Date:      Wed, 19 Jul 2006 09:18:41 +0200 (CEST)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Port scan from Apache?
Message-ID:  <200607190718.k6J7IfcU036093@lurza.secnetix.de>
In-Reply-To: <44BD4A9D.3090704@rinux.net>

Clemens Renner <claim@rinux.net> wrote:
 > thank you for your sympathy and your thorough comments. :) I had that 
 > specific feeling when I read the mail for the first time. I'll try 
 > reducing the keepalive time to get rid of further complaints.

Which means reducing the efficiency of your service for
_all_ users just because _one_ firewall admin has no clue.
I wouldn't do that.

Try to ask that admin for a packet trace that you can view
in tcpdump or ethereal, so you can verify yourself what
might be the cause of it.  If he cannot do that, then ask
him (politely) to stop bothering you, unless he can *prove*
that the packet in question was a malicious scan.  I bet he
can't.

I also agree with the poster in this thread who wondered
that a single packet can hardly be called a "port scan".
It really is probably a FIN(ACK) packet from a dangling
connection.  I've often seen that from port 53 on name
servers, but it can happen for other kinds of services,
too.

It all sounds as if someone without any networking clue
installed a black-box firewall, watches the logs and goes
to panic mode each time it outputs something, no matter
what, and not taking into account that there can be false
positives (especially if the source port is a WKP, like
80 [HTTP] in this case).  "All the world is attacking me!"

Just my 2 cents.  :-)

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Python tricks" is a tough one, cuz the language is so clean. E.g.,
C makes an art of confusing pointers with arrays and strings, which
leads to lotsa neat pointer tricks; APL mistakes everything for an
array, leading to neat one-liners; and Perl confuses everything
period, making each line a joyous adventure <wink>.
        -- Tim Peters
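A small triage script, added here as an example (not code from Oliver's message or from the FreeBSD project), that applies the reasoning above to tcpdump-style output: it separates a lone FIN/ACK from a well-known service port (the stale-connection case described in the message) from a burst of SYNs to many ports. The trace lines and addresses are constructed, and the three-port threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): one stray FIN/ACK from a
# web server's port 80 next to a burst of SYNs that really does look like a scan.
SAMPLE_TRACE = """\
09:18:41.100 IP 192.0.2.10.80 > 198.51.100.5.51234: Flags [F.], seq 1, ack 1, win 65535, length 0
09:18:42.200 IP 203.0.113.7.44001 > 198.51.100.5.22: Flags [S], seq 0, win 1024, length 0
09:18:42.201 IP 203.0.113.7.44002 > 198.51.100.5.23: Flags [S], seq 0, win 1024, length 0
09:18:42.202 IP 203.0.113.7.44003 > 198.51.100.5.25: Flags [S], seq 0, win 1024, length 0
09:18:42.203 IP 203.0.113.7.44004 > 198.51.100.5.80: Flags [S], seq 0, win 1024, length 0
"""

# Matches the "IP src.port > dst.port: Flags [..]" shape tcpdump prints for TCP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_trace(text):
    """Yield (src, sport, dst, dport, flags) for every TCP line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def classify_sources(text, scan_port_threshold=3):
    """Label each source IP 'scan-like', 'stale-connection' or 'inconclusive'."""
    by_src = defaultdict(list)
    for src, sport, dst, dport, flags in parse_trace(text):
        by_src[src].append((sport, dport, flags))
    verdicts = {}
    for src, pkts in by_src.items():
        distinct_dports = {dport for _, dport, _ in pkts}
        # Teardown flags (FIN or RST) sent from a service port below 1024 are
        # the tail of a connection the other side already forgot, not probing.
        teardown_from_service = all(
            sport < 1024 and ("F" in flags or "R" in flags) for sport, _, flags in pkts
        )
        if len(distinct_dports) >= scan_port_threshold:   # assumed threshold
            verdicts[src] = "scan-like"
        elif teardown_from_service:
            verdicts[src] = "stale-connection"
        else:
            verdicts[src] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_TRACE).items():
        print(f"{src}: {verdict}")
```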