Bad and good port lists

I'm building an IDS/firewall. I have found many lists on this subject, but either they are too long or they are mixed. What I want is two separate lists that are not too long and contain the most common 'good' ports - 21, 8, etc.; and the most common bad ports - trojan ports etc.

I do not want massive lists which are mixed.

Also, I would like a few ports which should be monitored and what to look for in the connection traffic.


Regards, SmallR2002
SmallR2002Asked:
winkingtigerCommented:
Might not be everything, but here is a good amount of info.

http://www.chebucto.ns.ca/~rakerman/port-table.html
0

LucFEMEA Server EngineerCommented:
Hi SmallR2002,

> Also I would like a few ports which should be monitored and what to
> look for in the connection traffic.
As there are a lot of lists of ports available, I'll just give you simple input on this. Not even having one port open is safe in any way; all can be exploited once a hole is detected in the program that's listening on that port.

All connections should be monitored for all known exploits for the programs running behind them. For example, on port 80 you'll need to scan for exploits like Nimda uses (easily recognisable in about every IIS logfile :o) ). What I can suggest you do is to install another IDS like BlackICE on a testing system (as in, completely unpatched), then see what BlackICE will find. After you've been able to program your way to capture those (note that I'm not a programmer, so I can't help you with that, but there are a lot of excellent programmers around EE who might be able to help you with it), you'll have to keep following the latest exploits and find your way to include them.

Greetings,

LucF

p.s. I'm interested in the final product :)
0
ahoffmannCommented:
How should such a list tell you which ports to monitor?
It's up to you to monitor *all* ports you consider insecure; that is at least *all* those where there is a service listening.
0

HypoviaxCommented:
Trojan Ports:

http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html

General Good list:

http://keir.net/portlist.html

The trouble is that many trojans use known ports that are usually considered 'good'. There is no reason why a trojan can't use the HTTP port (80) or the port normally used for Telnet (23). Like ahoffmann said, all ports should be considered.

If you need assistance in programming the actual firewall, post a question in the relevant language (Delphi, C++ etc.).

Regards,

Hypoviax
0
SmallR2002Author Commented:
OK, so let's presume the list part is sorted; what do I need to look for in the traffic?
0
billypgCommented:
There is no such thing as bad or good ports. First you have to know your network, what services are being offered to the outside (or the other side of the firewall, whatever that is), and then you can choose which are the "good" ports: the ones you actually need to allow on your firewall, and the "bad" ports: the ones you have no need to allow because they are not being used. Every network is different; a list of good and bad ports is not a good approach to securing a network. Remember that you should deny everything by default and allow only what's explicitly defined and configured.

You should monitor as many ports as you can; for instance, if you're using an FTP server you might want to monitor where a connection request came from, how long the connection was open, the login name and so on. On the other hand, traffic such as DNS requests is very difficult to monitor and log because of the huge number of requests that a name server receives in a short period of time.

For a list of ports commonly used by trojans visit http://www.doshelp.com/trojanports.htm
0
SmallR2002Author Commented:
Yeah, the doshelp one is the one I'm currently on the fourth page of typing out...
0
billypgCommented:
You should look for excessive connection attempts from one IP address or network range, port scans, strange string requests designed to crash your server (i.e. a long HTTP request trying to take advantage of a web server vulnerability), spoofing, unusual connection times for a given user, etc., etc.

0
SmallR2002Author Commented:
Be a little more specific; where can I find lists of things to look for, etc.?
0
billypgCommented:
It all depends on what software you're running. Your firewall/IDS might have some integrated log analysis tool that will give you pointers on suspicious activity and even let you set alarms. If not, or if you want to use other tools to monitor your network using log analysis, you can try these http://www.phoneboy.com/bin/view.pl/FAQs/ThirdPartyProgramsLogAnalysis if you're using Checkpoint. These will let you know, for instance, which are the top dropped/rejected packets, which are the ones you should start keeping an eye on.
http://tud.at/programm/fwanalog/ is another popular tool that you can try.

The reports these tools generate will guide you to know what you should look for in your environment.
0
billypgCommented:
Here's a good article that gives you a list of things to look for: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2782699,00.html
0
SmallR2002Author Commented:
Can I remind you that I'm writing the program...
0
billypgCommented:
Oh yeah, I forgot... sorry about that (however, the article should have given you good ideas to implement in your program).

You probably already know these (I'm just brainstorming here):

You should take every packet, look at the source, destination, protocol and port fields, compare them to a table that holds your firewall configuration, and decide whether to allow the packet through, drop it or reject it.

For intrusion detection that runs on the firewall instead of the hosts, you could see how many dropped/rejected packets are coming from a particular source (net or host) and trigger an alert. Also, to determine if a host behind the firewall is being scanned, you should check for requests from the same source targeting the host on different ports.

Depending on how complex you want your software to be, you can add virtual servers such as SMTP, FTP and so on and then forward the packets to the appropriate servers inside.

Hope this helps
0
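The rule-table check and the two firewall-side detections billypg sketches above (counting dropped packets per source, and flagging one source hitting many different ports, which also covers the "excessive connection attempts" and "port scans" items from the earlier list) as a small added example that is not part of the thread; the rule table, thresholds and sample packets are all constructed for illustration.

```python
from collections import defaultdict

# Constructed rule table: first match wins, everything else is denied by default,
# as billypg recommends. Real deployments would also match on source/destination.
RULES = [
    {"proto": "tcp", "dport": 80, "action": "allow"},
    {"proto": "tcp", "dport": 25, "action": "allow"},
    {"proto": "udp", "dport": 53, "action": "allow"},
]
SCAN_PORT_THRESHOLD = 5    # distinct ports from one source before we call it a scan
DROP_ALERT_THRESHOLD = 8   # dropped packets from one source before alerting


def decide(pkt, rules=RULES):
    """Walk the rule table for one packet and return 'allow' or 'drop'."""
    for rule in rules:
        if rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]:
            return rule["action"]
    return "drop"  # default deny: nothing not explicitly configured gets through


def analyse(packets, rules=RULES):
    """Filter a packet stream and return (source, alert_type, count) tuples."""
    drops = defaultdict(int)          # dropped packets per source
    ports_seen = defaultdict(set)     # distinct destination ports per source
    for pkt in packets:
        if decide(pkt, rules) == "drop":
            drops[pkt["src"]] += 1
        ports_seen[pkt["src"]].add(pkt["dport"])
    alerts = []
    for src, count in drops.items():
        if count >= DROP_ALERT_THRESHOLD:
            alerts.append((src, "excessive_drops", count))
    for src, ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append((src, "port_scan", len(ports)))
    return sorted(alerts)


# Constructed sample traffic: one ordinary web client and one host probing many ports.
SAMPLE = (
    [{"src": "10.0.0.5", "proto": "tcp", "dport": 80} for _ in range(3)]
    + [{"src": "192.0.2.9", "proto": "tcp", "dport": p}
       for p in (21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3389)]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

The thresholds are deliberately low so the sample triggers both alerts; in practice they would be tuned per network and applied over a sliding time window rather than the whole capture.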
ahoffmannCommented:
Hmm, is this an exercise, or an attempt to reinvent the wheel?
0
billypgCommented:
If it isn't an exercise, it's better to use toolkits such as these: http://www.cotse.com/tools/firewall.htm
0
SmallR2002Author Commented:
It is a bid to make money...
0
HypoviaxCommented:
What language are you programming in?

If Delphi, I can help; otherwise not. Have a look on SourceForge - you may be able to examine other firewalls and thus determine what data they examine etc.

Regards,

Hypoviax
0
SmallR2002Author Commented:
I use VB, but I don't need help with coding; I need help with what to code against. I can block and examine traffic easily.
0
Axe007Commented:
Why don't you use these well-known ports, open by default, and close all other ports, but with the option to enable them?

http://www.webopedia.com/quick_ref/portnumbers.asp
0