Re: Port questionJun 25 2009 12:08AM Marco Shaw (marco shaw gmail com)
RE: Port questionJun 24 2009 10:57PM David Gillett (gillettdavid fhda edu) (1 replies)
Closing port 113 is a good trade-off between security and
performance.
For historical reasons, generally when a client connects to
an email server via POP to download their email, the server
attempts to connect back to them on port 113. I believe this
service was intended for the case where the user is one of
several sharing a multi-user machine, but I'm not certain about
that.
The thing is that >98% of modern client machines will ignore
this connection attempt. The email server will wait for anywhere
between 30 seconds and 5 minutes for an answer, and then will
continue the download session and deliver the requested email.
ShieldsUp is complaining because it got an RST ("reset") packet
back from that port; the firewall, instead of silently dropping
the SYN packet for that port, has explicitly rejected the
connection. The bad side of this is that the firewall has, by
doing this, revealed its presence; the good side is that the
email server will stop waiting at that point and so the user's
email will download promptly instead of waiting for that connection
to time out first.
This configuration is sufficiently common that I would not take
that "failed" score seriously.
David Gillett
> -----Original Message-----
> From: Ken Pryor [mailto:kdpryor (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, June 24, 2009 8:39 AM
> To: security-basics (at) securityfocus (dot) com [email concealed]
> Subject: Port question
>
> Hello all, I just joined the list and this is my first post
> to it. I am a networking noob and am not sure if this is
> something I should worry about or not. I just set up a
> Smoothwall Express firewall and later ran a Shields Up scan
> at grc. com It showed all ports as stealth except one, port
> 113, which it showed as closed. Shields Up gave my system a
> "failed" score based on that one port showing as closed. My
> question is, is this anything I need to worry about and, if
> so, how might I fix it?
> Thanks to all who offer their knowledge and help to those of
> us just getting started.
> Ken Pryor
>
> --------------------------------------------------------------
> ----------
> Securing Apache Web Server with thawte Digital Certificate In
> this guide we examine the importance of Apache-SSL and who
> needs an SSL certificate. We look at how SSL works, how it
> benefits your company and how your customers can tell if a
> site is secure. You will find out how to test, purchase,
> install and use a thawte Digital Certificate on your Apache
> web server. Throughout, best practices for set-up are
> highlighted to help you ensure efficient ongoing management
> of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;
> e13b6be442f727d1
> --------------------------------------------------------------
> ----------
>
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
performance.
For historical reasons, generally when a client connects to
an email server via POP to download their email, the server
attempts to connect back to them on port 113. I believe this
service was intended for the case where the user is one of
several sharing a multi-user machine, but I'm not certain about
that.
The thing is that >98% of modern client machines will ignore
this connection attempt. The email server will wait for anywhere
between 30 seconds and 5 minutes for an answer, and then will
continue the download session and deliver the requested email.
ShieldsUp is complaining because it got an RST ("reset") packet
back from that port; the firewall, instead of silently dropping
the SYN packet for that port, has explicitly rejected the
connection. The bad side of this is that the firewall has, by
doing this, revealed its presence; the good side is that the
email server will stop waiting at that point and so the user's
email will download promptly instead of waiting for that connection
to time out first.
This configuration is sufficiently common that I would not take
that "failed" score seriously.
David Gillett
> -----Original Message-----
> From: Ken Pryor [mailto:kdpryor (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, June 24, 2009 8:39 AM
> To: security-basics (at) securityfocus (dot) com [email concealed]
> Subject: Port question
>
> Hello all, I just joined the list and this is my first post
> to it. I am a networking noob and am not sure if this is
> something I should worry about or not. I just set up a
> Smoothwall Express firewall and later ran a Shields Up scan
> at grc. com It showed all ports as stealth except one, port
> 113, which it showed as closed. Shields Up gave my system a
> "failed" score based on that one port showing as closed. My
> question is, is this anything I need to worry about and, if
> so, how might I fix it?
> Thanks to all who offer their knowledge and help to those of
> us just getting started.
> Ken Pryor
>
> --------------------------------------------------------------
> ----------
> Securing Apache Web Server with thawte Digital Certificate In
> this guide we examine the importance of Apache-SSL and who
> needs an SSL certificate. We look at how SSL works, how it
> benefits your company and how your customers can tell if a
> site is secure. You will find out how to test, purchase,
> install and use a thawte Digital Certificate on your Apache
> web server. Throughout, best practices for set-up are
> highlighted to help you ensure efficient ongoing management
> of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;
> e13b6be442f727d1
> --------------------------------------------------------------
> ----------
>
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]