> Currently I block port 113 (ident) on the firewall. I block everything and
> pick and choose what to let in. Never got around to letting this in :)
> Anyway, I have about 6-7 in.identd processes running all the time from
> failed ident attempts. Nothing big really. System is working great. Logs get
> filled a little much with DENY messages.
If you don't want to allow others to contact your IDENT port, then kill any
in.identd processes (they're not needed) and block the inbound accesses with
REJECT instead of DENY/DROP. If a remote server does an IDENT check (say a
remote Sendmail server) then you want it to get a 'connection failed' notice
right away, otherwise it will wait until the timeout occurs, and this ties
down their system and slows down your ability to get the mail out the door.

> So does everyone generally let these thru? Any exploits? Is there a way to
> get rid of those in.identd processes if I leave it blocked?

Any way to get rid of them? Sure - kill them and turn them off in your
/etc/rcX.d directories. (chkconfig on Red Hat, etc.) Or just kill them and
uninstall identd entirely.

--
Brian Hatch                        There you have the
Systems and                        source of your
Security Engineer                  popularity --
http://www.ifokr.org/bri/          your absence.

Every message PGP signed
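To see the difference Brian describes from the remote mail server's side, here is an added example (not code from the thread or from any of the tools named in it): a minimal RFC 1413 ident client timed against two loopback stand-ins, a closed port whose RST behaves like a REJECT, and a listener that never answers, which stalls the client for its full timeout the way a DROP/DENY does. It assumes Python 3 and a working loopback interface; no real firewall or identd is touched.

```python
import socket
import time


def ident_query(host, port, server_port, client_port, timeout=2.0):
    """Minimal RFC 1413 client. Sends "<server-port> , <client-port>" and
    returns (status, elapsed_seconds). status is the raw reply line, or
    'refused' (a TCP RST, what REJECT produces) or 'timeout' (no answer at
    all, what DROP/DENY produces)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            reply = s.recv(512).decode("ascii", errors="replace").strip()
            return (reply or "empty"), time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start


def _closed_loopback_port():
    # Constructed stand-in for REJECT: grab a free loopback port and release
    # it, so nothing listens there and the kernel answers the SYN with a RST.
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def demo(timeout=0.5):
    """Compare what a remote MTA's ident check experiences against a
    REJECT-style refusal versus a DROP-style silence.
    Assumption: loopback stand-ins only; no firewall or identd involved."""
    refused = ident_query("127.0.0.1", _closed_loopback_port(), 25, 40000, timeout)
    # Constructed stand-in for DROP: a listener that never accept()s completes
    # the TCP handshake but never replies. A real DROP stalls at connect()
    # rather than at recv(), but the client waits its whole timeout either way.
    with socket.socket() as silent:
        silent.bind(("127.0.0.1", 0))
        silent.listen(1)
        stalled = ident_query("127.0.0.1", silent.getsockname()[1], 25, 40000, timeout)
    return refused, stalled


if __name__ == "__main__":
    for label, (status, secs) in zip(("REJECT-like", "DROP-like"), demo()):
        print(f"{label:12s} {status:8s} {secs:.3f}s")
```

Multiply the stalled figure by the number of ident-checking MTAs that deliver to you and by their (usually much longer) ident timeouts to see why Brian recommends REJECT over DENY.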