RE: [ldap] Internet scans on port 389
Port 389 for LDAP should not be opened to the internet from a company firewall. Period! If you need to get LDAP to a remote facility, use VPN, and you will not have the issue with people scanning your LDAP server. Also, if you put a host sensor on your LDAP server, something like Cisco Security Agent, it will stop the scans and the directed attacks at your LDAP server that network-based IDSs will not detect.
- First two things in a rollout are security, then design -
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of bruce
Sent: Monday, February 23, 2004 10:28 AM
To: 'Kurt D. Zeilenga'; 'Tony Earnshaw'
Cc: 'Openldap list'
Subject: RE: [ldap] Internet scans on port 389
why would this not be appropriate to this list....
some may only be subscribed to this list..
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Kurt D.
Sent: Monday, February 23, 2004 9:58 AM
To: Tony Earnshaw
Cc: Openldap list
Subject: Re: [ldap] Internet scans on port 389
This topic is more appropriately discussed on the general LDAP
list <firstname.lastname@example.org> (which this message was cross-posted to).
Please respond only to that list.
At 10:56 PM 2/22/2004, Tony Earnshaw wrote:
>Although the following has nothing to do directly with the vendor
>software used, it does have a bearing on how that software is
>It's worth mentioning that port 389 has reached the top 10 Internet
>ports being scanned (SANS ISC, http://isc.sans.org/). Why this should be
>is not reported.
>It might be as well to pay extra attention to your firewalling of this
>port, if your LDAP transactions involve sensitive information, and even
>to consider exclusively using TLS for transactions using this port.
>mail: billy - at - billy.demon.nl
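The thread makes two practical points: an LDAP server should not be reachable on tcp/389 from the internet (VPN or TLS for remote access), and port 389 was being scanned widely enough to enter the SANS ISC top ten. The script below is an added example, not code from the original thread or from the OpenLDAP project: it runs over constructed firewall log lines in an iptables LOG style (the prefixes FW-DROP/FW-ACCEPT, the addresses and the internal network list are all assumptions) and reports two things a defender wants from such logs: external sources probing tcp/389 across several hosts, and any accepted tcp/389 connection from a non-internal source, which is the firewall misconfiguration the first reply warns about.

```python
"""Triage of firewall log lines for LDAP (tcp/389) exposure and scanning.

Added example; not part of the original mailing-list thread. The log
format is modelled on Linux netfilter/iptables LOG output, but the
prefixes, addresses and internal ranges below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges; 10.8.0.0/24 stands in for a VPN.
SAMPLE_LOG = """\
Feb 23 09:58:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=44011 DPT=389 SYN
Feb 23 09:58:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=44012 DPT=389 SYN
Feb 23 09:58:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=44013 DPT=389 SYN
Feb 23 09:58:05 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=389 SYN
Feb 23 09:58:07 fw kernel: FW-ACCEPT IN=tun0 OUT=eth1 SRC=10.8.0.23 DST=198.51.100.10 PROTO=TCP SPT=52000 DPT=389 SYN
Feb 23 09:58:09 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=80 SYN
"""

# Assumed "trusted" address space: RFC 1918 ranges, which here also cover the VPN pool.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LDAP_PORT = 389

# Pull the verdict prefix, source, destination, protocol and destination port out of a line.
LINE_RE = re.compile(
    r"(?P<action>FW-(?:DROP|ACCEPT)) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Return one dict per recognisable log line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]),
        })
    return events


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def ldap_scanners(events, min_targets=2):
    """External sources whose tcp/389 probes reached at least min_targets distinct hosts.

    Sweeping several destinations on the same port is the signature of a scan
    rather than a single misdirected client, so the threshold filters noise.
    """
    targets = defaultdict(set)
    for e in events:
        if e["dpt"] == LDAP_PORT and e["proto"] == "TCP" and not is_internal(e["src"]):
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def exposed_ldap_accepts(events):
    """(src, dst) pairs where tcp/389 was ACCEPTED from a non-internal source.

    Any hit here means the directory is reachable from outside the trusted
    ranges, which is exactly what the thread says a firewall must not allow.
    """
    return sorted({
        (e["src"], e["dst"])
        for e in events
        if e["dpt"] == LDAP_PORT and e["action"] == "FW-ACCEPT" and not is_internal(e["src"])
    })


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, dsts in ldap_scanners(evs).items():
        print(f"scan of tcp/{LDAP_PORT} from {src} across {len(dsts)} hosts: {', '.join(dsts)}")
    for src, dst in exposed_ldap_accepts(evs):
        print(f"WARNING: tcp/{LDAP_PORT} accepted from external {src} to {dst}")
```

Run against the constructed sample, the scanner report names only 203.0.113.7 (three directory hosts probed), and the exposure check flags the single accepted connection from 192.0.2.55 while leaving the VPN client at 10.8.0.23 alone. Point `parse()` at real netfilter output and adjust INTERNAL_NETS to your own address plan before relying on it.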