
Re: Is ident secure?

On Thu, Aug 30, 2001 at 07:52:23PM -0700, Vineet Kumar wrote:

> You're probably seeing most of those ident requests coming from mail and
> irc servers your host connects to. I think "best practice" is to DENY
> (rather than DROP) incoming traffic on 113. This makes it so that auth
> requests are denied quickly, rather than waiting for a TCP timeout.

wrong.  DENY is an ipchains target which is the same as iptables DROP.
both simply drop the packet on the floor with no reply whatsoever;
this will cause a severe delay as the other end must wait for the
connection to time out before proceeding.

in both ipchains and iptables you should use REJECT.  

> You really shouldn't need to enable an ident server, but if you find
> that you do (e.g. your users insist on connecting to irc servers which
> require it) try nullidentd. It comes with a short rant on why ident
> sucks, and just returns "foobar" for every ident request.

if you're the only user on your machine then identd isn't of much use.
however if you DO have users then identd can be very useful.  the
problem is most people don't understand what it's for.

identd is for the admin RUNNING the identd, not for the admin making
identd requests.  if one of your users is abusing someone's network in
some way (attempting to send spam, causing trouble on some irc network
etc) the admin of the affected site will contact you (the admin of
your site) and inform you of a troublesome user.  he can then supply
log snippets relevant to the alleged transgressions, complete with
ident responses from your machines.  if you configured your identd not
to lie, and not to allow your users to make it lie, you will most
likely have an accurate pointer to the troublemaker so you can proceed
to lart them.

Ethan Benson

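To make the two points above concrete (REJECT vs. DROP on port 113, and what an ident reply actually carries when an admin hands you log snippets), here is a small RFC 1413 client written for this page; it is an added example, not code from the thread or from any identd. The host, ports and sample reply lines are constructed for illustration.

```python
"""Minimal RFC 1413 (ident) client: builds the query, parses the reply, and tells
a fast refusal (iptables REJECT) from a hang (DROP) when a host is silent on 113."""
import socket

IDENT_PORT = 113
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}

def build_query(server_port: int, client_port: int) -> bytes:
    # RFC 1413 request: "<port-on-server> , <port-on-client>" + CRLF (server = identd host)
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        raise ValueError("ports must be 1..65535")
    return f"{server_port} , {client_port}\r\n".encode("ascii")

def parse_response(line: bytes) -> dict:
    # Reply: "<port> , <port> : USERID : <opsys>[ , <charset>] : <user-id>"
    #     or "<port> , <port> : ERROR : <error-type>"
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    fields = [f.strip() for f in text.split(":", 3)]  # user-id may itself hold ':'
    ports = [p.strip() for p in fields[0].split(",")]
    if len(fields) < 3 or len(ports) != 2 or not all(p.isdigit() for p in ports):
        raise ValueError(f"malformed ident reply: {text!r}")
    reply = {"server_port": int(ports[0]), "client_port": int(ports[1]), "type": fields[1]}
    if fields[1] == "ERROR":
        if fields[2] not in ERROR_TYPES and not fields[2].startswith("X"):
            raise ValueError(f"unknown error type: {fields[2]!r}")
        reply["error"] = fields[2]
    elif fields[1] == "USERID" and len(fields) == 4:
        opsys, _, charset = (x.strip() for x in fields[2].partition(","))
        reply.update(opsys=opsys, charset=charset or "US-ASCII", user=fields[3])
    else:
        raise ValueError(f"malformed ident reply: {text!r}")
    return reply

def ident_query(host: str, server_port: int, client_port: int, timeout: float = 5.0):
    # 'refused' = peer sent a RST (REJECT); 'timeout' = no answer at all (DROP), the
    # case the thread warns about, since the querying MTA/ircd waits out its timer
    try:
        with socket.create_connection((host, IDENT_PORT), timeout=timeout) as s:
            s.sendall(build_query(server_port, client_port))
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
        return "reply", parse_response(data)
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "timeout", None
```

A nullidentd-style answer parses as a normal USERID reply whose user field is just "foobar", which is exactly why such a reply is of no use to the admin reading the logs.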