blocking RFC 793 ports 1024-49151

From: gaius.petronius (rut@linuxmail.org)
Date: 02/01/02


    blocking RFC 793 ports 1024-49151 (NOT inclusive)

    i have a particular server which runs only 4 services:
    http (apache 1.3)
    ftp (wu ftp 2.6)
    ssh (2.9)
    sendmail (local only: version 12)

    we somehow caught the attention of some taiwanese crackers and they
    have been hitting the ports with strange packets, perhaps seeking to
    cause a buffer overflow or i don't know what.

    i never tried this before and i never heard of anyone doing so, but
    this is what i attempted: using sed and awk on an RFC 793 document i
    inserted these lines into my firewall shell program,

    *****************************-excerpt-
    # port numbers in RFC that i am rejecting
    printf "rejecting RFC 793 port numbers\n"
    printf "defining ports in input chain as -j DENY\n"
    printf " port number service\n"

    printf " 1024 Reserved \n"
            ipchains -A input -p tcp -s 0/0 -d 0/0 1024 -j DENY
            ipchains -A input -p tcp -s 0/0 -d 0/0 1024 -j DENY
    # IANA <iana@iana.org>
    printf "blackjack 1025 network blackjack\n"
            ipchains -A input -p tcp -s 0/0 -d 0/0 1025 -j DENY
            ipchains -A input -p tcp -s 0/0 -d 0/0 1025 -j DENY
    # Unknown contact
    # 1026-1029 Unassigned
    printf "iad1 1030 BBN IAD\n"
            ipchains -A input -p tcp -s 0/0 -d 0/0 1030 -j DENY
            ipchains -A input -p tcp -s 0/0 -d 0/0 1030 -j DENY
    *****************************-excerpt-

    i think the concept is clear. i reasoned that if and when i opened up
    more services i could just disable the appropriate lines.

    as soon as i activated these new directives the firewall denied
    everything from http to ssh.

    you will notice that the unassigned ranges are not blocked.
    if these ports are already defined by the RFC to belong to specific
    services, then why the [expletive deleted] would they affect http,
    ftp, and ssh?

    Someone please explain this to me or point me to a document that does.
    system: Linux RH 7.1, 2.4.X kernel
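An added example, not part of the original post: the same sed/awk idea as a small script that generates the per-port DENY rules while skipping the ports of the services actually served, and that refuses any generated rule missing a destination port, since a rule of the form "-d 0/0 -j DENY" would match every inbound TCP packet. The port-list layout ("keyword port/proto description") and the list contents are assumed and constructed; rules are printed, not applied.

```shell
#!/bin/sh
# Turn an IANA-style port list into per-port DENY rules (ipchains syntax as in
# the post) while leaving the ports of the services you run untouched, then
# refuse to use any rule that lacks a destination port, since a rule reading
# "-d 0/0 -j DENY" would match every inbound TCP packet. Rules are printed,
# not applied. The list below is a constructed sample, not a real RFC excerpt.

# Assumed layout: "keyword  port/proto  description"; range lines carry no /tcp.
SAMPLE_PORTLIST='blackjack  1025/tcp  network blackjack
1026-1029  Unassigned
iad1       1030/tcp  BBN IAD
iad2       1031/tcp  BBN IAD
ssh        22/tcp    SSH Remote Login Protocol
http       80/tcp    World Wide Web HTTP'

# ports_to_deny LIST "SERVED PORTS" LOW HIGH: print each TCP port in LIST that
# lies in [LOW, HIGH] and is not one of the served ports, one per line.
ports_to_deny() {
    printf '%s\n' "$1" | awk -v served="$2" -v low="$3" -v high="$4" '
        BEGIN { n = split(served, s, " "); for (i = 1; i <= n; i++) keep[s[i]] = 1 }
        $2 ~ /^[0-9]+\/tcp$/ {              # lines with a single numeric tcp port only
            port = $2; sub(/\/tcp$/, "", port)
            if (port + 0 >= low && port + 0 <= high && !(port in keep)) print port
        }'
}

# gen_rules: one DENY rule per port read from stdin.
gen_rules() {
    while read -r port; do
        printf 'ipchains -A input -p tcp -s 0/0 -d 0/0 %s -j DENY\n' "$port"
    done
}

# check_rules: read rules from stdin; fail (return 1) if any rule has no
# numeric port between "-d 0/0" and "-j DENY".
check_rules() {
    if grep -qEv -- '-d 0/0 [0-9]+ -j DENY$'; then
        return 1
    fi
    return 0
}

# Dry run: deny 1024-49151 except the served ports 22 and 80, verify, then print.
main() {
    rules=$(ports_to_deny "$SAMPLE_PORTLIST" "22 80" 1024 49151 | gen_rules)
    printf '%s\n' "$rules" | check_rules || { echo "refusing: catch-all rule" >&2; return 1; }
    printf '%s\n' "$rules"
}
main
```

Replace the sample with the real list and pipe the output into the firewall script only after check_rules succeeds.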
