[Dshield] ...so much hurt trough hacking one day...

Bruce Lilly blilly at erols.com
Tue Nov 26 19:48:41 GMT 2002

> From: Johannes Ullrich <jullrich at euclidian.com>
> Date: Tue, 26 Nov 2002 09:37:17 -0500

> port 113 is used by the 'ident' daemon. Harmless if it is a
> mail server or irc server you connect to.

> From: "Bjørn Ruberg" <bjorn at ruberg.no>
> Date: Tue, 26 Nov 2002 16:08:02 +0100 (CET)

> Port 113 is ident requests, and you should either allow them (not
> dangerous) or reject them. Dropping them leads to several internet based
> services either waiting a long time for a response (e.g. FTP) or right out
> denying access (e.g. IRC).

Port 113 connects are not necessarily harmless and can be quite
dangerous in a number of ways:
1. There are known exploits against some ident (a.k.a. auth) servers.
    Search CERT for port 113, ident, auth
2. The ident protocol may reveal information which you would prefer
    not to disclose to nosy individuals. It can return information
    about the type and version of OS on your computer, id of logged in
    users, etc., all of which is invaluable to hackers.

Here, port 113 connection attempts are dropped and logged, and the logs
submitted to Dshield.  Ftp and smtp work fine and I don't use IRC.
Nobody needs to know what OS is in use here or who is logged in at
any given time.
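
The disclosure described in point 2 can be seen in the RFC 1413 reply format itself. The following is an added example, not part of the original post: it parses ident replies to show which fields reveal host details, and builds a reply that answers a query without revealing them. The function names and sample lines are constructed for illustration, and returning nothing for an unparsable query is an assumption.

```python
import re

# RFC 1413 query: "<port-on-server> , <port-on-client>"
PORT_PAIR = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_reply(line):
    """Parse one ident reply and list the fields that disclose host details."""
    parts = line.rstrip("\r\n").split(":", 3)  # user-id may itself contain ':'
    if len(parts) < 3 or not PORT_PAIR.match(parts[0]):
        raise ValueError("malformed ident reply")
    kind = parts[1].strip()
    if kind == "ERROR":
        return {"kind": "ERROR", "error": parts[2].strip(), "discloses": []}
    if kind != "USERID" or len(parts) != 4:
        raise ValueError("unknown reply type")
    # The opsys field is "<opsys>" or "<opsys> , <charset>".
    opsys = parts[2].split(",")[0].strip()
    # RFC 1413 counts everything after the colon as user-id; the leading
    # blank is stripped here as a simplification for comparison.
    user = parts[3].strip()
    discloses = ["user-id"]
    if opsys != "OTHER":  # the token "OTHER" names no operating system
        discloses.insert(0, "opsys")
    return {"kind": "USERID", "opsys": opsys, "user": user, "discloses": discloses}


def non_disclosing_reply(query):
    """Answer a query with an RFC 1413 error instead of opsys and user-id.

    Returns None for an unparsable query (assumption: the caller just closes)."""
    m = PORT_PAIR.match(query.rstrip("\r\n"))
    if not m:
        return None
    server_port, client_port = int(m.group(1)), int(m.group(2))
    in_range = 1 <= server_port <= 65535 and 1 <= client_port <= 65535
    error = "HIDDEN-USER" if in_range else "INVALID-PORT"
    return f"{server_port} , {client_port} : ERROR : {error}\r\n"


if __name__ == "__main__":
    # Constructed sample replies in the RFC 1413 reply format.
    for sample in ("6193, 23 : USERID : UNIX : alice\r\n",
                   "6195, 23 : ERROR : NO-USER\r\n"):
        print(parse_reply(sample))
    print(repr(non_disclosing_reply("6193, 23\r\n")))
```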

