From: Clemens Renner
To: freebsd-security@FreeBSD.ORG
Date: Wed, 19 Jul 2006 16:54:37 +0200
Subject: Re: Port scan from Apache?
Message-ID: <44BE47AD.4010302@rinux.net>
In-Reply-To: <200607190718.k6J7IfcU036093@lurza.secnetix.de>
Oliver Fromme wrote:
> > I'll try
> > reducing the keepalive time to get rid of further complaints.
>
> Which means reducing the efficiency of your service for
> _all_ users just because _one_ firewall admin has no clue.
> I wouldn't do that.

In theory, you are right and it does sound like a bad trade-off. However, when I checked my Apache configuration, I found KeepAliveTimeout already set to a very low 15 seconds -- which has worked fine in the past -- so I don't want to tinker with it. The Timeout directive, however, was set to 300 seconds and after consulting httpd's documentation, I decided to go down to 120 seconds there.

Regarding the advice from several people that the complaining admin should provide more details on the alleged "port scan": I will ask him to do that the next time he contacts me. For the moment, however, he has kept quiet already after I hinted at the possibility of someone using the web mailer from their network. I think so far I did everything I could to investigate the issue without any specifics, so I also guess it's his turn now to come forward with more substantial allegations.

> It all sounds as if someone without any networking clue
> installed a black-box firewall, watches the logs and goes
> to panic mode each time it outputs something, no matter
> what, and not taking into account that there can be false
> positives (especially if the source port is a WKP, like
> 80 [HTTP] in this case). "All the world is attacking me!"

Exactly my POV. On a side note: Since one of my users is actually working for them and using my web mailer while he's at work, the puzzle pieces fit quite nicely to support the false positive theory.
And by the way: Thanks to everyone contributing ideas and invaluable advice on this matter.

Clemens
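The false-positive theory discussed in this thread (a web server answering from source port 80 after the firewall has already dropped its state, logged by a black-box firewall as a "port scan") can be checked against the firewall's own logs. The following triage script is an added example, not code from anyone in the thread; the log line format, the addresses and the thresholds are constructed assumptions, and it also labels the opposite pattern (one source host walking several low destination ports) so the two cases can be told apart.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the thread): 203.0.113.10 is the
# web server answering from port 80; 198.51.100.7 is a genuinely scan-like host.
SAMPLE_LOG = """\
Jul 19 16:01:02 fw kernel: Deny TCP 203.0.113.10:80 -> 192.0.2.25:51234
Jul 19 16:01:02 fw kernel: Deny TCP 203.0.113.10:80 -> 192.0.2.25:51235
Jul 19 16:01:05 fw kernel: Deny TCP 203.0.113.10:80 -> 192.0.2.25:51240
Jul 19 16:03:44 fw kernel: Deny TCP 198.51.100.7:44021 -> 192.0.2.25:22
Jul 19 16:03:44 fw kernel: Deny TCP 198.51.100.7:44022 -> 192.0.2.25:23
Jul 19 16:03:45 fw kernel: Deny TCP 198.51.100.7:44023 -> 192.0.2.25:80
Jul 19 16:03:45 fw kernel: Deny TCP 198.51.100.7:44024 -> 192.0.2.25:443
"""

LINE_RE = re.compile(r"Deny TCP (\S+):(\d+) -> (\S+):(\d+)")
WELL_KNOWN = {80, 443}   # assumed: source ports a web server answers from
EPHEMERAL_MIN = 1024     # assumed: lowest port a client would pick itself
MIN_SCAN_PORTS = 3       # assumed: distinct low ports before calling it a scan


def classify(log_text):
    """Group denied TCP packets by source host and label each group.

    'late-reply': a single well-known source port talking to ephemeral
                  destination ports, i.e. a server still answering a session
                  the firewall has forgotten (e.g. a long Apache Timeout).
    'scan'      : varying source ports hitting several low destination ports.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_src[m.group(1)].append((int(m.group(2)), int(m.group(4))))

    verdicts = {}
    for src, pairs in by_src.items():
        sports = {sp for sp, _ in pairs}
        dports = [dp for _, dp in pairs]
        if (len(sports) == 1 and next(iter(sports)) in WELL_KNOWN
                and all(dp >= EPHEMERAL_MIN for dp in dports)):
            verdicts[src] = "late-reply"
        elif (len(set(dports)) >= MIN_SCAN_PORTS
                and all(dp < EPHEMERAL_MIN for dp in dports)):
            verdicts[src] = "scan"
        else:
            verdicts[src] = "unknown"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

A "late-reply" verdict for a host that is a known web server is the evidence to hand back to the complaining admin; an "unknown" verdict means the log alone does not settle it.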