Re: Limiting closed port RST response
On Wed, 2 May 2012, Arthur Chance wrote:

> On 05/01/12 20:01, Ian Smith wrote:
>> In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
>> On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance free...@qeng-ho.org wrote:
>>
>>> Every once in a while the nightly periodic security checks tell me I've got a kernel message
>>>
>>>   Limiting closed port RST response from N to 200 packets/sec
>>>
>>> where N > 200. The problem is that it doesn't say which port was involved. Is there any way to find that out so I can try tracking down the problem? AFAICT tcpdump doesn't have a way of saying "closed ports on this machine" as a filter.
>>
>> % sysctl -ad | grep vain
>> net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
>> net.inet.udp.log_in_vain: Log all incoming UDP packets
>
> Thanks, that's what I need.

There's another option you may want to consider, especially once you work out who or what's originating these. From an /etc/sysctl.conf:

  #% 9/8/6
  net.inet.tcp.log_in_vain=1
  net.inet.udp.log_in_vain=1
  #% 7/10/8
  # can't use this and respond to traceroutes
  # net.inet.udp.blackhole: Do not send port unreachables for refused connects
  # net.inet.udp.blackhole=1
  # net.inet.tcp.blackhole: Do not send RST when dropping refused connections
  #% 14/4/10 was 1, still see some resets sent (see /sys/netinet/tcp_input.c)
  net.inet.tcp.blackhole=2

>> With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance, likely aggregated into 'last message repeated N times' at those rates. I add ipfw rules for heavy hitters on particular ports or from particular hosts to cut both the noise and (albeit slight) load.
>
> This is on an internal LAN behind a firewall, so there isn't (I hope!) anything external causing it. There's a motley bunch of hardware and software sharing the LAN and I'd like to identify the source of the problem just for my peace of mind.

Good idea.

There are a few reasons you may see inbound TCP connections you're not expecting, including general background noise from bots scanning everyone for everything, late responses from genuine outbound connection attempts, and bots hitting other sites using your forged IP address, so you get a bunch of SYN ACK packets out of the blue, most often from port 80 to some random (or particular) port.

If using udp.log_in_vain=1 too, you'll see things such as late responses from DNS servers (even from localhost) and assorted bot scans, and at times unsolicited responses from DNS servers from someone/s again forging your IP address in requests, possibly on a large scale. These may look like attacks on your system, but you're just one of many forged addresses, the attack being on (what you see as) the source system; big in 2010.

Happy hunting, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Limiting closed port RST response
Every once in a while the nightly periodic security checks tell me I've got a kernel message

  Limiting closed port RST response from N to 200 packets/sec

where N > 200. The problem is that it doesn't say which port was involved. Is there any way to find that out so I can try tracking down the problem? AFAICT tcpdump doesn't have a way of saying "closed ports on this machine" as a filter.
Re: Limiting closed port RST response
In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance free...@qeng-ho.org wrote:

> Every once in a while the nightly periodic security checks tell me I've got a kernel message
>
>   Limiting closed port RST response from N to 200 packets/sec
>
> where N > 200. The problem is that it doesn't say which port was involved. Is there any way to find that out so I can try tracking down the problem? AFAICT tcpdump doesn't have a way of saying "closed ports on this machine" as a filter.

% sysctl -ad | grep vain
net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
net.inet.udp.log_in_vain: Log all incoming UDP packets

With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance, likely aggregated into 'last message repeated N times' at those rates. I add ipfw rules for heavy hitters on particular ports or from particular hosts to cut both the noise and (albeit slight) load.

If you'd rather not have these (hardly uncommon) messages spamming /var/log/messages, use something along these lines in /etc/syslog.conf:

  *.notice;authpriv.none;kern.!=info;mail.crit;news.err;ntp.err;local0.none;ftp.none  /var/log/messages
  kern.=info                                                                           /var/log/kerninfo.log

  # touch /var/log/kerninfo.log
  # service syslogd restart

cheers, Ian
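Once log_in_vain is on, the question in both of Ian's replies above is which ports and which source hosts account for the hits, and whether any are SYN/ACKs (replies to SYNs sent with your forged address) rather than scans. The following is an added example, not code from the thread: a small Python script that parses constructed sample lines in the "Connection attempt to TCP/UDP ..." layout the kernel logs, folds in syslogd's "last message repeated N times", and tallies per port and per source. The exact log layout, host names and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the layout the FreeBSD kernel uses when
# net.inet.tcp.log_in_vain=1 / net.inet.udp.log_in_vain=1 are set (assumed).
SAMPLE_LOG = """\
May  2 10:15:01 gw kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40211 flags:0x02
May  2 10:15:01 gw kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:40212 flags:0x02
May  2 10:15:02 gw last message repeated 37 times
May  2 10:15:02 gw kernel: Connection attempt to TCP 192.0.2.10:8080 from 203.0.113.5:80 flags:0x12
May  2 10:15:03 gw kernel: Connection attempt to UDP 192.0.2.10:33434 from 192.0.2.1:53
May  2 10:15:04 gw sshd[812]: Accepted publickey for ian from 192.0.2.2 port 50022
"""

ATTEMPT_RE = re.compile(
    r"kernel: Connection attempt to (?P<proto>TCP|UDP) \S+:(?P<dport>\d+) "
    r"from (?P<src>\S+):(?P<sport>\d+)(?: flags:0x(?P<flags>[0-9a-fA-F]+))?")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
TH_SYN, TH_ACK = 0x02, 0x10  # TCP flag bits as printed in the flags: field
SYNACK = TH_SYN | TH_ACK


def parse_log(text):
    """Return [proto, dport, src, sport, flags, count] per logged attempt.
    syslogd's 'last message repeated N times' adds N to the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            flags = int(m["flags"], 16) if m["flags"] else None  # UDP has none
            entries.append([m["proto"], int(m["dport"]), m["src"],
                            int(m["sport"]), flags, 1])
        elif (r := REPEAT_RE.search(line)) and entries:
            entries[-1][5] += int(r["n"])
    return entries


def summarize(entries):
    """Tally hits per (proto, dport) and per source host, and list SYN/ACKs:
    a SYN/ACK arriving at a closed port answers a SYN this host never sent,
    i.e. someone is forging our address (backscatter), not scanning us."""
    by_port, by_src, backscatter = Counter(), Counter(), []
    for proto, dport, src, sport, flags, n in entries:
        by_port[(proto, dport)] += n
        by_src[src] += n
        if flags is not None and (flags & SYNACK) == SYNACK:
            backscatter.append((src, sport, dport, n))
    return by_port, by_src, backscatter
```

Feed it the real file with `summarize(parse_log(open("/var/log/messages").read()))` (or the kerninfo.log split out above) and `by_port.most_common()` names the ports worth an ipfw rule.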
Limiting closed port RST
Hello,

I've started an Apache benchmark with ab today and a lot of such messages from the kernel appeared in /var/log/messages:

Sep 25 16:16:34 dev01 kernel: Limiting closed port RST response from 270 to 200 packets/sec
Sep 25 16:19:10 dev01 kernel: Limiting closed port RST response from 475 to 200 packets/sec
Sep 25 16:19:15 dev01 kernel: Limiting closed port RST response from 220 to 200 packets/sec
Sep 25 16:19:19 dev01 kernel: Limiting closed port RST response from 243 to 200 packets/sec

What do they mean?
Re: Limiting closed port RST
Vlad GURDIGA wrote:
> Hello,
>
> I've started an Apache benchmark with ab today and a lot of such messages from the kernel appeared in /var/log/messages:
>
> Sep 25 16:16:34 dev01 kernel: Limiting closed port RST response from 270 to 200 packets/sec
> Sep 25 16:19:10 dev01 kernel: Limiting closed port RST response from 475 to 200 packets/sec
> Sep 25 16:19:15 dev01 kernel: Limiting closed port RST response from 220 to 200 packets/sec
> Sep 25 16:19:19 dev01 kernel: Limiting closed port RST response from 243 to 200 packets/sec
>
> What do they mean?

This normally means someone is repeatedly attempting to connect to a closed port, i.e. you are getting port-scanned! Normally the kernel limits this response so the connection is not overwhelmed by the replies.

Maybe your benchmark attempts to also connect to a port other than 80? (i.e. 443 and you are not running https)
Re: Limiting closed port
On 01/09/2005, at 7:20 PM, Dark Star wrote:

> Hello all,
>
> I'm on FreeBSD 4.8-R. My logs have for over 4 months always been complaining of the following:
>
> /kernel: Limiting closed port RST response from 243 to 200 packets per second
> /kernel: Limiting closed port RST response from 222 to 200 packets per second
> /kernel: Limiting closed port RST response from 238 to 200 packets per second
>
> I think it's some type of scan or attack.

A scan.. If someone tries to connect to a port that has no service attached to it, by default the server will send a RST (reset) packet back (for TCP).. Someone is trying to scan you very quickly, so generating a lot of RST packets (probably scanning a very large range of ports) and the kernel is reducing the amount it will send per second..

This isn't really a problem, you can also set it so that connections to closed ports will not generate a RST response, but you would no longer be compliant with the RFCs regarding TCP connections..

If you aren't running a firewall you should probably be running one anyway since it seems your system is exposed to the outside world..

Personally I wouldn't be worried about the above log, unless you are running services which allow connections from the outside and which are possibly not very secure (public ftp, old versions of named, etc)..
Limiting closed port
Hello all,

I'm on FreeBSD 4.8-R. My logs have for over 4 months always been complaining of the following:

/kernel: Limiting closed port RST response from 243 to 200 packets per second
/kernel: Limiting closed port RST response from 222 to 200 packets per second
/kernel: Limiting closed port RST response from 238 to 200 packets per second

I think it's some type of scan or attack. My server has a range of IPs; I'm not sure what this is. How do I protect it? Will IPFW prevent this? How do I know exactly which IP this attack is to? Maybe some will advise just to ignore it, as I saw around, but I cannot anymore, especially since the hard drive went down and got corrupted, and this is a new HD. Any advice?

Thank you.
Marwan
Re: Limiting closed port
Dark Star wrote:
> /kernel: Limiting closed port RST response from 243 to 200 packets per second
> /kernel: Limiting closed port RST response from 222 to 200 packets per second
> /kernel: Limiting closed port RST response from 238 to 200 packets per second
>
> I think it's some type of scan or attack.

It's almost certainly a portscan. Per se, that's not an attack, but if someone follows up trying to exploit open services, it would be.

> My server has a range of IPs; I'm not sure what this is. How do I protect it? Will IPFW prevent this?

Yes, IPFW, PF, or another firewall can prevent this traffic.

> How do I know exactly which IP this attack is to?

Run tcpdump -n.

-- 
-Chuck
Limiting closed port RST response
Hi there,

I'm getting a lot of these in my security output.

Limiting closed port RST response from 220 to 200 packets per second

They are always on ports between 200-300. Could this be a DOS attack? Where do I find a more detailed log?

I'm running FreeBSD 4.8 Release - the box is basically just a gateway router running natd and dhcpd.

Any ideas?

Thanks
Matthew Ryan
[EMAIL PROTECTED]

PS Please say if this question should be on a different list :-)
Re: Limiting closed port RST response
On Fri, Jun 20, 2003 at 09:55:19AM +0100, Matthew Ryan wrote:
> Could this be a DOS attack?

It could be, but more likely it's someone trying to determine what ports are open with a tool such as nmap.

> Where do I find a more detailed log?

Configure a firewall such as ipf and make sure you opt to log blocked packets.

> I'm running FreeBSD 4.8 Release - the box is basically just a gateway router running natd and dhcpd.

ipf and ipnat run nicely together to provide a combination of nat and filtering - although if you already have nat running it's probably best just to configure a basic ipf firewall that allows just the traffic you want.

Have a look here for more info on ipf: http://munk.nu/ipf/
My old rulesets for ipf are here: http://munk.nu/ipf/mboxen/

Regards,
Jez
Re: Limiting closed port RST response
Matthew Ryan wrote:
> [ ... ]
> I'm getting a lot of these in my security output.
>
> Limiting closed port RST response from 220 to 200 packets per second
>
> They are always on ports between 200-300. Could this be a DOS attack? Where do I find a more detailed log?

Typically, this indicates that someone is port-scanning you. If they do it very often, and it noticeably affects your network performance, sure, call it a DoS, but that is probably not the intention.

If you want to see what ports they're hitting, do a:

  sysctl net.inet.tcp.log_in_vain=1

-- 
-Chuck