On Thu, Aug 30, 2001 at 07:52:23PM -0700, Vineet Kumar wrote: > You're probably seeing most of those ident requests coming from mail and > irc servers your host connects to. I think "best practice" is to DENY > (rather than DROP) incoming traffic on 113. This makes it so that auth > requests are denied quickly, rather than waiting for a TCP timeout. wrong. DENY is a ipchains target which is the same as iptables DROP. both simply drop the packet on the floor with no reply whatsoever, this will cause a severe delay as the other end must wait for the connection to timeout before proceeding. in both ipchains and iptables you should use REJECT. > You really shouldn't need to enable an ident server, but if you find > that you do (e.g. your users insist on connecting to irc servers which > require it) try nullidentd. It comes with a short rant on why ident > sucks, and just returns "foobar" for every ident request. if your the only user on your machine then identd isn't of much use. however if you DO have users then identd can be very useful. the problem is most people don't understand what its for. identd is for the admin RUNNING the identd, not for the admin making identd requests, if one of your users is abusing someones network in some way (attempting to send spam, causing trouble on some irc network etc) the admin of the affected site will contact you (the admin of your site) and inform you of a troublesome user, he can then supply log snippets relevant to the alleged transgressions, complete with ident responses from your machines, if you configured your identd not to lie, and not to allow your users to make it lie you will most likely have an accurate pointer to the troublemaker so you can proceed to lart them. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpIN1mptPvyX.pgp
Description: PGP signature