Re: "Authentication" attempts??

["Portnoy, Gary" <gportnoy () BELENOSINC COM>]

Port 113 is Ident.  It's used extensively by mail servers to verify who the
connecting server is.  You could block it, but there isn't much harm in
leaving it open, as long as it recent.  There are also secure versions of it
out there, as well as versions that give out fake info.  Check out
http://advice.networkice.com/advice/Reference/Networking/Misc/IDENT/default.
htm  for more info.

-Gary-

-----Original Message-----
From: Los, Ralph [mailto:rlos () ENVESTNET COM]
Sent: Monday, March 26, 2001 12:16 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: "Authentication" attempts??


Perhaps someone could help me understand this...

        I've been getting this from dozens of machines all accross the
Internet, aimed at one of my Exchange Server's private (NAT) address, coming
to port 113.  As far as I know, port 113 is only used for IRC (Internet
Relay Chat) authentication...no?

<snip>
03/23/2001 16:49:08.480 -       TCP connection dropped -
Source:<src-ip>, <src-prt>, Destination:192.168.34.2, 113
</snip>

The source IP's are completely random it seems, source ports are as well
(3105, 41259, 1931, 4675, 51134...and the list goes on).  Does anyone know
what this would be?  ...and perhaps WHY the target is my NAT address not the
public IP?  Is this somehow tied to the mail server (Exchange 5.5) that is
the target?

Any insight is greatly appreciated,

Ralph M. Los
Sr. Internet Systems & Security Admin.    (312) 827-3945 (direct)
EnvestNet Advisory Corp.                  (312) 296-9003 (wireless)
rlos () envestnet com