
Re: [cobalt-users] What does Portesentry actually do?



Hello Dan,

Thursday, March 15, 2001, 3:48:35 PM, you wrote:

D> I have Portsentry running in advanced stealth mode - I have pretty much left
D> it on default settings (apart from telling it not to monitor ports I use).
D> Does it mean that it is only detecting portscans on ports 1023 (the default)
D> and below? What about the higher number ports? Sorry if this seems a daft
D> question, I've just not quite figured out what it monitors. I get worried
D> that hackers have exploited ports 9999 and 60000 on my Raq so far.

Ports <1024 are where the normal system processes will run (httpd,
dns, smtp, pop, etc).  These are considered "privileged" ports and
cannot be bound to by users without the necessary permissions (i.e.
root).

Ports above 1024 are "unprivileged" and can (normally) be bound to by
anyone with local access on your box.

A good utility I came across a while ago, called 'pidport', tries to
match a process to an open port.  A good utility if you have local
users with shell access, or an open port that you don't remember
binding anything to.  Search FreshMeat.net for it, or send me an
e-mail if you can't find it.

-- 
Best regards,
 Brian Curtis
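
The port-to-process matching described in the message above, as an added example (not part of the original e-mail and not pidport's code). It assumes a Linux /proc layout and IPv4 TCP only; the sample table, the function names and the "review" rule (a non-root listener on a port of 1024 or higher) are constructed for illustration.

```python
import os, re

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000   501        0 1003 1
   3: 00000000:EA60 00000000:0000 0A 00000000:00000000 00:00000000 00000000   501        0 1004 1
   4: 0100007F:8A3C 0100007F:0050 01 00000000:00000000 00:00000000 00000000   501        0 1005 1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def listening_sockets(table):
    """Return sorted [(port, uid, inode)] for sockets in LISTEN state."""
    out = []
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue                             # established or malformed entry
        port = int(f[1].rsplit(":", 1)[1], 16)   # local_address is HEXIP:HEXPORT
        out.append((port, int(f[7]), int(f[9])))
    return sorted(out)

def inode_owners(proc="/proc"):
    """Map socket inode -> pid by reading the /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners.setdefault(int(m.group(1)), int(pid))
        except OSError:
            continue  # process exited, or its fd directory is unreadable without root
    return owners

def report(table, owners):
    """Rows of (port, uid, pid or None, review); review = port >= 1024 and non-root owner."""
    return [(p, uid, owners.get(ino), p >= 1024 and uid != 0)
            for p, uid, ino in listening_sockets(table)]

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    table = open("/proc/net/tcp").read() if live else SAMPLE
    for row in report(table, inode_owners() if live else {}):
        print("port=%d uid=%d pid=%s review=%s" % row)
```

Run it as root on the host being checked; without root, other users' fd directories cannot be read and their listeners show pid=None.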