TcpPortAlias Enumeration

Named ports that are frequently attacked using the port name in a way that they are easily identified by service [Name]_[Port] naming standard

Namespace: Walter.BOM
Assembly: Walter.BOM (in Walter.BOM.dll)

Syntax

public enum TcpPortAlias

Members

	Member name	Description
	UserDefined	A user defined port
	None	indicated that the value was not configured
	Echo_7	Ping - port 7
	FTP1_20	File transfer protocol - port 20
	FTP2_21	File transfer protocol - port 21
	SSH_22	Secure Shell port 22
	Telnet_23	Telnet -port 23
	SMTP_25	Simple Mail Transfer Protocol - port 25
	MSGIPC_29	Internet Cache Protocol (ICP)
	IPSec1_50	Internet Protocol Security - Port 50
	IPSec2_51	Internet Protocol Security - Port 51
	DNS_53	Domain Name System - Port 53
	Finger_79	The Finger User Information Protocol
	HTTP_80	HyperText Transfer Protocol (do not use when you expose port 80)
	POP3_110	Post Office Protocol
	NNTP_119	Network News Transport Protocol -Port 119
	NetBIOS_135	NetBIOS (RPC) - Port 135
	NetBIOS_136	NetBIOS (Profile Name Service)- Port 136
	NetBIOS_137	NetBIOS (CIFS)- Port 137
	NetBIOS_138	NetBIOS - Port 138
	NetBIOS_139	NetBIOS - Port 139
	IMAP_143	Internet Message Access Protocol - Port 134
	SNMP_161	Simple Network Management Protocol - Port 161
	SNMP_162	Simple Network Management Protocol - Port 162
	LDAP_389	Lightweight Directory Access Protocol - Port 389
	SSL_443	HTTP with Secure Sockets Layer - Port 443
	FTPSSL_989	FTP over Secure Socket Layer (SSL) - Port 989
	FTPTLS_990	FTP over TLS Transport Layer Security (TLS)- Port 990
	IMAP_993	Internet Messaging Protocol IMAP encrypted
	TSQL_1433	Microsoft SQL server
	Oracle_1521	oracle server
	OpenEdge_20931	open edge database
	Sybase_2638	Sybase database
	RDP_3389	Remote Desktop Protocol - Port 3389
	MYSQL_3306	MySQL database port 3306
	WAC_6516	The windows administration center
	Tomcat_8443	The default port for Apache Tomcat

Remarks

Each port number identifies a distinct service, this enum's list the services with the default port mapped. you can create a alias on your GateWay and map the ports not external used to the firewall and the firewall will detect them, ideally you would map them from the default port to a detect port not used by the server to avoid conflicts, you can map ports to a maximum value of value of 65,535

You can use the firewall's disk reporting NuGet package to generate PoweShell script to block and unblock the IP address are seeking exploits

The Firewall and HoneyPotService exposes the OnPortAccessDetected that can be used for controlling the detected signal in real-time

Examples

port monitoring in services configuration

Configure the application to monitor ports

services.UsePortScannerProtection(options => {
                  /* Map the service ports to a local port on your computer
                  *  Redirect the requests to your computer and open the firewall
                  *  for the redirected ports
                  *
                  * In this sample you'd map original port to a custom port to not interfere with the
                  * original service on your servers firewall open the ports 64000-64006 to enable detection
                  */
                  options.SSH    = 64000; // map port 22 to port 64000 on your router
                  options.TSQL   = 64001; // map port 1433 to port 64001 on your router
                  options.Telnet = 64002; // map port 23 to port 64002 on your router
                  options.MYSQL  = 64005; // map port 3306 to port 64005 on your router
                  options.DNS    = 64006; // map port 53 to port 64005 on your router

                  /*you can manually map port aliases in the range from 0 till 65535*/
                  options.AddOrUpdate(externalPort: 587, internalPort:4007, name:"ESMTP Extended Simple Mail Transfer Protocol");
                  options.AddOrUpdate(externalPort: 647, internalPort:4008, name:"DHCP Fail-over");

                  /*Record up-to 8,000 character when someone is trying to attack the service for legal reporting*/
                  options.MaximumDataSizeToAccept = 254;

                  /*Look between every 100ms and 30000ms if someone is trying to gain access to the system */
                  options.PoolFrequency = 100;

                  /* Add a default reply to any connection, you can send a auto reply
                   * You can use the template values:
                   * {IP}  - the attackers IP address
                   * {Port}- the port being attacked
                   * {Name}- the name of the alias being used
                   * {ISP} - the name of the Internet service provider that the attacker is using will be injected
                   * {Country} - the country name will be injected
                   * to personalize the message or leave it blank to record silently*/
                  options.DefaultReply = "This service is being monitored and we have detected your intentions attack {Name}" +
                                         " via {IP}:{Port} to gain unlawful access to the system, please note that any unlawful" +
                                         " activity will be reported to {ISP} as well as the relevant authorities in {Country}";

              })

TcpPortAlias Enumeration

Syntax

Members

Remarks

Examples

See Also