[84535] in North American Network Operators' Group


Re: commonly blocked ISP ports

daemon@ATHENA.MIT.EDU (Fergie (Paul Ferguson))
Wed Sep 14 17:58:35 2005

From: "Fergie (Paul Ferguson)" <fergdawg@netzero.net>
Date: Wed, 14 Sep 2005 21:55:51 GMT
To: lukep@centurytel.net
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu


A couple of decent barometers:

 http://www.dshield.org/topports.php
 
and:

 http://www.mynetwatchman.com/default.asp

- ferg


-- Luke Parrish <lukep@centurytel.net> wrote:

Not quite looking for tips to manage my network and ACLs or if I should or 
should not be blocking, more looking for actual ports that other ISPs are 
blocking and why.

For example:

port 5 worm 2.5
port 67 virus 8.2



At 03:12 PM 9/14/2005, Valdis.Kletnieks@vt.edu wrote:
>On Wed, 14 Sep 2005 14:42:56 CDT, Luke Parrish said:
> > We have a list, some reactive and some proactive, however we need to remove
> > ports that are no longer a threat and add new ones as they are published.
>
>All ports that are open are threats, at least potentially.  What you *should*
>be doing is:
>
>a) When you block a new port due to a current exploit, log the fact.
>b) Work with customers/users to make sure they're patched, and that new machines
>are patched before they go live.
>c) When probing for the port stops (which it never does), or some sufficient
>number of downstream boxes are patched and safe, remove the block.
>
>Either that, or block the world, and open ports on request.
>
>Remember - *you* are the only one on this list who really knows if a given
>port is a threat anymore....
>
>(And that's totally skipping all the noise about corporate firewalls versus ISP
>firewalls and different expectations regarding security/transparency...)

Luke Parrish
Centurytel Internet Operations
318-330-6661


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg@netzero.net or fergdawg@sbcglobal.net
 ferg's tech blog: http://fergdawg.blogspot.com/

