port 113

pangfai · 06-04-2002, 09:16 PM

I found from my firewall monitor, our linux server keeps using port 113 to connect to a few external IP addresses. This did not happened before.

Based on my firewall information, it is my server which directly contact those external IP instead of coming in (our firewall blocks incoming signals from port 113).

Does anyone know what can I do about it ?

MartBrooks · 06-05-2002, 02:36 AM

If you take a look at /etc/services you'll see that port 113 is used by ident. Unless you need it, disable it.

Regards

pangfai · 06-05-2002, 02:59 AM

We are currently running Apache, Sendmail and POP3 service in the Linux server. Is port 113 useful ?

I used the firewall to blocked all outgoing signals from port 113, it appears the server need this port to send something back to our e-mail users (but I don't know it is used in POP3 or SMTP).

No matter what, blocking this port seems not affecting our e-mails at this moment.

Noerr · 06-05-2002, 04:33 AM

i think it mostly used for ftp and pop3 so you'll probably have to keep it

TruckStuff · 06-05-2002, 08:46 AM

Try rejecting instead of dropping. There is still a time lag when users try to log in, but it isn't nearly as bad with a REJECT rather than a DROP.

pangfai · 06-05-2002, 10:12 PM

when I issue command : netstat , I found the Linux server is using port 4256, 4257, 4258.... instead of Port 113, POP3 and SMTP. And the destination IPs are in line with the outgoing addresses captured by our firewall from Port 113 of the Linux.

I feel uncomfortable and wonder my server has been trojan. Any software allows me to watch what is the data passing through these port ?

neo77777 · 06-06-2002, 12:34 AM

man tcpdump
the expression allows you to specify port

Noerr · 06-06-2002, 05:53 AM

go rather for sniffit progie; really nice and adjustable