Stopping Posting Access through port 119

Russ Allbery rra at stanford.edu
Tue Sep 21 09:53:51 UTC 1999


Pradiman K Pandita <pkpandita at hss.hns.com> writes:

> How can we deny access to port 119 to the outside world apart
> from blocking it on the firewall. Are there any configuration
> changes in any of the conf files or what. I don't want the
> outside world to do a telnet on port 119 of my news server
> and post or for that matter even read the news items. How can
> I achieve that. Can anybody help.

It is an unfortunate side effect of the semantics of Berkeley sockets that
it's necessary to accept a connection in order to determine who is
connecting.  INN will therefore always answer on port 119.  It sends back
an NNTP rejection code rather than just dropping the connection to provide
clearer semantics for remote connections.

I personally think the chances of a successful exploit of the tiny bit of
INN code involved in determining that someone doesn't have access and
dropping the connection immediately, particularly given that no data is
read from the network, to be fairly small.  But it's always possible,
particularly in the presence of a misconfigured incoming.conf.

If you're in control of all of the machines that your server is feeding,
you can run INN on a port other than 119.  That may or may not be
sufficient for what you want.  Beyond that, firewalling is probably the
best approach; note that many Unix variants have "built-in" simple
firewalling that allows you to block off ports on the local machine
without having to run or configure a separate firewall.

-- 
Russ Allbery (rra at stanford.edu)         <URL:http://www.eyrie.org/~eagle/>
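An added illustration of the accept-then-reject behaviour described above; this is example code, not INN's own. It assumes a constructed peer allowlist standing in for incoming.conf, a hypothetical greeting string, and uses the standard NNTP 502 response code for the rejection.

```python
import ipaddress
import socket

# Constructed allowlist playing the role of incoming.conf peers (assumption).
ALLOWED_PEERS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]
REJECT_LINE = b"502 Permission denied\r\n"          # NNTP access-denied code
GREETING = b"200 news.example.org NNTP server ready\r\n"  # hypothetical banner


def peer_allowed(peer_ip, allowed=ALLOWED_PEERS):
    """Decide from the peer address alone; nothing has been read from the peer."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed)


def handle_connection(conn, peer_ip, allowed=ALLOWED_PEERS):
    """The kernel completed the TCP handshake before accept() returned, so the
    only way to learn who connected is to inspect the accepted socket. An
    unlisted peer gets the rejection code and is closed without the server
    ever calling recv(), which keeps the untrusted-input surface tiny."""
    if not peer_allowed(peer_ip, allowed):
        conn.sendall(REJECT_LINE)
        conn.close()
        return False
    conn.sendall(GREETING)
    return True


def first_line_for(peer_ip, allowed=ALLOWED_PEERS):
    """Run the check over a local socketpair and return what the client sees."""
    server_end, client_end = socket.socketpair()
    handle_connection(server_end, peer_ip, allowed)
    line = client_end.recv(256)
    client_end.close()
    server_end.close()
    return line


def serve(port=119, allowed=ALLOWED_PEERS):
    """Listen on the NNTP port: every connection is answered, as the text says."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", port))
        srv.listen(5)
        while True:
            conn, (peer_ip, _) = srv.accept()
            if handle_connection(conn, peer_ip, allowed):
                conn.close()  # a real NNTP session would continue here


if __name__ == "__main__":
    serve(port=1119)  # unprivileged port for local experimentation
```

A rejected client still sees a TCP connect succeed followed by the 502 line, which is exactly why only a firewall (host-based or otherwise) can make the port appear closed.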