Date: Wed, 19 Jul 2006 16:54:37 +0200
From: Clemens Renner <claim@rinux.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Port scan from Apache?
Message-ID: <44BE47AD.4010302@rinux.net>
In-Reply-To: <200607190718.k6J7IfcU036093@lurza.secnetix.de>
References: <200607190718.k6J7IfcU036093@lurza.secnetix.de>

Oliver Fromme wrote:
> > I'll try
> > reducing the keepalive time to get rid of further complaints.
>
> Which means reducing the efficiency of your service for
> _all_ users just because _one_ firewall admin has no clue.
> I wouldn't do that.

In theory, you are right and it does sound like a bad trade-off.
However, when I checked my Apache configuration, I found
KeepAliveTimeout already set to a very low 15 seconds -- which has
worked fine in the past -- so I don't want to tinker with it. The
Timeout directive, however, was set to 300 seconds and after consulting
httpd's documentation, I decided to go down to 120 seconds there.

Regarding the advice from several people that the complaining admin
should provide more details on the alleged "port scan": I will ask him
to do that the next time he contacts me. For the moment, however, he has
kept quiet already after I hinted at the possibility of someone using
the web mailer from their network. I think so far I did everything I
could to investigate the issue without any specifics, so I also guess
it's his turn now to come forward with more substantial allegations.

> It all sounds as if someone without any networking clue
> installed a black-box firewall, watches the logs and goes
> to panic mode each time it outputs something, no matter
> what, and not taking into account that there can be false
> positives (especially if the source port is a WKP, like
> 80 [HTTP] in this case). "All the world is attacking me!"

Exactly my POV. On a side note: Since one of my users is actually
working for them and using my web mailer while he's at work, the puzzle
pieces fit quite nicely to support the false positive theory.

And by the way: Thanks to everyone contributing ideas and invaluable
advice on this matter.

Clemens