Security Incidents mailing list archives
Re: "Authentication" attempts??
From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Mon, 26 Mar 2001 09:27:01 -0500
Port 113 is Ident. It's used extensively by mail servers to verify who the connecting server is. You could block it, but there isn't much harm in leaving it open, as long as it recent. There are also secure versions of it out there, as well as versions that give out fake info. Check out http://advice.networkice.com/advice/Reference/Networking/Misc/IDENT/default. htm for more info. -Gary- -----Original Message----- From: Los, Ralph [mailto:rlos () ENVESTNET COM] Sent: Monday, March 26, 2001 12:16 AM To: INCIDENTS () SECURITYFOCUS COM Subject: "Authentication" attempts?? Perhaps someone could help me understand this... I've been getting this from dozens of machines all accross the Internet, aimed at one of my Exchange Server's private (NAT) address, coming to port 113. As far as I know, port 113 is only used for IRC (Internet Relay Chat) authentication...no? <snip> 03/23/2001 16:49:08.480 - TCP connection dropped - Source:<src-ip>, <src-prt>, Destination:192.168.34.2, 113 </snip> The source IP's are completely random it seems, source ports are as well (3105, 41259, 1931, 4675, 51134...and the list goes on). Does anyone know what this would be? ...and perhaps WHY the target is my NAT address not the public IP? Is this somehow tied to the mail server (Exchange 5.5) that is the target? Any insight is greatly appreciated, Ralph M. Los Sr. Internet Systems & Security Admin. (312) 827-3945 (direct) EnvestNet Advisory Corp. (312) 296-9003 (wireless) rlos () envestnet com
Current thread:
- "Authentication" attempts?? Los, Ralph (Mar 25)
- Re: "Authentication" attempts?? Peter Moody (Mar 26)
- Re: "Authentication" attempts?? Valdis Kletnieks (Mar 26)
- Re: "Authentication" attempts?? Chris Ess (Mar 26)
- <Possible follow-ups>
- Re: "Authentication" attempts?? Portnoy, Gary (Mar 26)
- Re: "Authentication" attempts?? Peter Moody (Mar 26)