Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness Month - Day 31, ident

Published: 2009-10-31
Last Updated: 2009-11-01 16:39:33 UTC
by Rick Wanner (Version: 2)
4 comment(s)

Welcome to day 31 of Cybersecurity Awareness Month!.  I hope that you have enjoyed reading and responding to it as much as we have enjoyed writing it!

We finish the month with a voyage into the history of the Internet. The Ident Protocol is defined in RFC 1413 and was intended  to help identify the user of a TCP connection.  Essentially, it acts as a server on port 113 TCP and historically was used by protocols such as FTP, SMTP, NNTP, and was an integral part of IRC by providing a mechanism to identify the user.

ident has fallen out of favor as security on the Internet has become a growing issue, mostly because it permits a way to enumerate userids on a system, but also because it uses an inbound query which is blocked by stateful inspection firewalls (unless explicitly permitted) because it has not been initiated from the inside.

Unfortunately, even though ident is largely deprecated and generally is not considered a safe protocol, you will often find it running on default operating system installs and on so called black boxes which will often come configured with ident running thus allowing a possible attack vector.

It is my personal belief that there is no good reason to allow ident into your network. or to run ident on your servers and workstations.  So I leave you with these questions...

Are there any legitimate uses of ident that warrant allowing ident into your network?

If you do allow ident into your network...how do you secure it?

As usual I look forward to your feedback. either via the comments or through our contact page.

Have an enjoyable All Hollow's Eve!

UPDATES:

One commenter pointed out that popular IRC host Freenode still requires ident when multiple users connect using the same IP address.

Reader J.T. Moore points out that there are still occasions where ident is required.  In that case a substitute identd server like oidentd is a great solution. Properly configured oidentd can be configured to "provide a valid ident response which solves the problem with the IRC server, but it doesn't allow anyone to use ident to probe for user names or active connections."

 

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: CSAM2009 ident
4 comment(s)
Diary Archives