Re: Port scan from Apache?

Board: FB_security | Posted: 2006/07/19 19:59
Clemens Renner <claim@rinux.net> wrote:
> thank you for your sympathy and your thorough comments. :) I had that
> specific feeling when I read the mail for the first time. I'll try
> reducing the keepalive time to get rid of further complaints.

Which means reducing the efficiency of your service for _all_ users just because _one_ firewall admin has no clue. I wouldn't do that.

Try to ask that admin for a packet trace that you can view in tcpdump or ethereal, so you can verify yourself what might be the cause of it. If he cannot do that, then ask him (politely) to stop bothering you, unless he can *prove* that the packet in question was a malicious scan. I bet he can't.

I also agree with the poster in this thread who wondered that a single packet can hardly be called a "port scan". It really is probably a FIN(ACK) packet from a dangling connection. I've often seen that from port 53 on name servers, but it can happen for other kinds of services, too.

It all sounds as if someone without any networking clue installed a black-box firewall, watches the logs and goes to panic mode each time it outputs something, no matter what, and not taking into account that there can be false positives (especially if the source port is a WKP, like 80 [HTTP] in this case). "All the world is attacking me!"

Just my 2 cents. :-)

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd

Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

"Python tricks" is a tough one, cuz the language is so clean. E.g., C makes an art of confusing pointers with arrays and strings, which leads to lotsa neat pointer tricks; APL mistakes everything for an array, leading to neat one-liners; and Perl confuses everything period, making each line a joyous adventure <wink>.
        -- Tim Peters
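
Added example (not part of the original message): one way to check a packet trace of the kind requested above, separating a lone FIN/ACK or RST sent from a server port from a burst of bare SYNs to many ports. The tcpdump lines are constructed, and the function names and the five-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default text output (documentation addresses).
SAMPLE = "\n".join(
    ["19:58:40.100001 IP 192.0.2.10.80 > 198.51.100.7.34567: "
     "Flags [F.], seq 4021, ack 977, win 65535, length 0",
     "19:58:52.300003 IP 192.0.2.44.51000 > 198.51.100.7.80: "
     "Flags [S], seq 7, win 8192, length 0"]
    + ["19:59:0%d.000000 IP 203.0.113.5.40001 > 198.51.100.7.%d: "
       "Flags [S], seq 100, win 1024, length 0" % (i, port)
       for i, port in enumerate([21, 22, 23, 25, 110, 143])]
)

LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
                  r"Flags \[([^\]]+)\]")

def parse(text):
    """Yield (src, sport, dport, flags) for each TCP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, _dst, dport, flags = m.groups()
            yield src, int(sport), int(dport), flags

def triage(text, scan_ports=5):
    """Return {source_ip: verdict}. scan_ports is an assumed threshold."""
    syn_ports = defaultdict(set)   # distinct ports hit by bare SYNs
    teardown = defaultdict(int)    # FIN/RST packets sent from a port < 1024
    sources = set()
    for src, sport, dport, flags in parse(text):
        sources.add(src)
        if "S" in flags and "." not in flags:   # SYN without ACK: new attempt
            syn_ports[src].add(dport)
        elif ("F" in flags or "R" in flags) and sport < 1024:
            teardown[src] += 1                  # leftover of an old connection
    verdicts = {}
    for src in sources:
        if len(syn_ports[src]) >= scan_ports:
            verdicts[src] = "possible port scan"
        elif teardown[src] and not syn_ports[src]:
            verdicts[src] = "stray teardown from server port"
        else:
            verdicts[src] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE).items()):
        print(src, "->", verdict)
```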
Article code (AID): #14lXwW00 (FB_security)