Re: Source of closed port RST responses

DAve wrote:
> I will be installing pf this week; I just need to write up my rule sets for these servers. I had been working on the webservers first. Is there a rule I can use to log connection attempts to closed ports?

pf doesn't really know anything about whether there is a listener at a particular port or not. However, you can log suspicious traffic using a 'capture everything' rule, which should log and then block or drop all traffic that matches it. You then override that with more specific rules to allow the traffic to the services you want to publish on the net. [pf is a 'last matching rule wins' type firewall, so you write the rules in order from most generic to most specific.]

Something like this:

    ext_if=em0    # alter to match your hardware

    set skip on lo0
    set loginterface $ext_if
    set state-policy if-bound

    scrub in

    block log all

    pass in on $ext_if proto tcp from any to $ext_if port http flags S/SA keep state
    [...]

(You'll need more pass rules than that -- especially to allow your host to do things like query the DNS, allow SSH in and out, connect to remote web/ftp sites, etc.)

Remember to run pflogd to have the logged packets saved to disk. Be aware that the log output in /var/log/pflog is actually in pcap format, so you'll need to use

    tcpdump -r /var/log/pflog

to turn it into something human readable. /var/log/pflog can get recycled fairly rapidly depending on network conditions. Or you can just run

    tcpdump -i pflog0

to get a live view of rejected packets.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Source of closed port RST responses

I am routinely seeing these entries in one of my servers' logs.

    Limiting closed port RST response from 373 to 200 packets/sec

The server sits behind a PIX firewall, so I am suspicious of what is trying to connect to a closed port. I don't see in any other logs what port is being hit, or what IP is causing these log entries.

Any way to tell what the source IP of these is?

Thanks,

DAve

--
Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it.

John Adams

http://appleseedinfo.org

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Source of closed port RST responses

DAve wrote:
> I am routinely seeing these entries in one of my servers' logs.
>
>     Limiting closed port RST response from 373 to 200 packets/sec
>
> The server sits behind a PIX firewall, so I am suspicious of what is trying to connect to a closed port. I don't see in any other logs what port is being hit, or what IP is causing these log entries.
>
> Any way to tell what the source IP of these is?
>
> Thanks,
>
> DAve

Easiest way, probably without any observer effect, would be to mirror the switch port your server is plugged into and use a computer running wireshark, or equivalent, to look at the mirrored traffic. Unless, of course, your switch doesn't support port mirroring, you don't have a spare computer running wireshark, etc., etc. It's obviously hard to tell what resources you have available to you.

You can also install wireshark from ports on your server, but depending on disk space, how pristine you want your server to remain, and internal security rules (wireshark, particularly some of the protocol decoders, is not without its own issues), there are some downsides to this.

Also remember that source IPs can be forged, so look at the MAC address information as well if things appear to be really odd.

--
--Jon Radel
j...@radel.com
Re: Source of closed port RST responses

Jon Radel wrote:
> DAve wrote:
>> I am routinely seeing these entries in one of my servers' logs.
>>
>>     Limiting closed port RST response from 373 to 200 packets/sec
>>
>> The server sits behind a PIX firewall, so I am suspicious of what is trying to connect to a closed port. I don't see in any other logs what port is being hit, or what IP is causing these log entries.
>>
>> Any way to tell what the source IP of these is?
>>
>> Thanks,
>>
>> DAve
>
> Easiest way, probably without any observer effect, would be to mirror the switch port your server is plugged into and use a computer running wireshark, or equivalent, to look at the mirrored traffic. Unless, of course, your switch doesn't support port mirroring, you don't have a spare computer running wireshark, etc., etc. It's obviously hard to tell what resources you have available to you.
>
> You can also install wireshark from ports on your server, but depending on disk space, how pristine you want your server to remain, and internal security rules (wireshark, particularly some of the protocol decoders, is not without its own issues), there are some downsides to this.
>
> Also remember that source IPs can be forged, so look at the MAC address information as well if things appear to be really odd.

I've asked my network guys if they were doing any scans inside the network; they say they are not. I had looked extensively online for any help and came up empty handed.

I might be able to run wireshark on the server, though it is a mail gateway and quite busy; I do not want to disrupt traffic if possible.

I will be installing pf this week; I just need to write up my rule sets for these servers. I had been working on the webservers first. Is there a rule I can use to log connection attempts to closed ports?

Thanks,

--
Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it.

John Adams

http://appleseedinfo.org
Re: Source of closed port RST responses

On Sun, Dec 20, 2009 at 2:37 PM, DAve dave.l...@pixelhammer.com wrote:
> I am routinely seeing these entries in one of my servers' logs.
>
>     Limiting closed port RST response from 373 to 200 packets/sec
>
> The server sits behind a PIX firewall, so I am suspicious of what is trying to connect to a closed port. I don't see in any other logs what port is being hit, or what IP is causing these log entries.
>
> Any way to tell what the source IP of these is?

Try using tcpdump. You can redirect the decoded output to a log file as well. Make sure to replace em0 in my example with the appropriate interface name. If the server is very busy, try just running it for a short period of time to make sure that it does not interrupt operations, then leave it running for whatever time period you want to monitor if all goes well.

    tcpdump -np -i em0 'tcp[13] & 4 != 0'

The 'tcp[13] & 4 != 0' will cause the filter to only capture packets with the TCP flag RST set. man tcpdump or google for more examples of filters.

Good Luck.

---Dave Horn
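An added example, not code posted by anyone in this thread: a small Python script that reads the text that either suggested command prints (Matthew's `tcpdump -n -r /var/log/pflog` for pf `block log` entries, or Dave Horn's `tcpdump -np -i em0 'tcp[13] & 4 != 0'` for the RSTs the host itself sends) and tallies which remote addresses are provoking the RSTs and which local ports they are hitting. It assumes IPv4, numeric addresses (`-n`) and tcpdump's usual `src.port > dst.port:` line layout, accepting both the newer `Flags [R.]` and the older bare `R` flag notation; the sample lines are constructed, using documentation address ranges, and the host's own address is passed on the command line.

```python
#!/usr/bin/env python3
"""Tally closed-port probes from tcpdump text output.

Added example for this thread, not code posted by any participant.
Feed it lines from either of:
    tcpdump -np -i em0 'tcp[13] & 4 != 0'      # RSTs this host is sending
    tcpdump -n -r /var/log/pflog               # packets pf logged (block log all)
and give it this host's own IPv4 address:
    python3 rst_sources.py 198.51.100.5 < capture.txt
Assumes IPv4, numeric addresses and tcpdump's usual "a.b.c.d.port > a.b.c.d.port:"
line layout (both the newer "Flags [R.]" and the older bare "R" notation).
"""
import re
import sys
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+'
    # optional pflog prefix, e.g. "rule 0/0(match): block in on em0: "
    r'(?:rule\s+\S+:\s+(?P<action>block|pass|match)\s+(?P<dir>in|out)\s+on\s+(?P<ifc>\S+):\s+)?'
    r'(?:IP\s+)?'
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+'
    # newer tcpdump: "Flags [S]"; older tcpdump: a bare flag token such as "S" or "R."
    r'(?:Flags\s+\[(?P<flags>[A-Z.]*)\]|(?P<oldflags>[SRFPUWE.]+)\s)'
)


def parse_line(line):
    """Return a dict for a TCP line we understand, or None (UDP, ICMP, other)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group('flags')
    if flags is None:
        flags = m.group('oldflags')
    return {
        'src': m.group('src'), 'sport': int(m.group('sport')),
        'dst': m.group('dst'), 'dport': int(m.group('dport')),
        'flags': flags,
        'blocked': m.group('action') == 'block',
    }


def summarize(lines, local_ip):
    """Count probes per remote address and per local port.

    Two kinds of evidence are combined:
      * an RST leaving local_ip: the kernel answering a packet to a closed port,
        so the RST's destination is the prober and its source port the port hit;
      * a pf "block in" entry addressed to local_ip: a packet that never reached
        the stack, so its source is the prober and its destination port the port hit.
    """
    remotes = Counter()
    ports = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if 'R' in pkt['flags'] and pkt['src'] == local_ip:
            # The RST goes to whatever the offending packet claimed as its
            # source; a forged source IP shows up here as the forged address.
            remotes[pkt['dst']] += 1
            ports[pkt['sport']] += 1
        elif pkt['blocked'] and pkt['dst'] == local_ip:
            remotes[pkt['src']] += 1
            ports[pkt['dport']] += 1
    return remotes, ports


# Constructed sample output (documentation addresses): a live RST capture mixed
# with pflog entries in both flag notations, plus UDP and SYN/ACK lines to skip.
SAMPLE = """\
14:02:11.123456 IP 198.51.100.5.23 > 192.0.2.10.44011: Flags [R.], seq 0, ack 1, win 0, length 0
14:02:11.123789 IP 198.51.100.5.8080 > 192.0.2.10.44012: Flags [R.], seq 0, ack 1, win 0, length 0
14:02:11.124001 IP 198.51.100.5.23 > 192.0.2.77.51020: Flags [R.], seq 0, ack 1, win 0, length 0
14:02:11.125000 IP 192.0.2.10.44013 > 198.51.100.5.25: Flags [S], seq 100, win 65535, length 0
14:02:12.000100 rule 0/0(match): block in on em0: 192.0.2.10.44014 > 198.51.100.5.23: Flags [S], seq 200, win 65535, length 0
14:02:12.000200 rule 0/0(match): block in on em0: 192.0.2.10.44015 > 198.51.100.5.3389: S 300:300(0) win 65535
14:02:12.000300 IP 198.51.100.5.25 > 192.0.2.10.44013: Flags [S.], seq 500, ack 101, win 65535, length 0
14:02:12.000400 IP 192.0.2.10.44016 > 198.51.100.5.53: UDP, length 30
"""


def report(remotes, ports, top=10):
    """Render the two tallies as text (returned rather than printed, so it can be tested)."""
    out = ["Remote addresses provoking RSTs / blocked packets:"]
    out += [f"  {addr:<15} {n:>6}" for addr, n in remotes.most_common(top)]
    out.append("Local ports hit:")
    out += [f"  {port:<15} {n:>6}" for port, n in ports.most_common(top)]
    return "\n".join(out)


def main(argv):
    if len(argv) == 2 and argv[1] == '--demo':
        lines, local_ip = SAMPLE.splitlines(), '198.51.100.5'
    elif len(argv) == 2:
        lines, local_ip = sys.stdin, argv[1]
    else:
        sys.exit(f"usage: {argv[0]} <this-host-ipv4> < tcpdump-output.txt  (or --demo)")
    print(report(*summarize(lines, local_ip)))


if __name__ == '__main__':
    main(sys.argv)
```

Run with `--demo` to see the tally on the built-in sample, or pipe a real capture in. Two caveats follow from the thread itself: the kernel's rate limit means the RST count is a floor, not the number of probes, so the pflog `block log all` view is the more complete one once pf is in place; and for RST lines the "remote" is only the address the offending packet carried as its source, so if the tallied remotes look like nonsense, Jon's advice stands and the MAC addresses (`tcpdump -e`) are the next thing to check.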