Malicious Ports

ciscothejam00
Beginner

Hi,

Can I have a list of malicious ports that I have to block on my firewall?

Thanks

Fady

6 Replies

chrisbicm
Beginner

Fady,

That's really dependent on what you do and don't want to block from your environment... There are many different ports associated with attacks, although a lot of the time these ports are used for other functions. I would take a look at your infrastructure and decide what protocols you need to allow through your firewall (some protocols are associated with certain ports, i.e. port 21 FTP, port 80 and 8080 HTTP, etc.) and which you don't, and go from there.

Good Luck,

Chris

ph0enix
Beginner

In addition to what Chris said, basically you want to block anything that doesn't need to be explicitly allowed.

Hi,

You're right, but I want some malicious ports, like "Code Red", where I can apply it to internal routers to avoid their spread internally.

regards

Fady

Hello Fady,

I'm not sure if there's an official list, but check this link:

http://www.jlathamsite.com/dslr/suspectports.htm

Also, let me show you what we use:

deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 137
deny udp any any eq 137
deny tcp any any eq 138
deny udp any any eq 138
deny tcp any any eq 139
deny udp any any eq 139
deny tcp any any eq 445
deny udp any any eq 445
deny tcp any any eq 666
deny udp any any eq 666
deny tcp any any eq 1080
deny udp any any eq 1080
deny tcp any any eq 1337
deny udp any any eq 1337
deny tcp any any eq 1434
deny udp any any eq 1434
deny tcp any any eq 2255
deny udp any any eq 2255
deny tcp any any eq 3128
deny udp any any eq 3128
deny tcp any any eq 4000
deny udp any any eq 4000
deny tcp any any eq 5522
deny udp any any eq 5522
deny tcp any any eq 6060
deny udp any any eq 6060
deny tcp any any eq 6346
deny udp any any eq 6346
deny tcp any any eq 6665
deny udp any any eq 6665
deny tcp any any eq 6666
deny udp any any eq 6666
deny tcp any any eq 6667
deny udp any any eq 6667
deny tcp any any eq 6668
deny udp any any eq 6668
deny tcp any any eq 6669
deny udp any any eq 6669
deny tcp any any eq 6969
deny udp any any eq 6969
deny tcp any any eq 7000
deny udp any any eq 7000
deny tcp any any eq 8080
deny udp any any eq 8080
deny tcp any any eq 8585
deny udp any any eq 8585
deny udp any any eq 8998
deny tcp any any eq 16660
deny udp any any eq 16660
deny tcp any any eq 26274
deny udp any any eq 26274
deny tcp any any eq 27444
deny udp any any eq 27444
deny tcp any any eq 27665
deny udp any any eq 27665
deny tcp any any eq 31335
deny udp any any eq 31335
deny tcp any any eq 31337
deny udp any any eq 31337

HTH,

if it does, please rate this post.

vlad

chrisbicm
Beginner

Fady,

Just pulled this off the Cisco site for you, follow the link.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008054ebf4.html#wp1007738

Just scroll down to see the port list.

Please Rate if this helps you out.

Thanks,

Chris

pgalligan
Beginner

The correct answer from a security engineer would be:

"Block all ports except those which you explicitly wish to permit!" (e.g. allowing port 80 to your webserver)

:)
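Added example, not part of the original thread or any poster's configuration: a small Python audit for a port deny list written in the `deny <proto> any any eq <port>` form posted above. It reports ports denied for only one of TCP/UDP, deny entries that collide with services the site needs, and how many TCP ports remain reachable. The sample ACL is a constructed subset of the posted entries; `required_tcp` and a trailing permit for all other traffic (not shown in the thread) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries posted in the thread.
SAMPLE_ACL = """\
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 445
deny udp any any eq 445
deny tcp any any eq 8080
deny udp any any eq 8080
deny udp any any eq 8998
deny tcp any any eq 31337
deny udp any any eq 31337
"""

RULE = re.compile(r"^\s*(deny|permit)\s+(tcp|udp)\s+any\s+any\s+eq\s+(\d+)\s*$")

def parse_acl(text):
    """Return {port: {protocols}} for every 'deny <proto> any any eq <port>' line."""
    denied = defaultdict(set)
    for line in text.splitlines():
        m = RULE.match(line)
        if m and m.group(1) == "deny":
            denied[int(m.group(3))].add(m.group(2))
    return dict(denied)

def audit(text, required_tcp=frozenset()):
    """Summarise what a deny list does and does not cover.

    required_tcp is a hypothetical set of TCP ports the site must keep open.
    """
    denied = parse_acl(text)
    tcp_denied = {p for p, protos in denied.items() if "tcp" in protos}
    return {
        # Denied for only one of tcp/udp: worth a second look in a hand-kept list.
        "single_protocol": sorted(p for p, protos in denied.items() if len(protos) == 1),
        # Deny entries that would break a service the site says it needs.
        "blocks_required": sorted(tcp_denied & set(required_tcp)),
        # TCP ports 1-65535 still passed, assuming the list ends in a permit-any.
        "tcp_ports_still_open": 65535 - len(tcp_denied),
    }

if __name__ == "__main__":
    # Assumed requirement: HTTP on 80 and 8080, as mentioned earlier in the thread.
    for key, value in audit(SAMPLE_ACL, required_tcp={80, 8080}).items():
        print(f"{key}: {value}")
```

The last figure is the point of the default-deny replies: a deny list with a permit-any at the end leaves almost the whole port range reachable, while an allowlist followed by the implicit deny covers ports nobody thought to enumerate.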
