RE: Port 113 requests?

From: Slighter, Tim (tslighterat_private)
Date: Thu Dec 06 2001 - 12:51:33 PST


    You really should try and specify that the rule "drops" instead of reject so
    that the potential intruder is not provided with any information about their
    attempted connection.
    
    -----Original Message-----
    From: Chris Wilkes [mailto:cwilkesat_private]
    Sent: Thursday, December 06, 2001 1:05 PM
    To: incidentsat_private
    Subject: Re: Port 113 requests?
    
    
    On Thu, Dec 06, 2001 at 01:51:57PM -0500, Michael Ward wrote:
    > I have been receiving the following entries at my firewall since
    > noon US Eastern Time (-5:00) on 12/4/01.
    > 
    > They have been coming every 15 minutes since then.  I notified the owner
    > of the IP's and he hasn't responded yet.
    > 
    > 12/04/2001 11:59:30.336 - TCP connection dropped -
    > Source:mail.domain-i-edited.com, 40454, WAN -
    > Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
    
    It's the SMTP AUTH protocol where a mail server tries to do an
    authentication check on who is sending it mail.  I've turned this off on
    my mail server as it really doesn't do any good.  I think some IRC
    servers use this feature.
    
    In my firewall I've set up this rule to handle these requests:
    	-p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
    
    In short, nothing to be concerned about.
    
    Chris
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
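
Added example, not part of the original messages: a Python sketch that parses firewall entries in the layout of the one quoted in the thread and reports sources that hit port 113 at a regular interval, like the 15-minute pattern described. It assumes each entry is on a single line; every sample line after the first is constructed, and host.example.net is a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Field layout taken from the single log entry quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<event>.+?) - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), (?P<dst_if>\w+) - "
    r"'(?P<service>[^']*)' - Rule (?P<rule>\d+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an entry in the expected layout
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S.%f")
    for key in ("sport", "dport", "rule"):
        rec[key] = int(rec[key])
    return rec

def periodic_sources(lines, dport=113, min_hits=4, jitter=0.1):
    """Return {source: median gap in seconds} for sources that repeat regularly."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == dport:
            seen[rec["src"]].append(rec["ts"])
    result = {}
    for src, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Regular means every gap is within `jitter` of the median gap.
        if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
            result[src] = mid
    return result

SAMPLE = [  # first entry is from the thread; the rest are constructed
    "12/04/2001 11:59:30.336 - TCP connection dropped - Source:mail.domain-i-edited.com, 40454, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32",
    "12/04/2001 12:14:31.102 - TCP connection dropped - Source:mail.domain-i-edited.com, 40512, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32",
    "12/04/2001 12:29:30.877 - TCP connection dropped - Source:mail.domain-i-edited.com, 40563, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32",
    "12/04/2001 12:44:30.512 - TCP connection dropped - Source:mail.domain-i-edited.com, 40611, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32",
    "12/04/2001 12:20:05.010 - TCP connection dropped - Source:host.example.net, 51022, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32",
    "12/04/2001 12:21:10.450 - TCP connection dropped - Source:host.example.net, 51030, WAN - Destination:my.mail.server, 25, LAN - 'SMTP' - Rule 12",
]
```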
    
    



    This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 13:24:37 PST