On Tue, Dec 30, 2003 at 07:13:48PM +0300, Marwan Sultan wrote: > > Hello Subscribers.. > > Happy new year for all, > > My /var/log/messages and /var/log/dmesg.today > Is full of the following lines: > > Limiting open port RST response from 332 to 200 packets per second > Limiting open port RST response from 212 to 200 packets per second > Limiting open port RST response from 204 to 200 packets per second > > /kernel: Limiting open port RST response from 335 to 200 packets per second > /kernel: Limiting open port RST response from 250 to 200 packets per second > /kernel: Limiting open port RST response from 248 to 200 packets per second > > Which means someone scanning my ports. (correct me if im wrong)
That's a good working hypothesis. Someone is sending you a lot of packets to port numbers where nothing is actually listening at such a rate that your kernel is limiting the rate at which it will respond. It could also be due to the MSBLASTER worm, which is still very prevalent on the net: I see probes to port 135 on my machine about every 30s. Which isn't fast enough to trigger the rate limiting you're seeing, but if you were on a network with a lot of infected machines isn't out of the question. > My question is: > How to prevent this? I asumed that I should put the IP in deny list. Best thing to do is implement a firewall where you default to dropping any incoming packet not to the set of specifically allowed services you require. Note: you want to 'drop' or 'deny' the packet, rather than 'reject' it. 'Drop' just chucks the packet in the bit-bucket and nothing more. 'Reject' sends back an ICMP message saying "I can't hear you". Another (much easier, but less secure) thing to so is use the following sysctls: net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1 See blackhole(4) for details. > But where is the IP? Try running tcpdump(1) or ethereal(1) (ports: net/ethereal) to capture network traffic. > I cannot find any IP in my logs that it shows who is doing the scan. > or trying to hack..or whatever, Yes -- you will need to use the logging facilities of ipfw(8) or ipf(8) to record that sort of thing. Or you might look at a NIDS like snort (ports: security/snort , http://www.snort.org/) Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK
pgp00000.pgp
Description: PGP signature