SANS ISC: Cyber Security Awareness Month - Day 31, ident

Welcome to day 31 of Cybersecurity Awareness Month!  I hope that you have enjoyed reading and responding to it as much as we have enjoyed writing it!

We finish the month with a voyage into the history of the Internet. The Ident Protocol is defined in RFC 1413 and was intended to help identify the user of a TCP connection.  Essentially, it acts as a server on TCP port 113 and historically was used by protocols such as FTP, SMTP and NNTP, and was an integral part of IRC, where it provided a mechanism to identify the user.

ident has fallen out of favor as security on the Internet has become a growing issue, mostly because it provides a way to enumerate userids on a system, but also because it relies on an inbound query (the remote server connects back to port 113 on the client), which stateful inspection firewalls block unless explicitly permitted, since that connection was not initiated from the inside.

Unfortunately, even though ident is largely deprecated and generally not considered a safe protocol, you will often find it running on default operating system installs and on so-called black boxes, which often ship with ident enabled, thus providing a possible attack vector.

It is my personal belief that there is no good reason to allow ident into your network, or to run ident on your servers and workstations.  So I leave you with these questions...

Are there any legitimate uses of ident that warrant allowing ident into your network?

If you do allow ident into your network...how do you secure it?

As usual I look forward to your feedback, either via the comments or through our contact page.

Have an enjoyable All Hallows' Eve!

UPDATES:

Reader J.T. Moore points out that there are still rare occasions where ident is required.  In that case oidentd is an excellent ident server. "This provides a valid ident response which solves the problem with the IRC server, but it doesn't allow anyone to use ident to probe for user names or active connections."
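To make the "valid response without enabling probing" behaviour concrete, here is an added example (written for this diary, not code from oidentd or any other ident server) of an RFC 1413 request parser and response builder. The hardened default answers every well-formed query with a fixed, non-identifying token and never consults the connection table, so neither account names nor the existence of a connection can be enumerated; the `owner_of` callback, the "OTHER" opsys field and the `nobody` token are assumptions for illustration.

```python
import re

# RFC 1413 request line: "<port-on-server> , <port-on-client>" terminated by CRLF.
_REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def parse_request(line: str):
    """Return (server_port, client_port) as ints, or None if the line is not two
    comma-separated non-negative integers.  Range checking is left to the caller."""
    m = _REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def build_response(line: str, owner_of, reveal_users: bool = False,
                   token: str = "nobody") -> str:
    """Build the RFC 1413 reply for one request line.

    owner_of(server_port, client_port) -> account name or None is an assumed
    lookup into the local TCP connection table; it is only consulted when
    reveal_users=True (the classic, information-leaking behaviour)."""
    ports = parse_request(line)
    if ports is None:
        # Assumption: with no parseable ports to echo, reply with "0 , 0".
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = ports
    prefix = f"{sport} , {cport} : "
    # RFC 1413: TCP ports are 1-65535; anything else is INVALID-PORT.
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return prefix + "ERROR : INVALID-PORT\r\n"
    if not reveal_users:
        # Hardened mode: a syntactically valid USERID reply satisfies servers that
        # insist on ident (for example IRC), but the same fixed token is returned
        # for every port pair, so nothing about users or connections is revealed.
        return prefix + f"USERID : OTHER : {token}\r\n"
    owner = owner_of(sport, cport)
    if owner is None:
        return prefix + "ERROR : NO-USER\r\n"
    return prefix + f"USERID : UNIX : {owner}\r\n"
```

The `reveal_users=True` branch is included only to show what a stock responder discloses compared with the hardened default.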


-- Rick Wanner - rwanner at isc dot sans dot org

COMMENTS:

freenode still requires ident for multi-user-per-IP access.
-- Anonymous

Is there a condensed list of all 31 days of info?
-- Anonymous

It's a coming! Watch for it later today.
-- Marcus (ISC Handler)

Hey, I remember some older Unix boxes requiring a response on IDENT before allowing SMTP transfer, but we found that creating an ACE allowing inbound connections on IDENT without a corresponding PAT rule was enough; apparently a CLOSE instead of dropping the packet did the trick.
-- Marcus