#7165: Port Scan
-------------------------+---------------------------
Reporter: moghilemear | Owner:
Type: defect | Status: closed
Priority: normal | Milestone:
Component: core | Version: 4.2.1
Severity: normal | Resolution: thirdparty
Keywords: | Architecture:
Platform: |
-------------------------+---------------------------
Changes (by dkocher):
* status: new => closed
* resolution: => thirdparty
Old description:
> First I apologize in advance, since I am not a networking expert. This
> issue has been reported by my webhost. It *appears* from the logs that
> every time I attempt to download (via drag & drop) from the host to my
> laptop using Cyberduck, that a port scan is performed. I researched Port
> Scan, and found that it is either a standard technique or indicative of
> an "attack". Either way, the webhost is disallowing this currently and
> blocking the IP.
>
> I have don more research and another webhost has commented that many PC's
> are infected with port scanning software, and that the practice of
> blocking IP's is "overkill" and may not be warranted for a commercial
> server.
>
> Having said that, is Cyberduck Port Scanning in "open new connection" or
> "use browser connection" modes, or at all? If so, is this standard
> practice or is it considered now "bad practice"? (If so then this may be
> a "bug".) If Cyberduck is not performing a "port scan" then some other
> software is detecting a download action (it appears from the logs, and I
> will look into this myself).
>
> Either way, the host has currently define "port scan" as "bad" and auto-
> blocks the IP, which essentially prevents Cyberduck from functioning. So
> this is either a "overzealous webhost", "clever 3rd party malware which I
> cannot detect", or a "bug.
>
> Actual Log of Event:
> lfd.log:Apr 15 18:24:39 jdz3 lfd[25954]: *Port Scan* detected from
> 70.184.167.204 (US/United States/wsip-70-184-167-204.hr.hr.cox.net). 11
> hits in the last 227 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
New description:
First I apologize in advance, since I am not a networking expert. This
issue has been reported by my webhost. It *appears* from the logs that
every time I attempt to download (via drag & drop) from the host to my
laptop using Cyberduck, that a port scan is performed. I researched Port
Scan, and found that it is either a standard technique or indicative of an
"attack". Either way, the webhost is disallowing this currently and
blocking the IP.
I have don more research and another webhost has commented that many PC's
are infected with port scanning software, and that the practice of
blocking IP's is "overkill" and may not be warranted for a commercial
server.
Having said that, is Cyberduck Port Scanning in "open new connection" or
"use browser connection" modes, or at all? If so, is this standard
practice or is it considered now "bad practice"? (If so then this may be a
"bug".) If Cyberduck is not performing a "port scan" then some other
software is detecting a download action (it appears from the logs, and I
will look into this myself).
Either way, the host has currently define "port scan" as "bad" and auto-
blocks the IP, which essentially prevents Cyberduck from functioning. So
this is either a "overzealous webhost", "clever 3rd party malware which I
cannot detect", or a "bug.
Actual Log of Event:
{{{
lfd.log:Apr 15 18:24:39 jdz3 lfd[25954]: *Port Scan* detected from
70.184.167.204 (US/United States/wsip-70-184-167-204.hr.hr.cox.net). 11
hits in the last 227 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
}}}
--
Comment:
No port scanning is done on opening a connection or browsing a remote
server.
--
Ticket URL: <http://trac.cyberduck.ch/ticket/7165#comment:1>
Cyberduck <http://cyberduck.ch>
Open source FTP, SFTP, WebDAV, Cloud Files, Google Docs & Amazon S3 Browser for Mac & Windows.