Well, that might be overkill...

    Size    File
    19004   services (Mandrake 9)
    11077   services (Bering 1.0)
   101481   nmap-services (nmap 3.00)
What I was looking for is a services file with the service ports that are currently being commonly exploited. I'm using my Mandrake services file on my Bering firewall at the moment.

1433, 1434, 445, 53, 80, 443, 8080, 8081, 3128, 25

Some of these are new (newer than 1997) service ports, and new exploits. I would suspect that a pretty logfile with some human-readable information might cut down on the posts from newbies thinking they have been hacked.

I know this is not going to work, but here is a cut-and-paste of my current logfile. It is in a nice HTML table with the columns lined up. The Dest Port column has | Description (port#) |

Date Time        Firewall  Rule     Action  In I/F  Out I/F  From IP          Target IP        Protocol  Src Port  Dest Port
Feb 21 06:42:11  firewall  all2all  REJECT  local   eth0     12.243.225.129   192.43.244.18    TCP       1772      time (37)
Feb 21 06:55:22  firewall  net2all  DROP    eth0    local    211.222.248.167  12.243.225.129   TCP       2006      17300
Feb 21 06:55:28  firewall  net2all  DROP    eth0    local    211.222.248.167  12.243.225.129   TCP       2006      17300
Feb 21 06:55:38  firewall  net2all  DROP    eth0    local    211.222.248.167  12.243.225.129   TCP       2006      17300
Feb 21 06:55:50  firewall  net2all  DROP    eth0    local    211.222.248.167  12.243.225.129   TCP       2006      17300
Feb 21 11:59:00  firewall  net2all  DROP    eth0    local    212.64.132.107   12.243.225.129   TCP       42527     microsoft-ds (445)
Feb 21 12:41:09  firewall  net2all  DROP    eth0    local    38.112.96.157    12.243.225.129   UDP       1309      ms-sql-m (1434)
Feb 21 13:54:32  firewall  net2all  DROP    eth0    local    202.178.156.229  12.243.225.129   UDP       2046      ms-sql-m (1434)
Feb 21 17:46:56  firewall  net2all  DROP    eth0    local    160.33.16.238    12.243.225.129   UDP       1233      ms-sql-m (1434)
Feb 21 21:43:14  firewall  net2all  DROP    eth0    local    64.124.142.92    12.243.225.129   UDP       3004      ms-sql-m (1434)
Feb 21 23:33:59  firewall  net2all  DROP    eth0    local    24.158.21.53     12.243.225.129   TCP       3187      ftp (21)
Feb 22 00:09:21  firewall  net2all  DROP    eth0    local    67.210.111.63    12.243.225.129   UDP       2241      ms-sql-m (1434)
Feb 22 00:55:09  firewall  net2all  DROP    eth0    local    218.239.215.222  12.243.225.129   TCP       4207      12346
Feb 22 01:32:22  firewall  net2all  DROP    eth0    local    128.242.107.15   12.243.225.129   UDP       55555     domain (53)
Feb 22 03:59:27  firewall  net2all  DROP    eth0    local    216.118.6.173    12.243.225.129   UDP       1773      ms-sql-m (1434)
Feb 22 05:44:21  firewall  net2all  DROP    eth0    local    66.196.20.36     12.243.225.129   UDP       3241      ms-sql-m (1434)

Some ports are well known for being exploited (see FAQ: Firewall Forensics (What am I seeing?) for a nice list). Those would be good to add to the services file. Others we just might want to drop. Either way, we might want to start with a more modern version of the file.

I guess one question I need answered is, is there a "maintainer" of ETC.lrp and Weblet.lrp? If so, should I submit my changes to them? Or should I just drop it in patch manager? Who decides if this is a "good" change?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Douthitt
Sent: Tuesday, February 25, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-devel] Suggestion for ETC.LRP

On 25 Feb 2003 09:53:25 -0500 "Sean E. Covel" <[EMAIL PROTECTED]> wrote:

> I've been testing it on a Mandrake box, and then moved it to my Bering
> box. The first thing I noticed was the calls to
> getservbyport() weren't returning the same information. I took a look
> at the services file, and saw why. IT'S FROM 1997. A bit out of date.
> I suggest we update this to something a little more 21st Century.

I have (or had) a file called services.lrp (or something like it) which contained the extra large services file from (I think) nmap. You could try that, but it is at least an order of magnitude larger than the current /etc/services file.

_______________________________________________
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
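As an added illustration of the point the thread is making (this is editor-supplied example code, not the LEAF weblet's log parser and not anything posted by Sean or David), here is a small Python annotator that does what the "Description (port#)" column does: it resolves the destination port through the system's services file with getservbyport() and, when the stale 1997 file has no entry, falls back to a hand-picked supplement of the ports the post lists. Everything in it is an assumption for the sake of the example: the raw syslog layout is what a Shorewall box logs through the netfilter LOG target, the sample lines are constructed to mirror rows from the table above, the supplement names are spelled the way nmap-services spells them, the two backdoor names are well-known associations of those ports, and LEGACY_1997 is a stand-in for the old file containing only the entries the post's log actually resolved.

```python
"""Annotate Shorewall firewall log lines with service names.

Editor-added example, not LEAF/weblet code. Assumptions: the syslog layout
below is what Shorewall writes via the netfilter LOG target; SAMPLE_LINES are
constructed to mirror rows quoted in the post; SUPPLEMENT/SUSPECT names are
hand-picked (nmap-services spelling, well-known trojan port associations).
"""
import re
import socket

# Ports a 1997-era /etc/services lacks but that were being probed all day in
# early 2003 (assumption: subset of the post's own list, nmap-services names).
SUPPLEMENT = {
    (445, "tcp"): "microsoft-ds",
    (1433, "tcp"): "ms-sql-s",
    (1434, "udp"): "ms-sql-m",
    (3128, "tcp"): "squid-http",
    (8080, "tcp"): "http-alt",
}

# Backdoor listeners that do not belong in /etc/services but are worth naming
# so a reader sees a scan rather than "a hack" (assumption: common associations).
SUSPECT = {
    (12346, "tcp"): "NetBus",
    (17300, "tcp"): "Kuang2",
}

# Stand-in for the old 1997 file: only what the post's log actually resolved.
LEGACY_1997 = {(37, "tcp"): "time", (21, "tcp"): "ftp", (53, "udp"): "domain"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):"
    r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def system_resolver(port, proto):
    """Resolve through the running system's /etc/services (raises OSError if absent)."""
    return socket.getservbyport(port, proto)


def make_resolver(table):
    """Build a getservbyport-like resolver from a dict (simulates an old services file)."""
    def resolve(port, proto):
        try:
            return table[(port, proto)]
        except KeyError:
            raise OSError("port/proto not found") from None
    return resolve


def describe_port(port, proto, resolver=system_resolver):
    """Return 'name (port)' as in the weblet column, or the bare number.

    Order matters: the real services file first so the supplement never
    shadows a genuine entry, then the supplement, then known backdoors.
    """
    proto = proto.lower()
    try:
        return f"{resolver(port, proto)} ({port})"
    except OSError:
        pass  # not in the services file; fall through to the supplements
    name = SUPPLEMENT.get((port, proto)) or SUSPECT.get((port, proto))
    return f"{name} ({port})" if name else str(port)


def parse_line(line, resolver=system_resolver):
    """Turn one raw log line into the weblet's columns, or None if not a firewall line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "time": f["ts"], "rule": f["chain"], "action": f["action"],
        "in": f["inif"] or "local", "out": f["outif"] or "local",  # empty IN/OUT = this host
        "src": f["src"], "dst": f["dst"], "proto": f["proto"],
        "spt": f["spt"] or "-",  # ICMP has no ports
        "dpt": describe_port(int(f["dpt"]), f["proto"], resolver) if f["dpt"] else "-",
    }


COLUMNS = ["time", "rule", "action", "in", "out", "src", "dst", "proto", "spt", "dpt"]


def render_table(rows):
    """Align parsed rows into fixed-width text columns with a header line."""
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in COLUMNS}
    fmt = "  ".join("{:<%d}" % widths[c] for c in COLUMNS)
    return "\n".join([fmt.format(*COLUMNS)] + [fmt.format(*(r[c] for c in COLUMNS)) for r in rows])


# Constructed sample input (mirrors rows in the post; MAC/LEN/ID values are made up).
SAMPLE_LINES = [
    "Feb 21 06:42:11 firewall kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=12.243.225.129 DST=192.43.244.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=1772 DPT=37 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 21 06:55:22 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:50:ba:12:34:56:00:01:02:03:04:05:08:00 SRC=211.222.248.167 DST=12.243.225.129 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=4711 DF PROTO=TCP SPT=2006 DPT=17300 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    "Feb 21 12:41:09 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:50:ba:12:34:56:00:01:02:03:04:05:08:00 SRC=38.112.96.157 DST=12.243.225.129 "
    "LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=36782 PROTO=UDP SPT=1309 DPT=1434 LEN=384",
    "Feb 21 11:59:00 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:50:ba:12:34:56:00:01:02:03:04:05:08:00 SRC=212.64.132.107 DST=12.243.225.129 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2001 DF PROTO=TCP SPT=42527 DPT=445 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    "Feb 22 02:10:00 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:50:ba:12:34:56:00:01:02:03:04:05:08:00 SRC=192.0.2.9 DST=12.243.225.129 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
]

if __name__ == "__main__":
    print(render_table([r for r in map(parse_line, SAMPLE_LINES) if r]))
```

Run it as-is and the dpt column uses whatever /etc/services the box has; pass make_resolver(LEGACY_1997) to parse_line to see what the 1997 file gives and where the supplement has to step in. Keeping the backdoor names in a separate SUSPECT table, rather than merging them into the services file, is deliberate: they should show up labelled in a log but never be handed to getservbyname() as if they were real services.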