Microsoft ISA Firewall Returns Port Scan Warnings From Linux BIND DNS Servers.
I set up two RedHat Linux 9 DNS Servers with their default BIND 9.2.1-16. One is the master 64.234.123.2 and the other is the slave 64.234.123.3 (these are not the actual addresses). Everything works well except that my Microsoft ISA 2000 Firewall returns the warning below under Event Viewer, Application:
Event ID 15105
ISA Server detected an all port scan attack from Internet Protocol (IP) address 64.234.123.2. For more information about this event, see ISA Server Help.
The Linux DNS servers are stand-alone with no firewalling and they are not behind the ISA firewall. My ISA firewall is 64.234.123.4. These warnings happen about every one to two hours. Why? Does BIND actually perform a port scan before zone transfers? Is this part of its mechanism; port scans? Has anybody else experienced this? Please let me know.
Probably the ISA server is doing some kind of DNS lookups from your servers, and since the ISA server is making the request from a different high port (over 1023) every time, it gets responses back to many different ports. If, for example, you had a bunch of new connections open nearly simultaneously and the ISA server did reverse DNS lookup on all of them, then it would *appear* that your DNS server was making a "port scan" of a bunch of high ports on the ISA server (really just responding to requests).
That's the only thing I can think of. If that's the cause, then ISA server is even worse than I thought.
I think you detected my problem precisely. I looked at the resolv entries for the outside NIC on my ISA firewall and it points to the two DNS server addresses that the port scan warnings are complaining about.
I replaced two servers about weeks ago from Windows DNS to Linux BIND and then started getting these warnings in ISA.
What do you suggest I do?
Are there any entries I can make in ISA to ignore these port scans coming exclusively from these two addresses?
Should I just ignore these warnings?
Your professional advice is very appreciated. I admire that you are CISSP certified.
Well, probably the most complete solution would be to disable reverse DNS lookups on the ISA server. They just waste time. If you really need to get the domain name associated with an IP, you can do it off-line (i.e. with a lookup tool not on the ISA server). That would eliminate the portscan issue, and probably boost the performance on your ISA server a little.
Other than that, you would have to find a way to exempt the DNS servers from ISA's port scan warnings, but you're on your own there. I've seen exactly one ISA server implementation and it looked every bit as scary as I had imagined.
By the way, your admiration is noted, but don't get carried away. It just means I took the time to be tested on things that a lot of other people know (but don't care to spend the time to certify).
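The mechanism described in the first reply (one DNS reply per fresh ephemeral query port looks like a scan of the firewall's high ports) and the trade-off in the second (disable the lookups, or exempt the two resolver addresses) can both be seen in a small simulation. This is an added example, not code from the thread, from BIND or from ISA Server: the packet records are constructed, the addresses are the placeholder ones from the post, and the THRESHOLD value and detector logic are assumptions standing in for whatever ISA's "all port scan" heuristic actually does.

```python
"""Constructed simulation of why DNS replies look like a port scan to a naive detector.

Added example, not from the thread or ISA Server. Addresses and the THRESHOLD
value are assumptions chosen to match the placeholder addresses in the post.
"""
from collections import defaultdict
from dataclasses import dataclass

ISA = "64.234.123.4"                              # the firewall's outside address (from the post)
DNS_SERVERS = {"64.234.123.2", "64.234.123.3"}    # the two BIND servers (placeholder addresses)
THRESHOLD = 10                                    # hypothetical: distinct ports before an alert


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reverse_lookup_traffic(n, server="64.234.123.2", first_port=1024):
    """Constructed traffic: the ISA host sends n reverse lookups, each from a
    fresh ephemeral source port, and the server answers each one from port 53."""
    pkts = []
    for i in range(n):
        eph = first_port + i
        pkts.append(Packet(ISA, eph, server, 53))       # query
        pkts.append(Packet(server, 53, ISA, eph))       # reply to that ephemeral port
    return pkts


def real_scan(attacker="198.51.100.9", sport=40000, n=50):
    """Constructed probe traffic: one source hits n distinct ports on the ISA host."""
    return [Packet(attacker, sport, ISA, p) for p in range(1, n + 1)]


def naive_scan_detector(pkts, target=ISA, threshold=THRESHOLD, ignore=frozenset()):
    """Count the distinct destination ports each source touches on target.
    This has no notion of request/reply, so DNS answers count as probes.
    `ignore` models an address allowlist, the exemption the thread asks about."""
    seen = defaultdict(set)
    for p in pkts:
        if p.dst == target and p.src not in ignore:
            seen[p.src].add(p.dport)
    return {src for src, ports in seen.items() if len(ports) >= threshold}


def stateful_scan_detector(pkts, target=ISA, threshold=THRESHOLD):
    """Same counter, but a packet that answers a request the target itself sent
    (matching peer address, peer port and our ephemeral port) is not counted."""
    outstanding = set()
    seen = defaultdict(set)
    for p in pkts:
        if p.src == target:
            outstanding.add((p.dst, p.dport, p.sport))
        elif p.dst == target:
            key = (p.src, p.sport, p.dport)
            if key in outstanding:
                outstanding.discard(key)          # our own answer coming back
            else:
                seen[p.src].add(p.dport)          # unsolicited: a real probe
    return {src for src, ports in seen.items() if len(ports) >= threshold}


def main():
    lookups = reverse_lookup_traffic(20)
    print("naive, DNS replies:   ", naive_scan_detector(lookups))
    print("stateful, DNS replies:", stateful_scan_detector(lookups))
    scan = real_scan()
    print("naive, real scan:     ", naive_scan_detector(scan))
    print("stateful, real scan:  ", stateful_scan_detector(scan))
    # A scanner spoofing source port 53 from an allowlisted address slips past the allowlist
    spoofed = [Packet("64.234.123.2", 53, ISA, p) for p in range(1, 51)]
    print("allowlist, spoofed:   ", naive_scan_detector(spoofed, ignore=DNS_SERVERS))
    print("stateful, spoofed:    ", stateful_scan_detector(spoofed))


if __name__ == "__main__":
    main()
```

Twenty reverse lookups trip the naive counter because the twenty replies land on twenty different ports, exactly the pattern the first reply describes; the stateful version clears them because each reply matches a query the firewall itself sent, while a genuine scan is flagged by both. The allowlist variant shows the cost of exempting the two resolver addresses outright: packets that merely claim to come from 64.234.123.2 port 53 are no longer counted at all, whereas the stateful check still catches them because no matching query was ever sent. Disabling the lookups, as the second reply suggests, removes the trigger without weakening the detector.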