can run on any port (finding which port requires a portmap query on port 111), but Linux defaults to port 635, just as NFS typically runs on port 2049.

1024: Many people ask what this port is for. It is the start of the dynamic port range. Many programs do not care which port they use to connect to the network; they ask the operating system to assign them the "next free port". On this basis, assignment starts at port 1024, which means the first program that asks the system for a dynamic port is assigned port 1024. To verify this, reboot the machine, start Telnet, then open a window and run "netstat -a"; you will see that Telnet has been assigned port 1024. The more programs request dynamic ports, the higher the ports the operating system assigns become. Similarly, if you watch with "netstat" while browsing the web, each web page requires a new port.
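As an added example (not part of the original article), the script below applies the interpretations above to a handful of blocked-connection log lines: it classifies the destination port into the three IANA ranges from the first section, derives pcAnywhere's 5632 from byte-swapped 22, and flags the signatures the article discusses (UDP source port 53 against a stateless firewall, echo to a .0/.255 address, tcpmux, NetBIOS noise). The "DENY proto src:sport -> dst:dport" line format and all addresses are constructed for this example, not taken from any real firewall.

```python
import re

# Constructed sample input in an assumed "DENY proto src:sport -> dst:dport" format.
SAMPLE_LOG = """\
DENY udp 10.0.0.5:53 -> 192.168.1.10:3478
DENY udp 10.0.0.9:1034 -> 192.168.1.10:5632
DENY udp 10.0.0.9:1035 -> 192.168.1.255:7
DENY tcp 10.0.0.7:2231 -> 192.168.1.10:1
DENY udp 192.168.1.44:137 -> 192.168.1.10:137
DENY tcp 10.0.0.7:2232 -> 192.168.1.10:80
"""

LINE_RE = re.compile(r"DENY (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)")

# pcAnywhere's UDP probe port is 0x0016 (22) with its two bytes swapped: 0x1600 = 5632.
PCANYWHERE_PORT = int.from_bytes((22).to_bytes(2, "big"), "little")

def port_category(port):
    """The three IANA port ranges described in the article."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def classify(proto, sport, dst, dport):
    """Return the article's interpretation of one blocked connection, or None."""
    last_octet = int(dst.split(".")[-1])
    if proto == "udp" and sport == 53 and dport > 1023:
        return "UDP source port 53: possible DNS-reply trick against a stateless firewall"
    if proto == "udp" and dport == PCANYWHERE_PORT:
        return "pcAnywhere scan (5632 = byte-swapped 22)"
    if proto == "udp" and dport == 7 and last_octet in (0, 255):
        return "echo to broadcast address: search for Fraggle amplifiers"
    if proto == "tcp" and dport == 1:
        return "tcpmux: probe for SGI IRIX default accounts"
    if proto == "udp" and dport == 137:
        return "NetBIOS name service: usual background noise"
    return None

def triage(log_text):
    """Parse each DENY line; yield (dst, dport, port category, interpretation)."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        proto, sport, dst, dport = m.group(1), int(m.group(3)), m.group(4), int(m.group(5))
        results.append((dst, dport, port_category(dport), classify(proto, sport, dst, dport)))
    return results

if __name__ == "__main__":
    for dst, dport, cat, note in triage(SAMPLE_LOG):
        print(f"{dst}:{dport:<5} {cat:16} {note or 'no specific signature'}")
```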
