Security Basics mailing list archives
Re: Port watching tool
From: Jeff Lane <crash () pinehurst net>
Date: Fri, 22 Aug 2003 16:58:32 -0400
Thanks for the suggestions... The earlier suggestion of PortDetective.com is not what I was looking for... hope I wasn't too confusing! portdetective.com looks to me (without having installed their client side software that is not documented at all on their website (so I am hesitant to even install it)) looks like it is basically a web based port scanner... I have nmap for that...
Active Ports only shows one connection to port 25 (which I am trying to monitor) but netstat shows about 250 (about 50 show as ACTIVE, and the rest show as either TIME_WAIT or CLOSE_WAIT) and those are the ones that concern me...
I am finding certain IPs (thanks I believe to the Sobig virus) to be generating large numbers of SMTP connections to the server, and when I find them with netstat, they are mostly in one of the wait states.
So the idea was to have something alert me when there were more than X number of connections from any single IP or in any single state, and since I am not a programmer, I have little hope of doing that one on my own... <grin>
Good example: I am seeing three distinct IPs from AT&T blocks that have about 100 connections to port 25 on my mail server. Most of these are in the TIME_WAIT or CLOSE_WAIT status.
I had considered black-listing the individual IPs locally, but that may not be a good idea, since I may or may not be able to tell if these IPs are dynamically allocated or static...
Jeff
Jim Clare wrote:
---------- Original Message ----------------------------------
From: Jeff Lane <crash () pinehurst net>
Date: Fri, 22 Aug 2003 14:07:13 -0400
Hello,
I have just a simple question... I have been searching around the net for software to watch the ports on a Win2K machine but am not turning anything up that would be useful to me, so I thought I would ask here...
Could someone point me to a tool that will or can do the following:
A: monitor ports on a Win2K server
www.devhood.com/tools/tool_details.aspx?tool_id=515 download and install. It's a cool little free program that will do this.
B: specifically monitor a certain port or range of ports
go to www.grc.com and run the shields up test.
--
Jeffrey Lane, RHCE
Systems Administrator
ConnectNC, Inc
DSL and Web hosting: http://www.connectnc.com
List your child-related organization Online! http://www.sandhillskids.com
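The check described in the message above (alert when more than X connections to port 25 come from a single IP or sit in a single state), sketched as an added example that is not part of the original post. The function names, thresholds and the sample `netstat -an` output are constructed for illustration; the addresses are documentation-range IPs.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not real traffic).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:1043      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:1044      TIME_WAIT
  TCP    192.0.2.10:25          198.51.100.7:1045      TIME_WAIT
  TCP    192.0.2.10:25          198.51.100.7:1046      CLOSE_WAIT
  TCP    192.0.2.10:25          203.0.113.5:2201       ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:1050      ESTABLISHED
  TCP    192.0.2.10:3051        203.0.113.9:25         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Proto, local addr:port, foreign addr:port, state (TCP rows only).
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def count_connections(netstat_text, port=25):
    """Count inbound TCP connections to local `port` per remote IP and per state."""
    per_ip, per_state = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, UDP or blank line
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if int(local_port) != port or state == "LISTENING":
            continue  # other service, outbound connection, or the listener itself
        per_ip[remote_ip] += 1
        per_state[state] += 1
    return per_ip, per_state

def alerts(netstat_text, port=25, max_per_ip=3, max_per_state=3):
    """Return one alert string for each IP or state above its threshold."""
    per_ip, per_state = count_connections(netstat_text, port)
    out = [f"IP {ip}: {n} connections to port {port}"
           for ip, n in sorted(per_ip.items()) if n > max_per_ip]
    out += [f"state {s}: {n} connections to port {port}"
            for s, n in sorted(per_state.items()) if n > max_per_state]
    return out

if __name__ == "__main__":
    # On the server, pass the text of a real `netstat -an` run instead of SAMPLE.
    for a in alerts(SAMPLE):
        print("ALERT:", a)
```

Counting per state as well as per IP keeps the TIME_WAIT and CLOSE_WAIT entries visible, which are the ones a tool showing only active connections leaves out.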