From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 06:39:19 2006
From: "Danil V. Gerun" <danil@sochiwater.ru>
Organization: Water Supply and Water Treatment Municipal Unitary Undertaking of city Sochi
Date: Wed, 19 Jul 2006 10:13:07 +0400
To: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <44BDCD73.9030508@sochiwater.ru>
In-Reply-To: <44BD4A9D.3090704@rinux.net>
References: <44BD0846.6060405@rinux.net> <44BD2CEF.4050504@bit0.com> <44BD4A9D.3090704@rinux.net>
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
Hello.

The version of a user (behind their firewall) visiting your site, and a badly configured stateful firewall timeout, can be checked: just look at the logs of your Apache.

But if it turns out that none of their users had touched your website at that time, then I think one more reason is quite possible. Think of a TCP packet with the source address of the complaining firewall and the SYN flag set, but sent to you, Clemens, from some other guy (just a spoofed src-addr). Sure, your webserver tries to establish a connection with the source address, which didn't want to establish a connection. This version can also be checked - just try to ask them for details about the packets that come from you. If they are SYN+ACK, then this version becomes more probable. If they have RST, this is also possible.

This can be done simply: for example, someone was scanning your ports, Clemens. And he was doing it from some spoofed source addresses and his real one (you wouldn't want to check them all, would you? - that's why multiple source addresses are used). And another example - someone was just playing :-) with HPing, for example ;-)

If this is annoying, it is possible to try to trace the route of the packets that come to you (if they really do) and to their firewall.

BTW, isn't it impossible for Apache (if it's running from non-root) to make connections from its port 80?

Clemens Renner wrote:
> Hi Mike,
>
> thank you for your sympathy and your thorough comments. :) I had that
> specific feeling when I read the mail for the first time. I'll try
> reducing the keepalive time to get rid of further complaints.
>
> The question is: Why do the "port scans" still come in on their
> machine?
> Should I advise them to restart their
> "we-take-care-don't-you-worry" hardware?
>
> Regards
> Clemens
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
>

--
Best regards,
Danil V. Gerun.
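The triage Danil sketches above has three checks: did the complainant's address appear in the Apache access log around the time in question, which TCP flags did the packets they saw carry, and did those packets really come from port 80 (the only port httpd answers on, and one it never initiates connections from). The script below, added here as an illustration and not code from the thread or from the FreeBSD project, walks those checks in order over a constructed sample of Apache combined-format log lines (documentation-range addresses) and returns a hypothesis. The `triage` function, the window of 15 minutes and the wording of the verdicts are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Apache "combined" access-log lines (not taken from the
# thread); addresses come from the documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jul/2006:09:58:01 +0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2006:10:01:44 +0400] "GET /news/ HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2006:10:03:12 +0400] "GET /img/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_ts(text):
    """Parse an Apache timestamp such as '19/Jul/2006:10:13:07 +0400'."""
    return datetime.strptime(text, TS_FMT)


def parse_access_log(text):
    """Turn combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "ts": parse_ts(m["ts"]),
                            "request": m["req"], "status": int(m["status"])})
    return entries


def hits_from(entries, ip, around, window_minutes=15):
    """Requests from `ip` within +/- window_minutes of the time they complain about."""
    lo = around - timedelta(minutes=window_minutes)
    hi = around + timedelta(minutes=window_minutes)
    return [e for e in entries if e["ip"] == ip and lo <= e["ts"] <= hi]


def triage(complainant_ip, when, flags, src_port, entries):
    """Most plausible explanation for packets the complainant attributes to our server.

    flags:    TCP flags they report seeing, e.g. {"SYN", "ACK"} or {"RST"}.
    src_port: source port of those packets as seen on their side.
    The verdict strings are hypotheses to verify, not proof.
    """
    flags = {f.upper() for f in flags}
    if src_port != 80:
        # httpd only answers on its listening port and never initiates from it,
        # so packets from another port did not come from Apache at all.
        return "not-from-apache: look at other services, or at spoofing of our address"
    if hits_from(entries, complainant_ip, when):
        return ("stale-session: their users were on our site; the packets are probably "
                "late replies on a connection their firewall had already dropped from its state")
    if flags == {"SYN", "ACK"}:
        return "backscatter: someone sent us SYNs with their address spoofed; we replied SYN+ACK"
    if flags == {"RST"}:
        return "backscatter-rst: spoofed non-SYN segments reached us; the kernel replied RST"
    return "unexplained: ask them for a full packet capture with timestamps"


if __name__ == "__main__":
    log = parse_access_log(SAMPLE_LOG)
    t = parse_ts("19/Jul/2006:10:05:00 +0400")
    print(triage("198.51.100.7", t, {"SYN", "ACK"}, 80, log))
    print(triage("192.0.2.9", t, {"SYN", "ACK"}, 80, log))
```

To collect the server-side half of the evidence Danil asks the complainant for, a capture restricted to the SYN+ACKs leaving port 80 for their address (for instance `tcpdump -n 'src port 80 and dst host <their address> and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'`) can be compared with the timestamps and flags they report; unsolicited SYN+ACKs that match nothing in the access log are the signature of the spoofed-SYN case.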