
Re: port 16001 and 111



On Monday 28 October 2002 11:59 pm, Jean Christophe ANDRÉ wrote:
> Tom Cook wrote:
> > What the....
> > What's wrong with 'lsof -i :111' and 'lsof -i :16001'?
>
> Nothing wrong with it! :)
>
> > It tells you precisely what's attempting to connect...
>
> Yes, except in his case there is no connection since there is no installed
> daemon on this port, only some connection attempts he is trying to track.
>
> So my solution is just to provide a mini-daemon allowing connecting and so
> tracking. Use netstat or lsof in /root/spy.sh as you want. I am just used to
> using netstat so I gave an example with netstat, but you can use lsof instead
> of course! :)
>
> Cheers, J.C.

way overkill. 16001 isn't being scanned and 111 is the most common target 
after 25. you're suggesting that the guy turn his server into a honeypot--to 
what end? disable portmap and nothing can get at 111. there's a difference 
between simply securing a box and assuming a role as cyber-detective. the 
former solves the problem, the latter has no end.

ben


