Actually, it's common practice to REJECT port 113 requests rather than DENY because a DENY completely ignores the received packet, which makes the source system hang until a timeout occurs. By specifying REJECT, your system will acknowledge the source and tell it there is nothing there instead of just leaving it hanging. Saves bandwidth and time in transferring mail from server to server.

Ryan McDonnnell
ryanat_private <mailto:ryanat_private>

-----Original Message-----
From: Slighter, Tim [mailto:tslighterat_private]
Sent: Thursday, December 06, 2001 12:52 PM
To: incidentsat_private
Subject: RE: Port 113 requests?

You really should try and specify that the rule "drops" instead of reject so that the potential intruder is not provided with any information about their attempted connection.

-----Original Message-----
From: Chris Wilkes [mailto:cwilkesat_private]
Sent: Thursday, December 06, 2001 1:05 PM
To: incidentsat_private
Subject: Re: Port 113 requests?

On Thu, Dec 06, 2001 at 01:51:57PM -0500, Michael Ward wrote:
> I have been receiving the following entries at my firewall since
> noon US Eastern Time (-5:00) on 12/4/01.
>
> They have been coming every 15 minutes since then. I notified the owner
> of the IP's and he hasn't responded yet.
>
> 12/04/2001 11:59:30.336 - TCP connection dropped -
> Source:mail.domain-i-edited.com, 40454, WAN -
> Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

It's the SMTP AUTH protocol where a mail server tries to do an authentication check on who is sending it mail. I've turned this off on my mail server as it really doesn't do any good. I think some IRC servers use this feature.

In my firewall I've set up this rule to handle these requests:

    -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

In short, nothing to be concerned about.

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
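
An added example, not part of the original thread: a small Python parser for firewall entries in the format quoted above, which groups dropped port-113 connections by source and reports how regularly they arrive. The sample lines, hostnames and the function name `ident_probe_summary` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines modeled on the firewall entry quoted in the thread
# (hostnames, times and the port-25 line are made up for illustration).
SAMPLE_LOG = """\
12/04/2001 11:59:30.336 - TCP connection dropped - Source:mail.example.net, 40454, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
12/04/2001 12:14:31.102 - TCP connection dropped - Source:mail.example.net, 40611, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
12/04/2001 12:29:29.870 - TCP connection dropped - Source:mail.example.net, 40799, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
12/04/2001 12:31:02.004 - TCP connection dropped - Source:host.example.org, 1033, WAN - Destination:my.mail.server, 25, LAN - 'SMTP' - Rule 7
12/04/2001 12:44:30.515 - TCP connection dropped - Source:mail.example.net, 40932, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32
"""

# One log entry: timestamp, event text, then source and destination triples.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<event>.+?) - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+ - "
)

def ident_probe_summary(log_text, port=113):
    """Group logged connections to `port` by source; return hit count and median gap."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or int(m["dport"]) != port:
            continue  # unparsable line or a different service
        hits[m["src"]].append(datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"))
    summary = {}
    for src, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[src] = {
            "count": len(times),
            # A steady gap (here about 15 minutes) points to an automated retry cycle.
            "median_gap_min": round(median(gaps) / 60, 1) if gaps else None,
        }
    return summary

if __name__ == "__main__":
    for src, info in ident_probe_summary(SAMPLE_LOG).items():
        print(src, info)
```
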
This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 09:50:35 PST