Re: Port watching tool
From: Jeff Lane (crash_at_pinehurst.net)
Date: 08/22/03
- Previous message: Jimmy Sansi: "RE: Exchange Server and External Access"
- In reply to: Jim Clare: "Re: Port watching tool"
- Next in thread: George Peek: "RE: Port watching tool"
Date: Fri, 22 Aug 2003 16:58:32 -0400
To: jeempc@ittoolbox.com, security-basics@securityfocus.com
Thanks for the suggestions...
The earlier suggestion of PortDetective.com is not what I was looking
for... hope I wasn't too confusing! portdetective.com looks to me
(without having installed their client side software that is not
documented at all on their website (so I am hesitant to even install
it)) looks like it is basically a web based port scanner... I have nmap
for that...
Active Ports only shows one connection to port 25 (which I am trying to
monitor) but netstat shows about 250 (about 50 show as ACTIVE, and the
rest show as either TIME_WAIT or CLOSE_WAIT) and those are the ones that
concern me...
I am finding certain IPs (thanks I believe to the Sobig virus) to be
generating large numbers of SMTP connections to the server, and when I
find them with netstat, they are mostly in one of the wait states.
So the idea was to have something alert me when there were more than X
number of connections from any single IP or in any single state, and
since I am not a programmer, I have little hope of doing that one on my
own... <grin>
Good example, I am seeing three distinct IPs from AT&T blocks that have
about 100 connections to port 25 on my mail server. Most of these are
in the TIME_WAIT or CLOSE_WAIT status.
I had considered black-listing the individual IPs locally, but that may
not be a good idea, since I may or may not be able to tell if these IPs
are dynamically allocated or static...
Jeff
Jim Clare wrote:
> ---------- Original Message ----------------------------------
> From: Jeff Lane <crash@pinehurst.net>
> Date: Fri, 22 Aug 2003 14:07:13 -0400
>
>
>>Hello,
>>
>>I have just a simple question... I have been searching around the net for
>>software to watch the ports on a Win2K machine but am not turning
>>anything up that would be useful to me, so I thought I would ask here...
>>
>>Could someone point me to a tool that will or can do the following:
>
>
>>A: monitor ports on a Win2K server
>
>
> www.devhood.com/tools/tool_details.aspx?tool_id=515 download and install. It's a cool little free program that will do this.
>
>
>>B: specifically monitor a certain port or range of ports
>
>
> go to www.grc.com and run the shields up test.
>
>
>
>
>
--
Jeffrey Lane, RHCE
Systems Administrator
ConnectNC, Inc
DSL and Web hosting: http://www.connectnc.com
List your child-related organization Online! http://www.sandhillskids.com
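The check asked for in the message above (flag any single remote IP, or any single TCP state, with more than X connections to port 25), as an added example that is not part of the original post. It assumes the Windows `netstat -an` column layout; the function names, thresholds and sample addresses are constructed for illustration.

```python
"""Count TCP connections to one local port per remote IP and per state,
parsed from `netstat -an` text (Windows column layout assumed)."""
from collections import Counter

def summarize(netstat_text, port=25):
    """Return (per_ip, per_state) Counters for connections to local `port`."""
    per_ip, per_state = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: Proto, Local Address, Foreign Address, State.
        # Header and UDP rows have a different field count and are skipped.
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        local, remote, state = fields[1:]
        if state == "LISTENING":
            continue  # the server's own listening socket is not a client
        # rpartition splits on the last ':' so the port is always separated
        local_port = local.rpartition(":")[2]
        remote_ip = remote.rpartition(":")[0]
        if local_port != str(port):
            continue
        per_ip[remote_ip] += 1
        per_state[state] += 1
    return per_ip, per_state

def find_alerts(netstat_text, port=25, max_per_ip=20, max_per_state=100):
    """Return (kind, key, count) tuples for every exceeded threshold."""
    per_ip, per_state = summarize(netstat_text, port)
    hits = [("ip", ip, n) for ip, n in per_ip.items() if n > max_per_ip]
    hits += [("state", s, n) for s, n in per_state.items() if n > max_per_state]
    return sorted(hits, key=lambda h: (-h[2], h[1]))

def build_sample():
    """Constructed sample using documentation-range addresses, not real hosts."""
    rows = ["  Proto  Local Address          Foreign Address        State",
            "  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING",
            "  TCP    192.0.2.10:80          198.51.100.7:2999      ESTABLISHED",
            "  TCP    192.0.2.10:25          203.0.113.5:1025       ESTABLISHED",
            "  TCP    192.0.2.10:25          203.0.113.5:1026       ESTABLISHED",
            "  TCP    192.0.2.10:25          203.0.113.6:1027       ESTABLISHED"]
    # One noisy sender: 30 sockets in TIME_WAIT and 10 in CLOSE_WAIT
    for i in range(40):
        state = "TIME_WAIT" if i < 30 else "CLOSE_WAIT"
        rows.append(f"  TCP    192.0.2.10:25          198.51.100.7:{3000 + i}      {state}")
    return "\n".join(rows)

if __name__ == "__main__":
    for kind, key, count in find_alerts(build_sample(), max_per_state=25):
        print(f"ALERT {kind} {key}: {count} connections to port 25")
```

On the server, pass the captured text of `netstat -an` to `find_alerts` from a scheduled job and send the returned tuples to whatever notification channel is in use.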