Re: Slow telnet/pop3 connection



On Sun, 27 Apr 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <dnt914952tep1vf6kvqvs0oq4qs50vrg9g@xxxxxxx>, Mark Olbert wrote:

> Some additional info after cruising thru wireshark...
>
> I'm seeing a sequence of ident (port 113) packets coming from the
> telnet server box. The client (a Windows Vista box) isn't sending
> anything back.

That's not the default behavior for a windoze box - there is a firewall
running on it trying to 'stealth' the system.

> Here's the rough timeline:
>
> First ident packet arrives at the start of the connection attempt
> (after some preliminary stuff)

That's almost certainly the 'log_on_*' setting in the /etc/xinetd.d/telnet
configuration file.

> A second ident packet arrives after no response by the client for 3
> seconds
>
> A third ident packet arrives after no response by the client for 6
> seconds
>
> A fourth ident packet arrives after no response by the client for 12
> seconds

Standard retransmission delays.

> Finally, after another 9 seconds the server "gives up" and initiates a
> telnet session (at least, there are a lot of packets marked
> "telnet data" by wireshark at that point).

Sounds about right. It could be worse, because there is a configuration
in xinetd to block the connection if an ident/auth query isn't returned
with something resembling a valid user identification. Obviously, this
isn't the setting used here.

> When I run wireshark against an attempt to the old telnet server there
> are no ident packets shown. The sequence jumps immediately into what
> wireshark marks as "telnet data".

Compare the two /etc/xinetd.d/telnet files.

> Do you have any thoughts as to why one version of telnet is using
> ident and the other isn't?

This being 'Linux-from-scratch' I would take it as an option in the
compile. I believe this is the xinetd daemon, rather than the telnet
server.

Old guy
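
Added example, not part of the original post: a small Python check for the file comparison suggested above, listing the ident-related settings (USERID in log_on_success/log_on_failure, and the IDONLY flag that refuses clients giving no ident answer) that one xinetd service file has and another lacks. Both sample files are constructed, and the script reads only the service file, so a USERID inherited from the defaults section of /etc/xinetd.conf is not seen.

```python
import re

# Constructed sample service files, not the poster's real configuration.
NEW_BOX = """service telnet
{
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    log_on_success += PID HOST USERID
    log_on_failure += USERID
}
"""
OLD_BOX = """service telnet
{
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    # log_on_success += USERID
    log_on_failure += HOST
}
"""
ATTR = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*)$")

def ident_settings(text):
    """Return the settings in one xinetd service file that involve ident (port 113)."""
    values = {}
    for line in text.splitlines():
        m = ATTR.match(line)  # comment lines start with '#', so they never match
        if not m:
            continue
        key, op, words = m.group(1), m.group(2), set(m.group(3).split())
        if op == "=":
            values[key] = words
        elif op == "+=":
            values[key] = values.get(key, set()) | words
        else:  # "-=" removes values set earlier
            values[key] = values.get(key, set()) - words
    found = [f"{k} USERID" for k in ("log_on_success", "log_on_failure")
             if "USERID" in values.get(k, set())]
    # IDONLY only has an effect together with USERID: it refuses clients that do not answer.
    if found and "IDONLY" in values.get("flags", set()):
        found.append("flags IDONLY")
    return found

def compare(a, b):
    """Settings present in file a but not in file b."""
    return sorted(set(ident_settings(a)) - set(ident_settings(b)))

if __name__ == "__main__":
    print(compare(NEW_BOX, OLD_BOX))
```
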