On Thu, Jan 07, 1999 at 10:51:52PM +1300, Chris Wedgwood wrote:
> On Thu, Jan 07, 1999 at 02:24:01PM +1300, Jason Haar wrote:
>
> > acl unsafe_ports port 1 7 9 11 13 15 17 19 20 22 23 25 26 27 37 43
> > 53 57 70 77 79 87 88 95 101 102 103 109 110 110 111 111 113 115 117
> > 119 123 137 138 143 144 465 563 512 513 514 515 520 526 530 531 532
> > 540 543 544 556 600 749 750 751 754 992 993 995 989 990 442 465 563
> > 992 993 994 995 989 990 901 1080
>
> OK -- this still leaves plenty of ports people might do bad things
> with.
>
> I think a policy of 'allow all except some' is generally a bad idea;
> 'allow none except some' is better IMO.
>
> (Off the top of my head) Your list doesn't include 21 (ftp command),
> 139 (Windows NetBIOS), 135 (Windows DCOM), 1433 (MS SQL server), 7010
> (common Sybase SQL server), etc.
21 is needed to do FTP proxying...
> I could make this list as long as I wanted if I had the time to spend
> thinking about it (many protocols use different ports at different
> times).
3306, MySQL. I'm currently compiling a large database of port numbers for
widely (and not-so-widely) used services which aren't listed in any
standards documents (like all those SQL servers, or port 3128 for Squid..)
This database is running here locally (PHP+mySQL) but will soon be moved
to a permanent connection, so you guys can all use it :)
When I'm online, you can find it at http://home.attic.vuurwerk.nl/services/
Oh.. and the comments are in Dutch.. but the interface should be
intuitive (to me it is, anyway :)
> > I basically scanned my services file for known services and told
> > Squid not to allow those ports - but to allow everything else.
>
> Why?
>
> > I agree with you that the best idea is to scan your logs to see
> > what ports people are using...
>
> Why -- I only allow people to use connect with 443 and 563 -- I see
> no reason for them to use a squid proxy a connection on any other
> port.
Agreed.
> > I think this is a real nasty piece of work - for us it's not "a
> > problem" as only our users can use our Squid server and we trust
> > our users ;-)
>
> Many people can't trust their users -- it's just not possible to
> trust spotty little 12-year old kidz who download c00l WaReZ and
> play with exploits found on rootshell and bugtraq...
Didn't you just LOVE sshdwarez.c? The greatest hack of the year.. a f*cking
trojan. Hacked 3 script kiddies with it :)
Greetz, Peter.
-- 
<squeezer> AND I AM GONNA KILL MIKE                  | Peter van Dijk
<squeezer> hardbeat, if you're still sober:          | peter@attic.vuurwerk.nl
<squeezer> @date = localtime(time);                  | realtime security d00d
<squeezer> $date[5] += 2000 if ($date[5] < 37);      |
<squeezer> $date[5] += 1900 if ($date[5] < 99);      | -x- available -x-

Received on Thu Jan 07 1999 - 08:04:02 MST
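The thread above argues for "allow none except some" on CONNECT and suggests scanning the logs to see which ports people actually tunnel to. The script below, an added example written for this archive page and not code posted by anyone in the thread, does exactly that over Squid native-format access.log lines: it pulls the destination port out of every CONNECT request, counts them, lists the clients that tunnelled to anything outside a 443/563 allowlist, and emits the squid.conf lines that would enforce that allowlist. The log lines are constructed for the example; the hostnames and addresses in them are placeholders.

```python
"""Audit CONNECT destination ports in Squid native access.log and
emit an allowlist ACL (example code, not from the squid-users thread)."""
from collections import Counter

# Policy from the thread: CONNECT only to https (443) and nntps (563).
ALLOWED_CONNECT_PORTS = {443, 563}

# Constructed sample lines in Squid's native log format:
# time elapsed client result/status bytes method URL rfc931 hierarchy/peer type
SAMPLE_LOG = """\
915676800.123    245 192.168.1.10 TCP_MISS/200 4532 CONNECT www.example.com:443 - DIRECT/203.0.113.5 -
915676801.456     12 192.168.1.11 TCP_MISS/200 1200 CONNECT news.example.net:563 - DIRECT/203.0.113.6 -
915676802.789    900 192.168.1.12 TCP_MISS/200 8080 CONNECT irc.example.org:6667 - DIRECT/203.0.113.7 -
915676803.012     33 192.168.1.12 TCP_MISS/200 512 CONNECT db.example.org:3306 - DIRECT/203.0.113.8 -
915676804.345     78 192.168.1.13 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
915676805.678     40 192.168.1.14 TCP_MISS/200 300 CONNECT mail.example.com:25 - DIRECT/203.0.113.9 -
"""


def parse_connect(line):
    """Return (client, target, port) for a CONNECT line, else None.

    CONNECT targets are authority-form "host:port"; rpartition on the
    last colon so a bracketed IPv6 literal still yields the port."""
    fields = line.split()
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    client, target = fields[2], fields[6]
    _host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return client, target, int(port)


def summarise(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """Count CONNECT ports and collect (client, target) pairs that
    tunnelled to a port outside the allowlist."""
    ports = Counter()
    offenders = []
    for line in log_text.splitlines():
        parsed = parse_connect(line)
        if parsed is None:
            continue
        client, target, port = parsed
        ports[port] += 1
        if port not in allowed:
            offenders.append((client, target))
    return dict(ports), offenders


def allowlist_acl(allowed=ALLOWED_CONNECT_PORTS):
    """Squid ACL enforcing 'allow none except some' for CONNECT.

    Ordering matters: the deny must precede the rule that allows
    your users, or it never fires."""
    ports = " ".join(str(p) for p in sorted(allowed))
    return "\n".join([
        f"acl SSL_ports port {ports}",
        "acl CONNECT method CONNECT",
        "http_access deny CONNECT !SSL_ports",
    ])


if __name__ == "__main__":
    seen, bad = summarise(SAMPLE_LOG)
    print("CONNECT ports seen:", seen)
    for client, target in bad:
        print(f"outside allowlist: {client} -> {target}")
    print(allowlist_acl())
```

Point the script at a real access.log (replace SAMPLE_LOG with the file contents) before cutting over to the deny rule, so that any legitimate non-443/563 tunnels show up in the offenders list first rather than as helpdesk tickets afterwards.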
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:55 MST