Security Incidents mailing list archives
Re: Port 113 requests?
From: "Crist J . Clark" <cristjc () earthlink net>
Date: Thu, 6 Dec 2001 16:24:59 -0800
On Thu, Dec 06, 2001 at 01:51:33PM -0700, Slighter, Tim wrote:
you really should try and specify that the rule "drops" instead of reject so that the potential intruder is not provided with any information about their attempted connection.
It's a trade. If you drop the auth attempts silently, you usually then have to wait for the attempts to time out before whatever you did to prompt the auth attempt can proceed. If you send a RST or ICMP-unreachable, you don't have to wait for the time out. In this case, it's someone's mail server getting the auth connection attempt. Everyone knows where everybody else's mail servers are (receiving hubs have MX records, senders are in the mail headers). Sending RSTs on port 113 is just telling the world that you don't want their auth requests; you are not really giving anything away to an intruder.
-----Original Message-----
From: Chris Wilkes [mailto:cwilkes () ladro com]
Sent: Thursday, December 06, 2001 1:05 PM
To: incidents () securityfocus com
Subject: Re: Port 113 requests?

On Thu, Dec 06, 2001 at 01:51:57PM -0500, Michael Ward wrote:
I have been receiving the following entries at my firewall since noon US Eastern Time (-5:00) on 12/4/01. They have been coming every 15 minutes since then. I notified the owner of the IPs and he hasn't responded yet.

12/04/2001 11:59:30.336 - TCP connection dropped - Source:mail.domain-i-edited.com, 40454, WAN - Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

It's the SMTP AUTH protocol where a mail server tries to do an authentication check on who is sending it mail. I've turned this off on my mail server as it really doesn't do any good. I think some IRC servers use this feature.

In my firewall I've set up this rule to handle these requests:

-p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

In short, nothing to be concerned about.

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org
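The trade-off described in the message above, seen from the side of the host making the port 113 connection, as an added example that is not part of the original post: a Python probe that reports how the far-end filter answered and how long the caller had to wait. The function names, the 3-second timeout and the loopback test target are assumptions made for illustration.

```python
import errno
import socket
import time


def probe_ident(host, port=113, timeout=3.0):
    """Open a TCP connection as an ident (port 113) lookup would, and return
    (outcome, seconds_waited) so the cost of each filter policy is visible."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = "open"          # a service answered on the port
    except ConnectionRefusedError:
        outcome = "rejected"      # active refusal (e.g. a RST): fails at once
    except socket.timeout:
        outcome = "dropped"       # no reply at all: caller waited out the timer
    except OSError as exc:
        if exc.errno not in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            raise
        outcome = "unreachable"   # ICMP host/net unreachable came back
    finally:
        sock.close()
    return outcome, time.monotonic() - start


def closed_local_port():
    """Constructed test target: a loopback port with no listener, which the
    local stack refuses immediately, standing in for a REJECT-style answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    outcome, waited = probe_ident("127.0.0.1", closed_local_port())
    print(f"{outcome} after {waited:.3f}s")
```

Against a filter that silently drops, the same call returns "dropped" only after the full timeout has elapsed, which is the delay the message refers to.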