Re: security issue.

2003-11-28 Thread Tillman Hodgson
On Fri, Nov 28, 2003 at 08:11:23PM -0500, Dragoncrest wrote:
> >Limiting closed port RST response from 272 to 200 packets per second

> > Can you disable all PINGS from router to my server?

> It may be best to do two things.  1st would be to disable pings to 
> and from the server at the router by putting in an ACL on the router.

No. The problem is clearly TCP related, not ICMP. Disabling pings won't
help and it can make future network troubleshooting more difficult.

The clue is that it said "port" and "RST". TCP reset packets are sent in
response to TCP connections, not in response to ICMP packets.

> The second thing you'll want to do is block access to that machine via
> the router from any suspect IPs or IP blocks that you suspect might
> be attacking your machine.  They already know it's there, so they're
> going to begin or continue to try to attack it now, so you'll want to
> block them from being able to access it now. Once you've done that,
> keep an eye on your machine for a while for any other possible
> attacks.  Once they stop and nothing shows up for about 2 weeks it
> should be safe to remove the ACL's from the router, but continue to
> monitor it for a while longer just to be sure and add them back if
> necessary.

This is a much better idea. Though the rate of 272 packets per second is
not terribly high - you could probably just put the ACL on the server
itself (via IPFW or IPF) if the hardware and bandwidth aren't horribly
undersized.

-T


-- 
"The secret to creativity is knowing how to hide your sources."
- Albert Einstein
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
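Tillman's two points, that the limiter message is TCP rather than ICMP and that a host-level ACL is enough at this rate, can be turned into a small triage script. The following is an added example, not code from the thread or from FreeBSD: it parses dmesg rate-limit lines in the "Limiting ... response from N to M packets per second" form that FreeBSD's badport_bandlim prints (the "closed port RST" kind is the TCP RST limiter; "icmp unreach" is the ICMP one; both are governed by the net.inet.icmp.icmplim sysctl, default 200), then tallies which remote addresses are drawing RSTs from the server in a tcpdump -n capture and renders ipfw deny rules for the worst offenders. The dmesg excerpt, the tcpdump lines and the 203.0.113.0/24 and 198.51.100.7 addresses are constructed for the example; the ipfw rule syntax (`ipfw add N deny tcp from X to me`) is real.

```python
import re
from collections import Counter

# Constructed dmesg excerpt in the format FreeBSD's badport_bandlim prints.
# The "closed port RST" lines mirror those quoted in the thread; the
# "icmp unreach" line is added to show what the ICMP variant looks like.
DMESG = """\
Limiting closed port RST response from 268 to 200 packets per second
Limiting closed port RST response from 302 to 200 packets per second
Limiting icmp unreach response from 40 to 200 packets per second
Limiting closed port RST response from 272 to 200 packets per second
"""

LIMIT_RE = re.compile(
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second"
)


def classify_limits(text):
    """Map each limiter kind to (highest rate seen, configured limit).

    'closed port RST' / 'open port RST' are TCP responses; 'icmp unreach',
    'icmp ping' and friends are ICMP.  All share net.inet.icmp.icmplim.
    """
    out = {}
    for m in LIMIT_RE.finditer(text):
        kind, seen, limit = m["kind"], int(m["seen"]), int(m["limit"])
        best, _ = out.get(kind, (0, limit))
        out[kind] = (max(best, seen), limit)
    return out


def is_tcp_rst_kind(kind):
    """True for the TCP RST limiters, False for the ICMP ones."""
    return "RST" in kind


# Constructed `tcpdump -n` summary lines using hypothetical RFC 5737
# addresses; 198.51.100.7 plays the server.  Flags [S] is a SYN, [R.] is the
# RST/ACK the server returns for a closed port, [S.] is a SYN/ACK from an
# open port.  The trailing ICMP line is noise the parser must ignore.
TCPDUMP = """\
23:30:01.000101 IP 203.0.113.5.40001 > 198.51.100.7.6667: Flags [S], seq 1, win 512, length 0
23:30:01.000102 IP 198.51.100.7.6667 > 203.0.113.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
23:30:01.000201 IP 203.0.113.5.40002 > 198.51.100.7.6668: Flags [S], seq 1, win 512, length 0
23:30:01.000202 IP 198.51.100.7.6668 > 203.0.113.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
23:30:01.000301 IP 203.0.113.5.40003 > 198.51.100.7.6669: Flags [S], seq 1, win 512, length 0
23:30:01.000302 IP 198.51.100.7.6669 > 203.0.113.5.40003: Flags [R.], seq 0, ack 2, win 0, length 0
23:30:01.000401 IP 203.0.113.9.50001 > 198.51.100.7.22: Flags [S], seq 1, win 512, length 0
23:30:01.000402 IP 198.51.100.7.22 > 203.0.113.9.50001: Flags [S.], seq 9, ack 2, win 65535, length 0
23:30:01.000501 IP 198.51.100.7 > 203.0.113.9: ICMP 198.51.100.7 udp port 1234 unreachable, length 36
"""

PKT_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def rst_targets(text, server_ip):
    """Count, per remote address, the RSTs server_ip sent back, i.e. how
    many closed ports each remote probed.  SYN/ACKs to open ports and ICMP
    lines are not counted."""
    hits = Counter()
    for m in PKT_RE.finditer(text):
        if m["src"] == server_ip and "R" in m["flags"]:
            hits[m["dst"]] += 1
    return hits


def ipfw_deny_rules(hits, threshold, first_rule=1000):
    """Render host-level ipfw deny rules for sources at or above threshold,
    worst offender first."""
    rules = []
    num = first_rule
    for ip, n in hits.most_common():
        if n < threshold:
            break
        rules.append(f"ipfw add {num} deny tcp from {ip} to me")
        num += 1
    return rules


if __name__ == "__main__":
    for kind, (seen, limit) in classify_limits(DMESG).items():
        proto = "TCP" if is_tcp_rst_kind(kind) else "ICMP"
        print(f"{proto:4} {kind}: peak {seen}/s, limit {limit}/s")
    for rule in ipfw_deny_rules(rst_targets(TCPDUMP, "198.51.100.7"), threshold=3):
        print(rule)
```

Run it against a real capture with `tcpdump -n 'tcp[tcpflags] & tcp-rst != 0'` taken on the server during the 23:30 GMT window; the RST filter alone is enough to confirm the traffic is TCP before anyone touches the router's ICMP handling.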


Re: security issue.

2003-11-28 Thread Marwan Sultan
Hey all,

 Sorry, this email has been sent to the FreeBSD list by mistake;
 it was supposed to go to the ISP :)
 Anyhow, thanks Dragoncrest for the hint and details, it was useful.
 the ISP now has a BCC of this email.
 

  Marwan

On Fri, 28 Nov 2003 20:11:23 -0500, Dragoncrest wrote
> It may be best to do two things.  1st would be to disable 
> pings to and from the server at the router by putting in an ACL on 
> the router.  The second thing you'll want to do is block access to 
> that machine via the router from any suspect IPs or IP blocks that 
> you suspect might be attacking your machine.  They already know it's 
> there, so they're going to begin or continue to try to attack it now,
>  so you'll want to block them from being able to access it now. Once 
> you've done that, keep an eye on your machine for a while for any 
> other possible attacks.  Once they stop and nothing shows up for 
> about 2 weeks it should be safe to remove the ACL's from the router, 
> but continue to monitor it for a while longer just to be sure and 
> add them back if necessary.
> 
> At 11:36 PM 11/28/03 +0300, Marwan Sultan wrote:
> >Hello Tech.
> >
> >   For the past few days, I had troubles connecting to my KIFCO server
> >   Kifco.net
> >   And at night around ( 23:30 GMT ) and the following hours i cannot
> >   connect at all, it connects for 1 second then everything lags,
> >   I can see slow connections and lagged ones.
> >
> >   After all, when I'm able to connect to the machine, I checked the dmesg log
> >   and found the following:
> >
> >Limiting closed port RST response from 268 to 200 packets per second
> >Limiting closed port RST response from 302 to 200 packets per second
> >Limiting closed port RST response from 296 to 200 packets per second
> >Limiting closed port RST response from 213 to 200 packets per second
> >Limiting closed port RST response from 272 to 200 packets per second
> >
> >  Which is considered a PORTSCAN and an ATTACK.
> >
> >  Also, as I know from my friend on the IRC DALnet network, dragons.dal.net
> >  is hosted in maxim, and just in this second it's disconnected.
> >  Maybe because of an IRC server you have this attack?
> >  I had two IRC servers on DALnet in the past, and I'm familiar with this trouble.
> >  Anyhow, IRC is not my concern, nor who owns it.
> >  Kifco is my concern.
> >  Can you disable all PINGS from router to my server?
> >  Please can you update me and check this issue?
> >
> >  Your updating me is really appreciated.
> >
> >  Thank you.
> >
> >--
> >Marwan Sultan
> >Network Administrator
> >


--
Marwan Sultan
Network Administrator



Re: security issue.

2003-11-28 Thread Dragoncrest
It may be best to do two things.  1st would be to disable pings to 
and from the server at the router by putting in an ACL on the router.  The 
second thing you'll want to do is block access to that machine via the 
router from any suspect IPs or IP blocks that you suspect might be 
attacking your machine.  They already know it's there, so they're going to 
begin or continue to try to attack it now, so you'll want to block them 
from being able to access it now. Once you've done that, keep an eye on 
your machine for a while for any other possible attacks.  Once they stop 
and nothing shows up for about 2 weeks it should be safe to remove the 
ACL's from the router, but continue to monitor it for a while longer just 
to be sure and add them back if necessary.

At 11:36 PM 11/28/03 +0300, Marwan Sultan wrote:
Hello Tech.

  For the past few days, I had troubles connecting to my KIFCO server
  Kifco.net
  And at night around ( 23:30 GMT ) and the following hours i cannot
  connect at all, it connects for 1 second then everything lags,
  I can see slow connections and lagged ones.
  After all, when I'm able to connect to the machine, I checked the dmesg log
  and found the following:
Limiting closed port RST response from 268 to 200 packets per second
Limiting closed port RST response from 302 to 200 packets per second
Limiting closed port RST response from 296 to 200 packets per second
Limiting closed port RST response from 213 to 200 packets per second
Limiting closed port RST response from 272 to 200 packets per second
 Which is considered a PORTSCAN and an ATTACK.

 Also, as I know from my friend on the IRC DALnet network, dragons.dal.net
 is hosted in maxim, and just in this second it's disconnected.
 Maybe because of an IRC server you have this attack?
 I had two IRC servers on DALnet in the past, and I'm familiar with this trouble.
 Anyhow, IRC is not my concern, nor who owns it.
 Kifco is my concern.
 Can you disable all PINGS from router to my server?
 Please can you update me and check this issue?
 Your updating me is really appreciated.

 Thank you.

--
Marwan Sultan
Network Administrator

