RE: how to block connections running on non-default ports

From: James Scott-Brown (jamesscottbrown_at_tiscali.co.uk)
Date: 08/19/05

    To: <security-basics@securityfocus.com>
    Date: Fri, 19 Aug 2005 20:28:41 +0100
    
    

    As far as I am aware, telnet will not generally be detected as a
    masqueraded connection because all the telnet protocol does is send any
    received data to the screen and anything typed to the remote computer.
    This is why you can use telnet to connect to a website on port 80 and
    send raw HTTP commands, or send an email from a mail server via raw SMTP
    on port 25. A telnet connection on port 443 (normally used for SSL) is
    indistinguishable from an SSL connection coming from a browser. As far
    as the server is concerned, it is using the SSL protocol - not the
    telnet protocol. If you telnet to port 443 you will not receive a shell;
    you will connect to the SSL server (if one is running). If you wish to
    block port 443, you should do so at the firewall - after checking that
    it is not needed.

    James Scott-Brown

    -----Original Message-----
    From: Niranjan S Patil [mailto:niranjan.patil@gmail.com]
    Sent: 15 August 2005 16:36
    To: security-basics@securityfocus.com
    Subject: how to block connections running on non-default ports

    Hi list,

    I recently noticed that our corporate IDS could not block some of the
    connections that are seemingly unauthorised.

    I launched a telnet connection to a remote server on the Internet on port
    23 and it was successfully blocked by our firewall. I changed the
    listening port of the telnet server to 443 and launched another telnet
    connection on port 443. Neither our firewall nor our IDS was able to block
    this connection.

    Aren't IDS supposed to block such masqueraded connections, i.e.,
    protocols on non-default ports?

    I have little knowledge of IDS, but isn't it simple for them to check
    packet headers and block/filter if they are not on the right
    protocol/port?

    Is this normal with all IDS?

    Any help is appreciated.

    -- 
    Regards,
    Niranjan S Patil
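To make James's point concrete: a port number says nothing about the protocol actually in use, so a protocol-aware IDS has to look at the payload. The following is an added example, not code from the thread or from any IDS product; it classifies the first bytes of a TCP payload as TLS/SSL, HTTP or telnet option negotiation, and the sample payloads are constructed rather than captured.

```python
"""Protocol identification from the first bytes of a TCP payload (added example)."""

# TLS record header: content type 0x16 (handshake), version major 0x03,
# 2-byte record length, then handshake type 0x01 (ClientHello).
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01

# Telnet clients and servers open with IAC (0xFF) option negotiation:
# IAC followed by WILL/WONT/DO/DONT (0xFB-0xFE).
TELNET_IAC = 0xFF
TELNET_NEGOTIATION = (0xFB, 0xFC, 0xFD, 0xFE)

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_payload(data: bytes) -> str:
    """Return 'tls', 'http', 'telnet' or 'unknown' for the first bytes seen."""
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == CLIENT_HELLO):
        return "tls"
    if len(data) >= 2 and data[0] == TELNET_IAC and data[1] in TELNET_NEGOTIATION:
        return "telnet"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def port_matches_payload(port: int, data: bytes) -> bool:
    """True when the payload is what the well-known port is expected to carry.

    A telnet server answering on 443 is classified 'telnet', not 'tls', so a
    rule built on this check fires where a port-only rule stays silent.
    """
    expected = {443: "tls", 80: "http", 23: "telnet"}
    return expected.get(port) == classify_payload(data)


# Constructed samples: a minimal TLS ClientHello record header, an HTTP
# request line, and a telnet server's opening IAC DO TERMINAL-TYPE.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xA5, 0x01, 0x00, 0x00, 0xA1, 0x03, 0x03])
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_TELNET = bytes([0xFF, 0xFD, 0x18])

if __name__ == "__main__":
    for port, payload in ((443, SAMPLE_TLS), (443, SAMPLE_TELNET), (80, SAMPLE_HTTP)):
        print(port, classify_payload(payload), port_matches_payload(port, payload))
```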
    

