[lug] Identd error...

D. Stimits stimits at idcomm.com
Mon Aug 27 18:00:07 MDT 2001


It does sound like the source of the request is on your local machine.
Add a firewall rule to log all input chain activity on all interfaces
for tcp port 113. You might also check if your identd is actually running
right. Assuming RH, run:
/etc/rc.d/init.d/identd status

Also try to telnet to port 113 on localhost, type in some nonsense, see
if it accepts and drops you after typing in nonsense (it should).

D. Stimits, stimits at idcomm.com

Justin wrote:
> 
> Hrmm, well I'll see if anything shows up in a logger. The weird thing
> is these errors are showing up in intervals of 1-5 minutes always on
> the 00 second:
> 
> Aug 27 15:18:00 deviant identd[28359]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> Aug 27 15:19:00 deviant identd[28361]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> Aug 27 15:22:00 deviant identd[28377]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> Aug 27 15:24:31 deviant PAM_pwdb[26395]: (sshd) session closed for user monicle
> Aug 27 15:25:00 deviant identd[28384]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> Aug 27 15:27:00 deviant identd[28393]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
> 
> I don't think this would be some sort of malicious activity.
> 
> Justin
> 
> > Justin wrote:
> > >
> > > I have been getting tons of these errors in my log but I have no idea
> > > what they are from. Anyone have any idea?
> > >
> > > Aug 26 04:09:00 deviant identd[18103]: request_thread: read(9, ..., 1023) failed: Connection reset by peer
> > >
> >
> > I haven't heard of any exploits against identd. I suppose it is possible
> > that someone is using a spoof of your ID for DoS against someone, and
> > that other party being hit is trying to auth the source. You might want
> > to turn on ipchains logging of port 113 to see if the hits are all from
> > one machine (or just a few).
> >
> > D. Stimits, stimits at idcomm.com
> >
> > > TIA.
> > >
> > > Justin
> > >
> > > -----
> > > glow at jackmoves.com
> > > www.jackmoves.com
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> >
> 
> -----
> glow at jackmoves.com
> www.jackmoves.com
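
An added example, not part of the original messages: a small Python script that pulls the identd "Connection reset by peer" entries out of a syslog excerpt and profiles their timing, to check the pattern noted in the thread (events always on the 00 second, a few minutes apart). The function names and the `year` parameter are assumptions made for this example; reading full alignment as a sign of a scheduled local job is a heuristic, not a conclusion.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines quoted in the thread, each on a single line.
SAMPLE = """\
Aug 27 15:18:00 deviant identd[28359]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 27 15:19:00 deviant identd[28361]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 27 15:22:00 deviant identd[28377]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 27 15:24:31 deviant PAM_pwdb[26395]: (sshd) session closed for user monicle
Aug 27 15:25:00 deviant identd[28384]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 27 15:27:00 deviant identd[28393]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
"""

# Matches only identd entries that report a reset; other daemons are ignored.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ identd\[\d+\]: .*Connection reset by peer")

def identd_resets(text, year=2001):
    """Return timestamps of identd 'Connection reset by peer' entries."""
    stamps = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # Classic syslog timestamps omit the year, so the caller supplies it.
            stamps.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return stamps

def timing_profile(stamps):
    """Summarise second-of-minute alignment and the gaps between events."""
    seconds = Counter(t.second for t in stamps)
    gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    top_second, hits = seconds.most_common(1)[0] if seconds else (None, 0)
    return {
        "events": len(stamps),
        "top_second": top_second,
        "aligned_fraction": hits / len(stamps) if stamps else 0.0,
        "gaps_seconds": gaps,
        "whole_minute_gaps": bool(gaps) and all(g % 60 == 0 for g in gaps),
    }

if __name__ == "__main__":
    profile = timing_profile(identd_resets(SAMPLE))
    print(profile)
    if profile["aligned_fraction"] == 1.0 and profile["whole_minute_gaps"]:
        # Heuristic: remote traffic rarely lands on the same second every time.
        print("All events share one second-of-minute: check scheduled jobs on this host.")
```
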


