File: README.methods

package info (click to toggle)
portsentry 1.2-16
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 648 kB
  • sloc: ansic: 3,670; makefile: 414; sh: 202; perl: 94; csh: 31
file content (132 lines) | stat: -rw-r--r-- 5,364 bytes parent folder | download | duplicates (7) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
 
PortSentry Errata
=-=-=-=-=-=-=-=-=

$Id: README.methods,v 1.15 2003/05/23 17:42:28 crowland Exp crowland $


This is file contains some answers to questions we've been asked, or you
may be wondering.

1) How did you pick the ports in the default .conf file?

2) Why should I be careful about running the PortSentry program?
   (PLEASE READ THIS)

Why did you pick the ports in the default .conf file?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

There are some methods to the madness in the way ports were picked. Allow 
me to explain:


TCP Ports - Chosen for a particular interest that they pose to an attacker.
These ports are generally the most likely to be abused by a person seeking
to gain access to a host. 

Low Range - Ports: 1-20

These ports are chosen for two specific purposes:

1) Because some scanners do sequential scanning starting at 1 and working
up. This will allow the PortSentry to respond rapidly to a scan before any real 
services are revealed.

2) Several of these services (systat, netstat) are used by attackers as recon
mechanisms and are frequently looked for when they are performing a targeted
non-sequential port sweep.

Low-Mid Range - Ports: 20-500

These ports contain a large number of services that are very commonly
looked for by attackers. Some of these services can be used for recon
purposes or for full remote access.

Mid Range - Ports: 500-1024

These ports contain a host of services commonly looked for by attackers (rsh,
rlogin, rexec, mountd). 

Mid-High Range - Ports: 1024-32768

These ports contain a wealth of services such as X-Windows, IRC servers, 
router serial ports, MUDs and others. One particular port (31337) is
sometimes used as a backdoor, and is used by the program "netcat" to 
facilitate UDP (yes that's UDP) scanning of the target host. 

High Range - Ports 32769-65535

These ports are generally not used, with the exception of a really nasty bug
in Solaris in which the portmapper service (normally on port 111) would
present a copy of itself listening in the 327XX range of ports. This allows
an attacker to use a modified portmapper probe to hop filters and dump
RPC services on the target. Some scans target this range specifically.
The port 49724 is used by the scanning tool "nmap" to do UDP scanning
much like netcat as well. 

-------------------------------------------------------------------------------

UDP Ports - These ports harbor a large number of services (largely RPC related)
and have become the frequent target of "stealth" RPC scanning in which the
attacker attempts to locate RPC services manually instead of using
portmapper. This prevents notification of admins of unauthorized use
of the portmapper, a feature found in Wietse Venema's portmapper version.

Low Range - Ports: 1-20

As above, some scanners do sequential scanning starting at 1 and working
up. These ports will allow the PortSentry to respond rapidly to a scan before 
any real services are revealed.

Low-Mid Range - Ports: 20-500

TFTP(69), SNMP(161,162), and SMB(137,138) are commonly sought ports in this
region for the information and compromise potential they provide.

Mid Range - Ports: 500-1024

A large number of RPC services are located in this area. Some attempts
to do "stealth" RPC scanning concentrate a UDP scan in the 500-700
range. This will allow admins to get notification of this activity.

Mid-High Range - Ports: 1024-32768

NFS (2049) is the main problem here, along with some RPC services and
Back Orifice (31337).


High Range - Ports 32769-65535

These ports are generally not used, again though, Solaris has a habit of 
concentrating services in the 327XX range. Waiting here for connections
will find people probing for these services quickly. People shouldn't be 
here unless portmapper sent them, and since we don't register with 
portmapper they shouldn't know about us unless they are up to no good.


Why should I be careful about running the PortSentry program? 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Because you have the potential of presenting information to an attacker
that may tempt them to return at a later date. If you show a person
a load of ports open then it may pique their curiosity. If they return
they may find a real problem with your system that the PortSentry cannot
defend. Additionally you may do something un-professional like present
a banner to them that says "You k-rad HaX0r d00d you'll NeVEr brek
r00t heRe!!" and this then makes it a challenge. This is something 
to consider. 

With UDP/stealth scan detection, there is the possibility that an
attacker can flood your host with bogus packets causing PortSentry to
continuously activate and write out warnings to your log. This can create
a denial of service attack that you should be aware of. We do not recommend 
running UDP/stealth scan detection on an Internet host that is
high-profile and subject to frequent abuse. 

It is our experience though that spoofed scans are not an issue and we
recommend people use auto-blocking knowing that %99.9 of the time it 
will block a scan. If you run into a denial of service problem on 
your host, just go back to "classic" TCP mode and the problem will go away.

Again though, we strongly feel that the benefits of blocking hosts 
*far outweighs* the limited risk you take by having auto-blocking turned on.