Connections to localhost on port 113

Hi all,

I have log_in_vain enabled on all my FreeBSD servers and I noticed all of them are seeing constant attempts to localhost port 113, at least every hour. I know this is the authd service that is supposed to listen on this port, but I don't know how to find out what is trying to make the connection so I can disable it and clean up the logs. Any ideas?

Code:
Apr  4 23:02:14 test-box kernel: TCP: [127.0.0.1]:51653 to [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Apr  5 00:00:04 test-box kernel: TCP: [127.0.0.1]:31493 to [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
 
The packets seem to originate on your box so it's something you're running that's causing it.
 
SirDice said:
The packets seem to originate on your box so it's something you're running that's causing it.

Thanks for the laugh.

Yep, so I have checked cron, nothing in there at all. Will try to have a look at audit and see what I come up with...
 
markosolo said:
Thanks for the laugh.

Yep, so I have checked cron, nothing in there at all. Will try to have a look at audit and see what I come up with...

Are you running a mail server there?
 
TCP port 113 is mostly used by mail servers (sendmail, postfix). To shut your sendmail up, set 0 as the timeout in /etc/mail/sendmail.cf:
Code:
O Timeout.ident=0s

AFAIK TCP-113 is a pretty required standard when you set up a mail server. You might better open it and edit/uncomment /etc/inetd:
Code:
auth   stream  tcp     nowait  root    internal

Or better yet (it should be much faster), block and return-reset in the firewall.
 
aa said:
AFAIK TCP-113 is a pretty required standard when you set up a mail server. You might better open it and edit/uncomment /etc/inetd:
Code:
auth   stream  tcp     nowait  root    internal

ident is not needed for the correct handling of mail. In fact, from a security standpoint, you are highly advised not to enable it.

The only thing I have ever seen that used ident is IRC, some IRC networks refuse to let you on if they can't ident you.
 
SirDice said:
ident is not needed for the correct handling of mail. In fact, from a security standpoint, you are highly advised not to enable it.

The only thing I have ever seen that used ident is IRC, some IRC networks refuse to let you on if they can't ident you.

You are right. Some old versions of sendmail were performing auth lookups but from a security point of view it should be disabled.
 
Yeah right, nobody adheres to the standard anymore anyway :(
On a publicly accessible server, I would suggest a more conservative approach. Not in this case.
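
For the original question of what is producing these log_in_vain entries, the following is an added example (not posted by anyone in the thread) that parses the kernel message format quoted above and groups attempts by host and destination port, so the timing can be compared against scheduled jobs and daemon timers. The `year` parameter and the third sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Kernel message format produced by log_in_vain, as quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\sTCP:\s"
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+)\sto\s"
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+)\stcpflags\s0x[0-9a-f]+<(?P<flags>[^>]*)>"
)

def parse(line, year=2024):
    """Return one attempt as a dict, or None for unrelated lines.
    syslog omits the year, so `year` is an assumption supplied by the caller."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "src": ip_address(m["src"]),
        "dport": int(m["dport"]),
        "flags": m["flags"].split(","),
    }

def summarize(lines, year=2024):
    """Group attempts by (host, destination port) and expose their timing."""
    groups = defaultdict(list)
    for rec in filter(None, (parse(l, year) for l in lines)):
        groups[(rec["host"], rec["dport"])].append(rec)
    report = {}
    for key, recs in groups.items():
        times = sorted(r["time"] for r in recs)
        report[key] = {
            "count": len(recs),
            # A loopback source means the client is a process on this host.
            "all_local": all(r["src"].is_loopback for r in recs),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
            "hh_mm": [t.strftime("%H:%M") for t in times],
        }
    return report

SAMPLE = [  # the first two lines are from the thread; the third is constructed
    "Apr  4 23:02:14 test-box kernel: TCP: [127.0.0.1]:51653 to [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port",
    "Apr  5 00:00:04 test-box kernel: TCP: [127.0.0.1]:31493 to [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port",
    "Apr  5 00:10:30 test-box kernel: TCP: [192.0.2.10]:40000 to [192.0.2.1]:23 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port",
]
```

Feeding the full /var/log/messages history through `summarize` gives enough timestamps per port to line the attempts up against whatever runs on the box at those times.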
 