RE: Port 113 requests?

From: Slighter, Tim (tslighter@itc.nrcs.usda.gov)
Date: 12/06/01


From: "Slighter, Tim" <tslighter@itc.nrcs.usda.gov>
To: incidents@securityfocus.com
Date: Thu, 6 Dec 2001 13:51:33 -0700 

you really should try and specify that the rule "drops" instead of reject so
that the potential intruder is not provided with any information about their
attempted connection.

-----Original Message-----
From: Chris Wilkes [mailto:cwilkes@ladro.com]
Sent: Thursday, December 06, 2001 1:05 PM
To: incidents@securityfocus.com
Subject: Re: Port 113 requests?

On Thu, Dec 06, 2001 at 01:51:57PM -0500, Michael Ward wrote:
> I have been receiving the following entries at my firewall for since
> noon US Eastern Time (-5:00) on 12/4/01.
>
> They have been coming every 15 minutes since then. I notified the owner
> of the IP's and he hasn't responded yet.
>
> 12/04/2001 11:59:30.336 - TCP connection dropped -
> Source:mail.domain-i-edited.com, 40454, WAN -
> Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

Its the SMTP AUTH protocol where a mail server tries to do an
authenication check on who is sending it mail. I've turned this off on
my mail server as it really doesn't do any good. I think some IRC
servers use this feature.

In my firewall I've setup this rule to handle these requests:
        -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

In short, nothing to be concerned about.

Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • RE: A small quandary
    ... This list is provided by the SecurityFocus ARIS analyzer service. ... and tracking system please see: http://aris.securityfocus.com ... For more information on this free incident handling, management ...
    (Incidents)
  • RE: Anyone seen this before?
    ... The answer to this is, in task manager, you can right click on any app ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: fbi.gov weirdness?
    ... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: Code Red - A Possible Origin?
    ... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: Code Red - A Possible Origin?
    ... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)