Solved

Bad and good port lists

Posted on 2004-11-13
448 Views
Last Modified: 2010-04-11
I'm building an IDS/Firewall, I have found many lists on this subject, but either they are too long, or are mixed. What I want is two separate lists that are not too long and contain the most common 'good' ports - 21, 8, etc; and the most common bad ports - trojan ports etc.

I do not want massive lists which are mixed

Also I would like a few ports which should be monitored and what to look for in the connection traffic.


Regards, SmallR2002
0
Question by:SmallR2002
19 Comments
 
LVL 2

Accepted Solution

by:
winkingtiger earned 500 total points
ID: 12575329
Might not be everything, but here is a good amount of info.

http://www.chebucto.ns.ca/~rakerman/port-table.html
0
 
LVL 32

Expert Comment

by:LucF
ID: 12575432
Hi SmallR2002,

> Also I would like a few ports which should be monitored and what to
> look for in the connection traffic.
As there are a lot of lists of ports available, I'll just give you simple input on this. Not even having one port open is safe in any way; all can be exploited once a hole is detected in the program that's listening on that port.

All connections should be monitored at all known exploits for the programs running behind them. For example port 80, you'll need to scan for exploits like Nimda uses. (easily recognisable in about every IIS logfile :o) ) What I can suggest you to do is to install another IDS like blackice on a testing system (as in, completely unpatched) then see what blackice will find. After you've been able to program your way to capture those (note that I'm not a programmer, so I can't help you with that, but there are a lot of excellent programmers around EE that might be able to help you with it) you'll have to keep following the latest exploits and find your way to include them.

Greetings,

LucF

p.s. I'm interested in the final product :)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12580213
How should such a list tell you which ports to monitor?
It's up to you to monitor *all* ports you consider insecure, that is, at least *all* those where there is a service listening.
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12588132
Trojan Ports:

http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html

General Good list:

http://keir.net/portlist.html

The trouble is that many trojans use known ports that are usually considered 'good'. There is no reason why a trojan can't use the HTTP (80) port or the port normally used for Telnet (23). Like ahoffmann said, all ports should be considered.

If you need assistance in programming the actual firewall, post a question in the relevant language (Delphi, C++ etc).

Regards,

Hypoviax
0
 

Author Comment

by:SmallR2002
ID: 12588181
OK, so let's presume the list part is sorted, what do I need to look for in the traffic?
0
 
LVL 2

Expert Comment

by:billypg
ID: 12588212
There is no such thing as bad or good ports. First you have to know your network, what services are being offered to the outside (or the other side of the firewall, whatever that is) and then you can choose which are the "good" ports: the ones you actually need to allow on your firewall, and the "bad" ports: the ones you have no need to allow because they are not being used. Every network is different; a list of good and bad ports is not a good approach to securing a network. Remember that you should deny everything by default and allow only what's explicitly defined and configured.

You should monitor as many ports as you can. For instance, if you're using an ftp server you might want to monitor where a connection request came from, how long the connection was open, the login name and so on. On the other hand, traffic such as DNS requests is very difficult to monitor and to log because of the huge number of requests that a name server receives in a short period of time.

For a list of ports commonly used by trojans visit http://www.doshelp.com/trojanports.htm
0
 

Author Comment

by:SmallR2002
ID: 12588239
Yeah, the doshelp one is the one I'm currently on the fourth page of typing out...
0
 
LVL 2

Assisted Solution

by:billypg
billypg earned 500 total points
ID: 12588334
You should look for excessive connection attempts from one IP address or network range, port scans, strange string requests designed to crash your server (i.e. a long http request trying to take advantage of a web server vulnerability), spoofing, unusual connection times for a given user, etc, etc.

0
 

Author Comment

by:SmallR2002
ID: 12588359
Be a little more specific, where can I find lists of things to look for etc.
0
 
LVL 2

Expert Comment

by:billypg
ID: 12588638
It all depends on what software you're running. Your firewall/ids might have some integrated log analysis tool that will give you pointers on suspicious activity and even let you set alarms. If not, or if you want to use other tools to monitor your network using log analysis, you can try these http://www.phoneboy.com/bin/view.pl/FAQs/ThirdPartyProgramsLogAnalysis if you're using Checkpoint. These will let you know, for instance, which are the top dropped/rejected packets, which are the ones you should start keeping an eye on.
http://tud.at/programm/fwanalog/ is another popular tool that you can try.

The reports these tools generate will guide you to know what you should look for in your environment.
0
 
LVL 2

Expert Comment

by:billypg
ID: 12588800
Here's a good article that gives you a list of things to look for:  http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2782699,00.html
0
 

Author Comment

by:SmallR2002
ID: 12596590
Can I remind you that I'm writing the program...
0
 
LVL 2

Expert Comment

by:billypg
ID: 12597234
Oh yeah, I forgot .. sorry about that (however the article should have given you good ideas to implement in your program).

You probably already know these (I'm just brainstorming here):

You should take every packet, see the source, destination, protocol and port fields, compare them to a table that holds your firewall configuration and decide whether to allow the packet through, drop it or reject it.

For intrusion detection that runs on the firewall instead of the hosts you could see how many dropped/rejected packets are coming from a particular source (net or host) and trigger an alert. Also, to determine if a host behind the firewall is being scanned you should check for requests from the same source targeting the host on different ports.

Depending on how complex you want your software to be you can add virtual servers such as smtp, ftp and so on and then forward the packets to the appropriate servers inside.

Hope this helps
0
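An added example, not code from the thread or from any of its posters, that puts billypg's two suggestions (the earlier post's "excessive connection attempts" and "port scans", and this post's rule-table lookup with a per-source drop count) into working Python. The rule table, the addresses and the traffic are constructed; the thresholds are assumptions.

```python
# Added example (not from the thread): a default-deny packet filter plus the
# two firewall-side detections billypg describes: too many dropped packets
# from one source, and one source probing many ports on one host.
from collections import defaultdict

# Rule table: (protocol, destination, dst_port) -> action. Anything not
# listed is dropped (deny by default). Addresses are constructed examples.
RULES = {
    ("tcp", "192.0.2.10", 80): "allow",   # public web server
    ("tcp", "192.0.2.10", 443): "allow",
    ("tcp", "192.0.2.20", 25): "allow",   # mail server
    ("udp", "192.0.2.30", 53): "allow",   # DNS
}

def filter_packet(pkt, rules=RULES):
    """Return 'allow' or 'drop' for a packet dict with src, dst, proto, dport."""
    return rules.get((pkt["proto"], pkt["dst"], pkt["dport"]), "drop")

def analyse(packets, rules=RULES, drop_limit=5, scan_ports=10):
    """Filter each packet; return (decisions, alerts). Alerts are
    ('excessive_drops', src, count) or ('port_scan', src, 'dst:N ports')."""
    decisions = []
    drops = defaultdict(int)                 # src -> dropped packet count
    ports_seen = defaultdict(set)            # (src, dst) -> distinct dst ports
    for pkt in packets:
        action = filter_packet(pkt, rules)
        decisions.append(action)
        if action == "drop":
            drops[pkt["src"]] += 1
        ports_seen[(pkt["src"], pkt["dst"])].add(pkt["dport"])
    alerts = []
    for src, n in sorted(drops.items()):     # assumed threshold: drop_limit
        if n > drop_limit:
            alerts.append(("excessive_drops", src, n))
    for (src, dst), ports in sorted(ports_seen.items()):
        if len(ports) >= scan_ports:         # assumed threshold: scan_ports
            alerts.append(("port_scan", src, f"{dst}:{len(ports)} ports"))
    return decisions, alerts

# Constructed traffic: normal web hits from 198.51.100.5, then one host
# (203.0.113.7) sweeping ports 1-20 on the web server.
SAMPLE = [{"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}] * 3
SAMPLE += [{"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": p}
           for p in range(1, 21)]
```

Running `analyse(SAMPLE)` allows the three web hits, drops all twenty probes, and raises both an excessive_drops and a port_scan alert for 203.0.113.7.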
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12597314
Hmm, is this an exercise, or an attempt to re-invent the wheel?
0
 
LVL 2

Expert Comment

by:billypg
ID: 12597452
If it isn't an exercise it's better to use toolkits such as these http://www.cotse.com/tools/firewall.htm
0
 

Author Comment

by:SmallR2002
ID: 12598440
It is a bid to make money...
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12598604
What language are you programming in?

If Delphi, I can help, otherwise not. Have a look on SourceForge - you may be able to examine other firewalls and thus determine what data they examine etc.

Regards,

Hypoviax
0
 

Author Comment

by:SmallR2002
ID: 12598715
I use VB, but I don't need help with coding, I need help in what to code against. I can block and examine traffic easily.
0
 
LVL 2

Expert Comment

by:Axe007
ID: 12751568
Why don't you use these well-known ports open by default and close all other ports, but with an option to enable them.

http://www.webopedia.com/quick_ref/portnumbers.asp
0