Re: Port 113 security

From: Hal Flynn (flynn@securityfocus.com)
Date: 03/10/03

  • Next message: Gergely Czuczy: "Re: Traffic Shaping."
    Date: Mon, 10 Mar 2003 13:54:34 -0700 (MST)
    From: Hal Flynn <flynn@securityfocus.com>
    To: focus-linux@securityfocus.com
    One recurring theme I've seen within this thread is that running identd
    poses a security threat. However, I haven't seen any real examples of it.
    For the benefit of those that are really interested in the "WHY," I wanted
    to offer you the following information.

    When I was tinkering with identd last winter, I realized it's possible to
    identify most MTAs without performing header analysis if the host is
    running identd. This was accomplished by manually connecting to port 25
    of the host, then in another connection issuing an ident request to the
    system.

    By issuing the request, I was able to determine the following:

    1) Users that had installed qmail, following djb's guidelines to the tee.
       When issuing the request, identd would respond to the request letting
       the issuer know that the user of the email server is qmail.
    2) Users that had installed postfix, following Wietse's guidelines to the
       tee. When issuing the request, identd would respond to the request
       letting the issuer know that the user of the email server is postfix.
    3) The same, of course, applies to sendmail, the user varying by operating
       system.

    Of course, there are much easier ways of getting this information without
    making the noise required to use identd, such as searching mailing list
    posts, or just googling. The point, of course, is that identd will leak
    information about any processes that allow interactive connections from
    remote hosts.

    I thought this was a new issue, but after talking with Lane Davis (some of
    you may recognize him as Merc), he pointed me to a post made several years
    ago by David Goldsmith. Here is a URL to the original post:

    http://www.securityfocus.com/archive/1/4314/1996-02-07/1996-02-13/0

    This can of course be extended to other services run on the system, such
    as POP, HTTP, and the like. So, any of you wondering about the WHY should
    have a little more information that's useful in making an informed
    decision about this particular service.

    Cheers,

    Hal Flynn
    Symantec Corp.

    "....You guys are the Marines' doctors; There's no better in the business
    than a Navy Corpsman...."
      -- Lieutenant General Lewis B. "Chesty" Puller, U.S.M.C.
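
The check Hal describes (hold an SMTP connection open, query identd for the
owner of that connection, see whether a daemon account name comes back) is easy
to turn into a self-audit for hosts you administer. The following is an added
example, not code from the original post: it builds the RFC 1413 query, parses
the `USERID` / `ERROR` response forms, and flags responses that name a known MTA
service account. The account list and the sample responses are constructed for
illustration; the `audit_own_mta` helper is the only part that touches the
network and is not exercised by the sample run.

```python
"""Parse RFC 1413 (ident) responses and flag ones that disclose a service account.

Added example for the identd thread; not code from the original post.
KNOWN_SERVICE_USERS and SAMPLE_RESPONSES are constructed for illustration.
"""
import re
import socket
from typing import Optional

# Accounts that MTAs commonly run their network-facing daemons as (constructed
# list; replace with the accounts actually in use on the host being audited).
KNOWN_SERVICE_USERS = frozenset({"qmaild", "qmail", "postfix", "smmsp", "mail", "daemon"})

# RFC 1413 query: "<port-on-server>, <port-on-client>" CRLF.  The "server" is the
# host running identd, so for an MTA audit server_port is 25 and client_port is
# the ephemeral port of our own SMTP connection to it.
def build_ident_query(server_port: int, client_port: int) -> bytes:
    for port in (server_port, client_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return f"{server_port}, {client_port}\r\n".encode("ascii")

# Response forms from RFC 1413:
#   <ports> : USERID : <opsys>[,<charset>] : <user-id>
#   <ports> : ERROR : <error-type>          (e.g. NO-USER, HIDDEN-USER)
_RESPONSE_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$"
)

def parse_ident_response(line: str) -> Optional[dict]:
    """Return a dict describing the response, or None if it is not valid ident syntax."""
    match = _RESPONSE_RE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    server_port, client_port, kind, rest = match.groups()
    result = {"server_port": int(server_port), "client_port": int(client_port), "kind": kind}
    if kind == "ERROR":
        result["error"] = rest.strip()
        return result
    # The user-id may itself contain ':' so split only on the first colon.
    opsys, sep, user = rest.partition(":")
    if not sep:
        return None
    result["opsys"] = opsys.strip()
    result["user"] = user.strip()
    return result

def leaks_service_account(line: str, known=KNOWN_SERVICE_USERS) -> bool:
    """True when the response discloses a daemon account name for the connection."""
    parsed = parse_ident_response(line)
    return bool(parsed and parsed["kind"] == "USERID" and parsed["user"] in known)

def audit_own_mta(host: str, mta_port: int = 25, ident_port: int = 113,
                  timeout: float = 5.0) -> Optional[dict]:
    """Repeat the check from the post against a host you run: open an SMTP
    connection, then ask that host's identd who owns it."""
    with socket.create_connection((host, mta_port), timeout=timeout) as smtp:
        local_port = smtp.getsockname()[1]
        with socket.create_connection((host, ident_port), timeout=timeout) as ident:
            ident.sendall(build_ident_query(mta_port, local_port))
            buf = b""
            while b"\n" not in buf and len(buf) < 1024:
                chunk = ident.recv(512)
                if not chunk:
                    break
                buf += chunk
    return parse_ident_response(buf.decode("ascii", "replace"))

# Constructed responses: a disclosing identd, a hardened one, and an ordinary user.
SAMPLE_RESPONSES = [
    "25 , 51234 : USERID : UNIX : qmaild\r\n",
    "25 , 51234 : ERROR : HIDDEN-USER\r\n",
    "25 , 51234 : USERID : UNIX : alice\r\n",
]

if __name__ == "__main__":
    for response in SAMPLE_RESPONSES:
        print(f"{response.strip()!r:48} leak={leaks_service_account(response)}")
```

A response of `ERROR : HIDDEN-USER` (or no identd at all) is what the audit
should see on a host that does not want to advertise which account its MTA,
POP or HTTP daemon runs as.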
