RE: Port scan from Apache?



-----Original Message-----
From: owner-freebsd-security@xxxxxxxxxxx
[mailto:owner-freebsd-security@xxxxxxxxxxx] On Behalf Of comm@xxxxxx
Sent: Friday, July 21, 2006 12:43 AM
To: Clemens Renner
Cc: freebsd-security@xxxxxxxxxxx
Subject: Re: Port scan from Apache?


Clemens Renner wrote:
Hi everyone,

today I got an e-mail from a company claiming that my server is doing port scans on their firewall machine. I found that hard to believe so I started checking the box.

Let me put my 2/c (CAD) into this, as a user of netscreens and the CTO of a
managed network security service.

The person who sent you the 'alert' might be wrong.

We see "port scans" from web servers (incrementing source ports > 1024,
destination port 80) and it is usually just noise, internet traffic, and
the failure of his netscreen to properly close the connection.

Can you correlate the netscreen logs with times his users have accessed
your web site?

Do you have complaints from just this one person? Send him a note
telling him this is just normal internet traffic and that he should try
to understand the three way TCP handshake, and what stateful firewalls
do when they close their side of the TCP connection before you do.

If it happens A LOT, to lots of different networks, then, well, it is
possible you have a worm, do a tcpdump on the traffic and look for it.

Another possibility is that your web site spawns many different http
threads for each user connection
(do you have a zillion thumbnail gifs? Each one could spawn a different
tcp connection).

Do you have an unusually high keep-alive?
Is YOUR firewall closing (timing out) the tcp connection?

Mostly, if this was just one complaint, grep your web server logs for
his user connecting, tell him this is just normal tcp traffic and go
about your business from then on.

If he gets rude, blacklist him and/or send him a $50 lawyer letter and
tell him to either drop dead or call his local FBI (or RCMP) office.

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
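The reply above suggests correlating the complainant's firewall alert with the times their own users hit the web site. The following is an added example, not code from the thread, that does exactly that triage step: it parses Apache combined-format access log lines and reports requests from the complaining network within a window around the alert time. The log lines, the 203.0.113.0/24 network and the alert timestamp are constructed sample data.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format access log (sample data, not a real log).
ACCESS_LOG = """\
203.0.113.7 - - [21/Jul/2006:00:31:02 +0000] "GET /gallery/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Jul/2006:00:31:03 +0000] "GET /thumbs/a.gif HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
203.0.113.9 - - [21/Jul/2006:00:31:04 +0000] "GET /thumbs/b.gif HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
198.51.100.4 - - [21/Jul/2006:00:40:00 +0000] "GET / HTTP/1.1" 200 300 "-" "curl/7.15"
"""

# Constructed details the complainant would supply: their network and when the
# "port scan" was logged on their firewall.
COMPLAINANT_NET = ipaddress.ip_network("203.0.113.0/24")
ALERT_TIME = datetime(2006, 7, 21, 0, 31, 30, tzinfo=timezone.utc)

# Client IP, bracketed timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access log line into (client_ip, timestamp, request) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ipaddress.ip_address(m.group("ip")), ts, m.group("req")


def correlate(log_text, net, alert_time, window=timedelta(minutes=5)):
    """Return {client_ip: [(iso_time, request), ...]} for requests from `net`
    logged within `window` of `alert_time`. A non-empty result means the
    complainant's own users were browsing the site when the alert fired, which
    is the "normal internet traffic" explanation rather than a scan."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        if ip in net and abs(ts - alert_time) <= window:
            hits.setdefault(str(ip), []).append((ts.isoformat(), req))
    return hits


if __name__ == "__main__":
    for ip, reqs in correlate(ACCESS_LOG, COMPLAINANT_NET, ALERT_TIME).items():
        print(ip, len(reqs), "request(s) near alert:", [r for _, r in reqs])
```

Run it against the real access log and the real alert time to see whether the "scanned" hosts had open HTTP sessions to your server at that moment; the thumbnail requests from one client illustrate why a single page view opens several TCP connections.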


