Port scan from Apache?

Clemens Renner claim at rinux.net
Wed Jul 19 14:54:44 UTC 2006


Oliver Fromme wrote:

>  > I'll try 
>  > reducing the keepalive time to get rid of further complaints.
> 
> Which means reducing the efficiency of your service for
> _all_ users just because _one_ firewall admin has no clue.
> I wouldn't do that.

In theory, you are right and it does sound like a bad trade-off.
However, when I checked my Apache configuration, I found
KeepAliveTimeout already set to a very low 15 seconds -- which has
worked fine in the past -- so I don't want to tinker with it. The
Timeout directive, however, was set to 300 seconds and after consulting
httpd's documentation, I decided to go down to 120 seconds there.

Regarding the advice from several people that the complaining admin
should provide more details on the alleged "port scan": I will ask him
to do that the next time he contacts me. For the moment, however, he has
kept quiet already after I hinted at the possibility of someone using
the web mailer from their network. I think so far I did everything I
could to investigate the issue without any specifics, so I also guess
it's his turn now to come forward with more substantial allegations.

> It all sounds as if someone without any networking clue
> installed a black-box firewall, watches the logs and goes
> to panic mode each time it outputs something, no matter
> what, and not taking into account that there can be false
> positives (especially if the source port is a WKP, like
> 80 [HTTP] in this case).  "All the world is attacking me!"

Exactly my POV. On a side note: since one of my users is actually
working for them and using my web mailer while he's at work, the puzzle
pieces fit quite nicely to support the false positive theory.

And by the way: Thanks to everyone contributing ideas and invaluable
advice on this matter.

Clemens

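As an added illustration of the false-positive theory discussed in this thread (example code, not from the original post or the FreeBSD project): a triage pass over constructed firewall log lines that separates late packets from a well-known source port such as 80, aimed at one client's ephemeral ports, from a genuine sweep of service ports. The log format, addresses, port sets and threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed, simplified pf-style block line (constructed format, not any real firewall's):
#   <ts> block in on <if> proto TCP <src>:<sport> -> <dst>:<dport> flags <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) block in on \S+ proto TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags (?P<flags>\S+)$"
)
WELL_KNOWN = {25, 80, 110, 143, 443}  # service ports whose late return traffic trips scan alerts
EPHEMERAL_MIN = 1024                  # client-side ports live above this

SAMPLE_LOG = [
    # constructed: keepalive/FIN traffic from a web server (port 80) back to one client's ports
    "10:00:01 block in on em0 proto TCP 192.0.2.10:80 -> 198.51.100.7:50123 flags FA",
    "10:00:02 block in on em0 proto TCP 192.0.2.10:80 -> 198.51.100.7:50124 flags FA",
    "10:00:04 block in on em0 proto TCP 192.0.2.10:80 -> 198.51.100.7:50127 flags A",
    "10:00:09 block in on em0 proto TCP 192.0.2.10:80 -> 198.51.100.7:50131 flags FA",
    "10:00:15 block in on em0 proto TCP 192.0.2.10:80 -> 198.51.100.7:50140 flags A",
    # constructed: one host sending SYNs to several service ports, the shape of a real sweep
    "10:01:00 block in on em0 proto TCP 203.0.113.5:41000 -> 198.51.100.7:22 flags S",
    "10:01:00 block in on em0 proto TCP 203.0.113.5:41001 -> 198.51.100.7:23 flags S",
    "10:01:00 block in on em0 proto TCP 203.0.113.5:41002 -> 198.51.100.7:25 flags S",
    "10:01:00 block in on em0 proto TCP 203.0.113.5:41003 -> 198.51.100.7:80 flags S",
    "10:01:00 block in on em0 proto TCP 203.0.113.5:41004 -> 198.51.100.7:443 flags S",
]

def classify(lines, scan_threshold=5):
    """Group blocked packets per (src, dst) and return a verdict for each pair."""
    pairs = defaultdict(lambda: {"sports": set(), "dports": set(), "flags": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a TCP block line in the assumed format
        rec = pairs[(m["src"], m["dst"])]
        rec["sports"].add(int(m["sport"]))
        rec["dports"].add(int(m["dport"]))
        rec["flags"].add(m["flags"])
    verdicts = {}
    for key, rec in pairs.items():
        if len(rec["dports"]) < scan_threshold:
            verdicts[key] = "insufficient"
        # One well-known source port, only ephemeral destination ports and no bare SYNs is the
        # tail of client-initiated HTTP connections (FIN/ACK, retransmits), not a service probe.
        elif (len(rec["sports"]) == 1 and next(iter(rec["sports"])) in WELL_KNOWN
              and min(rec["dports"]) >= EPHEMERAL_MIN and "S" not in rec["flags"]):
            verdicts[key] = "likely-false-positive"
        else:
            verdicts[key] = "possible-scan"
    return verdicts
```

Running `classify(SAMPLE_LOG)` marks the port-80 traffic as a likely false positive and the SYN sweep as a possible scan; a pair with fewer distinct destination ports than the threshold is reported as insufficient evidence either way.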

More information about the freebsd-security mailing list