Re: Port scan from Apache?



Hello.

The version of a user (behind their firewall) visiting your site, and
a badly configured stateful firewall timeout, can be checked: just look at
the logs of your Apache.
But if it turns out that none of their users had touched your website at
that time, then I think one more reason is quite possible.
Think of a TCP packet with a source address of a complaining firewall
and SYN-flag set, but sent to you, Clemens, from some other guy (just
spoofed src-addr). Sure, your webserver tries to establish a connection
with the source address, which didn't want to establish a connection.
This version can also be checked - just try to ask them for details
about packets that come from you. If they are SYN+ACK, then this
version becomes more probable. If they have RST, this is also possible.
This can be done simply: for example, someone was scanning your ports,
Clemens. And he was doing it from some spoofed source addresses and his
real one (you wouldn't want to check them all, would you? - that's why
multiple source addresses are used). And another example - someone was
just playing :-) with HPing, for example ;-)
If this is annoying, it is possible to try to trace the route of the
packets that come to you (if they really do) and to their firewall.


BTW, isn't it impossible for Apache (if it's running from non-root) to
make connections from its port 80?



Clemens Renner wrote:
Hi Mike,

thank you for your sympathy and your thorough comments. :) I had that specific feeling when I read the mail for the first time. I'll try reducing the keepalive time to get rid of further complaints.

The question is: Why do the "port scans" still come in on their machine? Should I advise them to restart their "we-take-care-don't-you-worry" hardware?

Regards
Clemens
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"






--
Best regards,
Danil V. Gerun.
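
The two checks suggested in the reply above (look for a matching visit in the Apache log, then look at the TCP flags of the packets the firewall reported), as an added example that is not part of the original thread. The addresses, log lines, report format and the 10-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

CLIENT = "203.0.113.10"          # complaining firewall's address (constructed)
WINDOW = timedelta(minutes=10)   # assumed max gap between a visit and a late reply

# Constructed Apache access log excerpt (common log format).
APACHE_LOG = """\
203.0.113.10 - - [12/Mar/2006:10:15:02 +0100] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2006:11:40:10 +0100] "GET /a HTTP/1.1" 200 90
"""

# Constructed list of packets the firewall saw coming from our port 80.
REPORTED = """\
2006-03-12T10:17:40+01:00 sport=80 dport=51234 flags=FA
2006-03-12T13:05:11+01:00 sport=80 dport=1025 flags=SA
2006-03-12T13:05:12+01:00 sport=80 dport=1026 flags=R
2006-03-12T14:00:00+01:00 sport=80 dport=4000 flags=PA
"""

def visits(log, client):
    """Timestamps of requests made by `client` according to the access log."""
    out = []
    for line in log.splitlines():
        m = re.match(r"(\S+) \S+ \S+ \[([^\]]+)\]", line)
        if m and m.group(1) == client:
            out.append(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    return out

def classify(reported, seen):
    """Label each reported packet using the visit times and its TCP flags."""
    results = []
    for line in reported.splitlines():
        ts, _sport, _dport, flags = line.split()
        when = datetime.fromisoformat(ts)
        flags = set(flags.split("=")[1])
        if any(timedelta(0) <= when - v <= WINDOW for v in seen):
            verdict = "late reply to a real visit (firewall state expired)"
        elif flags == {"S", "A"}:
            verdict = "SYN+ACK with no visit: reply to a spoofed SYN is likely"
        elif "R" in flags:
            verdict = "RST with no visit: spoofed-source traffic is possible"
        else:
            verdict = "unexplained: ask for a full packet capture"
        results.append((ts, verdict))
    return results

if __name__ == "__main__":
    for ts, verdict in classify(REPORTED, visits(APACHE_LOG, CLIENT)):
        print(ts, verdict)
```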

