SV650.org - SV650 & Gladius 650 Forum - View Single Post

timwilky · 23-04-06, 07:18 PM

OK to answer your question "WTF is a port scan attack"

OK I am going to treat you like a muppet, you may not be, in fact because you have a firewall I know you not to be.

TCP/IP uses defined ports for services.
For a list look at your services file but will look a bit like

tcpmux 1/tcp # TCP port service multiplexer
tcpmux 1/udp # TCP port service multiplexer
rje 5/tcp # Remote Job Entry
rje 5/udp # Remote Job Entry
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
systat 11/udp users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote
qotd 17/udp quote
msp 18/tcp # message send protocol
msp 18/udp # message send protocol
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
telnet 23/tcp
telnet 23/udp
# 24 - private mail system
lmtp 24/tcp # LMTP Mail Delivery
lmtp 24/udp # LMTP Mail Delivery
smtp 25/tcp mail
smtp 25/udp mail ad so on

so a port scan is simply a device out on the internet that is sequencing through the port numbers trying to find a hole through your firewalll

Assumming you might run a couple of services for a home based server, you may for instance allow ssh traffic from the net on port 22 or mail on port 25 or pop3 on port 110 etc.

The box out there is simply looking for these holes. once it finds them then they may start to try to find a hole in the application behind the port such as a buffer overflow etc.

Please note ISPs also run checks on their own networks looking for servers that do not conform to their use policy etc. So if you isp does not want you to host services he could do a port scan on every device on his network.

I run a couple of tools on my servers to look for attacks, including port scans, where I detect them I then automatically drop packets that match the offending ip address, therefore having attempted a port scan against me etc then the offending device is prevented from using ports that I have open such as maill/http.

I am please that you use a firewall and even better look at the logs. You would not believe the number of people out there living in blissfull ignorance asssuming they are safe because they have a firewall. Vigilence is the most important part of any security policy

23-04-06, 07:18 PM	#5
timwilky Member Mega Poster Join Date: Mar 2004 Location: Not in Yorkshire. (Thank God) Posts: 4,116	OK to answer your question "WTF is a port scan attack" OK I am going to treat you like a muppet, you may not be, in fact because you have a firewall I know you not to be. TCP/IP uses defined ports for services. For a list look at your services file but will look a bit like tcpmux 1/tcp # TCP port service multiplexer tcpmux 1/udp # TCP port service multiplexer rje 5/tcp # Remote Job Entry rje 5/udp # Remote Job Entry echo 7/tcp echo 7/udp discard 9/tcp sink null discard 9/udp sink null systat 11/tcp users systat 11/udp users daytime 13/tcp daytime 13/udp qotd 17/tcp quote qotd 17/udp quote msp 18/tcp # message send protocol msp 18/udp # message send protocol chargen 19/tcp ttytst source chargen 19/udp ttytst source ftp-data 20/tcp ftp-data 20/udp # 21 is registered to ftp, but also used by fsp ftp 21/tcp ftp 21/udp fsp fspd ssh 22/tcp # SSH Remote Login Protocol ssh 22/udp # SSH Remote Login Protocol telnet 23/tcp telnet 23/udp # 24 - private mail system lmtp 24/tcp # LMTP Mail Delivery lmtp 24/udp # LMTP Mail Delivery smtp 25/tcp mail smtp 25/udp mail ad so on so a port scan is simply a device out on the internet that is sequencing through the port numbers trying to find a hole through your firewalll Assumming you might run a couple of services for a home based server, you may for instance allow ssh traffic from the net on port 22 or mail on port 25 or pop3 on port 110 etc. The box out there is simply looking for these holes. once it finds them then they may start to try to find a hole in the application behind the port such as a buffer overflow etc. Please note ISPs also run checks on their own networks looking for servers that do not conform to their use policy etc. So if you isp does not want you to host services he could do a port scan on every device on his network. I run a couple of tools on my servers to look for attacks, including port scans, where I detect them I then automatically drop packets that match the offending ip address, therefore having attempted a port scan against me etc then the offending device is prevented from using ports that I have open such as maill/http. I am please that you use a firewall and even better look at the logs. You would not believe the number of people out there living in blissfull ignorance asssuming they are safe because they have a firewall. Vigilence is the most important part of any security policy __________________ Not Grumpy, opinionated.