Re: Port 113 requests?

From: Patrick Patterson (ppattersonat_private)
Date: Fri Dec 07 2001 - 09:27:09 PST


    Actually Tim, I think that Chris' response is better in this particular
    case...
    
    If this is a machine that is receiving mail from the outside world, it makes
    no sense to just blackhole IDENT requests - and as has been said in other
    posts, some SMTP servers require the AUTH part of the transaction to either
    pass or fail before they can continue... if it just drops, then you will see
    the hammering that the original poster is seeing (although 1 attempt every 15
    minutes is hardly hammering).
    
    Just REJECT the ident packets, and this issue will go away. In this case,
    this has nothing to do with intruders, but has everything to do with servers
    that are trying to pass legitimate traffic.
    
    On Thursday 06 December 2001 15:51, Slighter, Tim wrote:
    > you really should try and specify that the rule "drops" instead of reject
    > so that the potential intruder is not provided with any information about
    > their attempted connection.
    >
    > -----Original Message-----
    > From: Chris Wilkes [mailto:cwilkesat_private]
    > Sent: Thursday, December 06, 2001 1:05 PM
    > To: incidentsat_private
    > Subject: Re: Port 113 requests?
    >
    > It's the SMTP AUTH protocol where a mail server tries to do an
    > authentication check on who is sending it mail.  I've turned this off on
    > my mail server as it really doesn't do any good.  I think some IRC
    > servers use this feature.
    >
    > In my firewall I've set up this rule to handle these requests:
    > 	-p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
    >
    > In short, nothing to be concerned about.
    >
    > Chris
    
    --
    
    Patrick Patterson			Tel: (514) 485-0789
    Chief Security Architect		Fax: (514) 485-4737
    Carillon Information Security Inc.	E-Mail: ppattersonat_private
    -----------------------------------------------------------------------
    		The New Sound of Network Security
    		     http://www.carillonIS.com
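
The difference between the REJECT and drop behaviour discussed in this message can be checked from the connecting side with one connect attempt to port 113: a rejected connection fails at once, a dropped one leaves the client waiting for its timeout. This is an added example, not part of the original message; the name `probe_ident`, the timeout values and the loopback ports used in the demo are assumptions constructed for illustration.

```python
import socket
import time


def probe_ident(host, port=113, timeout=5.0):
    """Connect once to the ident port and classify how the far end answers.

    Returns (verdict, seconds_elapsed):
      "refused"     - an RST or ICMP port-unreachable came back (REJECT rule, or closed port)
      "no-response" - nothing came back before the timeout (packets dropped)
      "unreachable" - some other network error was reported
      "open"        - the connection was accepted (an ident daemon is listening)
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "refused"
    except socket.timeout:
        verdict = "no-response"
    except OSError:
        verdict = "unreachable"
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def demo():
    """Offline demo on loopback with constructed ports (not real port 113)."""
    # A port that was just bound and released: nothing listens, the kernel sends RST.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    # A port with a listener stands in for a host that runs an ident daemon.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    try:
        return {
            "closed": probe_ident("127.0.0.1", closed_port, timeout=2.0),
            "open": probe_ident("127.0.0.1", open_port, timeout=2.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for name, (verdict, secs) in demo().items():
        print(f"{name}: {verdict} after {secs:.3f}s")
```

Run against your own mail host from an outside machine, a "no-response" verdict that takes the full timeout means the firewall is dropping the ident packets.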
    
    
    



    This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 14:26:16 PST