On Sat, Feb 09, 2002 at 09:39:00PM +0100, Johannes Weiss wrote:
>
> Hi,
> I have a security question:
> On my HTTP(s)/MAIL(SMTP,POP,IMAP)/SSH-Server:
> should I open(accept) or close(deny, perhaps reject?) the port 113???

Accept if you've chosen to run an ident server; otherwise, reject, but don't deny. The deny target doesn't send back indication that the traffic was dropped, so if you send mail to a mailserver that does ident queries, you'll have to wait for the queries to time out before the mail can go through.

(The only case where I can see accept on tcp/113 being dangerous if you're not running an ident server is if you're firewalled against inbound SYNs to all your other ports that don't have daemons listening and if someone broke in using a non-identd entry point and left a backdoor listening on 113. I'm not aware of any standard kiddie-friendly rootkits in the wild doing this, but a clued attacker might do it.)

-- 
William Aoki     [EMAIL PROTECTED]       /"\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92            \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B             X
                                         / \
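
An added example, not part of the original message: a small Python check of how a port answers a TCP connect, which is the difference the reply describes between reject (the caller is refused at once) and deny (the caller waits out a timeout). The names `probe` and `local_demo` and the loopback ports are constructed for illustration.

```python
import socket
import time

IDENT_PORT = 113  # tcp/113, the ident port discussed in the thread


def probe(host, port=IDENT_PORT, timeout=5.0):
    """Return (verdict, seconds) for one TCP connect attempt.

    accepted: handshake completed, something is listening
    rejected: refused at once (RST, or an ICMP error the OS reports as refused)
    dropped:  no answer; the caller sat through the whole timeout
    error:    any other local failure, e.g. no route from this host
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "accepted"
    except ConnectionRefusedError:
        verdict = "rejected"
    except socket.timeout:
        verdict = "dropped"
    except OSError:
        verdict = "error"
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def local_demo():
    """Constructed loopback demo: one listening port and one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so the kernel answers with RST
    results = {
        "listening": probe("127.0.0.1", listener.getsockname()[1], 2.0),
        "closed": probe("127.0.0.1", closed_port, 2.0),
    }
    listener.close()
    return results


if __name__ == "__main__":
    for name, (verdict, secs) in local_demo().items():
        print(f"{name:10s} {verdict:9s} {secs:.3f}s")
```

Run `probe()` from an outside host against your own server's tcp/113: a "dropped" verdict with an elapsed time near the timeout is the delay a remote mail server's ident query would see.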