Re: deny !Safe_ports, any critical reasons? (abuse..)

From: Chris Wedgwood <cw@dont-contact.us>
Date: Thu, 7 Jan 1999 22:51:52 +1300

On Thu, Jan 07, 1999 at 02:24:01PM +1300, Jason Haar wrote:

> acl unsafe_ports port 1 7 9 11 13 15 17 19 20 22 23 25 26 27 37 43
> 53 57 70 77 79 87 88 95 101 102 103 109 110 110 111 111 113 115 117
> 119 123 137 138 143 144 465 563 512 513 514 515 520 526 530 531 532
> 540 543 544 556 600 749 750 751 754 992 993 995 989 990 442 465 563
> 992 993 994 995 989 990 901 1080

OK -- this still leaves plenty of ports people might do bad things
with.

I think a policy of 'allow all except some' is generally a bad idea;
'allow none except some' is better IMO.

(Off the top of my head) Your list doesn't include 21 (ftp command),
139 (Windows NetBIOS), 135 (Windows DCOM), 1433 (MS SQL server), 7010
(common Sybase SQL server), etc.

I could make this list as long as I wanted if I had the time to spend
thinking about it (many protocols use different ports at differnet
times).

> I basically scanned my services file for known services and told
> Squid not to allow those ports - but to allow everything else.

Why?

> I agree with you that the best idea is to scan your logs to see
> what ports people are using...

Why -- I only allow people to use connect with 443 and 563 -- I see
no reason for them to use a squid proxy a connection on any other
port.

> I think this is a real nasty piece of work - for us it's not "a
> problem" as only our users can use our Squid server and we trust
> our users ;-)

Many people can't trust their users -- it's just not possible to
trust spottle little 12-year old kidz who download c00l WaReZ and
play with exploits found on rootshell and bugtraq...

-cw
Received on Thu Jan 07 1999 - 02:48:30 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:55 MST