LinuxQuestions.org
Old 02-21-2017, 10:40 AM   #1
abefroman
Is there a way to specify which ports apache can reply on?

A client connects via a random port to Apache on port 80.
Apache replies to the client on a random port to the client's port 80.

Is there a way to specify which random ports apache uses to reply back to the client?
 
Old 02-21-2017, 01:14 PM   #2
MensaWater
I'm not sure that is correct.

Clients connect to port 80 (default if using http or default 443 for https or any defined port you specified) on the web server and "establish" the connection. Any traffic between client and server is going to use that established connection. The port the client used to establish that connection is random from the client side. There is no separate connection opened back to the client. If this were to occur you'd have to open up the client's firewall to allow such connections.

You can see this with commands such as netstat or lsof.

In general you really don't want to have non-random ports for both sides of most internet connections, because if it is well known and predictable it can be used as an attack vector. A few years back there was a well-known exploit of DNS called the Kaminsky attack that was based on this very lack of randomness.
 
Old 02-21-2017, 01:18 PM   #3
abefroman
Quote:
Originally Posted by MensaWater
I'm not sure that is correct.
I'm 99.9% sure that's correct. And this packet seems to confirm that:

Code:
     src       = 11.22.22.32 (IP of server)
     dst       = 22.22.22.202 (IP of client)
     \options   \
###[ TCP ]###
        sport     = http
        dport     = ndmp
I'm wrong sometimes, so this may be the 0.1% but I'm pretty sure in this case.
 
Old 02-21-2017, 01:29 PM   #4
MensaWater
You're looking at src and dst lines as if they're two different connections. They aren't. They are 2 halves of a single connection.

Again I'd suggest you look at it with netstat or lsof where you'll see both sides of the single connection on the same line.
 
Old 02-21-2017, 01:32 PM   #5
abefroman
Quote:
Originally Posted by MensaWater
You're looking at src and dst lines as if they're two different connections. They aren't. They are 2 halves of a single connection.

Again I'd suggest you look at it with netstat or lsof where you'll see both sides of the single connection on the same line.
It is the server replying back to the client's port 80 from a random port on the server, in this case ndmp AKA port 10000.
 
Old 02-21-2017, 02:16 PM   #6
MensaWater
sport = source port
dport = destination port

YOU show:
src = 11.22.22.32 (IP of server) AND sport = http
dst = 22.22.22.202 (IP of client) AND dport = ndmp

Your /etc/services appears to have standard entries showing you http is port 80 (server source port) and ndmp is 10000 (client destination port) as you say.

However, "source" and "destination" aren't always really where it originated and terminated - just 2 sides of the connection. Even if it was really source and destination, what you yourself wrote (cut and pasted in the above) makes it clear it is only port 80 on the server and not the client.

I am by no means a network engineer but this is fairly basic stuff we're talking about.

For it to be the way you say there should be another src and dst combination with port 80 (http) showing for IP 22.22.22.202 but you don't show that.
 
Old 02-21-2017, 02:25 PM   #7
abefroman
Quote:
Originally Posted by MensaWater
sport = source port
dport = destination port

YOU show:
src = 11.22.22.32 (IP of server) AND sport = http
dst = 22.22.22.202 (IP of client) AND dport = ndmp

Your /etc/services appears to have standard entries showing you http is port 80 (server source port) and ndmp is 10000 (client destination port) as you say.

However, "source" and "destination" aren't always really where it originated and terminated - just 2 sides of the connection. Even if it was really source and destination, what you yourself wrote (cut and pasted in the above) makes it clear it is only port 80 on the server and not the client.

I am by no means a network engineer but this is fairly basic stuff we're talking about.

For it to be the way you say there should be another src and dst combination with port 80 (http) showing for IP 22.22.22.202 but you don't show that.
Yes, I'm not interested in that connection though, only the return connection.
 
Old 02-21-2017, 03:11 PM   #8
MensaWater
Where are you seeing a SEPARATE "return connection"?

You seemed to be listing information in support of the original premise that I suggested wasn't accurate and now that I've shown what you list doesn't in fact support that premise you say you aren't interested in what you list and instead continue to posit something you haven't listed.

Are you Ashton Kutcher by any chance?
 
Old 02-21-2017, 03:17 PM   #9
abefroman
Quote:
Originally Posted by MensaWater
Where are you seeing a SEPARATE "return connection"?

You seemed to be listing information in support of the original premise that I suggested wasn't accurate and now that I've shown what you list doesn't in fact support that premise you say you aren't interested in what you list and instead continue to posit something you haven't listed.

Are you Ashton Kutcher by any chance?
I'm Matthew Broderick ;-)

This is for a port scan detector and it was going off when apache would respond to the client.

I added this line though, so it's working now:
Code:
if pkt[TCP].dport==int(PORT):
 
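As an added example (not code from the thread or from either poster), a Python sketch of the detector logic being debated: it keys both halves of a TCP connection to one 4-tuple, which is MensaWater's point, and shows how the `dport == PORT` filter from the last post, together with checking for a bare SYN, stops Apache's replies to ephemeral client ports from registering as probes. The `Pkt` class, its `flags` field and the sample handshake are constructed stand-ins for the scapy fields the thread reads (`pkt[IP].src`, `pkt[TCP].dport`, ...); the two IP addresses and client port 10000 are taken from the thread.

```python
from dataclasses import dataclass

# Constructed stand-in (hypothetical, not scapy) for the fields the thread
# reads off a scapy packet: pkt[IP].src/dst and pkt[TCP].sport/dport/flags.
@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flag letters as scapy prints them: "S", "SA", "A", ...

SERVER = "11.22.22.32"    # addresses as given in the thread
CLIENT = "22.22.22.202"
PORT = 80                 # the listening port the detector watches

def conn_key(p: Pkt):
    """Order-independent 4-tuple: both halves of one TCP connection
    (client->server and server->client) map to the same key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def naive_hits(pkts, server=SERVER):
    """Detector before the fix: any packet leaving the server toward a
    port other than PORT is treated as the server 'contacting random
    ports'. Apache's own replies to ephemeral client ports match this."""
    return [p for p in pkts if p.src == server and p.dport != PORT]

def fixed_hits(pkts, port=PORT):
    """Detector after the fix: only packets addressed *to* PORT count,
    and only the bare SYN (no ACK), so server replies and handshake
    continuations are ignored. Returns the packets that still count."""
    return [p for p in pkts
            if p.dport == port and "S" in p.flags and "A" not in p.flags]

# Constructed handshake for the IPs in the thread: client port 10000 (ndmp
# in /etc/services, as the thread notes) talking to Apache on port 80.
SAMPLE = [
    Pkt(CLIENT, SERVER, 10000, PORT, "S"),   # client opens the connection
    Pkt(SERVER, CLIENT, PORT, 10000, "SA"),  # Apache's reply, same connection
    Pkt(CLIENT, SERVER, 10000, PORT, "A"),   # handshake completes
    Pkt(SERVER, CLIENT, PORT, 10000, "PA"),  # HTTP response data
]

if __name__ == "__main__":
    print("naive false positives:", len(naive_hits(SAMPLE)))      # 2
    print("fixed hits:", len(fixed_hits(SAMPLE)))                 # 1
    print("distinct connections:", len({conn_key(p) for p in SAMPLE}))  # 1
```

Both server-to-client packets in the sample share a connection key with the client's SYN, so there is no separate "return connection" to filter; the fixed predicate simply counts inbound SYNs per source.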
All times are GMT -5.