Re: Port 113 requests?

[Paul Cardon <"paul{no spam}"@moquijo.com>]

Slighter, Tim wrote:

> you really should try and specify that the rule "drops" instead of reject so
> that the potential intruder is not provided with any information about their
> attempted connection.


tcp 113 (auth) is a common exception because of performance issues with 
legitimate traffic.  Suppose you have a mail relay that sends out a 
large volume of SMTP e-mail on behalf of users in your organization.  If 
you drop all of the auth requests coming back to your mail relay from 
servers to which you are delivering outbound mail, each of those 
connections must wait for the auth attempt to timeout before the mail 
can be delivered.  If you send a reject, the auth fails immediately and 
the SMTP connection will complete in a timely fashion.

True, it is a workaround for what is in my opinion a completely useless 
protocol.  The right fix is to go and rebuild all those versions of 
sendmail that have it enabled by default.  Unfortunately, if you don't 
use a reject policy and you do send large volumes of outbound e-mail you 
may find that the mail relay is taking a significant performance hit.

-paul





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com