LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   misc port traffic (https://www.linuxquestions.org/questions/linux-security-4/misc-port-traffic-368620/)

msound 09-30-2005 10:59 PM

misc port traffic
 
Whenever I check my router's logs during off hours (11pm - 4am), I still notice a lot of traffic coming in and going out on misc ports. My question is, should I be concerned about this, or are they just harmless ICMP messages?

When I say misc ports I'm talking about numbers that range in the 3,000's, 4,000's, 5,000's, 30,000's, 40,000's, and 50,000's. I'm running a Linux proxy/firewall between my router and LAN so I could close off any unneeded ports.

Perhaps I should have done this already but so far I haven't noticed any malicious login attempts on any of our servers (knocks on wood).

What do you all think? Should I close off all inbound and outbound traffic for all unused ports, and just keep the basics open like 25, 80, 110, 143, etc.?

Obviously I will have to do some further configuration later on because services like Windows Update and Symantec LiveUpdate may stop working after I close off the ports. But correcting that should be a quick fix.

Holla back!

Capt_Caveman 10-01-2005 09:54 AM

Could you post an example of some of the traffic by capturing some packets with tcpdump? Is the traffic originating from one host in particular or is it just random IPs?

If this is an internet-facing router, then it's going to see a lot of garbage packets from portscans and virus-infected Windows machines. That's just the normal background that's on the internet. I'd be concerned if the traffic was coming from a single host or if they were able to establish a connection to a strange port.

Wrt to firewalling, I would definitely recommend filtering any unsolicited incoming traffic. Egress filtering is a good idea as well, but can be a bit more difficult to get working properly.
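To make the "one host or random IPs" check concrete, here is an added example (not from the thread or from any of the posters): a POSIX shell script that tallies iptables LOG lines by source address and by destination port, so a single source that keeps coming back stands out from scan background where each address shows up once. The log lines are constructed for the example, with addresses from documentation ranges and ports chosen to look like the "misc port" noise described above; the field names follow the standard iptables LOG format.

```shell
#!/bin/sh
# Constructed sample of iptables LOG lines (RFC 5737 documentation addresses,
# ports picked to resemble the thread's "misc port" traffic). Not real traffic
# from the poster's router.
SAMPLE_LOG='Sep 30 23:01:12 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4431 DPT=3389 SYN
Sep 30 23:02:40 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=135 SYN
Sep 30 23:05:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4432 DPT=5900 SYN
Sep 30 23:07:55 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=UDP SPT=1026 DPT=1027
Sep 30 23:11:19 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4433 DPT=33389 SYN
Sep 30 23:14:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=3072 DPT=445 SYN
Sep 30 23:20:46 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4434 DPT=40022 SYN
Sep 30 23:25:30 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.150 DST=192.0.2.10 PROTO=TCP SPT=55012 DPT=1433 SYN'

# Read log lines on stdin, pull the value of one KEY=value field (e.g. SRC or
# DPT) out of each line, and count how often each value appears, most
# frequent first.
count_field() {
    key=$1
    awk -v k="$key" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) { c[substr($i, length(k) + 2)]++ }
    } END { for (v in c) print c[v], v }' | sort -rn
}

# Hits per source address: many addresses with one hit each is scan background;
# one address with many hits is the case worth a closer look.
hits_per_source() { count_field SRC; }

# Hits per destination port: shows which services are actually being probed.
hits_per_port() { count_field DPT; }

# Sources whose hit count reaches the threshold (default 3).
focused_sources() {
    hits_per_source | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Number of distinct source addresses: a quick measure of how "random" the
# traffic is.
distinct_sources() { hits_per_source | wc -l | tr -d ' '; }

echo "== hits per source =="
printf '%s\n' "$SAMPLE_LOG" | hits_per_source
echo "== hits per destination port =="
printf '%s\n' "$SAMPLE_LOG" | hits_per_port
echo "== sources at or above 3 hits =="
printf '%s\n' "$SAMPLE_LOG" | focused_sources 3
```

On a real box, replace the embedded sample with `grep 'DROP' /var/log/messages | hits_per_source` (or whatever file the router or the Linux firewall logs to). The SYN flag at the end of the TCP lines is what a connection attempt looks like; a line without it arriving at a closed port is usually a stray reply or backscatter rather than a probe.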

MensaWater 10-03-2005 08:02 AM

You can turn on iptables to allow ONLY the ports you want. If it is internet facing I would recommend doing that.

Short of that you can just disable unused services (telnet, ftpd etc...) in your inetd or xinetd (depending on distro) configuration. This will prevent it from opening ports just for LISTENING that hackers try to exploit.

Also for specific ports you can run "lsof -i :<portno>" to find out which process is associated with the port (has to be done while the port is still active - not for historical use).
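As an added example of the "allow ONLY the ports you want" approach (this is not code from the thread or from any poster), the POSIX shell script below generates a default-deny iptables INPUT chain for the firewall host that keeps the ports the original poster listed (25, 80, 110, 143) reachable. Port 22, the interface names `eth0`/`eth1`, and the rate limits are assumptions for the example; nothing is applied when the script runs, it only prints the commands for review.

```shell
#!/bin/sh
# Ports to keep reachable from the internet: 25, 80, 110, 143 are the ones the
# original poster named. 22 is added here as an assumption so remote
# administration survives the switch to default-deny; drop it if the box is
# only managed from the console.
ALLOW_TCP="22 25 80 110 143"
WAN_IF="eth0"    # assumed name of the internet-facing interface
LAN_IF="eth1"    # assumed name of the trusted LAN-side interface

# Print the iptables commands for a default-deny INPUT chain. Nothing is
# applied here: review the output, then run it as root (gen_rules | sh),
# ideally from the console in case a rule is wrong.
gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
EOF
    for port in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Rate-limited logging of everything else, so the "misc port" noise can be
    # reviewed later instead of silently disappearing.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP "'
    echo 'iptables -A INPUT -j DROP'
    # The policy is set last so an existing admin session is covered by the
    # ESTABLISHED rule before unsolicited packets start being dropped.
    echo 'iptables -P INPUT DROP'
}

# Number of service ports the generated chain opens from the WAN side; a
# sanity check against the ALLOW_TCP list before applying.
opened_ports() { gen_rules | grep -c -e '--dport'; }

gen_rules
```

Before applying, compare the ALLOW_TCP list against what is actually listening (`lsof -i` as MensaWater suggests, or `netstat -tlnp`) so nothing needed is cut off. This script only protects the firewall host itself; traffic from the LAN machines passes through the FORWARD chain, which it leaves untouched, and restricting that is the egress filtering that Capt_Caveman warns takes more work to get right.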
