"Finishing in second place, simply means you are the first loser." - PouyaCat
@sysadmins: what ports do you have blocked?
This place suggests the top 10 ports. Which ones should I concern myself with - are any of them (such as 113) actually useful for anything? What other vital ports do you have blocked?
Maybe this isn't forum material (security as it is is at stake) - then again, I'd presume a simple port scan could easily determine precisely which ports you have blocked anyway.
Without any peripheral software installed, how can I view network activity on certain ports?
"Literally, it means that Bob is everything you can think of, but not dead; i.e., Bob is a purple-spotted, yellow-striped bumblebee/dragon/pterodactyl hybrid with a voracious addiction to Twix candy bars, but not dead."- kSquared
113 is the ident server, nothing special if you never use irc (some servers will kick you without ident)...
T2k
I block everything except the core daemons I need access to.
In other words, if I have a box running as a secure web server, the only two ports you can reach are 443 and 22.
Of course, this is a very simple example. Also, many of the blocked ports in that list are the result of specific vulnerabilities. You may very well need 3128 (standard proxy port, most ISPs also use 8080 or do a transparent redirect to 3128). In which case you're not going to block it, just make sure you're not running an open http proxy for some script kiddie to use as a jump point.
Sometimes port scans can be difficult depending on your firewall behavior, but tools like nmap make it easy to identify this behavior in most cases.
When you say "view network activity on certain ports" I'm assuming actually see the traffic? In which case you'll need peripheral software. On *Nix systems, tcpdump is a command line packet capture program installed on most systems by default. Some OS vendors have their own package as well. For example, Solaris has "sniff". You can also use ethereal, which is one of my favorites.
If you just mean to see who's connecting to your box or what your box is talking to, you can use netstat. Netstat also shows UNIX sockets, but you can pass most versions of netstat '-f inet' to only show the inet network socket types. Plenty of other command line switches as well to get more specific or expanded information. Linux also supports a command line switch with netstat in 2.4 I believe to show the running process that opened the socket originally.
Interim
Like Interim said, you can do some of that with netstat (run netstat --udp --tcp --continuous for a nice show; running it as root you often can get more information about the connections than as a normal user). Using something like lsof -i :port will tell you information about a single port (as root). But if you really want to get serious about it and become willing to install peripheral software, you should look into Snort. Edit: inadvertent smiley removal.
[edited by - Null and Void on February 11, 2004 8:28:33 AM]
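Added example (not code from the thread or its posters): the posts above recommend blocking everything except the ports you need and using netstat to see what a box is actually listening on. This script ties the two together: it parses `netstat -tuln` (or `ss -tuln`) output, extracts the listening ports, and reports any that are not on a short allow list such as 22 and 443. A constructed netstat sample is embedded so it runs without either tool.

```shell
#!/bin/sh
# Constructed sample of `netstat -tuln` output (not real data).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN
tcp6       0      0 :::113                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# listening_ports: read netstat/ss text on stdin, print "proto port"
# for every tcp/udp line, sorted and de-duplicated.  netstat puts the
# local address in column 4 (column 2 is the numeric Recv-Q); ss puts
# the state (LISTEN/UNCONN) in column 2 and the address in column 5.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            addr = ($2 ~ /^[0-9]+$/) ? $4 : $5
            n = split(addr, a, ":")          # port is the last ":" field
            sub(/6$/, "", $1)                # fold tcp6/udp6 into tcp/udp
            print $1 " " a[n]
         }' | LC_ALL=C sort -u
}

# unexpected_listeners PORT...: print every listening "proto port" from
# stdin whose port is not in the allow list given as arguments.
unexpected_listeners() {
    allowed=" $* "
    listening_ports | while read -r proto port; do
        case "$allowed" in
            *" $port "*) ;;                  # on the allow list, skip
            *) echo "$proto $port" ;;        # unexpected listener
        esac
    done
}

# Stand-alone run on the constructed sample with the thread's
# "secure web server" allow list: reports 113, 3128 and 68.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22 443
```

On a live box replace the sample with `netstat -tuln | unexpected_listeners 22 443` (or `ss -tuln`); anything it prints is a daemon you either forgot about or should be filtering.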
My rule of thumb... block every port, then only open the ports you absolutely require to do your work.
Thanks for the advice. However, I'm running a gateway router so I can't block too much. I was more thinking along the lines of specific ports that are most frequently used to (from) attack my system, as in by a virus or some more human-like attacker. Anyway - I don't know if this is related, but something really out of my league has come to life lately, which could be the result of some virus (which is why I was asking about blocking certain ports and monitoring them). I am starting a new thread since it really is off-topic in this one.
Unfortunately installing peripheral software is not much of a possibility on the current system because of the complete lack of hard disk space, not to mention wouldn't make sense effort-wise as the current router is due to be salvaged soon.