Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port 113

Sooo when scanning the system i've noticed 113 is the only port showing as closed / reject. Since the other ports are Drop I've created a rule to drop 113 from all connections but SFOS isn't honoring the rule. Why?  Why would they decided to reject only 113?



This thread was automatically locked due to age.
Parents
  • Where did you run the test from?

    Ian

    What is on port 113?
    Port 113 Details. Port 113 used for Identification/Authorization service. When a client program on your end contacts a remote server for services such as POP, IMAP, SMTP, IRC, FTP, etc. that remote server sends back a query to the IDENT port 113 asking for identification from your system...
    Should I close port 113?
    Although seemingly contrary to conventional wisdom of closing ports from hackers, this port, which is used for ident requests, should be opened. Port 113 initially was used as an authentication port, and later defined as an identification port (see RFC 1413).25 Dec 2016

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Having ident "open" to the internet is a terrible idea. I cant even take your response seriously. You should totally open 113 if you believe what you wrote.

    A security system / firewall should allow you to control what's allowed and what isn't. Bit of a security issue being scanners can identify the system because of it.  nmap even knows the system is based on the CyberRoam UTM which Sophos bought.

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • I copied those entries from a google search.

    With your reject did you create addend nat rule?

    A firewall will open and close ports as the various applications request access, so you might have had a mail client requesting an update. You did not answer whether you ran the test internally or externally.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Its a drop rule. Sending the traffic to nothing shouldn't be required.

    The port shouldn't be closed when all the other ports are Drop by default. It seems SFOS is doing some trickery on the backend. This isn't a new issue and has been around for 20 years with Astaro, CyberRoam, and SFOS. I just happened to be the most recent user attacking our own system and finding it. Maybe I'll just take it direct to Sophos Support and if I get an answer i'll inform the community. SFOS lists 113 as Auth but i don't see the system using it. Hence my questions.

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • How are you testing? I have just quickly ran a portscan on one of my environments with a V20 SFOS using the ShieldsUP page from grc.com and get all stealth ports but 443 which is open (and in our case expected to be open since the VPN portal is running on it).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks for the reply. 

    I was using nmap. Below is using Shieldsup.  113 shows closed. This is basically a fresh install of v20.  So both scanners show 113 closed. 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • Here is my SFOS v20 Home system I updated from 19.5.  113 isn't showing. Gurrrrrrrrr. 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • Must be some reason that it is closed in one environment and stealth in the other... No clue however what migt cause this.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Reply
  • Must be some reason that it is closed in one environment and stealth in the other... No clue however what migt cause this.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Children
No Data