A couple of months ago, there was some discussion on this list about what a
firewall machine should do in response to an "ident" query.
The responses indicated that it must not block the port completely, as this
would cause anyone who was doing a legitimate ident query (which evidently
includes newer versions of sendmail) to delay for some timeout period before
doing their thing.
Someone posted a dummy ident server which always returned a userid of
"firewall" (or something like that). Someone else indicated that this was NOT
the correct way to handle this, and what should really be done, according to
the RFC was to return the HIDDEN-USER error. Upon reading the RFC myself, I
reached the same conclusion and modified this dummy server to return the
HIDDEN-USER error.
It occurred to me, however, that there are problems with this approach as well.
If someone spoofing my IP address tries to break into another system, and that
system somehow (probably due to the spoofer not being as clever as he might be)
actually makes it back to my server with an ident query, I would like to return
the correct "NO-USER" error condition (indicating this connection did NOT come
from me) rather than the incorrect "HIDDEN-USER" error condition (indicating
this connection did come from me, but I am not going to tell you the user name).
I think the return of the correct error condition would put us on much better
legal standing if the site being broken into tried to take legal action.
I think the real correct way to solve this is to modify the real ident server
so that it can be invoked with a "-hide" option (or something similar) to cause
the HIDDEN-USER error to be generated in only those cases where it would
normally return a USERID, but to work normally in all other respects.
So, my question is, does anyone know of a public domain ident server which
would work under Ultrix 4.3 for which I could obtain source?
------------------------
Bill Gianopoulos
Raytheon Company
voice: 617-274-3221
email: u84718@sccux1.msd.ray.com
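The "-hide" behaviour the post asks for, as an added example that is not part of the original post and not the code of any real ident server: a small Python responder that builds RFC 1413 reply lines, answering HIDDEN-USER only where it would otherwise return a USERID, NO-USER when no matching connection exists, and INVALID-PORT for malformed or out-of-range queries. The connection table is constructed for the example (a real server would consult the kernel's socket table), keying the lookup on the peer's address is my assumption, and echoing "0 , 0" for an unparseable query is a convention I chose rather than something the RFC mandates.

```python
# Added example, not from the original post or any real ident daemon.
# Minimal RFC 1413 (ident) responder logic with a "hide" mode.
import re

INVALID_PORT = "INVALID-PORT"
NO_USER = "NO-USER"
HIDDEN_USER = "HIDDEN-USER"

# Constructed sample of "our" current TCP connections, standing in for the
# kernel's socket table: (local_port, remote_host, remote_port) -> local user.
CONNECTIONS = {
    (6191, "192.0.2.10", 25): "alice",     # alice talking to a remote SMTP server
    (6200, "198.51.100.7", 23): "bob",     # bob in a telnet session
}

# Query format: "<port-on-server> , <port-on-client>" (whitespace optional).
QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_query(line):
    """Return (server_port, client_port) as ints, or None if unparseable."""
    m = QUERY_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def valid_port(p):
    """RFC 1413 ports are 1..65535; 0 is never valid."""
    return 1 <= p <= 65535


def ident_response(line, peer_host, hide=True, opsys="UNIX", table=CONNECTIONS):
    """Build one reply line (without the trailing CRLF) for a query from peer_host.

    hide=True gives the post's "-hide" behaviour: a connection that exists and
    would normally yield USERID is reported as HIDDEN-USER instead, but every
    other answer (NO-USER, INVALID-PORT) is unchanged.
    """
    parsed = parse_query(line)
    if parsed is None:
        # Assumption: echo "0 , 0" when the query cannot be parsed at all.
        return f"0 , 0 : ERROR : {INVALID_PORT}"
    sp, cp = parsed
    if not (valid_port(sp) and valid_port(cp)):
        return f"{sp} , {cp} : ERROR : {INVALID_PORT}"

    # Keying on the querying host matters: a spoofed connection to some third
    # party will not be in our table for that peer, so we answer NO-USER,
    # which is the "this did not come from me" answer the post wants.
    user = table.get((sp, peer_host, cp))
    if user is None:
        return f"{sp} , {cp} : ERROR : {NO_USER}"
    if hide:
        return f"{sp} , {cp} : ERROR : {HIDDEN_USER}"
    return f"{sp} , {cp} : USERID : {opsys} : {user}"


def handle_query_bytes(raw, peer_host, **kw):
    """Wire-level helper: decode one query line, return the reply with CRLF."""
    return (ident_response(raw.decode("ascii", "replace"), peer_host, **kw) + "\r\n").encode("ascii")


if __name__ == "__main__":
    # Constructed queries: a real connection from alice's SMTP peer,
    # the same ports asked about by a host we have no connection to,
    # and a malformed query.
    for query, peer in [("6191 , 25", "192.0.2.10"),
                        ("6191 , 25", "203.0.113.5"),
                        ("70000 , 25", "192.0.2.10"),
                        ("hello", "192.0.2.10")]:
        print(repr(query), "from", peer, "->", ident_response(query, peer))
```

Note that the NO-USER answer is only meaningful if the lookup includes the querying host, as above: checking the local port alone would report HIDDEN-USER for any connection that happens to share the port number, regardless of who is asking.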