Security Incidents mailing list archives
RE: Port 113 requests?
From: Brian Cervenka <brian () zerobelow org>
Date: Fri, 7 Dec 2001 12:37:37 -0800 (PST)
It's a trade. If you drop the auth attempts silently, you usually then have to wait for the attempts to time out before whatever you did to prompt the auth attempt can proceed. If you send a RST or ICMP-unreachable, you don't have to wait for the timeout. In this case, it's someone's mail server getting the auth connection attempt. Everyone knows where everybody else's mail servers are (receiving hubs have MX records, senders are in the mail headers). Sending RSTs on port 113 is just telling the world that you don't want their auth requests; you are not really giving anything away to an intruder.
It almost would be nice if we could get a stateful module for iptables and other firewall systems that allows us to send RST or icmp-port-unreachable to sites we connect to for mail, etc... and drop for others.

--brian
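
The trade-off discussed in this message, sketched as an added example that is not part of the original post: a shell function that emits an iptables-restore fragment which answers ident probes with a RST only when they come from hosts this machine recently opened an SMTP connection to, and silently drops all others. It assumes an iptables build with the `recent` match and that the peer's ident query comes from the same address the mail was sent to; the list name `smtp_peers` and the 120-second default window are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Prints an iptables-restore
# fragment; nothing is applied to the running firewall by this function.
# Assumptions: the `recent` match is available, and the list name
# "smtp_peers" and the default window are constructed values.

ident_ruleset() {
    window="${1:-120}"   # seconds a mail peer stays eligible for a RST
    case "$window" in
        ''|*[!0-9]*) echo "window must be a positive integer" >&2; return 1 ;;
    esac
    [ "$window" -gt 0 ] || { echo "window must be > 0" >&2; return 1; }

    cat <<EOF
*filter
# Remember the destination of every outbound SMTP connection attempt.
-A OUTPUT -p tcp --dport 25 --syn -m recent --name smtp_peers --set --rdest
# Ident probe from a recent mail peer: answer with a RST so the peer's
# lookup fails at once and delivery is not held up by a timeout.
-A INPUT -p tcp --dport 113 --syn -m recent --name smtp_peers --rcheck --rsource --seconds $window -j REJECT --reject-with tcp-reset
# Ident probe from anyone else: drop silently.
-A INPUT -p tcp --dport 113 -j DROP
COMMIT
EOF
}
```

To load the rules without flushing the existing ones, pipe the output into `iptables-restore --noflush` as root; `iptables-restore --test` parses the fragment without committing it.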