Ports

I get thousands of unsolicited inbound traffic/hits on the Watchguard every day that are being dropped at the FW, and I'll assume the same is happening for you. One should be concerned about inbound from a remote IP if it's due to some solicitation by a machine behind the SW that sent outbound to a remote IP.

You can use this instead of dumping the logs into Excel as it works with your TZ170 and does all the analysis for you. And you'll be able to see traffic flow in real time a lot better with WW or go back in time with WW.

If you want to know about those other port numbers and what can use them or what they are dedicated for, like port 1433, the Microsoft SQL Server database port, then Google is your friend. If you've got MS SQL Server running on a machine with port 1433 opened/forwarded, that exposes the machine with SQL Server running to the public Internet. If you don't, then you should forget about it and the others too.

Duane :)

Reply to
Duane Arnold

As long as your firewall is blocking unknown or unassociated connections, a log is of casual use only. "If it's working, don't change it".

Those are the "official" uses registered with IANA. However, there is nothing that requires that only this or that service use this or that port. Face it - how many virus/trojan/worm writers have sent a note to IANA asking that a port number be associated with their malware?

Port numbers are divided into three groups by IANA.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through 65535.

Well known ports are assigned by the IANA and on most well designed systems can only be used by system (or root) processes or by programs executed by privileged users. These are the ports used by "standard" processes, like telnet (23), mail transport (25), DHCP/BOOTP servers (68), web service (80), and so on. The idea is that this is a standard, and a client wanting to use this or that service defaults to using the well known port for that service. This is not to say that someone can't configure a server to operate on a different port - the problem is that others will not know (without you telling them) that you moved the service to a different port.

The Registered Ports are listed by the IANA and on most well designed systems can be used by ordinary user processes or programs executed by ordinary users. As far as Microsoft is concerned, there is no difference between well known and registered ports, as they don't use the process separation concept. The Dynamic and/or Private Ports are less commonly used by services, and are often used as the outgoing end of a connection.

No - 1433 is used by MS SQL server, and most often connection attempts to that port are looking to exploit security holes in that server. I believe the connections to 4899 are looking for known holes in the RAdmin (remote administration) server. 6129 was a zombie controller called DameWare. 15118 is a new one to me.

The bottom line is that your firewall is blocking these connection attempts and that is all that matters. The fact that some host in Korea or Kenya attempted to connect to a trojan that you don't have installed is of no use whatsoever.

Old guy

Reply to
Moe Trin

Hi,

My Sonicwall TZ170 sends me the log each day which I paste into Excel to analyse.

The log shows that the ports attacked are as below (ranked in order of number of attacks with highest number first):-

Port 1433 associated with MS SQL server
Port 4899 associated with RAdmin
Port 15118 is unassigned
Ports 1025/1026 associated with Blackjack and Calendar
Port 6129 is unassigned

My understanding is that ports 1025 and 1026 are used for pop-ups by the spammers. Is that what the other ports are used for as well?

Reply to
JC

There's still some SQL-Slammers out there? Amazing...

An exploit for that one was published last week...

And Windows Task Planner.

Juergen Nieveler

Reply to
Juergen Nieveler

Duane :)

Reply to
Duane Arnold

You're correct about the firewall dropping these probes, so I am safe and can ignore them. I was just curious about what the probes were attempting to achieve. Is there a web site that details what attacks on certain ports are trying to achieve?

One other thing I had noticed was that a lot of the probes appear in the log in pairs and then never appear in the log again that month. I have been assuming that these are using spoofed addresses.

Reply to
JC
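As an added example (not posted by anyone in this thread), the script below does what JC describes doing in Excel and what Moe Trin's port-range explanation implies: it parses a firewall drop log, keeps only unsolicited inbound traffic dropped on the WAN address (Duane's "solicited vs. unsolicited" point), ranks the targeted destination ports by hit count, tags each with its IANA range and the service the thread associates with it, and groups source addresses by how many times they hit, so the "appears in pairs and never again" pattern JC noticed can be read straight off the output. The log format is a simplified, constructed key=value layout, not the TZ170's real syslog format; the regex is the part you would adapt to your own export. All addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (NOT the TZ170's real syslog layout). Addresses are
# RFC 5737 / RFC 2544 documentation ranges so nothing here points at a real host.
SAMPLE_LOG = """\
2004-03-01T02:11:07 action=drop proto=tcp src=203.0.113.45 spt=3342 dst=198.51.100.7 dpt=1433
2004-03-01T02:11:09 action=drop proto=tcp src=203.0.113.45 spt=3342 dst=198.51.100.7 dpt=1433
2004-03-01T03:40:22 action=drop proto=tcp src=198.18.5.9 spt=1025 dst=198.51.100.7 dpt=4899
2004-03-01T03:40:24 action=drop proto=tcp src=198.18.5.9 spt=1026 dst=198.51.100.7 dpt=4899
2004-03-01T05:02:51 action=drop proto=udp src=192.0.2.200 spt=1029 dst=198.51.100.7 dpt=1026
2004-03-01T05:02:51 action=drop proto=udp src=192.0.2.200 spt=1029 dst=198.51.100.7 dpt=1025
2004-03-01T06:15:00 action=drop proto=tcp src=203.0.113.88 spt=2200 dst=198.51.100.7 dpt=1433
2004-03-01T06:15:03 action=drop proto=tcp src=203.0.113.88 spt=2201 dst=198.51.100.7 dpt=1433
2004-03-01T07:58:13 action=drop proto=tcp src=203.0.113.88 spt=2202 dst=198.51.100.7 dpt=15118
2004-03-01T09:00:00 action=allow proto=tcp src=198.51.100.20 spt=49200 dst=203.0.113.5 dpt=80
2004-03-01T10:21:44 action=drop proto=tcp src=192.0.2.17 spt=4000 dst=198.51.100.7 dpt=6129
"""

# Matches the constructed format above; adapt this one line to your own log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)

# Labels the thread attaches to these ports, for the report only. As Moe Trin
# says, the port number proves nothing about what is actually listening.
THREAD_NOTES = {
    1433: "MS SQL Server",
    4899: "RAdmin",
    6129: "DameWare (per Moe Trin)",
    1025: "pop-up spam target (per JC)",
    1026: "pop-up spam target (per JC)",
}


def classify_port(port: int) -> str:
    """IANA's three ranges as quoted in the thread."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a TCP/UDP port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_log(text: str) -> list:
    """Turn the raw export into dicts; a line that does not match is an error,
    not something to silently skip (you would otherwise under-count)."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: unrecognised format: {line!r}")
        e = m.groupdict()
        e["spt"] = int(e["spt"])
        e["dpt"] = int(e["dpt"])
        entries.append(e)
    return entries


def dropped_inbound(entries, wan_ip: str):
    """Keep only unsolicited traffic the firewall dropped on its WAN address.
    Replies to connections solicited from inside never appear as drops on a
    stateful firewall, so this is the set worth looking at."""
    return [e for e in entries if e["action"] == "drop" and e["dst"] == wan_ip]


def rank_targeted_ports(entries):
    """JC's Excel ranking: destination ports by drop count, highest first,
    each tagged with its IANA range and the thread's note for it."""
    counts = Counter(e["dpt"] for e in entries)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(p, c, classify_port(p), THREAD_NOTES.get(p, "unassigned/unknown"))
            for p, c in ranked]


def sources_by_hit_count(entries):
    """Group source IPs by how many drops each caused, so sources that show up
    exactly twice and then vanish (JC's 'pairs') are visible as one bucket."""
    per_src = Counter(e["src"] for e in entries)
    grouped = defaultdict(list)
    for src, n in per_src.items():
        grouped[n].append(src)
    return {n: sorted(v) for n, v in grouped.items()}


if __name__ == "__main__":
    drops = dropped_inbound(parse_log(SAMPLE_LOG), wan_ip="198.51.100.7")
    print(f"{len(drops)} dropped inbound probes")
    for port, count, rng, note in rank_targeted_ports(drops):
        print(f"  {port:>5}  {count:>3}  {rng:<16} {note}")
    for n, srcs in sorted(sources_by_hit_count(drops).items()):
        print(f"  {n} hit(s): {', '.join(srcs)}")
```

Run it as-is to see the constructed sample ranked (1433 on top, then 4899, then the single hits); point `parse_log` at your own export once the regex matches your lines. The grouping by hit count only shows the pattern; it cannot tell you whether a twice-seen source was spoofed, since a dropped SYN never gets far enough to prove the source address was real.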

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.