Re: Ports to block?
I work from a default-deny stance. Usual things to then allow in would be
25 (smtp), 80 (http), 22 (ssh, although be careful here), 53-UDP (DNS, if
you have bind running), and various ICMP (echo-reply/request,
source-quench, destination-unreachable, time-exceeded, and
parameter-problem are good ones).
I deny and log pretty much everything else, although I do have special DENY
rules for stuff like NetBIOS (137/138) so they don't hit the trap line at
the end which logs everything not caught above, filling up my logs.
I believe the 1028-UDP port you're talking about is the syslogd talking to
itself (you'll notice it's on the loopback address [127.0.0.1] and
established to Port 514, which is the syslog port). If you've got an
external address talking to your syslog port.. well... good luck.
At 12:57 PM 4/5/2001 -0700, Brandon High wrote:
Does anyone have a recommendation of ports that should be blocked (via
ipchains/netfilter/etc) to make a system more secure?
In light of the recent security holes, I did a netstat -an, then lsof -i for
all ports that were listening and/or UDP. I put a filter in the way of
everything that I didn't want externally visible, but UDP port 1028 shows
nothing listening lsof. I blocked it out of principle, but does anyone know
what it might be?
Brandon High firstname.lastname@example.org
We are Homer of Borg. Resistance is ... Ooo! Donuts!
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org
Eric N. Valor
- This Space Intentionally Left Blank -