Re: Security report question

2007-10-01 Thread Kurt Buff
On 9/30/07, Ian Smith [EMAIL PROTECTED] wrote:
> On Sun, 30 Sep 2007 09:41:00 -0700 Kurt Buff [EMAIL PROTECTED] wrote:
> > On 9/30/07, Chuck Swiger [EMAIL PROTECTED] wrote:
> > > Kurt Buff wrote:
> > > [ ... ]
> > > > +Limiting closed port RST response from 283 to 200 packets/sec
> > > >
> > > > I don't know what this means, though I suspect it could mean that I'm
> > > > being port scanned. Is this a reasonable guess?
> > >
> > > Yes.  It could also be something beating really hard on a single closed
> > > port, too.
> > >
> > > --
> > > -Chuck
> >
> > Thanks. This, coupled with some invalid SSH login attempts from a
> > known user, has made me quite suspicious. I think, though, that this
> > is all that I can call it at this point - suspicious.
> >
> > Anything further I could turn up to monitor/log what's going on?
>
> It may help in spotting unwanted stuff getting past your firewall,
> to either add to /etc/rc.conf:
>  log_in_vain=1
>
> or (coming to the same thing) add to /etc/sysctl.conf:
>  net.inet.tcp.log_in_vain=1
>  net.inet.udp.log_in_vain=1
>
> You can set the latter two sysctls immediately, of course.
>
> Cheers, Ian

Looks like it's time to learn how to set up PF. This machine is
internal to our enterprise, but in its own subnet separate from the
server and the end-user subnets, between our firewall and our main
router. The only ports open on it are SSH and SMTP, so I hadn't had
the inclination, amongst all my other tasks, to set that up.

Handbook, here I come.

Thanks for the help.

Kurt
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Security report question

2007-09-30 Thread Chuck Swiger

Kurt Buff wrote:
[ ... ]
> +Limiting closed port RST response from 283 to 200 packets/sec
>
> I don't know what this means, though I suspect it could mean that I'm
> being port scanned. Is this a reasonable guess?


Yes.  It could also be something beating really hard on a single closed port, 
too.

--
-Chuck


Re: Security report question

2007-09-30 Thread Kurt Buff
On 9/30/07, Chuck Swiger [EMAIL PROTECTED] wrote:
> Kurt Buff wrote:
> [ ... ]
> > +Limiting closed port RST response from 283 to 200 packets/sec
> >
> > I don't know what this means, though I suspect it could mean that I'm
> > being port scanned. Is this a reasonable guess?
>
> Yes.  It could also be something beating really hard on a single closed port,
> too.
>
> --
> -Chuck

Thanks. This, coupled with some invalid SSH login attempts from a
known user, has made me quite suspicious. I think, though, that this
is all that I can call it at this point - suspicious.

Anything further I could turn up to monitor/log what's going on?


Re: Security report question

2007-09-30 Thread Ian Smith
On Sun, 30 Sep 2007 09:41:00 -0700 Kurt Buff [EMAIL PROTECTED] wrote:
> On 9/30/07, Chuck Swiger [EMAIL PROTECTED] wrote:
> > Kurt Buff wrote:
> > [ ... ]
> > > +Limiting closed port RST response from 283 to 200 packets/sec
> > >
> > > I don't know what this means, though I suspect it could mean that I'm
> > > being port scanned. Is this a reasonable guess?
> >
> > Yes.  It could also be something beating really hard on a single closed
> > port, too.
> >
> > --
> > -Chuck
>
> Thanks. This, coupled with some invalid SSH login attempts from a
> known user, has made me quite suspicious. I think, though, that this
> is all that I can call it at this point - suspicious.
>
> Anything further I could turn up to monitor/log what's going on?

It may help in spotting unwanted stuff getting past your firewall,
to either add to /etc/rc.conf:
 log_in_vain=1

or (coming to the same thing) add to /etc/sysctl.conf:
 net.inet.tcp.log_in_vain=1
 net.inet.udp.log_in_vain=1

You can set the latter two sysctls immediately, of course.

Cheers, Ian
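
Once log_in_vain is on, the two readings given in this thread (a port scan, or something hitting one closed port hard) can be told apart by counting distinct closed ports per source. The following is an added example, not part of any poster's message: it assumes the kernel's "Connection attempt to TCP/UDP ..." log_in_vain message format, and the sample lines, addresses, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (documentation addresses). The "Connection attempt" lines
# follow the assumed log_in_vain kernel message format.
SAMPLE_LOG = """\
Sep 29 03:01:50 mx kernel: Limiting closed port RST response from 283 to 200 packets/sec
Sep 29 03:01:50 mx kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:40110 flags:0x02
Sep 29 03:01:50 mx kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40111 flags:0x02
Sep 29 03:01:50 mx kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:40112 flags:0x02
Sep 29 03:01:50 mx kernel: Connection attempt to TCP 192.0.2.10:110 from 198.51.100.7:40113 flags:0x02
Sep 29 03:01:50 mx kernel: Connection attempt to TCP 192.0.2.10:143 from 198.51.100.7:40114 flags:0x02
Sep 29 03:01:51 mx kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.9:5000
Sep 29 03:01:51 mx kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.9:5000
Sep 29 03:01:52 mx kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.9:5000
Sep 29 03:01:52 mx kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.9:5000
Sep 29 03:01:53 mx kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.9:5000
Sep 29 03:01:54 mx kernel: Connection attempt to TCP 192.0.2.10:113 from 192.0.2.55:33001 flags:0x02
"""

RATE = re.compile(r"Limiting closed port RST response from (\d+) to (\d+) packets/sec")
VAIN = re.compile(r"Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)")

def summarize(text, scan_ports=5, hammer_hits=5):
    """Return (rate_limit_peaks, {source: verdict}) for a block of log text."""
    peaks, ports, hits = [], defaultdict(set), defaultdict(int)
    for line in text.splitlines():
        m = RATE.search(line)
        if m:
            peaks.append(int(m.group(1)))  # RST rate before the kernel capped it
            continue
        m = VAIN.search(line)
        if m:
            proto, dport, src = m.group(1), int(m.group(3)), m.group(4)
            ports[src].add((proto, dport))  # distinct closed ports probed
            hits[src] += 1                  # total refused attempts
    verdicts = {}
    for src, count in hits.items():
        if len(ports[src]) >= scan_ports:
            verdicts[src] = "scan"          # many different closed ports
        elif count >= hammer_hits:
            verdicts[src] = "hammering"     # repeated hits on one or a few ports
        else:
            verdicts[src] = "noise"
    return peaks, verdicts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```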



Security report question

2007-09-29 Thread Kurt Buff
I've noted in a security mail from one of my machines the following log entries:

+++ /tmp/security.yEepp7hR  Sat Sep 29 03:02:07 2007
+Limiting closed port RST response from 253 to 200 packets/sec
+Limiting closed port RST response from 233 to 200 packets/sec
+Limiting closed port RST response from 262 to 200 packets/sec
+Limiting closed port RST response from 283 to 200 packets/sec


I don't know what this means, though I suspect it could mean that I'm
being port scanned. Is this a reasonable guess?

Kurt