[Dshield] Configuring iptables; need favorite port lists

Ed Truitt ed.truitt at etee2k.net
Thu Jun 19 11:41:20 GMT 2003


I don't have a specific list, but I would look for the following:

1) What ports were the most commonly exploited for the OS I was running.
2) Ports vulnerable to exploits about 3-6 months old (right now, I would
include TCP/UDP 389 (LDAP), 3268 (MS Global Catalog), and 161 (SNMP)).
3) The common ports for proxy servers (81, 3128, 8080, 1080, etc.)
4) Ports used by some of the more common backdoors/trojans.
5) Ports used by IRC/chat/IM programs, if you aren't running them.
6) Ports used by common remote-control programs (if you are running
Windows, definitely look at 3389).

BTW, I have all my IPTABLES built with one port/entry, that way I can
adjust it easily enough.  YMMV.

Hope this helps.



On Wed, 2003-06-18 at 22:28, John Sage wrote:
> On Wed, Jun 18, 2003 at 10:40:20AM -0600, Kenton Smith wrote:
> > I'm no IPTables expert, but can't you do a port range instead of
> > individual ports?
> > 
> > iptables -A INPUT -p tcp --dport 1024:5000
> > 
> > My understanding is this will cover all ports between 1024 and 5000.
> > 
> > Kenton
> 
> Yes.
> 
> You can do ranges, but again, at the top I said that I wanted a
> specific list of interesting source ports to listen for, not that I
> wanted to listen for a range...
> 
> 
> Anyone?
> 
> 
> 
> - John
-- 
---
Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
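
Added example, not part of the original message: one way to keep a ruleset at one port per entry, as described above, is to generate the rules from a labelled list. The list format, the labels, the protocol choices, the "IPT" log prefix and the gen_rules helper are assumptions; only the port numbers come from the message.

```shell
#!/bin/sh
# Added example: print one iptables LOG rule per port/protocol; nothing is applied.

# Constructed list: "port proto[,proto] label". Ports are the ones named in the
# message; the protocol choices and labels are assumptions.
PORT_LIST='
# port  protos   label
389     tcp,udp  ldap
3268    tcp,udp  ms-gc
161     tcp,udp  snmp
81      tcp      proxy
3128    tcp      proxy
8080    tcp      proxy
1080    tcp      proxy
3389    tcp      rdp
'

# gen_rules CHAIN  (reads the list on stdin, writes rules to stdout)
gen_rules() {
    chain=$1
    while read -r port protos label; do
        case $port in ''|\#*) continue ;; esac            # blank or comment
        case $port in *[!0-9]*) echo "skip: bad port '$port'" >&2; continue ;; esac
        if [ "${#port}" -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skip: port out of range '$port'" >&2; continue
        fi
        # Label ends up inside a quoted argument, so allow only safe characters.
        case $label in ''|*[!A-Za-z0-9-]*) echo "skip: bad label for $port" >&2; continue ;; esac
        prefix="IPT $label-$port "
        # iptables limits --log-prefix to 29 characters.
        if [ "${#prefix}" -gt 29 ]; then
            echo "skip: log prefix too long for $port" >&2; continue
        fi
        for proto in $(printf '%s' "$protos" | tr ',' ' '); do
            case $proto in
                tcp|udp) printf 'iptables -A %s -p %s --dport %s -j LOG --log-prefix "%s"\n' \
                             "$chain" "$proto" "$port" "$prefix" ;;
                *) echo "skip: unsupported protocol '$proto' for $port" >&2 ;;
            esac
        done
    done
}

# Print the rules for review; pipe to sh (as root) only after checking them.
printf '%s\n' "$PORT_LIST" | gen_rules INPUT
```

Adjusting the ruleset then means editing one line of the list and regenerating; the per-port log prefix makes each entry easy to find in the kernel log.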



