From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Date: Wed, 19 Jul 2006 09:18:41 +0200 (CEST)
Subject: Re: Port scan from Apache?
In-Reply-To: <44BD4A9D.3090704@rinux.net>
Message-Id: <200607190718.k6J7IfcU036093@lurza.secnetix.de>

Clemens Renner wrote:
> thank you for your sympathy and your thorough comments. :) I had that
> specific feeling when I read the mail for the first time. I'll try
> reducing the keepalive time to get rid of further complaints.

Which means reducing the efficiency of your service for _all_ users just because _one_ firewall admin has no clue. I wouldn't do that.

Try to ask that admin for a packet trace that you can view in tcpdump or ethereal, so you can verify yourself what might be the cause of it. If he cannot do that, then ask him (politely) to stop bothering you, unless he can *prove* that the packet in question was a malicious scan. I bet he can't.

I also agree with the poster in this thread who wondered that a single packet can hardly be called a "port scan". It really is probably a FIN(ACK) packet from a dangling connection. I've often seen that from port 53 on name servers, but it can happen for other kinds of services, too.

It all sounds as if someone without any networking clue installed a black-box firewall, watches the logs and goes into panic mode each time it outputs something, no matter what, without taking into account that there can be false positives (especially if the source port is a WKP, like 80 [HTTP] in this case). "All the world is attacking me!"

Just my 2 cents. :-)

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Python tricks" is a tough one, cuz the language is so clean. E.g.,
C makes an art of confusing pointers with arrays and strings, which
leads to lotsa neat pointer tricks; APL mistakes everything for an
array, leading to neat one-liners; and Perl confuses everything
period, making each line a joyous adventure.
        -- Tim Peters
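The triage Oliver describes (a lone FIN/ACK from a well-known service port is the tail of a dangling connection, not a scan) as an added example that is not part of the thread; the log line format, the port list and the scan threshold are assumptions made for this example.

```python
"""Triage firewall log records before complaining about a "port scan".

A single FIN/ACK or RST arriving from a well-known service port (80 here,
53 for name servers) is what a server's keepalive timeout looks like from
the client's firewall: a stale connection being torn down.  Many SYNs from
one host fanning out over many destination ports look like a scan.  The
'src:sport dst:dport flags' line format and thresholds are assumptions.
"""
from collections import defaultdict

WELL_KNOWN_PORTS = {22, 25, 53, 80, 443}   # assumed WKP list; 80 is the case in the thread
SCAN_PORT_THRESHOLD = 5                    # distinct dports before calling it a scan (assumption)


def parse_record(line):
    """Parse one constructed log line: 'src:sport dst:dport FLAG/FLAG'."""
    src, dst, flags = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"src": src_ip, "sport": int(sport), "dst": dst_ip,
            "dport": int(dport), "flags": set(flags.split("/"))}


def classify(lines):
    """Return {source_ip: verdict} for the given log lines."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        dports = {r["dport"] for r in recs}
        syn_only = [r for r in recs if r["flags"] == {"SYN"}]
        if len(syn_only) >= SCAN_PORT_THRESHOLD and len(dports) >= SCAN_PORT_THRESHOLD:
            verdicts[src] = "probable scan"
        elif (len(recs) == 1 and recs[0]["sport"] in WELL_KNOWN_PORTS
              and recs[0]["flags"] & {"FIN", "RST"}):
            verdicts[src] = "stale connection teardown (likely false positive)"
        else:
            verdicts[src] = "inconclusive; request a packet capture"
    return verdicts


# Constructed sample: one FIN/ACK from a web server's port 80, one SYN sweep.
SAMPLE_LOG = [
    "192.0.2.10:80 198.51.100.5:51234 FIN/ACK",
    "203.0.113.7:40001 198.51.100.5:21 SYN",
    "203.0.113.7:40002 198.51.100.5:22 SYN",
    "203.0.113.7:40003 198.51.100.5:23 SYN",
    "203.0.113.7:40004 198.51.100.5:25 SYN",
    "203.0.113.7:40005 198.51.100.5:110 SYN",
]

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```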