Port scan from Apache?

Danil V. Gerun danil at sochiwater.ru
Wed Jul 19 06:39:19 UTC 2006


Hello.

The hypothesis of one of their users (behind their firewall) visiting your
site, combined with a badly configured stateful firewall timeout, can be
checked: just look at your Apache logs.
But if it turns out that none of their users had touched your website at
that time, then I think one more explanation is quite possible.
Think of a TCP packet with the source address of the complaining firewall
and the SYN flag set, but sent to you, Clemens, by some other guy (with a
spoofed source address). Sure, your web server tries to establish a
connection with that source address, which never wanted to establish a
connection.
This hypothesis can also be checked: just ask them for details about the
packets that come from you. If they are SYN+ACK, then this hypothesis
becomes more probable. If they have RST, this is also possible.
This can happen quite simply: for example, someone was scanning your
ports, Clemens, and he was doing it from several spoofed source addresses
plus his real one (you wouldn't want to check them all, would you? That's
why multiple source addresses are used). Another example: someone was
just playing :-) with hping, for example ;-)
If this is annoying, you could try to trace the route of the packets that
come to you (if they really do) and of those that go to their firewall.


BTW, isn't it impossible for Apache (if it's running as non-root) to
make connections from its port 80?



Clemens Renner wrote:
> Hi Mike,
>
> thank you for your sympathy and your thorough comments. :) I had that 
> specific feeling when I read the mail for the first time. I'll try 
> reducing the keepalive time to get rid of further complaints.
>
> The question is: Why do the "port scans" still come in on their 
> machine? Should I advise them to restart their 
> "we-take-care-don't-you-worry" hardware?
>
> Regards
> Clemens
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to 
> "freebsd-security-unsubscribe at freebsd.org"
>





-- 
Best regards,
Danil V. Gerun.
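As an added example (not part of Danil's message or of the thread), here is a small Python classifier that tells the two explanations above apart by replaying constructed firewall log lines through a toy state table: a server packet on a tracked connection is a normal reply; a server packet on a connection the inside host did open, but whose firewall state has already idled out, is the keepalive-longer-than-firewall-timeout case; and a SYN+ACK (or RST) for a connection that no inside host ever started is backscatter from a SYN sent by someone else with the firewall's address as spoofed source. The log format, the addresses, the port numbers and the 60 second state timeout are assumptions made for the example.

```python
"""Classify inbound packets from a web server's port 80 as seen at a
stateful firewall.  Added example; the log format, addresses and timeout
below are assumed, not taken from the original thread."""
from dataclasses import dataclass

# Assumed idle timeout of the firewall's state table, in seconds.
FIREWALL_STATE_TIMEOUT = 60.0

# Verdicts returned by classify()
REPLY = "reply-to-known-connection"
STATE_EXPIRED = "state-expired-keepalive-longer-than-firewall-timeout"
BACKSCATTER_SYNACK = "unsolicited-synack-our-address-was-spoofed"
UNSOLICITED_RST = "unsolicited-rst-backscatter-or-stale-session"
UNSOLICITED_OTHER = "unsolicited-other-investigate"


@dataclass
class Packet:
    ts: float
    direction: str   # "out" = leaving the protected network, "in" = arriving
    src: str         # "ip:port"
    dst: str         # "ip:port"
    flags: str       # TCP flags, e.g. "S", "SA", "A", "FA", "R"


def parse_line(line):
    """Parse one constructed log line: '<ts> <in|out> <src> > <dst> [flags]'."""
    ts, direction, src, _arrow, dst, flags = line.split()
    return Packet(float(ts), direction, src, dst, flags.strip("[]"))


def classify(packets, timeout=FIREWALL_STATE_TIMEOUT):
    """Replay packets in time order through a toy state table and return
    (ts, src, verdict) for every inbound packet."""
    state = {}   # (inside endpoint, outside endpoint) -> last activity time
    verdicts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.direction == "out":
            key = (p.src, p.dst)
            # An outbound SYN creates state; any other outbound packet on a
            # known flow refreshes it.
            if p.flags == "S" or key in state:
                state[key] = p.ts
            continue
        key = (p.dst, p.src)          # inbound: the inside host is the dst
        last = state.get(key)
        if last is not None and p.ts - last <= timeout:
            state[key] = p.ts         # normal reply, refresh the flow
            verdict = REPLY
        elif last is not None:
            # The inside host opened this flow, but the firewall dropped it
            # from its table because nothing was sent for longer than its
            # timeout: a server keepalive outliving that timeout now looks
            # like a "port scan" coming from port 80.
            verdict = STATE_EXPIRED
        elif p.flags == "SA":
            # Nobody inside sent a SYN, yet the server answers one: somebody
            # else sent that SYN with our address as the spoofed source.
            verdict = BACKSCATTER_SYNACK
        elif "R" in p.flags:
            verdict = UNSOLICITED_RST
        else:
            verdict = UNSOLICITED_OTHER
        verdicts.append((p.ts, p.src, verdict))
    return verdicts


def classify_log(text, timeout=FIREWALL_STATE_TIMEOUT):
    """Parse a whole constructed log and classify it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return classify([parse_line(ln) for ln in lines], timeout)


# Constructed sample log (not real traffic).  203.0.113.10 plays the
# web server, 10.0.0.5 a host behind the complaining firewall.
SAMPLE_LOG = """\
0.0   out 10.0.0.5:51000 > 203.0.113.10:80 [S]
0.1   in  203.0.113.10:80 > 10.0.0.5:51000 [SA]
0.2   out 10.0.0.5:51000 > 203.0.113.10:80 [A]
95.0  in  203.0.113.10:80 > 10.0.0.5:51000 [FA]
200.0 in  203.0.113.10:80 > 10.0.0.5:40000 [SA]
201.0 in  203.0.113.10:80 > 10.0.0.5:40001 [R]
"""

if __name__ == "__main__":
    for ts, src, verdict in classify_log(SAMPLE_LOG):
        print(f"{ts:7.1f} {src:18} {verdict}")
```

Run against the sample, the FIN at 95 s is flagged as state expiry (the server's keepalive outlived the assumed 60 s table timeout; with a 300 s timeout it becomes an ordinary reply), while the SYN+ACK to port 40000 is flagged as backscatter because no inside host ever sent a SYN there. That is exactly the detail worth asking the complaining site for: the flags on the packets, and whether their side had opened anything to that server first.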



