LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-07-2001, 06:05 PM   #1
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Interesting


K, my server was lagging big time today, and when I looked at my Snort logs there was a huge amount of access to my system from a source port below 1024. I know that ports 0 - 1024 are reserved, and therefore a system connecting to my system should be using a port above 1024, but what would it mean if they weren't? Most hits from a system on ports below 1024 are focused on my domain port. I have since blocked all access to any source originating on a port below 1024, but I was just curious what type of attack I might be dealing with, and why it makes a difference what port they originate the "call" on.

TIA
Mike.
 
Old 11-08-2001, 02:37 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

It means the (human) scanner has got root access on the other box (if below 1024).
I'd say you could do worse than install Snort; it'll pick out the different exploits. IIRC the BIND exploit was used with Ramen and the like.
Also look up the source addresses at SANS; it could give some info if mass attacks are taking place.
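The point behind the answer above is that on a Unix host only root can bind a local port below 1024 (Windows and some other systems never enforced that convention), so traffic that leaves a box from a privileged source port was sent either by a root-level process or via raw sockets, which also need root. What follows is an added example, not code from the thread or from Snort: it parses constructed log lines in a simplified "date time src:sport -> dst:sport proto" layout (the layout, the addresses and the hit counts are all made up for the example), tallies per-source hits that originate from a privileged port, and keeps 53->53 traffic apart, because nameservers talking to each other can legitimately send from source port 53 and a blanket block on all source ports below 1024, like the one in the first post, will drop that along with the scans. The iptables rule text is an illustration of a per-source block and is an assumption, not something the thread recommends.

```python
import re
from collections import Counter, defaultdict

PRIVILEGED_PORT_MAX = 1023   # on Unix, binding 0-1023 requires root
DNS_PORT = 53                # "domain" in /etc/services

# Constructed sample lines for the example; they imitate a simple
# "src:sport -> dst:dport proto" packet log and are NOT real Snort output.
SAMPLE_LOG = """\
Nov  7 16:02:11 203.0.113.9:53 -> 192.0.2.10:53 UDP
Nov  7 16:02:11 203.0.113.9:20 -> 192.0.2.10:53 TCP
Nov  7 16:02:12 203.0.113.9:21 -> 192.0.2.10:53 TCP
Nov  7 16:02:12 203.0.113.9:22 -> 192.0.2.10:53 TCP
Nov  7 16:02:13 198.51.100.4:33112 -> 192.0.2.10:53 UDP
Nov  7 16:02:13 198.51.100.4:53 -> 192.0.2.10:53 UDP
Nov  7 16:02:14 203.0.113.9:1023 -> 192.0.2.10:80 TCP
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> '
    r'(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['sport'] = int(rec['sport'])
    rec['dport'] = int(rec['dport'])
    return rec


def is_privileged_source(rec):
    """True when the packet left the sender from a port only root can bind."""
    return rec['sport'] <= PRIVILEGED_PORT_MAX


def is_dns_peer_traffic(rec):
    """53 -> 53 is what nameserver-to-nameserver traffic can look like;
    treat it separately instead of lumping it in with low-port scans."""
    return rec['sport'] == DNS_PORT and rec['dport'] == DNS_PORT


def summarize(log_text):
    """Tally privileged-source-port hits per source address.

    Returns {'suspicious': {src: {dport: count}},   # low sport, not 53->53
             'dns_peer':   {src: count},            # 53->53 only
             'skipped':    number of unparseable lines}
    """
    suspicious = defaultdict(Counter)
    dns_peer = Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if not is_privileged_source(rec):
            continue                    # ordinary ephemeral source port
        if is_dns_peer_traffic(rec):
            dns_peer[rec['src']] += 1
        else:
            suspicious[rec['src']][rec['dport']] += 1
    return {
        'suspicious': {src: dict(c) for src, c in suspicious.items()},
        'dns_peer': dict(dns_peer),
        'skipped': skipped,
    }


def ranked_sources(summary, min_hits=2):
    """Sources with at least min_hits suspicious low-port hits, busiest first."""
    totals = {src: sum(c.values()) for src, c in summary['suspicious'].items()}
    return sorted(((s, n) for s, n in totals.items() if n >= min_hits),
                  key=lambda t: (-t[1], t[0]))


def drop_rule(src, proto='tcp'):
    """Illustrative per-source iptables rule (an assumption for the example):
    drop only this sender's privileged-source-port traffic rather than
    blocking every source port below 1024 from everyone."""
    return ('iptables -A INPUT -p %s -s %s --sport 0:%d -j DROP'
            % (proto, src, PRIVILEGED_PORT_MAX))


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for src, hits in ranked_sources(summary):
        print('%s: %d suspicious low-port hits %s'
              % (src, hits, summary['suspicious'][src]))
        print('  ' + drop_rule(src))
    for src, n in summary['dns_peer'].items():
        print('%s: %d packets 53->53 (possible nameserver peer, not blocked)'
              % (src, n))
    print('skipped %d unparseable line(s)' % summary['skipped'])
```

On the constructed input the only source with repeated suspicious hits is 203.0.113.9 (ports 20, 21 and 22 toward 53, plus 1023 toward 80), while its single 53->53 packet and the one from 198.51.100.4 are reported but left alone; the source on an ephemeral port is ignored entirely. Whether 53->53 peers should really be exempted depends on whether the host is an authoritative nameserver that other resolvers need to reach.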
 
Old 11-08-2001, 08:37 AM   #3
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Thanks for the reply, it's good to know. Sorry for the ignorance, but what is SANS?

Thanks.
Mike.
 
Old 11-08-2001, 02:44 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

SANS (.org) is, like CERT (.org), an organisation that provides security advisories, guidelines, etc. BTW, SANS reroutes their info to incidents.org, which has 24/7 coverage with OTF reporting by human security officers who track attacks etc.
The next best two sources (IMHO) are securityfocus.com and Bugtraq (hosted at SecurityFocus).
 
  

