Re: "Authentication" attempts??

[Peter Moody <peter.moody () lutris com>]

While I don't have an exchange server running, I've seen a lot
of connection attempts to the auth or ident daemon (port 113) to various
machines inside my dmz (all of which get blocked by the pix fw).
I have come to the conclusion that a lot of mail servers employ
this very basic form of authentication.

-Peter

Los, Ralph wrote:
> Perhaps someone could help me understand this...
>
>       I've been getting this from dozens of machines all accross the
> Internet, aimed at one of my Exchange Server's private (NAT) address, coming
> to port 113.  As far as I know, port 113 is only used for IRC (Internet
> Relay Chat) authentication...no?
>
> <snip>
> 03/23/2001 16:49:08.480 -     TCP connection dropped -
> Source:<src-ip>, <src-prt>, Destination:192.168.34.2, 113
> </snip>
>
> The source IP's are completely random it seems, source ports are as well
> (3105, 41259, 1931, 4675, 51134...and the list goes on).  Does anyone know
> what this would be?  ...and perhaps WHY the target is my NAT address not the
> public IP?  Is this somehow tied to the mail server (Exchange 5.5) that is
> the target?
>
> Any insight is greatly appreciated,
>
> Ralph M. Los
> Sr. Internet Systems & Security Admin.    (312) 827-3945 (direct)
> EnvestNet Advisory Corp.                  (312) 296-9003 (wireless)
> rlos () envestnet com

--
Peter Moody          Systems Administrator      
Lutris Technologies  peter.moody () lutris com
:wq