113 Could Be Your Lucky Number

Though seldom needed, port 113 is often left detectable to port scans, allowing hackers to discover the router and possibly probe further. The port was originally designed to allow network clients to identify themselves to servers, but despite a few revisions, the standard behind the port never really took off. Today, only a few Unix server programs use the port.

So why is port 113 left detectable? A port can be open, closed or in stealth mode. If it's open or closed, the router will actively send acceptance or rejection messages to computers requesting a connection on that port. Either response tells hackers that a computer or firewall is at the given IP address. Putting all of a router's ports in stealth mode prevents the router from responding at all, effectively hiding it and making it appear that the router's IP address is unused.

But on rare occasions, that raises issues with the way port 113 operates. If a server on the Internet makes an identity request on port 113 and the firewall is in stealth mode and ignores the traffic coming into that port, the server will never know what happened to its request. So it will await a reply and, after a time, send another request and so on. As a result, the server will get bogged down as it waits for one time-out after another.

Though port 113 is rarely used, firewall manufacturers would rather leave it closed than place it in stealth mode, so that customers never encounter the time-outs. If the port is set to the closed state, at least the server gets a response and is likely to grant a computer access without probing for more ID information.

However, it's easy to bolt down port 113, provided that solution providers know a little trick.

Start by determining whether the port is open, closed or in stealth mode by checking the firewall settings or running a port scan from the Internet. One of my favorite Web sites that provides port scans (and more) is www.grc.com. If port 113 is open or closed, check the firewall settings to see if it can be put in stealth mode. If not, use the router's virtual server capability to redirect port 113 traffic to a nonexistent IP address on the LAN. An address near the top of the LAN's address range should work. The packets will effectively be routed to the wild blue yonder, preventing a response, but check with another scan to be sure.

As a final step, run your client's business applications to see if they are broken. If not, you're home free.
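The before-and-after check can also be scripted. The following is an added example, not part of the original article: it makes one TCP connection attempt to port 113 and reports which of the three states the port is in, along with how long the answer took, which shows why a closed port answers at once while a stealth port costs the caller the full time-out. The function name `probe`, the 3-second time-out and the address in the usage line are assumptions; run it from a machine outside the LAN against your own router's WAN address.

```python
import socket
import sys
import time

IDENT_PORT = 113  # the port discussed in the article


def probe(host, port=IDENT_PORT, timeout=3.0):
    """Make one TCP connection attempt and return (state, seconds).

    open    - the handshake completed (an acceptance message came back)
    closed  - the connection was refused (a rejection message came back)
    stealth - nothing came back before the time-out
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except (socket.timeout, TimeoutError):
        state = "stealth"
    except OSError as exc:
        # No route, name lookup failure, etc.: not a statement about the port.
        state = "error: %s" % exc
    return state, time.monotonic() - start


def report(host, attempts=2):
    """Probe several times; one lost packet can look like stealth."""
    results = [probe(host) for _ in range(attempts)]
    for state, secs in results:
        print("%s port %d: %-8s (%.2fs)" % (host, IDENT_PORT, state, secs))
    return results


if __name__ == "__main__":
    # Usage: python probe113.py <WAN address of your own router>
    # 203.0.113.10 is a documentation placeholder, not a real target.
    report(sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10")
```

A "stealth" result only means no reply reached the machine running the script, so an upstream filter between you and the router produces the same output.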

How do you handle port 113? Let me know via e-mail at [email protected].