Re: port 113

2002-12-03 Thread martin f krafft
also sprach Anne Carasik [EMAIL PROTECTED] [2002.12.02.1703 +0100]:
 Port 113 is auth/identd.
 
 IMHO, it makes sense to not let these in through your
 firewall.

Yes. You should DROP the Windoze crap (135-139, 445) and REJECT the
ident requests, or else you might have to wait ages to connect to
certain FTP or IRC servers.

-- 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
NOTE: The public PGP keyservers are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc




RE: port 113

2002-12-02 Thread Andy Coates
 Hi All,
 
 Logs in my firewall shows me incoming connections to port 113 of the
 firewall!! What it means?

Some service you or your computer is connecting to is checking your
ident.  Disable the identd daemon or comment out the entry in inetd.conf
if you do it that way.

Usually happens when you IRC, or some FTP sites check.  Don't recall a
vulnerability for it.

Andy.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: port 113

2002-12-02 Thread Emmanuel Lacour
On Mon, Dec 02, 2002 at 10:55:28AM +, jjj3 wrote:
 
 Hi All,
 
 Logs in my firewall shows me incoming connections to port 113 of the
 firewall!! What it means?
 

start here!!

http://groups.google.com/groups?q=port+113&meta=site%3Dgroups

-- 
Easter-eggs                                  GNU/Linux Specialist
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37    -    Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -   http://www.easter-eggs.com






Re: port 113

2002-12-02 Thread jjj3

Ok, but if the port is 137 is that a problem?

jjj3

Andy Coates writes:

  Hi All,
  
  Logs in my firewall shows me incoming connections to port 113 of the
  firewall!! What it means?
 
 Some service you or your computer is connecting to is checking your
 ident.  Disable the identd daemon or comment out the entry in inetd.conf
 if you do it that way.
 
 Usually happens when you IRC, or some FTP sites check.  Don't recall a
 vulnerability for it.
 
 Andy.
 






RE: port 113

2002-12-02 Thread Andy Coates

Netbios related probes I think (windows machines).  If you don't have
any win machines, ignore it.

Easiest place for these sort of queries is google - plenty of people ask
the same type of questions.

Andy.

 Ok, but if the port is 137 is that a problem?
 
 jjj3
 
 Andy Coates writes:
 
   Hi All,
   
   Logs in my firewall shows me incoming connections to port 113 of the
   firewall!! What it means?
  
  Some service you or your computer is connecting to is checking your
  ident.  Disable the identd daemon or comment out the entry in inetd.conf
  if you do it that way.
  
  Usually happens when you IRC, or some FTP sites check.  Don't recall a
  vulnerability for it.
  
  Andy.
  
 






Re: port 113

2002-12-02 Thread Johannes Berth
* jjj3 [EMAIL PROTECTED]:
 Logs in my firewall shows me incoming connections to port 113 of the
 firewall!! What it means?

 You might want to have a look at RFC 1413. Port 113 belongs to the auth
 protocol. Some Mail- and IRC-Servers connect to this port if you use
 their Service.







Re: port 113

2002-12-02 Thread Javier Fernández-Sanguino Peña
On Mon, Dec 02, 2002 at 11:13:28AM -, Andy Coates wrote:
 
 Netbios related probes I think (windows machines).  If you don't have
 any win machines, ignore it.
 
 Easiest place for these sort of queries is google - plenty of people ask
 the same type of questions.
 

Better yet:

www.portsdb.org

Javi





Re: port 113

2002-12-02 Thread Anne Carasik
Ports 135-139 (and I think 445) are Netbios ports.

Port 113 is auth/identd.

IMHO, it makes sense to not let these in through your
firewall.

-Anne

jjj3 grabbed a keyboard and typed...
 
 Ok, but if the port is 137 is that a problem?
 
 jjj3
 
 Andy Coates writes:
 
   Hi All,
   
   Logs in my firewall shows me incoming connections to port 113 of the
   firewall!! What it means?
  
  Some service you or your computer is connecting to is checking your
  ident.  Disable the identd daemon or comment out the entry in inetd.conf
  if you do it that way.
  
  Usually happens when you IRC, or some FTP sites check.  Don't recall a
  vulnerability for it.
  
  Andy.
  
 
 
 

-- 
  .-.__.``.   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -==.',  Center for Advanced Computing Research
~`~~





Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Brandon High

On Sat, Feb 09, 2002 at 09:39:00PM +0100, Johannes Weiss wrote:
 I have a security question:
 On my HTTP(s)/MAIL(SMTP,POP,IMAP)/SSH-Server:
 should I open(accept) or close(deny, perhaps reject?) the port 113???

I've got it closed on my machines. I don't know what you might need it
for.

-B

-- 
Brandon High [EMAIL PROTECTED]
1998 Kawasaki ZX-7R Wasabi, 1998 Kawasaki EX500, 1994 BMW K75s
I started out with nothing & still have most of it left.





Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Will Aoki

On Sat, Feb 09, 2002 at 09:39:00PM +0100, Johannes Weiss wrote:
 
 Hi,
 I have a security question:
 On my HTTP(s)/MAIL(SMTP,POP,IMAP)/SSH-Server:
 should I open(accept) or close(deny, perhaps reject?) the port 113???

Accept if you've chosen to run an ident server; otherwise, reject, but
don't deny. The deny target doesn't send back indication that the traffic
was dropped, so if you send mail to a mailserver that does ident queries,
you'll have to wait for the queries to time out before the mail can go
through.

(The only case where I can see accept on tcp/113 being dangerous if
you're not running an ident server is if you're firewalled against inbound
SYNs to all your other ports that don't have daemons listening and if
someone broke in using a non-identd entry point and left a backdoor
listening on 113. I'm not aware of any standard kiddie-friendly rootkits
in the wild doing this, but a clued attacker might do it.)

-- 
William Aoki [EMAIL PROTECTED]   /\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92  \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B   X
   / \






Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Jakub Jankowski

On 2002-02-09, Brandon High wrote:

[...]
 should I open(accept) or close(deny, perhaps reject?) the port 113???

I've got it closed on my machines. I don't know what you might need it
for.

We've been through at least once, haven't we? *sigh*

Please read the whole thread:
http://lists.debian.org/debian-security/2001/debian-security-200108/msg00297.html

s.

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Life is a bitch,
//\   shasta@IRCnet   [rlu]: 174516  and then you die
V_/_  [EMAIL PROTECTED]   [ekg]: 921514






Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Brandon High

On Sat, Feb 09, 2002 at 10:07:45PM +0100, Jakub Jankowski wrote:
 On 2002-02-09, Brandon High wrote:
 
 [...]
  should I open(accept) or close(deny, perhaps reject?) the port 113???
 
 I've got it closed on my machines. I don't know what you might need it
 for.
 
 We've been through at least once, haven't we? *sigh*

I know what port 113 is for:
schitzo:~[1] grep 113 /etc/services 
auth            113/tcp         authentication tap ident

I just don't know what you might need the ident server for.

-B

-- 
Brandon High [EMAIL PROTECTED]
1998 Kawasaki ZX-7R Wasabi, 1998 Kawasaki EX500, 1994 BMW K75s
Do they ever shut up on your planet?





Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Tim Haynes

Brandon High [EMAIL PROTECTED] writes:

  should I open(accept) or close(deny, perhaps reject?) the port 113???
 
 I've got it closed on my machines. I don't know what you might need it
 for.
 
 We've been through at least once, haven't we? *sigh*

Obligatory link: http://logi.cc/linux/reject_or_deny.php3. 

I say you should close the port with a TCP RST flag unless you know otherwise.

 I know what port 113 is for:
 schitzo:~[1] grep 113 /etc/services 
 auth            113/tcp         authentication tap ident

 I just don't know what you might need the ident server for.

You use it to provide userid details to folks who want to know who's
responsible for a given connection from your machine. Notably this includes
mail, FTP and IRC servers.

~Tim
-- 
http://spodzone.org.uk/
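
What a remote mail, FTP or IRC server's ident lookup sees under each firewall policy discussed above (reject with a TCP RST versus deny/drop), as an added example that is not part of the original thread. `probe_tcp` and the three-second timeout are assumptions chosen for illustration; point it only at a host whose firewall you administer.

```python
import errno
import socket
import time


def probe_tcp(host, port, timeout=3.0):
    """Classify how host:port answers a TCP connect attempt.

    Returns (verdict, seconds_waited) where verdict is:
      'open'     - SYN/ACK came back, something is listening (ACCEPT + daemon)
      'rejected' - RST or ICMP error came back at once
                   (closed port, or iptables -j REJECT --reject-with tcp-reset)
      'dropped'  - nothing came back, the caller sat out the whole timeout
                   (iptables -j DROP, the ipchains DENY target)
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "rejected"
    except socket.timeout:
        verdict = "dropped"
    except OSError as exc:
        # REJECT with an ICMP error surfaces as host/network unreachable.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "rejected"
        else:
            raise
    finally:
        sock.close()
    return verdict, time.monotonic() - start


if __name__ == "__main__":
    # Constructed demo target: the ident port on the local machine.
    verdict, waited = probe_tcp("127.0.0.1", 113)
    print(f"tcp/113 is {verdict} after {waited:.2f}s")
```

A 'dropped' verdict always costs the full timeout, which is the delay a server performing ident queries imposes on your mail or IRC connection.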






Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Jakub Jankowski

On 2002-02-09, Brandon High wrote:

  should I open(accept) or close(deny, perhaps reject?) the port 113???
[...]
I just don't know what you might need the ident server for.

That's why you should read that thread. It was explained there several
times, IIRC.

s.

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Life is a bitch,
//\   shasta@IRCnet   [rlu]: 174516  and then you die
V_/_  [EMAIL PROTECTED]   [ekg]: 921514





