TCP/IP port#s

The "well known" ports 1- 1024 are well documented.
If somebody would be so kind as to post a URL
which lists the high port numbers & their "general" use.

My RH FC3 box started getting probed within FIVE minutes
of appearing in the 'Net. Many of the probes are to port
numbers > 1024 and I am not familar with what "they"
are after. I might decide to setup a honey pot if I
have the time to do so.

Also is there any Open Source package which is a preconfigured honeypot?


TIA!

"IANAL_VISTA" <(E-Mail Removed)> wrote in message
news:Xns95C8B9459E1CASunnySD@68.6.19.6...
> The "well known" ports 1- 1024 are well documented.
> If somebody would be so kind as to post a URL
> which lists the high port numbers & their "general" use.
>
> My RH FC3 box started getting probed within FIVE minutes
> of appearing in the 'Net. Many of the probes are to port
> numbers > 1024 and I am not familar with what "they"
> are after. I might decide to setup a honey pot if I
> have the time to do so.
>
> Also is there any Open Source package which is a preconfigured honeypot?
>
>
> TIA!

They are trying to hack into any windoze machines available.


Randy

On Fri, 24 Dec 2004 02:12:43 GMT, IANAL_VISTA wrote:
> The "well known" ports 1- 1024 are well documented.
> If somebody would be so kind as to post a URL
> which lists the high port numbers & their "general" use.

http://www.dshield.org/ for traffic count samples.
http://lists.gpick.com/portlist/lookup.asp?port=NNN <=== port number of intrest

> My RH FC3 box started getting probed within FIVE minutes of
> appearing in the 'Net.

Hmmm, that long. Not a busy net

> Many of the probes are to port numbers > 1024 and I am not familar
> with what "they" are after.

Trojaned systems.

Malware is being created at about 1 ever hour. Last number I saw, 20
new ones per 24 hours average.

There is not that many high ports being probed. Here are the noisy
ports I drop without logging. Count is for 13 days since my last reset.
Cable modem/system is on 24 hours a day. Only ss (22) and auth (113)
ports are not dropped.

pkts bytes target destination
310 14956 tcp dpt:1025
1099 911K udp dpts:1026:1029
110 44440 udp dpt:1434
295 14192 tcp dpt:1433
2 88 tcp dpt:1521
60 2928 tcp dpt:2082
265 12780 tcp dpt:2745
175 8452 tcp dpt:3127
47 2240 tcp dpt:3128
11 532 tcp dpt:3389
161 7732 tcp dpt:3410
16 764 tcp dpt:4000
598 29008 tcp dpt:4899
74 3568 tcp dpt:5000
151 7272 tcp dpt:5554
155 7456 tcp dpt:6129
153 7372 tcp dpt:9898
55 2648 tcp dpt:12345
4 192 tcp dpt:17300
18 864 tcp dpt:27374
3 144 tcp dpt:65506

"IANAL_VISTA" <(E-Mail Removed)> wrote in message
news:Xns95C8B9459E1CASunnySD@68.6.19.6...

> If somebody would be so kind as to post a URL
> which lists the high port numbers & their "general" use.

http://www.iana.org/assignments/port-numbers might be useful.

> My RH FC3 box started getting probed within FIVE minutes
> of appearing in the 'Net. Many of the probes are to port
> numbers > 1024 and I am not familar with what "they"
> are after. I might decide to setup a honey pot if I
> have the time to do so.

Why play games with "them"? Use iptables and reject or drop all unsolicited
or undesired traffic.

"ynotssor" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> "IANAL_VISTA" <(E-Mail Removed)> wrote in message
> news:Xns95C8B9459E1CASunnySD@68.6.19.6...
>
>> If somebody would be so kind as to post a URL
>> which lists the high port numbers & their "general" use.
>
> http://www.iana.org/assignments/port-numbers might be useful.
>
>> My RH FC3 box started getting probed within FIVE minutes
>> of appearing in the 'Net. Many of the probes are to port
>> numbers > 1024 and I am not familar with what "they"
>> are after. I might decide to setup a honey pot if I
>> have the time to do so.
>
> Why play games with "them"? Use iptables and reject or drop all
> unsolicited or undesired traffic.
>
>

It is via iptable LOG option that I am recording this activity.
Ignoring nefarious behavior only "encourages" more of it.
I want to make the perps pay for not being good 'Net neighbors.

So I'd still like to know what ports that are being probed
are supposed to do so I can provide some payback to those
who are playing with my doorknobs. They should not be on my
property seeing if I locked my back door.

On Fri, 24 Dec 2004 04:00:28 GMT, IANAL_VISTA wrote:
> It is via iptable LOG option that I am recording this activity.
> Ignoring nefarious behavior only "encourages" more of it.
> I want to make the perps pay for not being good 'Net neighbors.

And how do you think your are going to make them pay.
Only legal thing you can do is send logs to isp of offending ip owner.

What can the microsoft user do. New virus every hour.
It has to be caught by antivirus company, analyzed, added/tested to
database and user has to download it sometime later. Well hustle
around in 8 hours and your are 7 more viruses behind.

> So I'd still like to know what ports that are being probed
> are supposed to do so I can provide some payback to those
> who are playing with my doorknobs. They should not be on my
> property seeing if I locked my back door.

You better go back and read your Acceptable User Agreement put out by
your ISP. Just like the real world, you cannot go out and beat up the
person on your property.

"IANAL_VISTA" <(E-Mail Removed)> wrote in message
news:Xns95C8CB89ED5C1SunnySD@68.6.19.6...

> >> My RH FC3 box started getting probed within FIVE minutes
> >> of appearing in the 'Net. Many of the probes are to port
> >> numbers > 1024 and I am not familar with what "they"
> >> are after. I might decide to setup a honey pot if I
> >> have the time to do so.
> >
> > Why play games with "them"? Use iptables and reject or drop all
> > unsolicited or undesired traffic.
> >
>
> It is via iptable LOG option that I am recording this activity.
> Ignoring nefarious behavior only "encourages" more of it.
> I want to make the perps pay for not being good 'Net neighbors.
>
> So I'd still like to know what ports that are being probed
> are supposed to do so I can provide some payback to those
> who are playing with my doorknobs.

Payback makes you one of "them". Deny it if you like, but one is a loser if
one plays loser games.

"IANAL_VISTA" <(E-Mail Removed)> wrote in message
news:Xns95C8CB89ED5C1SunnySD@68.6.19.6...
> "ynotssor" <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
>> "IANAL_VISTA" <(E-Mail Removed)> wrote in message
>> news:Xns95C8B9459E1CASunnySD@68.6.19.6...
>>
>>> If somebody would be so kind as to post a URL
>>> which lists the high port numbers & their "general" use.
>>
>> http://www.iana.org/assignments/port-numbers might be useful.
>>
>>> My RH FC3 box started getting probed within FIVE minutes
>>> of appearing in the 'Net. Many of the probes are to port
>>> numbers > 1024 and I am not familar with what "they"
>>> are after. I might decide to setup a honey pot if I
>>> have the time to do so.
>>
>> Why play games with "them"? Use iptables and reject or drop all
>> unsolicited or undesired traffic.
>>
>>
>
> It is via iptable LOG option that I am recording this activity.
> Ignoring nefarious behavior only "encourages" more of it.
> I want to make the perps pay for not being good 'Net neighbors.
>
> So I'd still like to know what ports that are being probed
> are supposed to do so I can provide some payback to those
> who are playing with my doorknobs. They should not be on my
> property seeing if I locked my back door.

Most are from "the pacific rim" mainly mainland china. They are not
discouraged by their government. There is nothing you can do. Most of us
have already spent too much time trying to "catch" them and do something
about it.

I wish that the internet was split, theirs and ours. If they are in the US
they can be both criminally and civilly prosecuted.


Randy

On Fri, 24 Dec 2004 02:12:43 GMT, "IANAL_VISTA"
<(E-Mail Removed)> wrote:

>If somebody would be so kind as to post a URL
>which lists the high port numbers & their "general" use.

http://www.iana.org/assignments/port-numbers

You can find all sorts of interesting stuff:
http://www.iana.org/numbers.htm

--
Ken
http://www.ke9nr.net/

IANAL_VISTA wrote:
> The "well known" ports 1- 1024 are well documented.
> If somebody would be so kind as to post a URL
> which lists the high port numbers & their "general" use.
>
> TIA!

$ cat /etc/services

--
Even though I walk through the valley of the shadow of death,
I will fear no evil, for you are with me;
your rod and your staff, they comfort me.