> Can anyone explain to me whether any attack exists that uses port 113/tcp?
>
> I have seen some denied packets in my logs, incoming from
> various IP addresses.

113 is the auth ("ident") port.  People can use this
information to determine what user id daemons are
running as.  The idea is that it's much more enticing
to get a daemon running as root to send back a shell
than a daemon running as nobody.

It can also be used to determine what user is trying
to make a connection to a server for logging purposes.
This is popular for POP and FTP servers so the
originating username can be logged.

That being said, port 113 is useless and should be
blocked.  Better yet, don't even run the daemon at
all.  Back in the day the auth port was good because
the Net was open and people were honest.  Now, if
the auth port is even open, the data is to be
untrusted.  You can configure identd to return bogus
information, incomplete information, or even no
information.  And this is just using identd.  This
doesn't even cover funny stuff like writing your
own daemon to answer queries or using netcat to
spit out garbage.


~Patrick
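
One way to check whether denied 113/tcp packets like those in the question are ident lookups from servers the host had just connected to (the logging use described in the reply). This is an added example, not part of the original thread; the log format, the addresses and the 30-second window are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed firewall log lines (hypothetical format):
#   <ISO time> <ALLOW|DENY> tcp <src>:<port> -> <dst>:<port>
SAMPLE_LOG = """\
2024-05-01T10:00:00 ALLOW tcp 192.0.2.10:40001 -> 198.51.100.5:21
2024-05-01T10:00:01 DENY tcp 198.51.100.5:51515 -> 192.0.2.10:113
2024-05-01T10:05:00 ALLOW tcp 192.0.2.10:40002 -> 203.0.113.7:110
2024-05-01T10:05:02 DENY tcp 203.0.113.7:38211 -> 192.0.2.10:113
2024-05-01T11:30:00 DENY tcp 203.0.113.99:4444 -> 192.0.2.10:113
2024-05-01T12:00:00 DENY tcp 198.51.100.5:51600 -> 192.0.2.10:113
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) tcp ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def classify_ident_denies(log_text, window_seconds=30):
    """Return (timestamp, source_ip, verdict) for each denied packet to 113/tcp.

    verdict is "ident-callback" when a connection to that same address was
    allowed within the window before the deny, otherwise "unsolicited".
    """
    window = timedelta(seconds=window_seconds)
    last_allowed_to = {}  # destination IP -> time of most recent allowed connection
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        action, src, dst, dport = m.group(2), m.group(3), m.group(5), int(m.group(6))
        if action == "ALLOW" and dport != 113:
            last_allowed_to[dst] = ts
        elif action == "DENY" and dport == 113:
            seen = last_allowed_to.get(src)
            solicited = seen is not None and timedelta(0) <= ts - seen <= window
            verdict = "ident-callback" if solicited else "unsolicited"
            results.append((m.group(1), src, verdict))
    return results


if __name__ == "__main__":
    for ts, src, verdict in classify_ident_denies(SAMPLE_LOG):
        print(ts, src, verdict)
```

Denies that follow one of your own FTP, POP or mail connections are the remote server asking for a username; the ones with no matching outbound connection are the entries worth a closer look.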
