Security Incidents mailing list archives

Re: Port 113 requests?

From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 6 Dec 2001 13:31:31 -0700 (MST)

On Thu, 6 Dec 2001, Michael Ward wrote:

12/04/2001 11:59:30.336 - TCP connection dropped -
Source:mail.domain-i-edited.com, 40454, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32


That's ident, pretty standard stuff.  It's a protocol designed to allow
the server machine to query the client for what username and uin is
connecting to it.  It's intended to be a weak authentication scheme,
though it's basically useless, since it's info supplied by the client.
Many mail servers will attempt to connect to your ident port when you try
to deliver mail to them.  Presumably, if the server is able to connect and
get the ident info, it will put the info into the logs.  The connections
are generally harmless, you can block them or allow them as you wish.
There have been one or two ident exploits over the years, so exercise the
usual caution before allowing.

One thing you may notice when trying to deliver mail to a host that is
checking for ident; if you silently drop the packets (i.e. no RST) then
you may experience delayed or dropped connections.  Most mail servers that
want an ident connection will refuse to proceed with the rest of the SMTP
conversation until the ident attempt has succeeded or failed.  So, if your
mail server sends either a RST or a SYN-ACK and finishes the conversation,
then the SMTP portion can proceed.  If you silently drop the ident
attempt, then the mail server will have to wait until the TCP timeout is
up, and it will keep sending SYN packets in the meantime.  This can be in
the neighborhood of 1-10 minutes.

So, what I used to do was allow the ident port, but not run an identd, so
when the packet hit, a RST would be sent, and the SMTP would proceed
immediately.

                                                Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Port 113 requests? Michael Ward (Dec 06)
- Re: Port 113 requests? Chris Wilkes (Dec 06)
- Re: Port 113 requests? Ryan Russell (Dec 06)
  - Re: Port 113 requests? Helmut Springer (Dec 07)
  - Re: Port 113 requests? Valdis . Kletnieks (Dec 07)
    - Re: Port 113 requests? Ryan Russell (Dec 07)
- <Possible follow-ups>
- RE: Port 113 requests? Slighter, Tim (Dec 06)
  - RE: Port 113 requests? Ryan McDonnell (Dec 07)
  - RE: Port 113 requests? Andrew Leonard (Dec 07)
    - RE: Port 113 requests? Todd Suiter (Dec 07)
    - Re: Port 113 requests? Helmut Springer (Dec 07)
  - Re: Port 113 requests? Crist J . Clark (Dec 07)
    - Re: Port 113 requests? Greg A. Woods (Dec 07)

(Thread continues...)