LinuxQuestions.org
11-07-2001, 05:05 PM   #1
mikeyt_3333
Distribution: Red Hat
Interesting


K, my server was lagging big time today, and when I looked at my snort logs there was a huge amount of access to my system from a source port below 1024. I know that ports 0 - 1024 are reserved, and therefore a system connecting to my system should be using a port above 1024, but what would it mean if they weren't? Most hits from a system on ports below 1024 are focused on my domain port. I have since blocked all access to any source originating on a port below 1024, but I was just curious what type of attack I might be dealing with, and why it makes a difference what port they originate the "call" on.

TIA
Mike.
 
11-08-2001, 01:37 AM   #2
unSpawn
It means the (human) scanner has got root access on the other box (if below 1024).
I'd say you could do worse than install Snort; it'll pick out the different exploits. IIRC the BIND exploit was used with Ramen and the like.
Also look up the source addresses at SANS, could give some info if mass attacks are taking place.
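
Added example (not part of the thread and not any poster's code): a tally of Snort-style alert lines by source-port class for traffic to the domain port (53), the pattern described in post #1. The log lines are constructed, and the `same-service` class is an assumption of this example: it separates 53 -> 53 traffic, which older DNS servers commonly produce for server-to-server queries, from other source ports below 1024.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Snort "fast" alerts (not real data;
# all addresses are from the documentation ranges).
SAMPLE_LOG = """\
11/07-16:58:12.101 [**] constructed alert [**] {UDP} 192.0.2.10:53 -> 198.51.100.5:53
11/07-16:58:12.340 [**] constructed alert [**] {TCP} 192.0.2.77:1022 -> 198.51.100.5:53
11/07-16:58:13.002 [**] constructed alert [**] {TCP} 192.0.2.77:1021 -> 198.51.100.5:53
11/07-16:58:13.511 [**] constructed alert [**] {TCP} 203.0.113.9:34512 -> 198.51.100.5:53
11/07-16:58:14.250 [**] constructed alert [**] {TCP} 192.0.2.77:600 -> 198.51.100.5:22
11/07-16:58:15.000 [**] truncated line with no address pair
"""

# proto, source ip:port, destination ip:port
FLOW = re.compile(
    r"\{(\w+)\}\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)"
)

def classify(src_port, dst_port):
    """Bucket a flow by its source port."""
    if src_port >= 1024:
        return "ephemeral"       # normal client behaviour
    if src_port == dst_port:
        return "same-service"    # e.g. 53 -> 53, server-to-server style
    return "privileged"          # bound below 1024, needs root on the sender

def summarize(log_text, dst_port=53):
    """Count alerts per (source address, class) for one destination port.

    Returns (Counter, number_of_lines_that_could_not_be_parsed).
    """
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = FLOW.search(line)
        if not m:
            skipped += 1         # ICMP alerts or damaged lines carry no ports
            continue
        _proto, src, sport, _dst, dport = m.groups()
        if int(dport) == dst_port:
            counts[(src, classify(int(sport), int(dport)))] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LOG)
    for (src, kind), n in counts.most_common():
        print(f"{src:15} {kind:12} {n}")
    print("unparsed lines:", skipped)
```
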
 
11-08-2001, 07:37 AM   #3
mikeyt_3333
Distribution: Red Hat
Original Poster
Thanks for the reply, it's good to know. Sorry for the ignorance, but what is SANS?

Thanks.
Mike.
 
11-08-2001, 01:44 PM   #4
unSpawn
SANS(.org) is, like CERT(.org), an organisation that provides security advisories, guidelines etc. BTW, SANS reroutes their info to incidents.org, which has 24/7 coverage with OTF reporting by human security officers who track attacks etc.
The next best 2 sources (IMHO) are securityfocus.com and bugtraq (hosted at secfocus).
 
  

