Re: Limiting closed port RST response

2012-05-02 Thread Ian Smith
On Wed, 2 May 2012, Arthur Chance wrote:
 > On 05/01/12 20:01, Ian Smith wrote:
 > > In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
 > > On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance wrote:
 > > 
 > > > Every once in a while the nightly periodic security checks tell me I've
 > > > got a kernel message
 > > >
 > > > Limiting closed port RST response from N to 200 packets/sec
 > > >
 > > > where N > 200. The problem is that it doesn't say which port was
 > > > involved. Is there any way to find that out so I can try tracking down
 > > > the problem? AFAICT tcpdump doesn't have a way saying "closed ports on
 > > > this machine" as a filter.
 > > 
 > > % sysctl -ad | grep vain
 > > net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
 > > net.inet.udp.log_in_vain: Log all incoming UDP packets
 > 
 > Thanks, that's what I need.

There's another option you may want to consider, especially once you 
work out who or what's originating these.  From an /etc/sysctl.conf:

#% 9/8/6
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

#% 7/10/8
# can't use this and respond to traceroutes
# net.inet.udp.blackhole: Do not send port unreachables for refused connects
# net.inet.udp.blackhole=1

# net.inet.tcp.blackhole: Do not send RST when dropping refused connections
#% 14/4/10 was 1, still see some resets sent (see /sys/netinet/tcp_input.c)
net.inet.tcp.blackhole=2

 > > With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance,
 > > likely aggregated into 'last message repeated N times' at those rates. I
 > > add ipfw rules for heavy hitters on particular ports&/or from
 > > particular hosts to cut both the noise and (albeit slight) load.
 > 
 > This is on an internal LAN behind a firewall, so there isn't (I hope!)
 > anything external causing it. There's a motley bunch of hardware and software
 > sharing the LAN and I'd like to identify the source of the problem just for
 > my peace of mind.

Good idea.  There are a few reasons you may see inbound TCP connections 
you're not expecting, including general background noise from bots 
scanning everyone for everything, late responses from genuine outbound 
connection attempts, and bots hitting other sites using your forged IP 
address, so you get a bunch of SYN ACK packets out of the blue, most 
often from port 80 to some random (or particular) port.

If using udp.log_in_vain=1 too, you'll see such as late responses from 
DNS servers (even from localhost) and assorted bot scans, and at times 
unsolicited responses from DNS servers from someone/s again forging your 
IP address in requests, possibly on a large scale.  These may look like 
attacks on your system, but you're just one of many forged addresses, 
the attack being on (what you see as) the source system, big in 2010.

Happy hunting, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Limiting closed port RST response

2012-05-01 Thread Ian Smith
In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance wrote:

 > Every once in a while the nightly periodic security checks tell me I've 
 > got a kernel message
 > 
 > Limiting closed port RST response from N to 200 packets/sec
 > 
 > where N > 200. The problem is that it doesn't say which port was 
 > involved. Is there any way to find that out so I can try tracking down 
 > the problem? AFAICT tcpdump doesn't have a way saying "closed ports on 
 > this machine" as a filter.

% sysctl -ad | grep vain
net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
net.inet.udp.log_in_vain: Log all incoming UDP packets

With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance, 
likely aggregated into 'last message repeated N times' at those rates. I 
add ipfw rules for heavy hitters on particular ports &/or from 
particular hosts to cut both the noise and (albeit slight) load.

If you'd rather not have these (hardly uncommon) messages spamming 
/var/log/messages, use something along these lines in /etc/syslog.conf:

*.notice;authpriv.none;kern.!=info;mail.crit;news.err;ntp.err;local0.none;ftp.none	/var/log/messages
kern.=info  /var/log/kerninfo.log

# touch /var/log/kerninfo.log
# service syslogd restart

cheers, Ian
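Once log_in_vain is on, each kernel line names the destination port and the source, so the "which port?" question becomes a matter of counting. The sh/awk script below is an added example, not from anyone in this thread; SAMPLE_LOG is a constructed stand-in for the log, and the two line shapes it parses are written from memory of what older and newer FreeBSD kernels print, so compare them with a real line from your own log and adjust the field positions if they differ.

```shell
#!/bin/sh
# Who is knocking on closed ports, once log_in_vain is on (added example).
# SAMPLE_LOG is a constructed stand-in for /var/log/messages (or the
# kern.=info file suggested in this thread) with net.inet.{tcp,udp}.log_in_vain=1.
# Hosts and ports are made up. Two line shapes are covered, from memory of
# what older (4.x-7.x) and newer FreeBSD kernels print: check a real line
# from your own log and adjust the field positions below if they differ.
SAMPLE_LOG='May  2 09:31:02 gw kernel: Connection attempt to TCP 192.168.1.10:23 from 192.168.1.77:51234 flags:0x02
May  2 09:31:02 gw kernel: Connection attempt to TCP 192.168.1.10:23 from 192.168.1.77:51235 flags:0x02
May  2 09:31:03 gw kernel: TCP: [192.168.1.77]:51236 to [192.168.1.10]:23 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
May  2 09:31:05 gw kernel: TCP: [192.168.1.20]:40000 to [192.168.1.10]:8080 tcpflags 0x12<SYN,ACK>; tcp_input: Connection attempt to closed port
May  2 09:31:07 gw kernel: Connection attempt to UDP 192.168.1.10:1900 from 192.168.1.5:1900
May  2 09:31:09 gw kernel: Limiting closed port RST response from 384 to 200 packets/sec'

# Aggregate per (proto, destination port, source host), busiest first;
# each output line reads "count proto dstport srchost". The rate-limit
# message itself names no port, so it is skipped.
summarize_in_vain() {
    awk '
        /Connection attempt to/ {
            proto = ""
            for (i = 1; i <= NF; i++) if ($i == "to") break
            if ($(i+1) == "TCP" || $(i+1) == "UDP") {
                # older: Connection attempt to TCP dst:port from src:port flags:...
                proto = $(i+1); dst = $(i+2); src = $(i+4)
            } else if ($(i-2) == "TCP:" || $(i-2) == "UDP:") {
                # newer: TCP: [src]:port to [dst]:port tcpflags ...; ... closed port
                proto = substr($(i-2), 1, 3); src = $(i-1); dst = $(i+1)
            }
            if (proto == "") next
            sub(/.*:/, "", dst)        # destination: keep only the port
            sub(/:[0-9]+$/, "", src)   # source: drop the ephemeral port
            gsub(/[][]/, "", src)      # strip the brackets of the newer format
            n[proto " " dst " " src]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# The single busiest (proto, port, source) tuple: the quick "who is it?" answer.
top_offender() {
    summarize_in_vain | head -n 1
}

printf '%s\n' "$SAMPLE_LOG" | summarize_in_vain
```

On a live box, feed it the real file instead of SAMPLE_LOG (for example `summarize_in_vain < /var/log/kerninfo.log`) and the top line is the host and port to go looking at.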


Limiting closed port RST response

2012-05-01 Thread Arthur Chance
Every once in a while the nightly periodic security checks tell me I've 
got a kernel message
Limiting closed port RST response from N to 200 packets/sec

where N > 200. The problem is that it doesn't say which port was 
involved. Is there any way to find that out so I can try tracking down 
the problem? AFAICT tcpdump doesn't have a way saying "closed ports on 
this machine" as a filter.



Re: Limiting closed port RST response

2003-06-20 Thread Chuck Swiger
Matthew Ryan wrote:
[ ... ]
> I'm getting a lot of these in my security output.
> 
> Limiting closed port RST response from 220 to 200 packets per second
> They are always on ports between 200-300.
> 
> Could this be a DOS attack?
> Where do I find a more detailed log?
Typically, this indicates that someone is port-scanning you.  If they do it very 
often, and it noticeably affects your network performance, sure, call it a DoS, 
but that is probably not the intention.

If you want to see what ports they're hitting, do a:

	sysctl net.inet.tcp.log_in_vain=1

--
-Chuck


Re: Limiting closed port RST response

2003-06-20 Thread Jez Hancock
On Fri, Jun 20, 2003 at 09:55:19AM +0100, Matthew Ryan wrote:
> Could this be a DOS attack?
It could be, but more likely it's someone trying to determine what ports
are open with a tool such as nmap.

> Where do I find a more detailed log?
Configure a firewall such as ipf and make sure you opt to log blocked
packets.
> I'm running FreeBSD 4.8 Release - the box is basically just a gateway 
> router running natd and dhcpd.
ipf and ipnat run nicely together to provide a combination of nat and
filtering - although if you already have nat running it's probably best
just to configure a basic ipf firewall that allows just the traffic you
want.  Have a look here for more info on ipf:

http://munk.nu/ipf/

My old rulesets for ipf are here:

http://munk.nu/ipf/mboxen/

Regards,
Jez


Limiting closed port RST response

2003-06-20 Thread Matthew Ryan
Hi there,

I'm getting a lot of these in my security output.

Limiting closed port RST response from 220 to 200 packets per second
They are always on ports between 200-300.

Could this be a DOS attack?
Where do I find a more detailed log?
I'm running FreeBSD 4.8 Release - the box is basically just a gateway 
router running natd and dhcpd.

Any ideas?

Thanks

 Matthew Ryan

[EMAIL PROTECTED]

PS Please say if this question should be on a different list :-)



Re: limiting closed port rst response from ...

2002-10-21 Thread Redmond Militante

thanks.


On Mon, 21 Oct 2002, Roman Neuhauser wrote:

> # [EMAIL PROTECTED] / 2002-10-21 09:38:52 -0500:
> > hi all
> > 
> > i saw this messages in /var/log/messages over the weekend repeated several
> > times
> > 
> > oct 21 09:35:15 hostname /kernel: limiting closed port rst response from
> > 384 to 200 packets per second
> > 
> > also listed in the log were several attempts to connect to the machine via
> > anonymous ftp
> > 
> > can anyone tell me what the limiting closed port... message means?
> 
> * AFAICT *
> 
> that means that your box is trying to circumvent a possible DoS
> attack. this message is of the same kind as those
> 
> previous message repeated N times 
> 
> lines in /var/log/messages.
> 
> -- 
> If you cc me or take the list(s) out completely I'll most likely
> ignore your message.
> 

Redmond Militante
Northwestern University, Evanston, IL. USA
[EMAIL PROTECTED]
847-467-7617

