Port reference
Port 113 (TCP) – Ident / Auth
Identification protocol that reports the username owning a given TCP connection.
Default state
Largely disabled today but historically queried by IRC, mail, and FTP servers; identd still appears on legacy Unix.
Common attacks
- Username disclosure of the account owning a connection
- Reconnaissance probing, classically by IRC servers on connect
- Spoofed ident responses to evade or mislead access controls
Hardening
- Disable identd unless a specific service strictly requires it
- Return a fixed token or random ID instead of real usernames
- Block or REJECT inbound TCP port 113 at the firewall
- Prefer REJECT over DROP so clients fail fast instead of hanging
nmap snippet
nmap -p113 --script auth-owners <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 113?
Port 113 is the default for the Ident protocol (RFC 1413), also known as
Auth. When you make an outbound TCP connection, the remote server can query
port 113 on your host to ask which local username owns that connection. It was
widely used by IRC, SMTP, and FTP servers to log or verify the identity behind
incoming sessions. Modern systems rarely run identd, but it persists on legacy
Unix.
Why it matters for security
Ident is information disclosure by design. Answering truthfully reveals the
username running each connection, helping an attacker map accounts to services
and target them. Conversely, the response is trivially spoofable by whoever
controls the queried host, so it provides no trustworthy authentication — only
a leak risk. Running a real identd on an exposed host gives away account data for
nothing.
How it's attacked
The classic interaction is an IRC server probing port 113 when a client connects, which attackers observe to learn usernames. More directly, scanners use ident to enumerate the accounts behind running services for follow-on attacks. Because responses can be forged, an attacker controlling a host can also feed misleading identities to systems that naively trust ident for access decisions.
Hardening checklist
Disable identd unless a service strictly requires it; if one does, configure
it to return a fixed token or random ID rather than real usernames. REJECT
inbound TCP port 113 at the firewall rather than DROP, so IRC and mail servers that
probe it get an instant refusal instead of stalling on a timeout. The nmap snippet
above reports the owning user that ident discloses on hosts you are authorized to
test.
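One way to meet the "fixed token or random ID" item, as an added example that is not from this page or from any identd project: a reply builder for RFC 1413 queries that answers with opsys OTHER and an opaque ID instead of an account name. The function name, the HMAC-derived ID (used here in place of a purely random one so an operator holding the key can recompute it from logs) and the sample queries are assumptions of this example.

```python
import hashlib
import hmac
import re
from typing import Optional

# RFC 1413 query line: "<port-on-server> , <port-on-client>" ending in CRLF.
QUERY_RE = re.compile(rb"^(\d{1,5})\s*,\s*(\d{1,5})$")


def ident_reply(query: bytes, secret: bytes, fixed_token: Optional[str] = None) -> bytes:
    """Return an RFC 1413 reply line that never carries a real username.

    Hypothetical helper for this example. Returns b"" for input that is not
    an ident query, meaning the caller should close without answering.
    """
    line = query[:64].split(b"\n", 1)[0].strip()
    match = QUERY_RE.match(line)
    if match is None:
        return b""
    local_port, remote_port = int(match.group(1)), int(match.group(2))
    pair = f"{local_port} , {remote_port}"
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{pair} : ERROR : INVALID-PORT\r\n".encode("ascii")
    if fixed_token is not None:
        token = fixed_token
    else:
        # Keyed, opaque ID per port pair: stable for the operator who holds
        # the secret, meaningless to the server that asked.
        digest = hmac.new(secret, pair.encode("ascii"), hashlib.sha256)
        token = digest.hexdigest()[:16]
    # Opsys OTHER tells the peer the identifier is not an account name.
    return f"{pair} : USERID : OTHER : {token}\r\n".encode("ascii")


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret
    for sample in (b"6191, 23\r\n", b"0, 70000\r\n", b"GET / HTTP/1.1\r\n"):
        print(sample, "->", ident_reply(sample, key))
```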
Frequently asked questions
- What is the Ident protocol on port 113?
  Ident (RFC 1413), also called Auth, lets a remote server ask which local username owns an outgoing TCP connection. IRC, mail, and FTP servers historically queried it on connect.
- Should I block port 113?
  Usually yes — disable identd or REJECT the port. Use REJECT rather than DROP so IRC and mail servers that probe it get an immediate answer instead of waiting for a timeout.