ASP-WAF Web application firewall for .Net 6, .Net 5, .Net Standard 2.1 and .Net Core 3.x

TcpPortAlias Enumeration

Named ports that are frequently attacked. Each member follows the [Name]_[Port] naming standard so that the service and its default port are easily identified.

Namespace:  Walter.BOM
Assembly:  Walter.BOM (in Walter.BOM.dll)

Syntax


public enum TcpPortAlias

Members


Member name      Description
UserDefined      A user-defined port
None             Indicates that the value was not configured
Echo_7           Ping - Port 7
FTP1_20          File Transfer Protocol - Port 20
FTP2_21          File Transfer Protocol - Port 21
SSH_22           Secure Shell - Port 22
Telnet_23        Telnet - Port 23
SMTP_25          Simple Mail Transfer Protocol - Port 25
MSGIPC_29        Internet Cache Protocol (ICP)
IPSec1_50        Internet Protocol Security - Port 50
IPSec2_51        Internet Protocol Security - Port 51
DNS_53           Domain Name System - Port 53
Finger_79        The Finger User Information Protocol
HTTP_80          HyperText Transfer Protocol (do not use when you expose port 80)
POP3_110         Post Office Protocol
NNTP_119         Network News Transport Protocol - Port 119
NetBIOS_135      NetBIOS (RPC) - Port 135
NetBIOS_136      NetBIOS (Profile Name Service) - Port 136
NetBIOS_137      NetBIOS (CIFS) - Port 137
NetBIOS_138      NetBIOS - Port 138
NetBIOS_139      NetBIOS - Port 139
IMAP_143         Internet Message Access Protocol - Port 143
SNMP_161         Simple Network Management Protocol - Port 161
SNMP_162         Simple Network Management Protocol - Port 162
LDAP_389         Lightweight Directory Access Protocol - Port 389
SSL_443          HTTP with Secure Sockets Layer - Port 443
FTPSSL_989       FTP over Secure Socket Layer (SSL) - Port 989
FTPTLS_990       FTP over Transport Layer Security (TLS) - Port 990
IMAP_993         Internet Message Access Protocol (IMAP), encrypted
TSQL_1433        Microsoft SQL Server
Oracle_1521      Oracle server
OpenEdge_20931   OpenEdge database
Sybase_2638      Sybase database
RDP_3389         Remote Desktop Protocol - Port 3389
MYSQL_3306       MySQL database - Port 3306

Remarks


Each port number identifies a distinct service; this enum lists those services with their default port. You can create an alias on your gateway and map the ports that are not used externally to the firewall, and the firewall will detect connections to them. Ideally, map each service from its default port to a detection port that the server does not use, to avoid conflicts. Ports can be mapped up to a maximum value of 65,535.

You can use the firewall's disk reporting NuGet package to generate PowerShell scripts that block and unblock the IP addresses that are seeking exploits.

The Firewall and HoneyPotService expose the OnPortAccessDetected event, which can be used to handle the detection signal in real time.

Examples


Port monitoring in services configuration
Configure the application to monitor ports
services.UsePortScannerProtection(options => {
    /* Map the service ports to a local port on your computer.
     * Redirect the requests to your computer and open the firewall
     * for the redirected ports.
     *
     * In this sample you map each original port to a custom port so as not to interfere with the
     * original service on your server; open ports 64000-64006 on the firewall to enable detection.
     */
    options.SSH    = 64000; // map port 22 to port 64000 on your router
    options.TSQL   = 64001; // map port 1433 to port 64001 on your router
    options.Telnet = 64002; // map port 23 to port 64002 on your router
    options.MYSQL  = 64005; // map port 3306 to port 64005 on your router
    options.DNS    = 64006; // map port 53 to port 64006 on your router

    /* You can manually map port aliases in the range from 0 to 65535 */
    options.AddOrUpdate(externalPort: 587, internalPort: 4007, name: "ESMTP Extended Simple Mail Transfer Protocol");
    options.AddOrUpdate(externalPort: 647, internalPort: 4008, name: "DHCP Fail-over");

    /* Record up to 8,000 characters of what is sent when someone is trying to attack the service, for legal reporting */
    options.MaximumDataSizeToAccept = 254;

    /* Poll every 100ms (allowed range 100ms to 30000ms) to see if someone is trying to gain access to the system */
    options.PoolFrequency = 100;

    /* Add a default reply to any connection; you can send an auto reply.
     * You can use the template values:
     * {IP}      - the attacker's IP address
     * {Port}    - the port being attacked
     * {Name}    - the name of the alias being used
     * {ISP}     - the name of the Internet service provider that the attacker is using will be injected
     * {Country} - the country name will be injected
     * to personalize the message, or leave it blank to record silently */
    options.DefaultReply = "This service is being monitored and we have detected your intention to attack {Name}" +
                           " via {IP}:{Port} to gain unlawful access to the system, please note that any unlawful" +
                           " activity will be reported to {ISP} as well as the relevant authorities in {Country}";

});
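The following is an added example, not code from the Walter.BOM library or its documentation. It shows how the [Name]_[Port] alias convention described above can be parsed, and how a detection-port mapping of the kind configured in the example above can be checked against the rules in the Remarks (ports within 1..65535, the detection port differing from the service's default port, and no two services sharing a detection port) before it is applied. The class name PortAliasTools, its methods, and the sample mapping are all assumptions made for this illustration and do not exist in Walter.BOM.

```csharp
// Added example (not part of Walter.BOM): helpers for the [Name]_[Port] alias
// convention and for validating a detection-port map before configuring the firewall.
// All names below are assumed for illustration and do not exist in the library.
using System;
using System.Collections.Generic;
using System.Globalization;

public static class PortAliasTools
{
    // Extract (service name, default port) from an alias such as "SSH_22" or "FTP2_21".
    // Aliases without a numeric suffix (UserDefined, None) yield port 0 and return false.
    public static bool TryParseAlias(string alias, out string service, out int port)
    {
        service = alias;
        port = 0;
        int idx = alias.LastIndexOf('_');
        if (idx <= 0 || idx == alias.Length - 1) return false;
        if (!int.TryParse(alias.Substring(idx + 1), NumberStyles.None,
                          CultureInfo.InvariantCulture, out port)) return false;
        service = alias.Substring(0, idx);
        return port >= 1 && port <= 65535;
    }

    // Validate an alias -> detection-port map following the Remarks on this page:
    // the detection port must lie in 1..65535, must differ from the default port it
    // replaces, must not be used by a real service on the host, and must be unique.
    // Returns a human-readable problem per offending entry; an empty list means the map is usable.
    public static List<string> ValidateMapping(IReadOnlyDictionary<string, int> detectPortByAlias,
                                               ISet<int> portsInUseByServer)
    {
        var problems = new List<string>();
        var seen = new Dictionary<int, string>();
        foreach (var kv in detectPortByAlias)
        {
            if (!TryParseAlias(kv.Key, out _, out var defaultPort))
            {
                problems.Add($"{kv.Key}: alias does not follow the [Name]_[Port] convention");
                continue;
            }
            int detect = kv.Value;
            if (detect < 1 || detect > 65535)
                problems.Add($"{kv.Key}: detection port {detect} is outside 1..65535");
            else if (detect == defaultPort)
                problems.Add($"{kv.Key}: detection port equals the default port {defaultPort}; map to an unused port instead");
            else if (portsInUseByServer.Contains(detect))
                problems.Add($"{kv.Key}: detection port {detect} is already used by a real service on this host");
            else if (seen.TryGetValue(detect, out var other))
                problems.Add($"{kv.Key}: detection port {detect} is already assigned to {other}");
            else
                seen[detect] = kv.Key;
        }
        return problems;
    }

    public static void Main()
    {
        // Constructed sample mapping modelled on the configuration example on this page,
        // with three deliberate mistakes so that the validator has something to report.
        var map = new Dictionary<string, int>
        {
            ["SSH_22"]      = 64000,
            ["TSQL_1433"]   = 64001,
            ["Telnet_23"]   = 64002,
            ["MYSQL_3306"]  = 64005,
            ["DNS_53"]      = 64005, // collides with MYSQL_3306
            ["HTTP_80"]     = 80,    // detection port equals the default port
            ["UserDefined"] = 4007,  // alias carries no port suffix
        };
        var inUse = new HashSet<int> { 80, 443 }; // ports the real web server listens on

        foreach (var problem in ValidateMapping(map, inUse))
            Console.WriteLine(problem);
    }
}
```

Running the program reports the DNS_53/MYSQL_3306 collision, the HTTP_80 entry mapped onto its own default port, and the UserDefined entry that carries no port suffix; the four remaining entries pass and would be safe to hand to UsePortScannerProtection.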