[Dshield] Configuring iptables; need favorite port lists

Louis Hablas Lou.Hablas at rzim.org
Thu Jun 19 13:45:07 GMT 2003


this made me laugh...thanks.

-----Original Message-----
From: Ed Truitt [mailto:ed.truitt at etee2k.net]
Sent: Thursday, June 19, 2003 8:00 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Configuring iptables; need favorite port lists


BTW, the reason I don't have a specific list of ports is that my IPTABLES
rules are built on the following philosophy:

1) Deny EVERYTHING by default.
2) Open specific ports for services running on the system.
3) Only allow NetBIOS traffic originating on the "internal" subnets (yes, I
actually segment my home network - I know, I need help... ;-)
4) Allow "return" packets (where the connection was initiated from my
system).

That "deny by default" thing has saved my tail on more than one occasion -
and I implemented it based on what I learned here!

Now, to quit replying to my own posts...

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."


----- Original Message ----- 
From: "Ed Truitt" <ed.truitt at etee2k.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, June 19, 2003 6:41 AM
Subject: Re: [Dshield] Configuring iptables; need favorite port lists


> I don't have a specific list, but I would look for the following:
>
> 1) what ports were the most commonly exploited for the OS I was running.
> 2) Ports vulnerable to exploits about 3-6 months old (right now, I would
> include TCP/UDP 389 (LDAP), 3268 (MS Global Catalog), and 161 (SNMP).
> 3) The common ports for proxy servers (81, 3128, 8080, 1080, etc.)
> 4) Ports used by some of the more common backdoors/trojans.
> 5) Ports used by IRC/chat/IM programs, if you aren't running them.
> 6) Ports used by common remote-control programs (if you are running
> Windows, definitely look at 3389).
>
> BTW, I have all my IPTABLES built with one port/entry, that way I can
> adjust it easily enough.  YMMV.
>
> Hope this helps.
>
>
>
> On Wed, 2003-06-18 at 22:28, John Sage wrote:
> > On Wed, Jun 18, 2003 at 10:40:20AM -0600, Kenton Smith wrote:
> > > I'm no IPTables expert, but can't you do a port range instead of
> > > individual ports?
> > >
> > > iptables -A INPUT -p tcp --dport 1024:5000
> > >
> > > My understanding is this will cover all ports between 1024 and 5000.
> > >
> > > Kenton
> >
> > Yes.
> >
> > You can do ranges, but again, at the top I said that I wanted a
> > specific list of interesting source ports to listen for, not that I
> > wanted to listen for a range...
> >
> >
> > Anyone?
> >
> >
> >
> > - John
> -- 
> ---
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
>
> "Note to spammers:  my 'delete' key is connected to YOUR ISP.
>  Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
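As an added example (not code from anyone in the thread): Ed's four-point philosophy and the "interesting ports" list from his earlier message, turned into a script that emits a ruleset in iptables-restore format rather than calling iptables directly, so the result can be read before it is loaded. The internal subnets (192.168.1.0/24 and 192.168.2.0/24) and the services left open (TCP 22 and 80) are assumptions; the watched ports are the ones named in the thread, one rule per port as Ed suggests.

```shell
#!/bin/sh
# Added example: generate a deny-by-default IPv4 ruleset (iptables-restore
# format) following the four points in the thread. Not from the original post.

INTERNAL_NETS="192.168.1.0/24 192.168.2.0/24"   # assumed: the segmented home LANs
OPEN_TCP="22 80"                                  # assumed: services actually running here
WATCH_TCP="389 3268 3389 81 3128 8080 1080"      # ports named in the thread (TCP)
WATCH_UDP="161 389"                               # ports named in the thread (UDP)

build_rules() {
    echo '*filter'
    # 1) Deny EVERYTHING by default: the chain policy is DROP, so anything
    #    not matched by an ACCEPT rule below is silently discarded.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':PROBES - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # 4) Allow "return" packets for connections this host initiated.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no tracked connection are dropped without logging.
    echo '-A INPUT -m state --state INVALID -j DROP'
    # 3) NetBIOS/SMB only from the internal subnets, never from the outside.
    for net in $INTERNAL_NETS; do
        echo "-A INPUT -s $net -p udp -m multiport --dports 137,138 -j ACCEPT"
        echo "-A INPUT -s $net -p tcp -m multiport --dports 139,445 -j ACCEPT"
    done
    # 2) Open specific ports for services running on the system, one rule per port.
    for p in $OPEN_TCP; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Interesting ports: send to a logging chain before the default drop so the
    # probes show up in the logs (and can be submitted to DShield), one rule per port.
    for p in $WATCH_TCP; do
        echo "-A INPUT -p tcp --dport $p -j PROBES"
    done
    for p in $WATCH_UDP; do
        echo "-A INPUT -p udp --dport $p -j PROBES"
    done
    # Rate-limit the log so a scan cannot fill the disk, then drop.
    echo '-A PROBES -m limit --limit 5/min -j LOG --log-prefix "PROBE: "'
    echo '-A PROBES -j DROP'
    echo 'COMMIT'
}

# Print the ruleset; load it with:  sh genrules.sh | iptables-restore
build_rules
```

Read the output before loading it, and because the INPUT policy is DROP, do the first load from a console session or make sure your remote-access port is in OPEN_TCP. The ACCEPT rules sit above the PROBES rules, so a port listed in both is served rather than logged; the logging chain only ever sees traffic that would have been dropped anyway.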
