[plug] Attempted Intrusions
Craig Ringer
craig at postnewspapers.com.au
Tue Oct 26 20:01:31 WST 2004
Tim White wrote:
> I'm just thinking it may be an idea to pick a really high port (>1024
> for a start, >10000 is nice) that has obscure numbers (e.g. not 12345,
> maybe 492716)
If your IP stack will let you bind to port 492716, I'd say it has a very
"interesting" view of standards compliance.
The highest port supported by TCP/IP is port 65535.
> as a port scanner will normally scan the first 1024 ports
> if it isn't looking for a specific service.
Most will also scan a whole bunch of higher ports that have at various
points in time had interesting things like insecure services, common
services, or trojans using them.
> Besides, hackers know that
> people move services around onto different ports. A number that is high
> and obscure takes a while to find (by which stage your NID script would
> have definitely kicked in)
If they're looking for it, it's unlikely to take much time at all. The
advantage of moving a service onto a non-standard port is that "dumb"
malware like worms won't generally find it. It can also make it slightly
less obvious that you're running a particular service on a casual scan.
--
Craig Ringer
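The "NID script" mentioned above is the kind of control that notices a scan walking through port numbers long before it reaches an obscure high port. As an added example (not code from this thread or from either of its authors), the following Python snippet counts distinct destination ports per source address over a set of constructed firewall log lines and flags any source that touches more than a threshold of ports. It also shows the point about the port range: a destination port above 65535 cannot be a TCP/UDP port, so the parser discards that line instead of counting it. The log format, hostnames and addresses are constructed for illustration and are not from the page.

```python
"""Toy port-scan detector over constructed firewall log lines.

Added example, not from the original mailing-list thread. The log
format and all addresses below are constructed for illustration.
"""
import re
from collections import defaultdict

# TCP and UDP port numbers are 16-bit values: 0..65535. Anything
# larger (such as 492716 from the thread) is not a port at all.
MAX_PORT = 65535

# Constructed log format: "... src=A.B.C.D dst=E.F.G.H dport=N ..."
LOG_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dport=(?P<dport>\d+)"
)


def is_valid_port(port: int) -> bool:
    """True only for a number that fits in the 16-bit port field."""
    return 0 <= port <= MAX_PORT


def parse_line(line: str):
    """Return (src, dst, dport) or None for unparsable / out-of-range lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    if not is_valid_port(dport):
        return None  # garbage port number: drop rather than count it
    return m.group("src"), m.group("dst"), dport


def detect_scanners(lines, threshold: int = 10):
    """Map each source that hit >= threshold distinct ports to its sorted port list.

    Counting distinct ports per source (not total hits) is what separates a
    scan from a busy but legitimate client hammering one service.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, dport = parsed
        ports_by_src[src].add(dport)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= threshold}


def _entry(src: str, dport) -> str:
    """Build one constructed log line (timestamp and hosts are made up)."""
    return f"2004-10-26T20:01:31 DROP src={src} dst=198.51.100.7 dport={dport} proto=tcp"


# Constructed sample: one host sweeping low ports plus a few higher ports that
# have historically carried common services or trojans, and one legitimate
# client that only ever talks to 443 and 80.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 1433, 3306, 12345, 31337]
SAMPLE_LOG = [_entry("203.0.113.5", p) for p in SCAN_PORTS]
SAMPLE_LOG += [_entry("198.51.100.20", 443)] * 5 + [_entry("198.51.100.20", 80)]
SAMPLE_LOG.append(_entry("198.51.100.20", 492716))  # not a real port; ignored

if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {len(ports)} distinct ports {ports}")
```

Run it directly to see the sweeping host reported while the client that used only two ports stays quiet; lowering `threshold` trades false positives for earlier detection.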