
Re: port 16001 and 111



On Tuesday 29 October 2002 01:02 am, Jean Christophe ANDRÉ wrote:
> Hi,
>
> ben wrote:
> > way overkill. 16001 isn't being scanned and 111 is the most common target
> > after 25. you're suggesting that the guy turn his server into a
> > honeypot--to what end? disable portmap and nothing can get at 111.
> > there's a difference between simply securing a box and assuming a role as
> > cyber-detective. the former solves the problem, the latter has no end.
>
> Please read the full thread before posting (or even only the first post).
>
> He actually *is* asking for tracking the *internal* process trying
> to connect *locally* to its port 111.
>
> He knows about such attempts because he had filtered them.
> But he can't guess which process attempts to connect to it.
> And he just *wants* to know.
>
> Tracking connection attempts *is* part of security, since it allows you
> to know how things work, and better tune it once you understand it.
>

you're missing the point. running a portmap daemon is the only 
vulnerability that the 111 port scans are attempting to exploit. that 
attempted exploit is part of the weather of being hooked up, in the same way 
that 25 is attempted to be used as a mail relay. there are--to the best of my 
knowledge--no internal apps or daemons that will cause the fashion of log 
alarm that the op is concerned to address. you're assuming that internal apps 
attempt external connections. for that to be a possibility, you'd have to 
have a mighty weird local setup. if you, or anybody, can give me a real 
example to justify your hypothesis, please do.

ben
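
The question quoted in this message is how to tell which local process is behind filtered connection attempts to port 111. The following is an added example, not code from either poster: it reads a Linux `/proc/net/tcp` table, picks out sockets whose remote port is 111, and maps each socket inode to its owning PIDs. It assumes Linux, IPv4 TCP and a little-endian host; the function names are hypothetical and the `SAMPLE` rows are constructed.

```python
import glob
import os

PORTMAP_PORT = 111
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (not data from the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8003 0100007F:006F 02 00000001:00000000 01:00000064 00000001  1000        0 4711 2 0000000000000000 100 0 0 10 0
   2: 0100007F:9C41 0100007F:0019 01 00000000:00000000 00:00000000 00000000     0        0 4712 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(hexaddr):
    """'0100007F:006F' -> ('127.0.0.1', 111); IPv4 bytes are stored little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)

def connections_to_port(table_text, port=PORTMAP_PORT):
    """Return sockets whose remote port matches, with owner uid and socket inode."""
    hits = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        remote = decode_addr(f[2])
        if remote[1] != port:
            continue
        hits.append({"local": decode_addr(f[1]), "remote": remote,
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return hits

def pids_for_inode(inode):
    """Find processes holding a file descriptor that points at socket:[inode]."""
    target = f"socket:[{inode}]"
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:  # process exited, or its fds are not ours to inspect
            continue
    return sorted(pids)

if __name__ == "__main__":
    for hit in connections_to_port(open("/proc/net/tcp").read()):
        print(hit, "pids:", pids_for_inode(hit["inode"]))
```

A single snapshot only catches attempts that are still in flight (a filtered attempt sits in `SYN_SENT` while it retries), so it has to be run in a loop while the log entries are appearing. Seeing other users' file descriptors requires root.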


