Re: Prevent Port scanning

2003-12-30 Thread Matthew Seaman
On Tue, Dec 30, 2003 at 07:13:48PM +0300, Marwan Sultan wrote:
> 
> Hello Subscribers..
> 
>  Happy new year for all,
> 
>  My /var/log/messages and /var/log/dmesg.today
>  are full of the following lines:
> 
> Limiting open port RST response from 332 to 200 packets per second
> Limiting open port RST response from 212 to 200 packets per second
> Limiting open port RST response from 204 to 200 packets per second
> 
> /kernel: Limiting open port RST response from 335 to 200 packets per second
> /kernel: Limiting open port RST response from 250 to 200 packets per second
> /kernel: Limiting open port RST response from 248 to 200 packets per second
> 
> Which means someone is scanning my ports. (Correct me if I'm wrong.)

That's a good working hypothesis.  Someone is sending you a lot of
packets to port numbers where nothing is actually listening at such a
rate that your kernel is limiting the rate at which it will respond.

It could also be due to the MSBLASTER worm, which is still very
prevalent on the net: I see probes to port 135 on my machine about
every 30s.  That isn't fast enough to trigger the rate limiting
you're seeing, but if you were on a network with a lot of infected
machines it isn't out of the question.
 
> My question is:
> How to prevent this? I assumed that I should put the IP in a deny list.

Best thing to do is implement a firewall where you default to dropping
any incoming packet not to the set of specifically allowed services
you require.  Note: you want to 'drop' or 'deny' the packet, rather
than 'reject' it.  'Drop' just chucks the packet in the bit-bucket and
nothing more.  'Reject' sends back an ICMP message saying "I can't
hear you".

Another (much easier, but less secure) thing to do is use the
following sysctls:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

See blackhole(4) for details.

> But where is the IP?

Try running tcpdump(1) or ethereal(1) (ports: net/ethereal) to capture
network traffic.  

> I cannot find any IP in my logs that shows who is doing the scan,
> or trying to hack, or whatever.

Yes -- you will need to use the logging facilities of ipfw(8) or
ipf(8) to record that sort of thing.  Or you might look at a NIDS like
snort (ports: security/snort, http://www.snort.org/).

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK


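The reply above makes two points a defender needs to put together: the kernel's "Limiting open port RST response" notice reports only a rate, never a source address, and the address has to come from firewall logging (ipfw with the `log` keyword, or ipf). The script below is an added example for this thread, not code from either poster. It parses the six kernel notices quoted above, then mines a set of constructed ipfw deny-log lines (the line shape is assumed from ipfw(8)'s logging format; the addresses are from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and the rule numbers and interface name are made up) and ranks sources by how many distinct blocked ports each touched. That ranking is what separates a port sweep from a single-port worm probe such as the port-135 traffic Matthew mentions; the `min_ports=5` threshold is an assumption to tune per site.

```python
"""Find who is probing a host from ipfw(8) deny logs.

Added example for this thread (not code from the list posters). The kernel
'Limiting open port RST response' notice only reports a rate, never a source
address, so this script first summarises those notices and then mines ipfw
log lines, which do carry the source IP, for hosts touching many blocked
ports. IPFW_SAMPLE is a constructed sample using documentation address ranges.
"""
import re
from collections import defaultdict

# Kernel rate-limit notice; the 200/s ceiling is the net.inet.icmp.icmplim sysctl.
RST_LIMIT_RE = re.compile(
    r"Limiting open port RST response from (?P<seen>\d+) to (?P<limit>\d+) packets per second"
)

# Assumed ipfw log line shape (after ipfw(8)), written by rules carrying 'log':
#   "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+)\s+(?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# The six notices quoted in the thread (no source address in any of them).
KERNEL_SAMPLE = [
    "Limiting open port RST response from 332 to 200 packets per second",
    "Limiting open port RST response from 212 to 200 packets per second",
    "Limiting open port RST response from 204 to 200 packets per second",
    "/kernel: Limiting open port RST response from 335 to 200 packets per second",
    "/kernel: Limiting open port RST response from 250 to 200 packets per second",
    "/kernel: Limiting open port RST response from 248 to 200 packets per second",
]

# Constructed ipfw log sample: one host sweeping many ports, one host hammering
# port 135 only (worm-like), and one accepted connection that must be ignored.
IPFW_SAMPLE = [
    "Dec 30 19:10:01 host kernel: ipfw: 100 Deny TCP 192.0.2.10:41000 203.0.113.2:21 in via fxp0",
    "Dec 30 19:10:01 host kernel: ipfw: 100 Deny TCP 192.0.2.10:41001 203.0.113.2:22 in via fxp0",
    "Dec 30 19:10:01 host kernel: ipfw: 100 Deny TCP 192.0.2.10:41002 203.0.113.2:23 in via fxp0",
    "Dec 30 19:10:02 host kernel: ipfw: 100 Deny TCP 192.0.2.10:41003 203.0.113.2:25 in via fxp0",
    "Dec 30 19:10:02 host kernel: ipfw: 100 Deny TCP 192.0.2.10:41004 203.0.113.2:80 in via fxp0",
    "Dec 30 19:10:02 host kernel: ipfw: 100 Deny TCP 192.0.2.10:41005 203.0.113.2:110 in via fxp0",
    "Dec 30 19:10:03 host kernel: ipfw: 100 Deny TCP 192.0.2.10:41006 203.0.113.2:135 in via fxp0",
    "Dec 30 19:10:03 host kernel: ipfw: 100 Deny TCP 192.0.2.10:41007 203.0.113.2:139 in via fxp0",
    "Dec 30 19:10:30 host kernel: ipfw: 100 Deny TCP 198.51.100.7:3322 203.0.113.2:135 in via fxp0",
    "Dec 30 19:11:00 host kernel: ipfw: 100 Deny TCP 198.51.100.7:3350 203.0.113.2:135 in via fxp0",
    "Dec 30 19:11:30 host kernel: ipfw: 100 Deny TCP 198.51.100.7:3391 203.0.113.2:135 in via fxp0",
    "Dec 30 19:11:31 host kernel: ipfw: 50 Accept TCP 203.0.113.9:5100 203.0.113.2:22 in via fxp0",
    "Dec 30 19:11:32 host kernel: ipfw: 100 Deny UDP 192.0.2.10:41008 203.0.113.2:53 in via fxp0",
]


def summarize_rst_limits(lines):
    """Return (notice count, peak observed RST rate, configured limit) from kernel messages."""
    rates = []
    limit = None
    for line in lines:
        m = RST_LIMIT_RE.search(line)
        if m:
            rates.append(int(m.group("seen")))
            limit = int(m.group("limit"))
    return len(rates), (max(rates) if rates else 0), limit


def parse_ipfw_denies(lines):
    """Map each source IP to the set of destination ports it was denied on (inbound only)."""
    ports_by_src = defaultdict(set)
    for line in lines:
        m = IPFW_RE.search(line)
        if m and m.group("action") == "Deny" and m.group("dir") == "in":
            ports_by_src[m.group("src")].add(int(m.group("dport")))
    return ports_by_src


def likely_scanners(lines, min_ports=5):
    """Sources hitting at least min_ports distinct blocked ports, busiest first."""
    ports_by_src = parse_ipfw_denies(lines)
    ranked = sorted(ports_by_src.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, len(ports)) for src, ports in ranked if len(ports) >= min_ports]


if __name__ == "__main__":
    n, peak, limit = summarize_rst_limits(KERNEL_SAMPLE)
    print(f"{n} rate-limit notices, peak {peak} RST/s against a {limit}/s limit, no source address")
    for src, count in likely_scanners(IPFW_SAMPLE):
        print(f"{src}: {count} distinct blocked ports -> candidate for a deny rule")
    for src, ports in parse_ipfw_denies(IPFW_SAMPLE).items():
        if len(ports) < 5:
            print(f"{src}: only ports {sorted(ports)} (single-port probe, not a sweep)")
```

For real logs, feed the script the file that ipfw's `log` rules write to (syslog's security facility, /var/log/security on a stock install) and remember that ipfw only logs when net.inet.ip.fw.verbose is set, and stops logging a rule once net.inet.ip.fw.verbose_limit is reached. Adding a block rule for a source that the ranking surfaces is then a decision with an address behind it, which is what the original question lacked.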


Prevent Port scanning

2003-12-30 Thread Marwan Sultan

Hello Subscribers..

 Happy new year for all,

 My /var/log/messages and /var/log/dmesg.today
 are full of the following lines:

Limiting open port RST response from 332 to 200 packets per second
Limiting open port RST response from 212 to 200 packets per second
Limiting open port RST response from 204 to 200 packets per second

/kernel: Limiting open port RST response from 335 to 200 packets per second
/kernel: Limiting open port RST response from 250 to 200 packets per second
/kernel: Limiting open port RST response from 248 to 200 packets per second

Which means someone is scanning my ports. (Correct me if I'm wrong.)

My question is:
How to prevent this? I assumed that I should put the IP in a deny list.
But where is the IP?
I cannot find any IP in my logs that shows who is doing the scan,
or trying to hack, or whatever.
Can anyone advise, please?
Since once in the past I posted my server's real IP on this list,
and this scanning did not stop.

--
Marwan Sultan

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"