Security Incidents mailing list archives
RE: Port 113 requests?
From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Fri, 07 Dec 2001 16:06:17 +1100
The only bad thing about 'rejecting' I can think of, is TCP/IP stack fingerprinting of the returned RST packet.
Well, also the ability to enumerate that tcp/113 returns an RST which will show up in nmap.
I think the best way to deal with these things is to tune the firewall's TCP/IP stack to obscure fingerprinting attempts and configure the firewall to return an RST on behalf of the protected host, to work around the extended timeout problem.
At least this way if someone enables ident on their machine for whatever reason, the firewall continues to send RSTs on behalf of the host, unless the firewall admin specifically allows ident into the protected host.
Sure someone can enumerate you have blocked tcp/113 a different way than the other ports, but if it's blocked, it's blocked.
You can defeat (at least, obfuscate) nmap enumeration by making all ports return RSTs, if enumeration is a concern.
Coupled with a unique fingerprint, you can have the best of both worlds. I guess it's a balance of performance vs security factors you're willing to live with.
Regards,
Chris.

At 01:51 PM 6/12/2001 -0700, Slighter, Tim wrote:

You really should try and specify that the rule "drops" instead of reject so that the potential intruder is not provided with any information about their attempted connection.

-----Original Message-----
From: Chris Wilkes [mailto:cwilkes () ladro com]
Sent: Thursday, December 06, 2001 1:05 PM
To: incidents () securityfocus com
Subject: Re: Port 113 requests?

On Thu, Dec 06, 2001 at 01:51:57PM -0500, Michael Ward wrote:
> I have been receiving the following entries at my firewall for since
> noon US Eastern Time (-5:00) on 12/4/01.
>
> They have been coming every 15 minutes since then. I notified the owner
> of the IP's and he hasn't responded yet.
>
> 12/04/2001 11:59:30.336 - TCP connection dropped -
> Source:mail.domain-i-edited.com, 40454, WAN -
> Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

It's the SMTP AUTH protocol where a mail server tries to do an authentication check on who is sending it mail. I've turned this off on my mail server as it really doesn't do any good. I think some IRC servers use this feature.

In my firewall I've set up this rule to handle these requests:

  -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

In short, nothing to be concerned about.

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com