Security Incidents mailing list archives
Re: Port 113 requests?
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 6 Dec 2001 13:31:31 -0700 (MST)
On Thu, 6 Dec 2001, Michael Ward wrote:
> 12/04/2001 11:59:30.336 - TCP connection dropped - Source:mail.domain-i-edited.com, 40454, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
That's ident, pretty standard stuff. It's a protocol designed to allow the server machine to query the client for what username and uin is connecting to it. It's intended to be a weak authentication scheme, though it's basically useless, since it's info supplied by the client.

Many mail servers will attempt to connect to your ident port when you try to deliver mail to them. Presumably, if the server is able to connect and get the ident info, it will put the info into the logs. The connections are generally harmless, you can block them or allow them as you wish. There have been one or two ident exploits over the years, so exercise the usual caution before allowing.

One thing you may notice when trying to deliver mail to a host that is checking for ident; if you silently drop the packets (i.e. no RST) then you may experience delayed or dropped connections. Most mail servers that want an ident connection will refuse to proceed with the rest of the SMTP conversation until the ident attempt has succeeded or failed. So, if your mail server sends either a RST or a SYN-ACK and finishes the conversation, then the SMTP portion can proceed. If you silently drop the ident attempt, then the mail server will have to wait until the TCP timeout is up, and it will keep sending SYN packets in the meantime. This can be in the neighborhood of 1-10 minutes.

So, what I used to do was allow the ident port, but not run an identd, so when the packet hit, a RST would be sent, and the SMTP would proceed immediately.

Ryan
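A quick way to see which of the behaviours described in the message above your own mail host shows on port 113, as an added example that is not part of the original post. The function name and the verdict labels are made up for illustration; run it from outside the firewall against a host you administer.

```python
import errno
import socket
import sys
import time


def ident_port_behaviour(host, port=113, timeout=5.0):
    """Classify how `host` answers a TCP SYN sent to its ident port.

    Returns (verdict, seconds_elapsed) where verdict is one of:
      "open"        - SYN-ACK came back, something is listening
      "reset"       - RST came back at once (port allowed, no identd)
      "silent-drop" - nothing came back before `timeout`; a remote SMTP
                      server doing an ident lookup would stall here
      "unreachable" - an ICMP unreachable error came back instead
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "reset"
    except socket.timeout:
        verdict = "silent-drop"
    except OSError as exc:
        if exc.errno not in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            raise
        verdict = "unreachable"
    finally:
        sock.close()
    return verdict, time.monotonic() - start


if __name__ == "__main__":
    # Default target is the local machine; pass your mail host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict, elapsed = ident_port_behaviour(target)
    print(f"{target}:113 -> {verdict} after {elapsed:.2f}s")
    if verdict == "silent-drop":
        print("ident probes are dropped silently; expect SMTP delivery delays")
```

A "reset" or "open" verdict returns in well under a second, which is the case where the SMTP conversation proceeds immediately; "silent-drop" only returns after the full timeout.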