[Dshield] Configuring iptables; need favorite port lists

Ed Truitt ed.truitt at etee2k.net
Thu Jun 19 12:00:21 GMT 2003


BTW, the reason I don't have a specific list of ports is that my IPTABLES
rules are built on the following philosophy:

1) Deny EVERYTHING by default.
2) Open specific ports for services running on the system.
3) Only allow NetBIOS traffic originating on the "internal" subnets (yes, I
actually segment my home network - I know, I need help... ;-)
4) Allow "return" packets (where the connection was initiated from my
system).

That "deny by default" thing has saved my tail on more than one occasion -
and I implemented it based on what I learned here!

Now, to quit replying to my own posts...

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."


----- Original Message ----- 
From: "Ed Truitt" <ed.truitt at etee2k.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, June 19, 2003 6:41 AM
Subject: Re: [Dshield] Configuring iptables; need favorite port lists


> I don't have a specific list, but I would look for the following:
>
> 1) what ports were the most commonly exploited for the OS I was running.
> 2) Ports vulnerable to exploits about 3-6 months old (right now, I would
> include TCP/UDP 389 (LDAP), 3268 (MS Global Catalog), and 161 (SNMP)).
> 3) The common ports for proxy servers (81, 3128, 8080, 1080, etc.)
> 4) Ports used by some of the more common backdoors/trojans.
> 5) Ports used by IRC/chat/IM programs, if you aren't running them.
> 6) Ports used by common remote-control programs (if you are running
> Windows, definitely look at 3389).
>
> BTW, I have all my IPTABLES built with one port/entry, that way I can
> adjust it easily enough.  YMMV.
>
> Hope this helps.
>
>
>
> On Wed, 2003-06-18 at 22:28, John Sage wrote:
> > On Wed, Jun 18, 2003 at 10:40:20AM -0600, Kenton Smith wrote:
> > > I'm no IPTables expert, but can't you do a port range instead of
> > > individual ports?
> > >
> > > iptables -A INPUT -p tcp --dport 1024:5000
> > >
> > > My understanding is this will cover all ports between 1024 and 5000.
> > >
> > > Kenton
> >
> > Yes.
> >
> > You can do ranges, but again, at the top I said that I wanted a
> > specific list of interesting source ports to listen for, not that I
> > wanted to listen for a range...
> >
> >
> > Anyone?
> >
> >
> >
> > - John
> -- 
> ---
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
>
> "Note to spammers:  my 'delete' key is connected to YOUR ISP.
>  Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
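The four-point "deny by default" philosophy in Ed's message above, together with the "one port per entry" habit and a few of the ports of interest from his quoted reply (proxies, RDP, LDAP/Global Catalog), written out as a working iptables script. This is an added example, not code from the original posts. Everything host-specific in it is a hypothetical placeholder: eth0 as the external interface, 192.168.1.0/24 as the "internal" subnet, SSH and HTTP as the only public services, and the watch list of ports to log; change those for your own machine.

```shell
#!/bin/sh
# Added example, not from the original posts: a deny-by-default iptables
# ruleset built on the four points in Ed's message, with one port per rule
# and a DShield-style watch list that is logged before it hits the DROP policy.
#
# Hypothetical values, adjust for your host:
#   EXT_IF        external interface
#   INTERNAL_NET  the "internal" subnet allowed to use NetBIOS/SMB
#   PUBLIC_TCP    services this host really offers to the world
#   WATCH_TCP     ports from the quoted reply worth logging (proxies, RDP, LDAP/GC)
EXT_IF="${EXT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
PUBLIC_TCP="${PUBLIC_TCP:-22 80}"
WATCH_TCP="${WATCH_TCP:-81 1080 3128 8080 3389 389 3268}"

# Safety: print the rules by default; set APPLY=1 to actually load them (as root).
if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi

build_firewall() {
    # Start from clean INPUT/FORWARD chains.
    $IPT -F INPUT
    $IPT -F FORWARD

    # 1) Deny EVERYTHING by default. OUTPUT stays ACCEPT so the host can
    #    still initiate connections of its own.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback must always be allowed or local services break.
    $IPT -A INPUT -i lo -j ACCEPT

    # 4) Allow "return" packets for connections this host initiated.
    #    Placed first so most legitimate traffic hits a single rule.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A "new" TCP connection that is not a SYN is bogus; drop it before
    # any port-specific rule below can accept it.
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # 2) Open specific ports for services this system runs, one port per
    #    entry so each can be added or removed without touching the others.
    for port in $PUBLIC_TCP; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 3) NetBIOS/SMB (137-139, 445) only from the internal subnet. The same
    #    ports from anywhere else fall through to the DROP policy.
    $IPT -A INPUT -s "$INTERNAL_NET" -p udp --dport 137:138 -j ACCEPT
    $IPT -A INPUT -s "$INTERNAL_NET" -p tcp --dport 139 -j ACCEPT
    $IPT -A INPUT -s "$INTERNAL_NET" -p tcp --dport 445 -j ACCEPT

    # Watch list: log probes to ports of interest (rate-limited so a scan
    # cannot flood the log), then let the default policy drop them.
    for port in $WATCH_TCP; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m limit --limit 10/min \
            -j LOG --log-prefix "IPT-WATCH-$port: "
    done

    # Log everything else that is about to hit the DROP policy.
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

build_firewall
```

Run it as-is to review the rule list it would load; run it with `APPLY=1` as root to apply. The order matters: the ESTABLISHED,RELATED rule sits before every port rule so return traffic never depends on the allow list, and the internal-only NetBIOS accepts sit before the watch-list LOG rules, so internal SMB traffic is never logged as a probe.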