tpublic at dimensional
Jun 4, 2002, 2:57 PM
Post #8 of 10
On 4 Jun 2002, Michel Arboi wrote:
|H D Moore <hdm [at] digitaloffense> writes:
|> 443, 25, 80, 22, 53, 23, 110, 143, 264
|Ten packets per address will slow down the plugin. Should we keep the
|first three ones?

I wouldn't count on 53 unless things weren't set up well. 53/tcp is used
for zone transfers and large records, and I tend to only allow it between
name servers that are supposed to communicate, or filter it entirely. If
it's available for ping, I'd dock the client for letting it slide.

110 is another item that should probably only be set up for trusted clients,
or internal hosts only.

I would rely on well-known, well-used services (even if they are old) to
ping hosts. My picks are 21, 23, 80 and 25 -- in that order.

The original goal here is to tcp ping hosts that are firewalled. While you
would expect 21 and 23 to be blocked, I know folks who think those services
are "secure" because they demand authentication. It is also likely for
environments that do not have filters or firewalls that these ports will be
seen more often for administrative and management reasons (hell, HP printers
have FTP open).

Of course, 25 and 80 have obvious purposes, and should be expected to be
available from the outside. Given the popularity of Microsoft products
and the average experience of the person installing them, port 80 will also
pop up far more often than it should.

I think the statistical value of 109/110/143, 53, 443 and 264 would fare far
lower than 21, 23, 80 and 25. I tend to use those four anytime I want to
further investigate a host I know to be available to the outside world.