Who Looks at Firewall Logs?

By zczc2311
Who Looks in Firewall Logs

After 6 months, from a quick analysis of a general MS Office installation and Windows XP Pro SP2 of what ended up in the SP2 firewall logs, it became apparent that I could almost certainly block the following ports without causing any function change or pain to any application.

The following list must be seen as a guide only - many who run legacy or cross-platform applications may rely on ports contained in this list.

This list is published without warranty, but almost certainly most standard straightforward MS Office installations will function without error, and a home/office should feel no pain.

If you have Web Servers, hopefully these are shielded by a separate route away from office operational workstations.

Ports designated as unassigned were at the time true and correct as of November 2004.

I hope this may help many - trying to sort what to inhibit and offer a degree of security.


unassigned01 TCP/UDP: All -> 26
netstat TCP/UDP: All -> 15
dsp TCP/UDP: All -> 246
bhmds TCP/UDP: All -> 310
shell TCP: All -> 514
activesync TCP/UDP: All -> 1034
sbl TCP/UDP: All -> 1039
netarax TCP/UDP: All -> 1040
afrog TCP/UDP: All -> 1042
fpitp TCP/UDP: All -> 1045
td-postman TCP/UDP: All -> 1049
corba-cma TCP/UDP: All -> 1050
optima-vnet TCP/UDP: All -> 1051
vfo TCP/UDP: All -> 1056
startron TCP/UDP: All -> 1057
polestar TCP/UDP: All -> 1057
jstel TCP/UDP: All -> 1064
syscomlan TCP/UDP: All -> 1065
instl_boots TCP/UDP: All -> 1067
instl_bootc TCP/UDP: All -> 1068
imgames TCP/UDP: All -> 1077
avocent-proxy TCP/UDP: All -> 1078
cplscrambler-lg TCP/UDP: All -> 1086
cplscrambler-in TCP/UDP: All -> 1084
cplscrambler-al TCP/UDP: All -> 1088
Ff-annunc TCP/UDP: All -> 1089
Ff-fms TCP/UDP: All -> 1090
Ff-sm TCP/UDP: All -> 1091
pt2-discover TCP/UDP: All -> 1101
adobeserver-1 TCP/UDP: All -> 1102
adobeserver-2 TCP/UDP: All -> 1103
ftranhc TCP/UDP: All -> 1105
unassigned02 TCP/UDP: All -> 1113
availant-mgr TCP/UDP: All -> 1122
hpvmmcontrol TCP/UDP: All -> 1124
unassigned03 TCP/UDP: All -> 1127-1154
sddp TCP/UDP: All -> 1163
vchat TCP/UDP: All -> 1168
dossier TCP/UDP: All -> 1175
dkmessenger TCP/UDP: All -> 1177
llsurfup-http TCP/UDP: All -> 1183
llsurfup-https TCP/UDP: All -> 1184
unet TCP/UDP: All -> 1189
dmidi TCP/UDP: All -> 1199
ssslog-mgr TCP/UDP: All -> 1204
ipcd3 TCP/UDP: All -> 1209
mpc-lifenet TCP/UDP: All -> 1213
kazaa TCP/UDP: All -> 1214
scanstat-1 TCP/UDP: All -> 1215
hpss-ndapi TCP/UDP: All -> 1217
aeroflight-ads TCP/UDP: All -> 1218
novell-zfs TCP/UDP: All -> 1229
search-agent TCP/UDP: All -> 1234
hacl-qs TCP/UDP: All -> 1238
dka TCP/UDP: All -> 1263
pdps TCP/UDP: All -> 1314
streetperfect TCP/UDP: All -> 1330
esbroker TCP/UDP: All -> 1342
icap TCP/UDP: All -> 1344
equationbuilder TCP/UDP: All -> 1351
ftsrv TCP/UDP: All -> 1359
linx TCP/UDP: All -> 1361
iclpv-nlc TCP/UDP: All -> 1394
igi-lm TCP/UDP: All -> 1404
here-lm TCP/UDP: All -> 1409
innosys-acl TCP/UDP: All -> 1413
ibm-cics TCP/UDP: All -> 1435
novell-lu6-2 TCP/UDP: All -> 1416
world-lm TCP/UDP: All -> 1462
nucleus TCP/UDP: All -> 1463
ica TCP/UDP: All -> 1494
orasrv TCP/UDP: All -> 1525
ampr-inter TCP/UDP: All -> 1536
sdsc-lm TCP/UDP: All -> 1537
three-3m-image-lm TCP/UDP: All -> 1550
mil-2045-47001 TCP/UDP: All -> 1581
sixtrak TCP/UDP: All -> 1594
picknfs TCP/UDP: All -> 1598
icabrowser TCP/UDP: All -> 1604
slm-api TCP/UDP: All -> 1606
rsap TCP/UDP: All -> 1647
sixnetudr TCP/UDP: All -> 1658
netview-aix-1-10 TCP/UDP: All -> 1661-1670
blockade-bpsp TCP/UDP: All -> 2574
tclprodebugger TCP/UDP: All -> 2576
scipticslsrvr TCP/UDP: All -> 2577
mpfoncl TCP/UDP: All -> 2576
argis-te TCP/UDP: All -> 2581
argis-ds TCP/UDP: All -> 2582
snapd TCP/UDP: All -> 2599
lmdp TCP/UDP: All -> 2623
sybaseanywhere TCP/UDP: All -> 2638
corel_vncadmin TCP/UDP: All -> 2654
patrol-mq-nm TCP/UDP: All -> 2665
ewnn TCP/UDP: All -> 2674
mpnjsocl TCP/UDP: All -> 2685
banyan-net TCP/UDP: All -> 2708
dicom-iscl TCP/UDP: All -> 2761
dicom-tls TCP/UDP: All -> 2762
ridgeway2 TCP/UDP: All -> 2777
aic-oncrpc TCP/UDP: All -> 2786
aaftp TCP/UDP: All -> 2794
glishd TCP/UDP: All -> 2833
metaconsole TCP/UDP: All -> 2850
daishi TCP/UDP: All -> 2870
radix TCP/UDP: All -> 2872
topflow TCP/UDP: All -> 2885
sm-pas-4 TCP/UDP: All -> 2941
sm-pas-5 TCP/UDP: All -> 2942
sm-pas-2-5 TCP/UDP: All -> 2939-2942
agriserver TCP/UDP: All -> 3021
panasas TCP/UDP: All -> 3095
umm-port TCP/UDP: All -> 3098
cardbox TCP/UDP: All -> 3105
edix TCP/UDP: All -> 3213
intraintra TCP/UDP: All -> 3202
unite TCP/UDP: All -> 3217
isns TCP/UDP: All -> 3205
tip2 TCP/UDP: All -> 3272
fxaengine-net TCP/UDP: All -> 3202
kfxaclicensing TCP/UDP: All -> 3581
comcam-io TCP/UDP: All -> 3605
rt-event-s TCP/UDP: All -> 3707
listcrt-port TCP/UDP: All -> 3913
hyperip TCP/UDP: All -> 3919
mpl-gprs-port TCP/UDP: All -> 3924
syam-webserver TCP/UDP: All -> 3930
unassigned04 TCP/UDP: All -> 3997-3999
unassigned05 TCP/UDP: All -> 4223-4824
unassigned06 TCP/UDP: All -> 26
dsp3270 TCP/UDP: All -> 246
blackjack-network TCP/UDP: All -> 1025
ssdp TCP/UDP: All -> 1900
isakmp1 UDP: All -> 500
Unassigned TCP/UDP: All -> 4900-4982
API-1 TCP/UDP: All -> 3408
http-rpc-epmap TCP/UDP: All -> 593

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  

All Comments

You've got it backwards.

by apotheon In reply to Who Looks at Firewall Log ...

The way to handle it is not to identify all the ports you don't need and block them: it is to block everything, then selectively unblock only the very specific ports you must have open.

Backwards??!!!!!!!!!!!!

by zczc2311 In reply to You've got it backwards.

With 65536 Ports good luck in doing it backwards

Yes, backwards.

by apotheon In reply to Backwards??!!!!!!!!!!!!

If you've got a firewall that forces you to hand-select every port you want blocked/closed/stealthed, you need a new firewall.

Functionality aside

by zczc2311 In reply to Yes, backwards.

Functionality aside - as stated, this list is a compiled audit of the most hits on the software firewall that were knocked back. It has been presented in an IANA format - Ports associated with Service.

Functionally I can hardware block 1-65535 in about 2 minutes; however this is not the issue here.

It has been presented in such a manner that if others can see a required service, they leave that one alone.

Let's leave the functional application of this information as so.

The list was presented for IT staff to block these ports at a hardware level.

Blackjack Network needed here to join domain

by f18sim In reply to Functionality aside

Sorry for awaking an old thread but... I've been doing lots of experiments on different reasons why machines don't join a domain, and one of the ports that needs to be open is the Blackjack port 1025 tcp. I verified this through the pfirewall.log on the Windows 2003 server. If that port is blocked, the Vista test machine I have will get the "RPC server is unavailable" error while trying to join the domain. RPC port 135 tcp is open on my firewall. So why does AD need the blackjack port anyway?
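The log review described in this thread (tallying what the Windows Firewall dropped, and checking pfirewall.log for one client as in the post above) can be scripted. This is an added example, not code from any poster; the sample log is constructed, its column layout is an assumption read from the `#Fields:` header, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout (assumed columns, not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2008-03-01 10:15:02 DROP TCP 192.0.2.10 192.0.2.1 49155 1025 52 S 1 0 8192 - - -
2008-03-01 10:15:05 DROP TCP 192.0.2.10 192.0.2.1 49155 1025 52 S 1 0 8192 - - -
2008-03-01 10:15:09 OPEN TCP 192.0.2.10 192.0.2.1 49160 135 - - - - - - - -
2008-03-01 10:16:11 DROP UDP 198.51.100.7 192.0.2.1 1900 1900 133 - - - - - - -
2008-03-01 10:16:40 DROP ICMP 198.51.100.7 192.0.2.1 - - 60 - - - - 8 0 -
"""

def parse_firewall_log(text):
    """Yield one dict per entry, taking column names from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def dropped_ports(entries, src_ip=None):
    """Count DROP entries per (protocol, dst-port), optionally for one source."""
    counts = Counter()
    for e in entries:
        if e["action"] != "DROP" or e["dst-port"] == "-":  # ICMP has no port
            continue
        if src_ip and e["src-ip"] != src_ip:
            continue
        counts[(e["protocol"], int(e["dst-port"]))] += 1
    return counts

def unexpected_opens(entries, allowed):
    """Default-deny check: permitted (protocol, port) pairs absent from the allowlist."""
    seen = {(e["protocol"], int(e["dst-port"])) for e in entries
            if e["action"] in ("OPEN", "OPEN-INBOUND", "ALLOW") and e["dst-port"] != "-"}
    return sorted(seen - set(allowed))

if __name__ == "__main__":
    rows = list(parse_firewall_log(SAMPLE_LOG))
    print(dropped_ports(rows, src_ip="192.0.2.10").most_common())
    print(unexpected_opens(rows, allowed={("TCP", 135)}))
```

Run against a real log, `dropped_ports` shows which blocked ports a failing client actually needed, and `unexpected_opens` flags anything permitted that is not on the short list of required ports.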

With 65,536 ports...

by TechExec2 In reply to Backwards??!!!!!!!!!!!!

With 65,536 ports, good luck in being secure from network threats by choosing the "right" ones to block and leaving all of the rest open.


The Short Career

Your office building has 65,536 doors. Some of them open into valuable areas, some open into areas you don't care about. Burglars are trying the door knobs on the doors every night. How does your security department know they've locked the right ones unless they lock them all and keep a very short list of unlocked doors?

Security Chief: "Don't worry sir! I have implemented a great security policy where all 65,536 doors are kept unlocked except those on my list here."

CEO: "You're fired. And when you get to your new job, visit this link:".

http://tinyurl.com/6wbv

;-)

I do

by The Listed 'G MAN' In reply to Who Looks at Firewall Log ...

in fact I have a dedicated screen with scrolling logs for all my firewalls shown.

Looks cool to the non-IT user, and every day I check the logs to make sure everything is as it should be.
