113 danger ???

gabsik · 07-19-2006, 04:09 AM

Somewhere i found packets generated by 113 identd are of some danger.Can someone point me details about this also because i often get this in my logs:

Code:

Jul 19 10:20:08 argo NOPASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=x.x.x.x DST=192.168.0.2 LEN=71 TOS=00 PREC=0x00 TTL=49 ID=51326 CE DF PROTO=TCP SPT=113 DPT=35345 SEQ=4220458516 ACK=281092887 WINDOW=5840 ACK PSH URGP=0
Jul 19 10:20:08 argo NOPASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=x.x.x.x DST=192.168.0.2 LEN=40 TOS=00 PREC=0x00 TTL=49 ID=51328 CE DF PROTO=TCP SPT=113 DPT=35345 SEQ=4220458547 ACK=281092887 WINDOW=5840 ACK FIN URGP=0
Jul 19 10:20:11 argo NOPASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=x.x.x.x DST=192.168.0.2 LEN=71 TOS=00 PREC=0x00 TTL=49 ID=51330 CE DF PROTO=TCP SPT=113 DPT=35345 SEQ=4220458516 ACK=281092887 WINDOW=5840 ACK PSH FIN URGP=0

Thanks !!!!

unSpawn · 07-20-2006, 06:09 AM

Somewhere i found packets generated by 113 identd are of some danger.
Where's that?

Identd could be used to disclose information about users on the system and old distribution releases contained an identd that could be compromised or DoSsed (check CVE/NVD vulnerability databases). Generally the service is considered deprecated and AFAIK is only used by MTA's and for IRC. If TCP/113 is needed for MTA then AFAIK a --reject-with tcp-reset rule could speed up auth. Else there are identd that are hardened and only hand out fake information. See your distributions repo's, SecurityFocus, Linuxsecurity or Freshmeat or Sourceforge.