I am trying to figure out if I have some sort of port scan blocking configured on my web server. This may be a long post - sorry.
I have a CentOS 5/Apache web server sitting behind a firewall with TCP port 80 NAT'd from the firewall to the server. My company has an account with SecurityMetrics that includes quarterly scans against the network. The scans fail randomly. The single failing item reports:
"There is a high probability that some type of firewall or scan-detection software is blocking us from accurately scanning your server. Please configure any firewall or software that would interfere with our scans to allow all traffic from SecurityMetrics."
According to a SecurityMetrics support technician, port 80 is initially visible, then disappears at some point. Since all of the other Internet services (provided by different servers) do not have problems, I'm left to wonder if there is a problem with the web server.
So, on to questions:
1) What, if anything, would be running or configured on a stock RHEL/CentOS server that would detect an intrusion attempt? This server is behind a firewall, so the ONLY port that the outside world can touch is TCP/80.
2) I can imagine a scenario where a scan causes some kind of crash or denial of service. What could I look at to see if the server is being overwhelmed?
Thanks!