Re: Port questionJun 25 2009 12:08AM Marco Shaw (marco shaw gmail com)
RE: Port questionJun 24 2009 10:57PM David Gillett (gillettdavid fhda edu) (1 replies)
Re: Port questionJun 25 2009 03:33PM Patrick J Kobly (patrick kobly com)
The protocol that is typically listening on 113 is identd. It is
defined in RFC1413
http://tools.ietf.org/html/rfc1413
It allows a particular node to assert the local username of the user
that owns a particular connection. While this may have been moderately
useful some time ago, it is of dubious (or no) value now.
I haven't seen POP servers use ident in a while, but regularly see IRC
servers do so - and in that case the problem is exactly as David describes.
PK
David Gillett wrote:
> Closing port 113 is a good trade-off between security and
> performance.
>
> For historical reasons, generally when a client connects to
> an email server via POP to download their email, the server
> attempts to connect back to them on port 113. I believe this
> service was intended for the case where the user is one of
> several sharing a multi-user machine, but I'm not certain about
> that.
> The thing is that >98% of modern client machines will ignore
> this connection attempt. The email server will wait for anywhere
> between 30 seconds and 5 minutes for an answer, and then will
> continue the download session and deliver the requested email.
>
> ShieldsUp is complaining because it got an RST ("reset") packet
> back from that port; the firewall, instead of silently dropping
> the SYN packet for that port, has explicitly rejected the
> connection. The bad side of this is that the firewall has, by
> doing this, revealed its presence; the good side is that the
> email server will stop waiting at that point and so the user's
> email will download promptly instead of waiting for that connection
> to time out first.
>
> This configuration is sufficiently common that I would not take
> that "failed" score seriously.
>
> David Gillett
>
>
>
>> -----Original Message-----
>> From: Ken Pryor [mailto:kdpryor (at) gmail (dot) com [email concealed]]
>> Sent: Wednesday, June 24, 2009 8:39 AM
>> To: security-basics (at) securityfocus (dot) com [email concealed]
>> Subject: Port question
>>
>> Hello all, I just joined the list and this is my first post
>> to it. I am a networking noob and am not sure if this is
>> something I should worry about or not. I just set up a
>> Smoothwall Express firewall and later ran a Shields Up scan
>> at grc. com It showed all ports as stealth except one, port
>> 113, which it showed as closed. Shields Up gave my system a
>> "failed" score based on that one port showing as closed. My
>> question is, is this anything I need to worry about and, if
>> so, how might I fix it?
>> Thanks to all who offer their knowledge and help to those of
>> us just getting started.
>> Ken Pryor
>>
>> --------------------------------------------------------------
>> ----------
>> Securing Apache Web Server with thawte Digital Certificate In
>> this guide we examine the importance of Apache-SSL and who
>> needs an SSL certificate. We look at how SSL works, how it
>> benefits your company and how your customers can tell if a
>> site is secure. You will find out how to test, purchase,
>> install and use a thawte Digital Certificate on your Apache
>> web server. Throughout, best practices for set-up are
>> highlighted to help you ensure efficient ongoing management
>> of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;
>> e13b6be442f727d1
>> --------------------------------------------------------------
>> ----------
>>
>>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------
>
>
>
--
Patrick Kobly, CISSP
T: 403-274-9033
C: 403-463-6141
F: 866-786-9459
56 388 Sandarac Dr NW
Calgary, Alberta
T3K 4E3
http://www.kobly.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
defined in RFC1413
http://tools.ietf.org/html/rfc1413
It allows a particular node to assert the local username of the user
that owns a particular connection. While this may have been moderately
useful some time ago, it is of dubious (or no) value now.
I haven't seen POP servers use ident in a while, but regularly see IRC
servers do so - and in that case the problem is exactly as David describes.
PK
David Gillett wrote:
> Closing port 113 is a good trade-off between security and
> performance.
>
> For historical reasons, generally when a client connects to
> an email server via POP to download their email, the server
> attempts to connect back to them on port 113. I believe this
> service was intended for the case where the user is one of
> several sharing a multi-user machine, but I'm not certain about
> that.
> The thing is that >98% of modern client machines will ignore
> this connection attempt. The email server will wait for anywhere
> between 30 seconds and 5 minutes for an answer, and then will
> continue the download session and deliver the requested email.
>
> ShieldsUp is complaining because it got an RST ("reset") packet
> back from that port; the firewall, instead of silently dropping
> the SYN packet for that port, has explicitly rejected the
> connection. The bad side of this is that the firewall has, by
> doing this, revealed its presence; the good side is that the
> email server will stop waiting at that point and so the user's
> email will download promptly instead of waiting for that connection
> to time out first.
>
> This configuration is sufficiently common that I would not take
> that "failed" score seriously.
>
> David Gillett
>
>
>
>> -----Original Message-----
>> From: Ken Pryor [mailto:kdpryor (at) gmail (dot) com [email concealed]]
>> Sent: Wednesday, June 24, 2009 8:39 AM
>> To: security-basics (at) securityfocus (dot) com [email concealed]
>> Subject: Port question
>>
>> Hello all, I just joined the list and this is my first post
>> to it. I am a networking noob and am not sure if this is
>> something I should worry about or not. I just set up a
>> Smoothwall Express firewall and later ran a Shields Up scan
>> at grc. com It showed all ports as stealth except one, port
>> 113, which it showed as closed. Shields Up gave my system a
>> "failed" score based on that one port showing as closed. My
>> question is, is this anything I need to worry about and, if
>> so, how might I fix it?
>> Thanks to all who offer their knowledge and help to those of
>> us just getting started.
>> Ken Pryor
>>
>> --------------------------------------------------------------
>> ----------
>> Securing Apache Web Server with thawte Digital Certificate In
>> this guide we examine the importance of Apache-SSL and who
>> needs an SSL certificate. We look at how SSL works, how it
>> benefits your company and how your customers can tell if a
>> site is secure. You will find out how to test, purchase,
>> install and use a thawte Digital Certificate on your Apache
>> web server. Throughout, best practices for set-up are
>> highlighted to help you ensure efficient ongoing management
>> of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;
>> e13b6be442f727d1
>> --------------------------------------------------------------
>> ----------
>>
>>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------
>
>
>
--
Patrick Kobly, CISSP
T: 403-274-9033
C: 403-463-6141
F: 866-786-9459
56 388 Sandarac Dr NW
Calgary, Alberta
T3K 4E3
http://www.kobly.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFKQ5jbCODE1AJ6UNoRAkSYAKCk6RFmnR6Le4hm0ztev36rFRHzvACbB+BI
JNEt2GWo6/pW7JU98meWvKM=
=NeXD
-----END PGP SIGNATURE-----
[ reply ]