Re: Port 113 requests?

From: Ryan Russell
Date: 12/06/01

Date: Thu, 6 Dec 2001 13:31:31 -0700 (MST)
From: Ryan Russell
To: Michael Ward

On Thu, 6 Dec 2001, Michael Ward wrote:

> 12/04/2001 11:59:30.336 - TCP connection dropped -
>, 40454, WAN -
> Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

That's ident, pretty standard stuff. It's a protocol designed to allow
the server machine to query the client for what username and uid is
connecting to it. It's intended to be a weak authentication scheme,
though it's basically useless, since it's info supplied by the client.
Many mail servers will attempt to connect to your ident port when you try
to deliver mail to them. Presumably, if the server is able to connect and
get the ident info, it will put the info into the logs. The connections
are generally harmless, you can block them or allow them as you wish.
There have been one or two ident exploits over the years, so exercise the
usual caution before allowing.

One thing you may notice when trying to deliver mail to a host that is
checking for ident; if you silently drop the packets (i.e. no RST) then
you may experience delayed or dropped connections. Most mail servers that
want an ident connection will refuse to proceed with the rest of the SMTP
conversation until the ident attempt has succeeded or failed. So, if your
mail server sends either a RST or a SYN-ACK and finishes the conversation,
then the SMTP portion can proceed. If you silently drop the ident
attempt, then the mail server will have to wait until the TCP timeout is
up, and it will keep sending SYN packets in the meantime. This can be in
the neighborhood of 1-10 minutes.

So, what I used to do was allow the ident port, but not run an identd, so
when the packet hit, a RST would be sent, and the SMTP would proceed.


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

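The exchange described in the reply above (the mail server asking the sending host's port 113 "which user owns this connection", and the fast RST versus slow-timeout behaviour) as an added example. This is not code from the thread or from any identd; it is an RFC 1413 request parser, a responder that answers from a constructed connection table, the reply parser a mail server would use before logging the result, and a query helper whose exception handling shows why a refused connection lets SMTP continue immediately while a dropped one waits for the timeout. The username "mward" and the connection table are constructed; the ports 40454 and 25 come from the quoted firewall log.

```python
"""RFC 1413 (ident) request and response handling.

Constructed example: the connection table and usernames are made up; the
port numbers 40454 and 25 match the firewall log quoted in the thread.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Request: "<port-on-server> , <port-on-client>" + CRLF. "Server" is the
# host being asked (the one whose port 113 was hit, i.e. the mail *client*
# in SMTP terms); "client" is the host asking (the mail server). For an
# SMTP session from source port 40454 to port 25, the mail server sends
# "40454 , 25".
_REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
_RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)
MAX_LINE = 1000  # RFC 1413 caps a request line at 1000 characters


def parse_request(line: str) -> tuple[int, int]:
    """Return (port_on_server, port_on_client); raise ValueError if malformed."""
    if len(line) > MAX_LINE:
        raise ValueError("request too long")
    m = _REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a <port> , <port> request")
    ports = int(m.group(1)), int(m.group(2))
    if not all(1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return ports


def build_response(line: str, connections: dict[tuple[int, int], str],
                   opsys: str = "UNIX", hide_users: bool = False) -> str:
    """Answer one ident request as a responder on the queried host would.

    `connections` maps (local_port, remote_port) on this host to the owning
    username (constructed here; a real identd reads the kernel's socket
    table). hide_users=True answers HIDDEN-USER instead of leaking a name,
    the usual hardening if you choose to answer at all.
    """
    try:
        server_port, client_port = parse_request(line)
    except ValueError:
        # RFC 1413 gives no way to echo ports that could not be parsed;
        # "0 , 0" is a placeholder chosen for this example.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    user = connections.get((server_port, client_port))
    if user is None:
        return f"{server_port} , {client_port} : ERROR : NO-USER\r\n"
    if hide_users:
        return f"{server_port} , {client_port} : ERROR : HIDDEN-USER\r\n"
    return f"{server_port} , {client_port} : USERID : {opsys} : {user}\r\n"


@dataclass
class IdentReply:
    port_on_server: int
    port_on_client: int
    userid: Optional[str]  # set for USERID replies
    error: Optional[str]   # set for ERROR replies (NO-USER, HIDDEN-USER, ...)


def parse_response(line: str) -> IdentReply:
    """Parse a reply the way a mail server would before writing it to its log."""
    m = _RESPONSE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed ident response")
    sp, cp, kind, info = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if kind == "ERROR":
        return IdentReply(sp, cp, None, info)
    # USERID add-info is "<opsys>[,<charset>] : <user-id>"; keep only user-id.
    _, _, userid = info.partition(":")
    return IdentReply(sp, cp, userid.strip(), None)


def query_ident(peer_ip: str, peer_port: int, local_port: int,
                timeout: float = 5.0) -> Optional[str]:
    """What an ident-checking mail server does before continuing with SMTP.

    A RST (port 113 allowed through, no identd listening) raises
    ConnectionRefusedError at once and SMTP proceeds. A silently dropped
    SYN only fails when `timeout` expires: that is the delay the thread
    describes, so keep this bound short.
    """
    try:
        with socket.create_connection((peer_ip, 113), timeout=timeout) as s:
            s.sendall(f"{peer_port} , {local_port}\r\n".encode("ascii"))
            data = s.recv(MAX_LINE).decode("ascii", "replace")
        return parse_response(data).userid
    except ConnectionRefusedError:
        return None  # fast path: RST received, log "unknown" and move on
    except (socket.timeout, OSError, ValueError):
        return None  # slow path (packets dropped) or an unparseable reply


if __name__ == "__main__":
    table = {(40454, 25): "mward"}  # constructed connection table
    req = "40454 , 25\r\n"
    print(build_response(req, table).strip())
    print(parse_response(build_response(req, table)).userid)
    print(build_response(req, table, hide_users=True).strip())
```

The responder treats anything it cannot parse as INVALID-PORT rather than echoing it back, and the query helper folds every failure into "no ident available" so delivery never depends on the answer; the only thing the firewall choice changes is how long that failure takes to surface.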