In-depth firewall record

Source: Internet
Author: User
Tags: pcanywhere
This article explains what you see in the firewall record (log): what do these ports mean? With this information you will be able to determine whether you have been attacked by a hacker and what he or she is trying to do. The article applies both to enterprise firewall security experts and to home users running personal firewalls.
1. What does the target port zzzz mean?
All communication through the firewall is part of a connection. A connection consists of a pair of IP addresses that "converse" with each other and a pair of ports, one belonging to each address. The target port usually indicates the service being connected to. When a firewall blocks a connection, it "records" the target port. This section describes the meaning of these ports.
Ports can be divided into three categories:
1) Well-known ports: from 0 to 1023. They are tightly bound to particular services; traffic on these ports usually clearly indicates a service protocol. For example, port 80 is always HTTP traffic.
2) Registered ports: from 1024 to 49151. They are loosely bound to services: many services are registered on these ports, but the ports are also used for many other purposes. For example, many systems allocate dynamic ports starting from around 1024.
3) Dynamic and/or private ports: from 49152 to 65535. In theory these ports should not be assigned to services. In practice, machines usually allocate dynamic ports starting from 1024, with exceptions: Sun's RPC ports start from 32768.
Where to obtain more comprehensive port information:
1. ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
The "Assigned Numbers" RFC, the official source of port assignments.
2. http://advice.networkice.com/advice/Exploits/Ports/
A port database, including ports associated with many system vulnerabilities.
3. /etc/services
On Unix systems, the file /etc/services contains the list of commonly used UNIX port assignments. On Windows NT, the file is located at %SystemRoot%\system32\drivers\etc\services.
4. http://www.con.wesleyan.edu/~triemer/network/docservs.html
Specific protocols and ports.
5. http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html
Describes many ports.
6. http://www.tlsecurity.com/trojanh.htm
TLSecurity's Trojan port list. Unlike other people's collections, the author has verified every port listed.
7. http://www.simovits.com/nyheter9902.html
Trojan horse detection.
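The port classes above and the /etc/services lookup are easy to automate when triaging a firewall log. The following is an added example (not code from the original article): it parses text in the real /etc/services format and classifies a target port into the three IANA ranges. The services excerpt embedded in it is constructed for the example, so the names it returns come from that excerpt, not from a system file.

```python
"""Classify firewall-logged target ports by IANA range and look them up in an
/etc/services-style table.  Added example, not part of the original article;
SERVICES_TEXT is a constructed excerpt written in the real /etc/services format."""
import re

# Constructed excerpt: "name  port/proto  [aliases]  # comment", as in /etc/services
SERVICES_TEXT = """\
# Network services, Internet style (constructed excerpt for this example)
tcpmux          1/tcp       # TCP port service multiplexer
echo            7/tcp
echo            7/udp
systat          11/tcp      users
chargen         19/tcp      ttytst source
chargen         19/udp      ttytst source
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
http            80/tcp      www www-http
pcanywheredata  5631/tcp
pcanywherestat  5632/udp
"""

# name, port, proto, then anything else (aliases) up to end of line
_LINE = re.compile(r"^\s*(\S+)\s+(\d+)/(tcp|udp)\b(.*)$")


def parse_services(text):
    """Return {(port, proto): name} from /etc/services-formatted text.
    Comments ('#...') and blank lines are skipped; aliases are ignored.
    The first name seen for a (port, proto) pair wins, as a resolver would."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comment
        m = _LINE.match(line)
        if not m:
            continue
        name, port, proto, _aliases = m.groups()
        table.setdefault((int(port), proto), name)
    return table


def port_class(port):
    """Name the IANA range a port falls into, using the article's three classes."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def describe(port, proto, table):
    """One-line description of a logged target port, e.g. '22/tcp ssh (well-known)'."""
    name = table.get((port, proto), "unknown")
    return "%d/%s %s (%s)" % (port, proto, name, port_class(port))


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    for port, proto in [(22, "tcp"), (5632, "udp"), (80, "tcp"), (49152, "udp")]:
        print(describe(port, proto, services))
```

Pointing `parse_services` at the contents of a real `/etc/services` file gives the same lookup for the full system table; ports that are absent from the table are reported as "unknown" but still classified by range, which is usually the first thing you want to know about an unfamiliar target port.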
2. What common TCP/UDP port scans appear in firewall records?
This section describes the TCP/UDP port scans found in firewall records. Remember: there is no such thing as an ICMP port. If you are interested in interpreting ICMP data, please refer to the other sections of this article.
0 Usually used to fingerprint the operating system. This works because port "0" is invalid on some systems, and attempting to connect to it produces different results than connecting to a normally closed port. A typical scan uses the IP address 0.0.0.0, sets the ACK bit, and broadcasts it on the Ethernet layer.
1 tcpmux This shows that someone is looking for an SGI IRIX machine. IRIX is the main vendor implementing tcpmux, and it is enabled by default on that system. IRIX machines shipped with several default accounts that have no password, such as lp, guest, uucp, nuucp, demos, tutor, diag, ezsetup, outofbox and 4Dgifts. Many administrators forget to delete these accounts after installation, so hackers search the Internet for tcpmux and then use these accounts.
7 echo You will see packets sent to x.x.x.0 and x.x.x.255 when people search for Fraggle amplifiers.
A common DoS attack is the echo loop: the attacker forges UDP packets so that they appear to come from one machine and go to another, and the two machines then respond to each other as fast as they can. (See chargen.)
Another source is TCP connections from DoubleClick to this port. A product called "Resonate Global Dispatch" connects to this port on DNS servers to determine the nearest route.
The Harvest/Squid cache sends UDP echo from port 3130: "If the cache's source_ping on option is enabled, it sends a hit reply to the UDP echo port of the original host." This generates many such packets.
11 sysstat A UNIX service that lists all running processes on the machine and who started them. This gives intruders a great deal of information that threatens the machine's security, such as revealing programs with known vulnerabilities or accounts. It is similar to the output of the "ps" command on UNIX systems.
Again: ICMP has no ports; "ICMP port 11" usually means ICMP type 11.
19 chargen A service that simply sends characters. The UDP version responds with a packet of garbage characters whenever it receives a UDP packet; over TCP it sends a stream of garbage characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks: forge a UDP packet between two chargen servers, and the servers try to answer each other in an endless round trip. A chargen and an echo service paired in the same way will likewise overload a server. Similarly, the Fraggle DoS attack broadcasts a packet with a spoofed source address to this port on the target addresses, and the victim is overloaded responding to the data.
21 ftp The most common attacker activity is looking for a way to open an "anonymous" FTP server. These servers have readable/writable directories, and hackers or crackers use them as nodes for transmitting warez (private programs) and pr0n (a deliberate misspelling to avoid being categorized by search engines).
22 ssh PCAnywhere establishes TCP connections to this port. This service has many weaknesses; many versions that use the RSAREF library have vulnerabilities when configured in a particular mode. (It is recommended to run SSH on a different port.)
Note that the SSH toolkit includes a program called make-ssh-known-hosts, which scans an entire domain for SSH hosts. Sometimes you are accidentally scanned by someone using this program.
If the other end is connecting to port 5632 over UDP (rather than TCP), it is a PCAnywhere scan. 5632 (hexadecimal 0x1600) byte-swapped is 0x0016, that is, decimal 22.
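The echo/chargen loops and broadcast probes described under ports 7 and 19, and the PCAnywhere UDP/5632 probe that is the byte-swap of TCP/22, are all patterns you can pull out of a firewall log mechanically. The following is an added example, not code from the original article: it parses constructed deny records (a made-up `time action proto src:port -> dst:port` layout using RFC 5737 documentation addresses, not any real firewall's format) and flags the three patterns. `bswap16` shows the 22 <-> 5632 relationship directly.

```python
"""Triage constructed firewall deny records for three patterns described in the
article: echo/chargen UDP loops, Fraggle-style broadcast probes, and the
PCAnywhere UDP/5632 probe whose port is the byte-swap of TCP/22.
Added example, not the article's own code; the log layout and addresses
(RFC 5737 documentation ranges) are constructed for this example."""
import re
from collections import defaultdict

# Constructed log lines: <time> <action> <proto> <src>:<sport> -> <dst>:<dport>
LOG_LINES = """\
10:00:01 DENY udp 203.0.113.5:19 -> 192.0.2.10:7
10:00:02 DENY udp 203.0.113.5:7 -> 192.0.2.10:19
10:00:03 DENY udp 203.0.113.9:53 -> 192.0.2.10:1024
10:00:04 DENY udp 198.51.100.7:1234 -> 192.0.2.255:7
10:00:05 DENY tcp 198.51.100.20:4100 -> 192.0.2.10:22
10:00:06 DENY udp 198.51.100.20:4101 -> 192.0.2.10:5632
10:00:07 DENY tcp 198.51.100.21:4102 -> 192.0.2.10:22
"""

_REC = re.compile(
    r"^(\S+)\s+(\w+)\s+(tcp|udp)\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$")

SMALL_SERVICES = {7, 19}  # echo and chargen, the "small services" abused in loops


def parse_log(text):
    """Turn the constructed log text into a list of record dicts; skips bad lines."""
    recs = []
    for line in text.splitlines():
        m = _REC.match(line.strip())
        if m:
            t, action, proto, src, sport, dst, dport = m.groups()
            recs.append({"time": t, "action": action, "proto": proto,
                         "src": src, "sport": int(sport),
                         "dst": dst, "dport": int(dport)})
    return recs


def bswap16(port):
    """Swap the two bytes of a 16-bit port: 22 (0x0016) <-> 5632 (0x1600)."""
    return ((port & 0xFF) << 8) | ((port >> 8) & 0xFF)


def is_small_service_loop(r):
    """UDP with echo/chargen on BOTH ends: the spoofed loop the article describes."""
    return (r["proto"] == "udp"
            and r["sport"] in SMALL_SERVICES and r["dport"] in SMALL_SERVICES)


def is_broadcast_probe(r):
    """UDP echo/chargen aimed at x.x.x.0 or x.x.x.255: someone hunting amplifiers."""
    last_octet = int(r["dst"].rsplit(".", 1)[1])
    return (r["proto"] == "udp" and r["dport"] in SMALL_SERVICES
            and last_octet in (0, 255))


def pcanywhere_scanners(recs):
    """Sources that hit TCP/22 and also UDP/bswap16(22), i.e. UDP/5632."""
    seen = defaultdict(set)
    for r in recs:
        seen[r["src"]].add((r["proto"], r["dport"]))
    return sorted(src for src, hits in seen.items()
                  if ("tcp", 22) in hits and ("udp", bswap16(22)) in hits)


def triage(text):
    """Run all three checks over the log text and report what matched."""
    recs = parse_log(text)
    return {
        "loops": [r["time"] for r in recs if is_small_service_loop(r)],
        "broadcast_probes": [r["time"] for r in recs if is_broadcast_probe(r)],
        "pcanywhere_scanners": pcanywhere_scanners(recs),
    }


if __name__ == "__main__":
    for pattern, hits in triage(LOG_LINES).items():
        print(pattern, hits)
```

On the constructed input the loop check fires on the two records where both ends are small services, the broadcast check fires on the packet to 192.0.2.255:7, and only 198.51.100.20 is reported as a PCAnywhere scanner, because it is the one source seen on both TCP/22 and UDP/5632; 198.51.100.21, which touched TCP/22 alone, is left out, which is the distinction the article draws between an SSH probe and a PCAnywhere probe.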
23 telnet Intruders are searching for remote UNIX services. In most cases intruders scan this port to find out which operating system the machine runs. Other techniques are also used.
