Security Incidents mailing list archives
Re: Port 113 requests?
From: Patrick Patterson <ppatterson () carillonis com>
Date: Fri, 7 Dec 2001 12:27:09 -0500
Actually Tim, I think that Chris' response is better in this particular case...

If this is a machine that is receiving mail from the outside world, it makes no sense to just blackhole IDENT requests - and as has been said in other posts, some SMTP servers require the AUTH part of the transaction to either pass or fail before they can continue... if it just drops, then you will see the hammering that the original poster is seeing (although 1 attempt every 15 minutes is hardly hammering).

Just REJECT the ident packets, and this issue will go away. In this case, this has nothing to do with intruders, but has everything to do with servers that are trying to pass legitimate traffic.

On Thursday 06 December 2001 15:51, Slighter, Tim wrote:
> You really should try and specify that the rule "drops" instead of reject so that the potential intruder is not provided with any information about their attempted connection.
>
> -----Original Message-----
> From: Chris Wilkes [mailto:cwilkes () ladro com]
> Sent: Thursday, December 06, 2001 1:05 PM
> To: incidents () securityfocus com
> Subject: Re: Port 113 requests?
>
> It's the SMTP AUTH protocol where a mail server tries to do an authentication check on who is sending it mail. I've turned this off on my mail server as it really doesn't do any good. I think some IRC servers use this feature.
>
> In my firewall I've set up this rule to handle these requests:
>
>     -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
>
> In short, nothing to be concerned about.
>
> Chris
--
Patrick Patterson                     Tel: (514) 485-0789
Chief Security Architect              Fax: (514) 485-4737
Carillon Information Security Inc.    E-Mail: ppatterson () carillonIS com
The New Sound of Network Security     http://www.carillonIS.com
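The REJECT-versus-drop difference discussed in this message, seen from the connecting server's side, as an added example that is not part of any poster's message. It assumes loopback only: a closed port stands in for a rejected port 113, a listener that never answers stands in for a silently dropped request, and the query string and function names are constructed for illustration.

```python
import socket
import time


def ident_probe(host, port, timeout):
    """Act like a mail server's ident client; return (outcome, seconds waited)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # Constructed ident query: "<port on queried host>, <port on asking host>"
            s.sendall(b"40000, 25\r\n")
            s.recv(512)
            outcome = "answered"
    except ConnectionRefusedError:
        outcome = "refused"      # explicit refusal: the caller can carry on at once
    except socket.timeout:
        outcome = "timed out"    # silence: the caller burns its whole timer
    return outcome, time.monotonic() - start


def closed_port():
    """Reserve a loopback port and release it, so a connect is actively refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def silent_listener():
    """Stand-in for a dropped request: the peer never sends anything back."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def compare(timeout=1.0):
    """Probe both stand-ins and return {policy: (outcome, seconds)}."""
    listener, silent_port = silent_listener()
    try:
        return {
            "reject": ident_probe("127.0.0.1", closed_port(), timeout),
            "drop": ident_probe("127.0.0.1", silent_port, timeout),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for policy, (outcome, secs) in compare().items():
        print(f"{policy:6} -> {outcome:9} after {secs:.3f}s")
```

With a real drop rule the wait happens while connecting rather than while reading, but the connecting server's cost is the same: it waits out its full timer before moving on.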