Security Incidents mailing list archives

RE: Port 113 requests?


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Thu, 6 Dec 2001 13:51:33 -0700

You really should try and specify that the rule "drops" instead of reject so
that the potential intruder is not provided with any information about their
attempted connection.

-----Original Message-----
From: Chris Wilkes [mailto:cwilkes () ladro com]
Sent: Thursday, December 06, 2001 1:05 PM
To: incidents () securityfocus com
Subject: Re: Port 113 requests?


On Thu, Dec 06, 2001 at 01:51:57PM -0500, Michael Ward wrote:
I have been receiving the following entries at my firewall since
noon US Eastern Time (-5:00) on 12/4/01.

They have been coming every 15 minutes since then.  I notified the owner
of the IPs and he hasn't responded yet.

12/04/2001 11:59:30.336 - TCP connection dropped -
Source:mail.domain-i-edited.com, 40454, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

It's the SMTP AUTH protocol where a mail server tries to do an
authentication check on who is sending it mail.  I've turned this off on
my mail server as it really doesn't do any good.  I think some IRC
servers use this feature.

In my firewall I've set up this rule to handle these requests:
        -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

In short, nothing to be concerned about.

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
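
To check a report like the one quoted above (one source hitting port 113 every 15 minutes), the firewall log can be grouped by source and tested for a fixed interval. This is an added example, not part of the original messages: the entry layout follows the quoted log line, while the hostnames, the extra entries and the function names `parse` and `periodic_sources` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entry layout taken from the log line quoted in the thread.
ENTRY = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) - TCP connection dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+"
)

# Constructed sample: one source every ~15 min, one stray hit, one unrelated port.
SAMPLE = """\
12/04/2001 11:59:30.336 - TCP connection dropped -
Source:mail.example.com, 40454, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
12/04/2001 12:14:30.512 - TCP connection dropped - Source:mail.example.com, 40461, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
12/04/2001 12:20:02.000 - TCP connection dropped - Source:mail.example.com, 40470, WAN - Destination:my.mail.server, 23, LAN - 'Telnet' - Rule 40
12/04/2001 12:29:29.874 - TCP connection dropped - Source:mail.example.com, 40478, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
12/04/2001 12:31:07.440 - TCP connection dropped - Source:irc.example.net, 51515, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
12/04/2001 12:44:30.101 - TCP connection dropped - Source:mail.example.com, 40485, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
"""

def parse(text, port=113):
    """Return {source: sorted [datetime, ...]} for dropped connections to `port`."""
    hits = defaultdict(list)
    # Entries may be wrapped across lines (as in the mail); collapse whitespace first.
    for m in ENTRY.finditer(" ".join(text.split())):
        if int(m["dport"]) == port:
            hits[m["src"]].append(datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"))
    return {src: sorted(times) for src, times in hits.items()}

def periodic_sources(hits, interval=timedelta(minutes=15),
                     tolerance=timedelta(seconds=30), min_hits=4):
    """Return {source: hit count} where every gap between hits is ~`interval`."""
    out = {}
    for src, times in hits.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - interval) <= tolerance for g in gaps):
            out[src] = len(times)
    return out

if __name__ == "__main__":
    for src, n in periodic_sources(parse(SAMPLE)).items():
        print(f"{src}: {n} drops to port 113 at a fixed 15-minute interval")
```

A fixed cadence from a single source points to an automated retry or scheduled job on the remote host, which is worth matching against your own outbound connections to that host before escalating.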
