Date: Wed, 19 Jul 2006 10:13:07 +0400
From: "Danil V. Gerun" <danil@sochiwater.ru>
To: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <44BDCD73.9030508@sochiwater.ru>
In-Reply-To: <44BD4A9D.3090704@rinux.net>
References: <44BD0846.6060405@rinux.net> <44BD2CEF.4050504@bit0.com> <44BD4A9D.3090704@rinux.net>
Hello.

The version of a user (behind their firewall) visiting your site, and of a badly configured stateful-firewall timeout, can be checked: just look at the logs of your Apache.

But if it turns out that none of their users had touched your website at that time, then I think one more reason is quite possible. Think of a TCP packet with the source address of the complaining firewall and the SYN flag set, but sent to you, Clemens, by some other guy (just a spoofed src-addr). Sure, your web server tries to establish a connection with the source address, which didn't want to establish a connection.

This version can also be checked: just ask them for details about the packets that come from you. If they are SYN+ACK, then this version becomes more probable. If they have RST, this is also possible.

This can be done simply: for example, someone was scanning your ports, Clemens, and he was doing it from some spoofed source addresses and his real one (you wouldn't want to check them all, would you? That's why multiple source addresses are used). And another example: someone was just playing :-) with HPing, for example ;-)

If this is annoying, it is possible to try to trace the route of the packets that come to you (if they really do) and to their firewall.

BTW, isn't it impossible for Apache (if it's running as non-root) to make connections from its port 80?

Clemens Renner wrote:
> Hi Mike,
>
> thank you for your sympathy and your thorough comments. :) I had that
> specific feeling when I read the mail for the first time. I'll try
> reducing the keepalive time to get rid of further complaints.
>
> The question is: Why do the "port scans" still come in on their
> machine? Should I advise them to restart their
> "we-take-care-don't-you-worry" hardware?
>
> Regards
> Clemens
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

--
Best regards,
Danil V. Gerun.
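The two checks Danil proposes above, as an added worked example that is not part of the thread and not code from any of its participants: first, grep the Apache access log for hits from the complainant's address inside the complaint window; second, classify the packets the complainant's firewall logged as coming from the web server. A SYN+ACK from port 80 with no matching outbound SYN on their side is backscatter from a SYN with a spoofed source; a bare data/ACK segment for a session the firewall no longer tracks is a keepalive that outlived the firewall's state timeout; a real SYN originating from the server is the only case that points at the host itself. All addresses, log lines, packet summaries and the firewall state table are constructed (TEST-NET ranges), and the flag letters follow tcpdump's convention.

```python
"""Triage for a "your web server is port-scanning us" complaint.

Added example, not from the mailing-list thread. All data below is
constructed: TEST-NET addresses, invented log lines and packet summaries.
"""
import re
from collections import Counter
from datetime import datetime

WEBSERVER_IP = "192.0.2.10"      # constructed: the accused web server
COMPLAINANT_IP = "203.0.113.7"   # constructed: host behind the complaining firewall

# Constructed Apache "combined" access-log lines.
APACHE_LOG = """\
203.0.113.7 - - [18/Jul/2006:14:02:11 +0400] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Jul/2006:14:05:32 +0400] "GET /index.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2006:14:06:01 +0400] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2006:15:30:44 +0400] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_apache_ts(text):
    """Parse an Apache CLF timestamp such as '18/Jul/2006:14:02:11 +0400'."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def hits_from(log_text, client_ip, start, end):
    """Access-log requests from client_ip with start <= timestamp <= end."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ip") != client_ip:
            continue
        ts = parse_apache_ts(m.group("ts"))
        if start <= ts <= end:
            hits.append((ts, m.group("req")))
    return hits


# Constructed packet summaries as the complainant's firewall would log them:
# packets arriving from the web server, TCP flags tcpdump-style
# (S=SYN, A=ACK, P=PSH, R=RST).
FIREWALL_PACKETS = [
    {"src": WEBSERVER_IP, "sport": 80, "dst": COMPLAINANT_IP, "dport": 51200, "flags": "SA"},
    {"src": WEBSERVER_IP, "sport": 80, "dst": COMPLAINANT_IP, "dport": 51201, "flags": "SA"},
    {"src": WEBSERVER_IP, "sport": 80, "dst": COMPLAINANT_IP, "dport": 51202, "flags": "R"},
    {"src": WEBSERVER_IP, "sport": 80, "dst": COMPLAINANT_IP, "dport": 40123, "flags": "PA"},
    {"src": WEBSERVER_IP, "sport": 80, "dst": COMPLAINANT_IP, "dport": 40124, "flags": "PA"},
    {"src": WEBSERVER_IP, "sport": 54321, "dst": COMPLAINANT_IP, "dport": 22, "flags": "S"},
]

# Constructed state table of the complainant's firewall: (client_ip, client_port)
# pairs for which it currently tracks an outbound session to the web server.
ACTIVE_SESSIONS = {(COMPLAINANT_IP, 51200), (COMPLAINANT_IP, 40123)}


def classify_packet(pkt, webserver_ip, active_sessions):
    """Label one packet that arrived from the web server at the complainant's side."""
    if pkt["src"] != webserver_ip:
        return "unrelated"
    flags = pkt["flags"]
    tracked = (pkt["dst"], pkt["dport"]) in active_sessions
    if pkt["sport"] == 80:
        if "S" in flags and "A" in flags:
            # A SYN+ACK nobody asked for is the reply to a SYN with a spoofed source.
            return "legitimate SYN+ACK" if tracked else "backscatter SYN+ACK (spoofed SYN)"
        if "R" in flags:
            # The server refusing an unsolicited segment; also consistent with spoofing.
            return "RST to unsolicited segment"
        if tracked:
            return "data on tracked connection"
        # Data/ACK for a connection the firewall already forgot: the server's
        # keepalive outlived the firewall's state timeout.
        return "stale keepalive segment (firewall state expired)"
    if flags == "S":
        # Only a genuine outbound connection from the server looks like this.
        return "genuine outbound SYN from server: investigate the host"
    return "other"


def triage(packets, webserver_ip, active_sessions):
    """Count packets per label; the dominant label points at the explanation."""
    return Counter(classify_packet(p, webserver_ip, active_sessions) for p in packets)


if __name__ == "__main__":
    start = parse_apache_ts("18/Jul/2006:14:00:00 +0400")
    end = parse_apache_ts("18/Jul/2006:14:10:00 +0400")
    for ts, req in hits_from(APACHE_LOG, COMPLAINANT_IP, start, end):
        print(ts, req)
    for label, n in triage(FIREWALL_PACKETS, WEBSERVER_IP, ACTIVE_SESSIONS).items():
        print(f"{n:3d}  {label}")
```

In practice the packet summaries come from the complainant's firewall log or a tcpdump on their border, and the "active session" check is whatever their state table shows; the labels are heuristics for the conversation with them, not proof. Only the last category (a SYN leaving the server from a high port) says anything about the web server host itself.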