The reason the port shows as open is because it is.  Your port is responding 
with a message that says "Yeah I'm here, but my connection stinks - you can 
only send me tiny packets of data."  After that it doesn't respond - and the 
scanning machine (if teergrubbed) will send information forever (as far as I 
can tell) until it is shut down or disconnected from the 'net.

S


>From: Steve Jeppesen <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>, leaf-user <[EMAIL PROTECTED]>
>Subject: Re: [Leaf-user] Unused IP's with LaBrea
>Date: Sun, 3 Mar 2002 09:04:58 -0600
>
> >I have Web and ssh running so I use
>
>/usr/sbin/LaBrea -i eth0 -l -v -p 80000 -z -x -F /etc/LaBrea.bpf
>
>You will want to watch your ramdisk (or maybe you have taken care of this
>another way?): using the -v option
>will cause your ramdisk to fill up very quickly.
>
> > with LaBrea.bpf containing:
> >
> > dst host 24.x.x.x
> > and tcp[2:2] & 0xfc00 == 0
> > and not dst port (80 or 22)
> >
> > To test it, I logged into a remote site and telnetted back to my host on some
> > low port, e.g.
> >
> > telnet 24.x.x.x 27
>
>More on this "test" later
>
> >and I saw the following in my log:
> >
> > Mar 3 00:35:45 router kernel: device eth0 entered promiscuous mode
> > Mar 3 00:35:45 router kernel: device eth0 left promiscuous mode
>
>This is good!  You will see that because I believe you added the  -
>to "ifconfig eth0 -promisc"
>in /etc/init.d/LaBrea
>Charles is one who would/did recommend this be done, however I believe
>Simon is not taking his eth0 out of promiscuous mode.
>
> > Mar 3 01:36:30 router /usr/sbin/LaBrea: Teergrubing: 142.x.x.x 50384 -> 24.x.x.x 27
> >
> > and then several lines like the following:
> > Mar 3 01:36:30 router /usr/sbin/LaBrea: Activity: 142.x.x.x 50384 -> 24.x.x.x 27
>
>Because the settings you have listed in LaBrea.bpf contain:
>dst host 24.x.x.x
>and tcp[2:2] & 0xfc00 == 0
>and not dst port (80 or 22)
>
>You are telling LaBrea to run on all low ports <1024 except ports 80 and
>22.  So it basically is teergrubing (tarpitting) your attempt to telnet
>into port 27.
>
>The lines in your log which look like this:
>Mar 3 01:36:30 router /usr/sbin/LaBrea: Activity: 142.x.x.x 50384 -> 24.x.x.x 27
>are being logged because of the -v option you add in when starting LaBrea
>
> > If I do a lynx 24.x.x.x, nothing shows in the log and I got Web access.
>
>Not too sure what is supposed to happen with a lynx 24.x.x.x
>
> > My questions are:
> >
> > 1. Is the syntax about ignoring 2 ports 80 and 22 above correct?
>
>Depends on what port you would use to telnet in, if you are going to
>telnet to port 27, then you need to add 27 to (80 or 22)...but I do not
>have any experience using the third line in LaBrea.bpf so maybe somebody
>else can comment on the actual syntax.
>
> > 2. From the 'ps' and syslog I know that LaBrea is running and doing
> > something. But how do you test it thoroughly? I went to http://grc.com and
> > asked it to probe my ports, and the replies said some low ports are open,
> > which is correct. However, why did they come back so fast? I thought that
> > it would take a while before it could say so. Or maybe GRC does not use
> > scanning packets?
>
>On the "how do you test", I know mine is working because of all the
>"Teergrubing" messages I receive in syslog.  It is running on all low
>ports <1024 so it catches a lot of activity.  I have not done it myself,
>but maybe a different port scanning service could provide better results
>for you.
>
>GRC is using some new form of scanning your ports, and it is supposed to
>be very quick.  And because LaBrea is running, it should show your ports
>open when you run a scan from GRC...or at least that's what happened to me
>going to that scanning site.  Anybody else please jump in on this one ..
>should our ports be showing open just because we are using LaBrea?  That
>never happened to me before using LaBrea (using the scanner at GRC) - they
>all showed "stealth" status before.
>
>Steve
>
>_______________________________________________
>Leaf-user mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/leaf-user
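The thread turns on what the LaBrea.bpf filter actually selects: `tcp[2:2]` is the 16-bit TCP destination port (bytes 2 and 3 of the TCP header), and masking it with `0xfc00` clears bits 10 through 15, which are all zero exactly when the port is below 1024. The following is an added example, not code from the thread or from LaBrea itself: a small Python re-implementation of that filter's logic, evaluated against constructed IPv4/TCP SYN packets, so you can see why a telnet to port 27 is teergrubed while 80, 22 and high ports pass through. The addresses (24.0.0.1 for the poster's masked 24.x.x.x, 142.0.0.1 for the remote 142.x.x.x) are placeholders, and the packet builder is a test aid; real LaBrea compiles the expression with libpcap.

```python
"""Evaluate the logic of the thread's LaBrea.bpf filter against constructed packets.

Filter under discussion:
    dst host 24.x.x.x
    and tcp[2:2] & 0xfc00 == 0      -> TCP destination port < 1024
    and not dst port (80 or 22)
"""
import struct

TARPIT_HOST = "24.0.0.1"   # constructed stand-in for the poster's masked 24.x.x.x
EXEMPT_PORTS = {80, 22}    # services the poster really runs (Web and ssh)


def build_packet(dst_ip: str, dst_port: int, src_port: int = 50384) -> bytes:
    """Build a minimal IPv4 + TCP SYN (20-byte headers, no options, no payload).

    Constructed test input only; 142.0.0.1 stands in for the remote 142.x.x.x.
    """
    src_ip = "142.0.0.1"
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,       # version 4, IHL 5 (20 bytes)
        0, 40,      # TOS, total length (20 IP + 20 TCP)
        0, 0x4000,  # identification, flags (DF) + fragment offset
        64, 6, 0,   # TTL, protocol TCP, checksum (left zero for the test)
        to_bytes(src_ip), to_bytes(dst_ip),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        1, 0,       # sequence, acknowledgement
        5 << 4,     # data offset 5 words, reserved bits zero
        0x02,       # flags: SYN
        65535, 0, 0,  # window, checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse(packet: bytes):
    """Return (dst_ip, protocol, tcp_header_bytes), honouring IHL as BPF does."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst_ip = ".".join(str(b) for b in packet[16:20])
    return dst_ip, proto, packet[ihl:]


def labrea_filter_matches(packet: bytes) -> bool:
    """True when the packet would be handed to LaBrea for teergrubing."""
    dst_ip, proto, tcp = parse(packet)
    if proto != 6:                       # tcp[...] only applies to TCP
        return False
    if dst_ip != TARPIT_HOST:            # dst host 24.x.x.x
        return False
    dst_port = struct.unpack("!H", tcp[2:4])[0]   # tcp[2:2]
    if dst_port & 0xFC00 != 0:           # bits 10..15 set -> port >= 1024
        return False
    if dst_port in EXEMPT_PORTS:         # not dst port (80 or 22)
        return False
    return True


def classify(packet: bytes) -> str:
    return "Teergrubing" if labrea_filter_matches(packet) else "pass through"


if __name__ == "__main__":
    for port in (22, 27, 80, 1023, 1024, 50384):
        print(f"dst port {port:5d}: {classify(build_packet(TARPIT_HOST, port))}")
```

Running it shows 27 and 1023 matched and 22, 80, 1024 and 50384 passed through, which is the behaviour the reply describes: the filter covers every port below 1024 except the two exempted, so a test telnet to port 27 is tarpitted unless 27 is added to the exempt list.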