Chris Bagnall wrote:
> I tend to go the other way round: I have logging enabled on the default block rule, but then a load of "block silently" rules that filter out common connection attempts that would otherwise clutter the log.
>
> So far I don't log 135, 137, 139, 445 (SMB), 1026-1027 (MSRPC), 1433-1434 (MSSQL), 2967 (Symantec AV), 4899 (radmin).
>
> We see attempts on these ports every few seconds from random destinations, so there's nothing useful to be gained by logging them; they're common and well-documented exploits looking for unpatched services.
>
> We log everything else, which a) isn't actually very much without the common exploits, and b) means we can pick up fairly quickly on new exploits - e.g. we see many attempts to a specific port, a quick Google later and we can find out what that port's used for and some info about what they're trying to exploit. A quick script in <insert choice of scripting language you're familiar with> can query the logfiles every week and see what ports are scanned regularly, which you can then use for further research.

Me too... It is fun to be ahead of the curve. :)

See an uptick in a specific port, read about a new vulnerability.

Lee
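One way to write the weekly port tally Chris describes, added here as an example and not code from anyone in this thread: it assumes iptables-style block-log lines (the SRC=/PROTO=/DPT= fields), runs on constructed sample lines rather than a real capture, skips the same noise ports he lists so they do not dominate the counts, and flags ports whose weekly count jumps against the previous week, which is the uptick Lee mentions. The log format, sample addresses and thresholds are all assumptions.

```python
import re
from collections import Counter

# Ports dropped by Chris's "block silently" rules; excluded from the tally
# so the constant background noise does not hide anything new.
NOISE_PORTS = {135, 137, 139, 445, 1026, 1027, 1433, 1434, 2967, 4899}

# Assumed iptables-style LOG line: PROTO= precedes SPT=/DPT=; ICMP lines carry no DPT.
LINE_RE = re.compile(r"PROTO=(?P<proto>\w+).*?\bDPT=(?P<dport>\d+)")


def parse_block_line(line):
    """Return (proto, dport) for a block-log line, or None when it has no DPT field."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("proto").upper(), int(m.group("dport"))


def count_ports(lines, exclude=NOISE_PORTS):
    """Count blocked hits per (proto, dport), ignoring the known-noise ports."""
    counts = Counter()
    for line in lines:
        parsed = parse_block_line(line)
        if parsed is None:
            continue
        proto, dport = parsed
        if dport in exclude:
            continue
        counts[(proto, dport)] += 1
    return counts


def find_upticks(current, baseline, min_hits=3, ratio=2.0):
    """Ports with at least min_hits this week and at least `ratio` times last week's count.

    A port unseen last week is compared against 1 so a brand-new port is flagged
    as soon as it clears min_hits. Returns {(proto, dport): (baseline, current)}.
    """
    flagged = {}
    for key, n in current.items():
        base = baseline.get(key, 0)
        if n >= min_hits and n >= ratio * max(base, 1):
            flagged[key] = (base, n)
    return flagged


def weekly_report(current_lines, baseline_lines):
    """Tally this week's log and flag ports that rose sharply versus the previous week."""
    current = count_ports(current_lines)
    baseline = count_ports(baseline_lines)
    return current, find_upticks(current, baseline)


def _line(proto, src, dport):
    # Constructed sample line in the assumed iptables-style format (not a real capture).
    return (f"Mar 10 12:00:01 fw kernel: BLOCK IN=eth0 SRC={src} DST=192.0.2.10 "
            f"PROTO={proto} SPT=40000 DPT={dport}")


# Constructed sample data: last week's and this week's blocked connections.
LAST_WEEK = [
    _line("TCP", "203.0.113.5", 22),
    _line("TCP", "203.0.113.9", 22),
    _line("TCP", "203.0.113.5", 445),
    _line("TCP", "198.51.100.7", 445),
    _line("TCP", "198.51.100.8", 445),
    _line("TCP", "198.51.100.9", 3389),
]
THIS_WEEK = [
    _line("TCP", "203.0.113.5", 22),
    _line("TCP", "203.0.113.12", 22),
    _line("TCP", "203.0.113.5", 445),
    _line("TCP", "198.51.100.7", 445),
    _line("TCP", "198.51.100.8", 445),
    _line("TCP", "198.51.100.10", 445),
    _line("TCP", "198.51.100.9", 3389),
    _line("TCP", "203.0.113.20", 5900),
    _line("TCP", "203.0.113.21", 5900),
    _line("TCP", "203.0.113.22", 5900),
    _line("TCP", "203.0.113.23", 5900),
    # ICMP echo request: no DPT field, so the parser skips it rather than miscounting.
    "Mar 10 12:00:05 fw kernel: BLOCK IN=eth0 SRC=203.0.113.30 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    counts, upticks = weekly_report(THIS_WEEK, LAST_WEEK)
    for (proto, dport), n in counts.most_common():
        print(f"{proto}/{dport}: {n}")
    for (proto, dport), (base, n) in upticks.items():
        print(f"UPTICK {proto}/{dport}: {base} last week -> {n} this week")
```

On the sample data the report lists 5900, 22 and 3389 (445 is suppressed as noise) and flags only TCP/5900, which went from no hits to four; ports that merely repeat last week's level are left alone, which is the point of comparing against a baseline rather than just sorting by count.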