[plug] Attempted Intrusions

Craig Ringer craig at postnewspapers.com.au
Tue Oct 26 20:01:31 WST 2004


Tim White wrote:

> I'm just thinking it may be an idea to pick a really high port (>1024 
> for a start, >10000 is nice) that has obscure numbers (e.g. not 12345, 
> maybe 492716)

If your IP stack will let you bind to port 492716, I'd say it has a very 
"interesting" view of standards compliance.

The highest port supported by TCP/IP is port 65535.

> as a port scanner will normally scan the first 1024 ports 
> if it isn't looking for a specific service.

Most will also scan a whole bunch of higher ports that have at various 
points in time had interesting things like insecure services, common 
services, or trojans using them.

> Besides, hackers know that 
> people move services around onto different ports. A number that is high 
> and obscure takes a while to find (by which stage your NID script would 
> have definitely kicked in)

If they're looking for it, it's unlikely to take much time at all. The 
advantage of moving a service onto a non-standard port is that "dumb" 
malware like worms won't generally find it. It can also make it slightly 
less obvious that you're running a particular service on a casual scan.

--
Craig Ringer
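
The 65535 limit discussed above follows from the 16-bit port field in the TCP header. As an added example (not part of the original post), this C sketch contrasts a naive conversion, which silently wraps 492716 to a different port than the one configured, with a strict parser that rejects it; the function names naive_port and strict_port are hypothetical and the sample values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive conversion: the int is silently reduced modulo 65536 when it is
 * narrowed to the 16-bit port field, so the service ends up listening on
 * a port nobody wrote in the config. (hypothetical helper) */
uint16_t naive_port(const char *s)
{
    return (uint16_t)atoi(s);
}

/* Strict conversion: returns 0 and stores the port on success, -1 if the
 * string is not a plain decimal number in 1..65535. (hypothetical helper) */
int strict_port(const char *s, uint16_t *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;              /* empty, trailing junk, or overflow */
    if (v < 1 || v > 65535)
        return -1;              /* outside the 16-bit port range */
    *out = (uint16_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; 492716 is the value from the thread. */
    const char *samples[] = { "492716", "65535", "65536", "22", "0", "12x" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t p = 0;
        int rc = strict_port(samples[i], &p);
        printf("%-7s naive=%5u strict=%s\n", samples[i],
               (unsigned)naive_port(samples[i]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

A firewall rule or audit that still references 492716 would not match the port the naive version actually opens, which is why the strict form refuses the value outright.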
