Old 23-04-06, 07:18 PM   #5
timwilky
Member
Mega Poster
Join Date: Mar 2004
Location: Not in Yorkshire. (Thank God)
Posts: 4,116

OK, to answer your question "WTF is a port scan attack":

OK, I am going to treat you like a muppet. You may not be; in fact, because you have a firewall, I know you not to be.

TCP/IP uses defined ports for services.
For a list, look at your services file; it will look a bit like:

tcpmux 1/tcp # TCP port service multiplexer
tcpmux 1/udp # TCP port service multiplexer
rje 5/tcp # Remote Job Entry
rje 5/udp # Remote Job Entry
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
systat 11/udp users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote
qotd 17/udp quote
msp 18/tcp # message send protocol
msp 18/udp # message send protocol
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
telnet 23/tcp
telnet 23/udp
# 24 - private mail system
lmtp 24/tcp # LMTP Mail Delivery
lmtp 24/udp # LMTP Mail Delivery
smtp 25/tcp mail
smtp 25/udp mail
and so on.

So a port scan is simply a device out on the internet that is sequencing through the port numbers, trying to find a hole through your firewall.

Assuming you might run a couple of services for a home-based server, you may for instance allow SSH traffic from the net on port 22, or mail on port 25, or POP3 on port 110, etc.

The box out there is simply looking for these holes. Once it finds them, they may start to try to find a hole in the application behind the port, such as a buffer overflow, etc.

Please note ISPs also run checks on their own networks looking for servers that do not conform to their use policy, etc. So if your ISP does not want you to host services, he could do a port scan on every device on his network.

I run a couple of tools on my servers to look for attacks, including port scans. Where I detect them, I then automatically drop packets that match the offending IP address; therefore, having attempted a port scan against me, the offending device is prevented from using ports that I have open, such as mail/http.

I am pleased that you use a firewall and, even better, look at the logs. You would not believe the number of people out there living in blissful ignorance, assuming they are safe because they have a firewall. Vigilance is the most important part of any security policy.
__________________
Not Grumpy, opinionated.
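Added example, not code from timwilky's post or his tools: a small Python script doing what the post describes, reading firewall log lines, flagging a source that walks through several distinct ports in a short window, and emitting drop rules for that address. The iptables-style log format, the threshold of five ports per minute and the sample addresses are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of iptables LOG output; addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 23 19:02:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Apr 23 19:02:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Apr 23 19:02:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Apr 23 19:02:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Apr 23 19:02:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110 SYN
Apr 23 19:02:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=143 SYN
Apr 23 19:05:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Apr 23 19:05:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Apr 23 19:30:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=25 SYN
"""

# Syslog timestamp, source address and destination port of each logged packet (assumed format).
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def parse_events(log_text):
    """Return a list of (timestamp, src, dport) for every line matching LINE_RE."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def find_port_scanners(events, min_ports=5, window_seconds=60):
    """Map src -> sorted ports for any source that hit at least min_ports distinct
    destination ports within window_seconds (a sequential probe, as the post describes)."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    offenders = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                offenders[src] = sorted(ports)
                break
    return offenders

def block_rules(offenders):
    """iptables rules dropping all further traffic from each offender (detect, then drop)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(offenders)]
```

The second source in the sample only retries port 22 and later port 25, so it stays below the threshold and is not blocked; a legitimate client retrying one service should not trip a scan detector.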