 From:  "Chris Bagnall" <lists at minotaur dot cc>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Risky Ports to keep a lookout for
 Date:  Thu, 7 Feb 2008 00:55:36 -0000
> Since m0n0wall logs too much information when setting the default rule
> to log activity to on, I was wondering if you guys mind sharing what
> ports would be interesting to monitor to the log?
> Currently I have disabled logging on the default rule, and have added a
> rule to block ping requests... with the logging enabled.

I tend to go the other way round: I have logging enabled on the default block rule, but then a load
of "block silently" rules that filter out common connection attempts that would otherwise clutter
the log.

So far I don't log 135,137,139,445 (SMB), 1026-1027 (MSRPC), 1433-1434 (MSSQL), 2967 (Symantec AV),
4899 (radmin).

We see attempts on these ports every few seconds from random destinations, so there's nothing useful
to be gained by logging them; they're common and well-documented exploits looking for unpatched
services.

We log everything else, which a) isn't actually very much without the common exploits, and b) means
we can pick up fairly quickly on new exploits - e.g. we see many attempts to a specific port, a
quick google later and we can find out what that port's used for and some info about what they're
trying to exploit. A quick script in <insert choice of scripting language you're familiar with> can
query the logfiles every week and see what ports are scanned regularly, which you can then use for
further research.

Regards,

Chris
-- 
C.M. Bagnall, Director, Minotaur I.T. Limited
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
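The weekly "which ports are being scanned" script Chris describes, as an added example that is not from the original post or from m0n0wall: it skips the ports he blocks silently and reports the remaining destination ports by hit count, distinct source addresses and distinct days. The log line layout and the sample lines are constructed for the example; m0n0wall's real log format differs, so the regex is the part to adapt.

```python
import re
from collections import defaultdict

# Ports the post's author blocks silently (never logged): SMB, MSRPC,
# MSSQL, Symantec AV and radmin.
SILENCED_PORTS = {135, 137, 139, 445, 1026, 1027, 1433, 1434, 2967, 4899}

# Constructed sample log lines in a made-up syslog-style layout:
#   "<Mon> <DD> <hh:mm:ss> block <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
Feb 01 02:10:11 block 198.51.100.7 -> 203.0.113.5:445 tcp
Feb 01 03:12:40 block 198.51.100.9 -> 203.0.113.5:5900 tcp
Feb 02 11:00:02 block 192.0.2.33 -> 203.0.113.5:5900 tcp
Feb 03 09:45:13 block 192.0.2.34 -> 203.0.113.5:5900 tcp
Feb 03 10:01:55 block 198.51.100.7 -> 203.0.113.5:1433 tcp
Feb 04 22:17:09 block 192.0.2.50 -> 203.0.113.5:8080 tcp
Feb 05 23:59:59 block 192.0.2.50 -> 203.0.113.5:8080 tcp
Feb 06 00:00:01 block 192.0.2.51 -> 203.0.113.5:22 tcp
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{2}) \S+ block (?P<src>\S+) -> "
    r"\S+:(?P<port>\d+) (?P<proto>\w+)$"
)

def parse_blocks(text):
    """Yield (day, src, port, proto) for every log line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (f"{m['month']} {m['day']}", m["src"], int(m["port"]), m["proto"])

def regularly_scanned(text, silenced=SILENCED_PORTS, min_sources=2):
    """Return [(port, hits, distinct_sources, distinct_days)], noisiest first,
    for non-silenced ports hit by at least `min_sources` different addresses.
    Requiring several sources separates a scan from one misconfigured host."""
    hits, sources, days = defaultdict(int), defaultdict(set), defaultdict(set)
    for day, src, port, _proto in parse_blocks(text):
        if port in silenced:
            continue  # would be a "block silently" rule; nothing to learn here
        hits[port] += 1
        sources[port].add(src)
        days[port].add(day)
    rows = [(p, hits[p], len(sources[p]), len(days[p]))
            for p in hits if len(sources[p]) >= min_sources]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

if __name__ == "__main__":
    for port, n, srcs, d in regularly_scanned(SAMPLE_LOG):
        print(f"port {port}: {n} hits from {srcs} sources on {d} days")
```

Run it against a week of logs and the ports that surface are the ones worth the "quick google" Chris mentions, or the next candidates for a block-silently rule once they are understood.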