Re: Port 113 requests?

From: Paul Cardon (@moquijo.com)
Date: 12/07/01


Date: Thu, 06 Dec 2001 23:25:28 -0500
From: Paul Cardon <"paul{no spam}"@moquijo.com>
To: "Slighter, Tim" <tslighter@itc.nrcs.usda.gov>

Slighter, Tim wrote:

> you really should try and specify that the rule "drops" instead of reject so
> that the potential intruder is not provided with any information about their
> attempted connection.

tcp 113 (auth) is a common exception because of performance issues with
legitimate traffic. Suppose you have a mail relay that sends out a
large volume of SMTP e-mail on behalf of users in your organization. If
you drop all of the auth requests coming back to your mail relay from
servers to which you are delivering outbound mail, each of those
connections must wait for the auth attempt to time out before the mail
can be delivered. If you send a reject, the auth fails immediately and
the SMTP connection will complete in a timely fashion.

True, it is a workaround for what is in my opinion a completely useless
protocol. The right fix is to go and rebuild all those versions of
sendmail that have it enabled by default. Unfortunately, if you don't
use a reject policy and you do send large volumes of outbound e-mail you
may find that the mail relay is taking a significant performance hit.

-paul

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
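
An added example, not part of the original post or the list's tooling: a small probe for checking how the firewall in front of a relay you operate answers tcp 113, which is the difference the reply above describes. The function names and the 5-second timeout are assumptions made for this sketch.

```python
import socket
import sys
import time


def classify_ident_policy(host, port=113, timeout=5.0):
    """Make one TCP connect to host:port; return (verdict, seconds elapsed).

    verdict is "reject" (refused at once), "drop" (no answer before the
    timeout), "open" (something accepted the connection) or "unreachable".
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            verdict = "open"
    except ConnectionRefusedError:
        verdict = "reject"       # refusal came back: the caller fails fast
    except (socket.timeout, TimeoutError):
        verdict = "drop"         # silence: the caller waits out its own timer
    except OSError:
        verdict = "unreachable"  # routing or name problem, not a policy answer
    return verdict, time.monotonic() - start


def report(host, port=113, timeout=5.0):
    """One-line summary of what a remote server's auth lookup would see."""
    verdict, secs = classify_ident_policy(host, port, timeout)
    notes = {
        "reject": "auth lookups fail immediately",
        "drop": "auth lookups stall until the remote side gives up",
        "open": "a service is answering on this port",
        "unreachable": "could not test, check the address or route",
    }
    return f"{host}:{port} {verdict} after {secs:.2f}s ({notes[verdict]})"


if __name__ == "__main__":
    # Default target is loopback; pass the address of a relay you operate.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target))
```

Run it from a host outside the firewall, since a probe from the relay itself does not cross the filtering rules.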


