Security Incidents mailing list archives

Re: Port 113 requests?


From: Patrick Patterson <ppatterson () carillonis com>
Date: Fri, 7 Dec 2001 12:27:09 -0500

-----BEGIN PGP SIGNED MESSAGE-----

Actually Tim, I think that Chris' response is better in this particular
case...

If this is a machine that is receiving mail from the outside world, it makes
no sense to just blackhole IDENT requests - and as has been said in other
posts, some SMTP servers require the AUTH part of the transaction to either
pass or fail before they can continue... if it just drops, then you will see
the hammering that the original poster is seeing (although 1 attempt every 15
minutes is hardly hammering).

Just REJECT the ident packets, and this issue will go away. In this case,
this has nothing to do with intruders, but has everything to do with servers
that are trying to pass legitimate traffic.

On Thursday 06 December 2001 15:51, Slighter, Tim wrote:
you really should try and specify that the rule "drops" instead of reject
so that the potential intruder is not provided with any information about
their attempted connection.

-----Original Message-----
From: Chris Wilkes [mailto:cwilkes () ladro com]
Sent: Thursday, December 06, 2001 1:05 PM
To: incidents () securityfocus com
Subject: Re: Port 113 requests?

It's the SMTP AUTH protocol where a mail server tries to do an
authentication check on who is sending it mail.  I've turned this off on
my mail server as it really doesn't do any good.  I think some IRC
servers use this feature.

In my firewall I've setup this rule to handle these requests:
      -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

In short, nothing to be concerned about.

Chris

- --

Patrick Patterson                       Tel: (514) 485-0789
Chief Security Architect                Fax: (514) 485-4737
Carillon Information Security Inc.      E-Mail: ppatterson () carillonIS com
- -----------------------------------------------------------------------
                The New Sound of Network Security
                     http://www.carillonIS.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: SR4O/YIctxV5HaazlSYq3VQAyb8NRDne

iQCVAwUBPBD78bqc3sMKNyclAQFXfQQAvRUI7roGGQnvwX+mrPrHLWjhibiYwYY6
5oxbso3jBr+VoZuTpsEoFns59N/pc9SPEfJN5cvYGmS6p6XASSm8ObgrvVI8MJC7
cvjygVK91JDC4GQUnmO8JBR0EatA+zJT3KtRXhQdmbh94BELkxR8RjAk5ftxB31a
vzbaBfZ5rzc=
=+Jc3
-----END PGP SIGNATURE-----
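The behaviour the thread is arguing about, as an added example that is not code from any of the posters: a minimal RFC 1413 (ident) client of the kind a mail server runs against a host that has just connected to port 25, with a throwaway fake ident daemon so it runs offline. The query/reply format follows RFC 1413; the port numbers (4567, 25), the fake daemon, and the outcome labels ("answered", "refused", "timeout", "closed") are this example's own constructions. A REJECT rule (Chris' icmp-port-unreachable, or `--reject-with tcp-reset`) shows up to the querying server as the "refused" path, which returns at once; a DROP rule shows up as the "timeout" path, which is where the repeated retries the original poster saw come from. The timeout path needs a real firewall in front of the port and is not simulated here.

```python
"""RFC 1413 ident client as an SMTP server would use it, plus a fake identd.
Added example for this thread, not any poster's code; ports and labels are
constructed for the demo."""
import socket
import threading

IDENT_PORT = 113


def parse_ident_reply(line):
    """Parse an RFC 1413 reply line into a dict.

    Accepts either of the two RFC 1413 reply shapes:
      '<port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>'
      '<port-on-server> , <port-on-client> : ERROR : <error-type>'
    """
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) < 3:
        raise ValueError("malformed ident reply: %r" % line)
    kind = fields[1].upper()
    if kind == "USERID" and len(fields) == 4:
        return {"status": "USERID", "opsys": fields[2], "user": fields[3]}
    if kind == "ERROR" and len(fields) == 3:
        return {"status": "ERROR", "reason": fields[2].upper()}
    raise ValueError("unrecognised ident reply: %r" % line)


def ident_lookup(host, port_on_server, port_on_client,
                 ident_port=IDENT_PORT, timeout=5.0):
    """Ask host:ident_port who owns the TCP connection host:port_on_server ->
    us:port_on_client (RFC 1413 wording: the 'server' is the ident host).

    'outcome' is one of (labels are this example's own):
      'answered' - the daemon replied; parsed reply under 'reply'
      'refused'  - RST or ICMP port unreachable, i.e. a REJECT rule or no
                   daemon; the caller can carry on with SMTP immediately
      'timeout'  - nothing came back within `timeout`, i.e. a DROP rule;
                   the caller has waited the whole period and may retry
      'closed'   - the daemon accepted and hung up without a reply
    """
    query = "%d , %d\r\n" % (port_on_server, port_on_client)
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(query.encode("ascii"))
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return {"outcome": "refused"}
    except socket.timeout:
        return {"outcome": "timeout"}
    if not data:
        return {"outcome": "closed"}
    return {"outcome": "answered",
            "reply": parse_ident_reply(data.decode("ascii", "replace"))}


def start_fake_identd(error_type="HIDDEN-USER"):
    """Constructed fixture: an ident daemon on 127.0.0.1 (ephemeral port) that
    answers every query with 'ERROR : <error_type>', which is roughly what a
    daemon configured to hide users looks like to the querying mail server.
    Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                q = conn.recv(512).decode("ascii", "replace").strip()
                conn.sendall(("%s : ERROR : %s\r\n" % (q, error_type)).encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def demo():
    """One lookup against the fake daemon (answered) and one against a port
    with nothing listening (refused: what a REJECT rule looks like)."""
    port, stop = start_fake_identd()
    try:
        answered = ident_lookup("127.0.0.1", 4567, 25, ident_port=port, timeout=2.0)
    finally:
        stop()
    probe = socket.socket()            # grab and release an ephemeral port so
    probe.bind(("127.0.0.1", 0))       # we have a number nothing listens on
    closed_port = probe.getsockname()[1]
    probe.close()
    refused = ident_lookup("127.0.0.1", 4567, 25, ident_port=closed_port, timeout=2.0)
    return answered, refused


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it prints the "answered" result with the `HIDDEN-USER` error and then the "refused" result. The point Patrick makes is the third branch: with a DROP rule the `create_connection` call sits for the full `timeout` before returning "timeout", and a mail server that insists on finishing the ident step before continuing will pay that delay on every connection and retry later, which is exactly the recurring port 113 traffic in the original report.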
