You really should try and specify that the rule "drops" instead of reject so that the potential intruder is not provided with any information about their attempted connection.

-----Original Message-----
From: Chris Wilkes [mailto:cwilkesat_private]
Sent: Thursday, December 06, 2001 1:05 PM
To: incidentsat_private
Subject: Re: Port 113 requests?

On Thu, Dec 06, 2001 at 01:51:57PM -0500, Michael Ward wrote:
> I have been receiving the following entries at my firewall since
> noon US Eastern Time (-5:00) on 12/4/01.
>
> They have been coming every 15 minutes since then. I notified the owner
> of the IP's and he hasn't responded yet.
>
> 12/04/2001 11:59:30.336 - TCP connection dropped -
> Source:mail.domain-i-edited.com, 40454, WAN -
> Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

It's the SMTP AUTH protocol where a mail server tries to do an authentication check on who is sending it mail. I've turned this off on my mail server as it really doesn't do any good. I think some IRC servers use this feature.

In my firewall I've set up this rule to handle these requests:

  -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

In short, nothing to be concerned about.

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 13:24:37 PST