From: DAve <dave.list@pixelhammer.com>
Date: Sun, 20 Dec 2009 17:20:57 -0500
To: 'User Questions' <freebsd-questions@freebsd.org>
Subject: Re: Source of closed port RST responses
Message-ID: <4B2EA349.3050604@pixelhammer.com>
In-Reply-To: <4B2E8628.6060100@radel.com>

Jon Radel wrote:
> DAve wrote:
>> I am routinely seeing these entries in one of my server's logs.
>>
>> Limiting closed port RST response from 373 to 200 packets/sec
>>
>> The server sits behind a PIX firewall, so I am suspicious of what is
>> trying to connect to a closed port. I don't see in any other logs what
>> port is being hit, or what IP is causing these log entries.
>>
>> Any way to tell what the source IP of these is?
>>
>> Thanks,
>>
>> DAve
>
> Easiest way, probably without any "observer effect," would be to mirror
> the switch port your server is plugged into and use a computer running
> wireshark, or equivalent, to look at the mirrored traffic.
>
> Unless, of course, your switch doesn't support port mirroring, you don't
> have a spare computer running wireshark, etc., etc. It's obviously hard
> to tell what resources you have available to you.
>
> You can also install wireshark from ports on your server, but depending
> on disk space, how "pristine" you want your server to remain, and
> internal security rules (wireshark, particularly some of the protocol
> decoders, is not without its own issues), there are some downsides to this.
>
> Also remember that source IPs can be forged, so look at the MAC address
> information as well if things appear to be really odd.

I've asked my network guys if they were doing any scans inside the network;
they say they are not. I had looked extensively online for any help and
came up empty-handed.

I might be able to run wireshark on the server, though it is a mail
gateway and quite busy; I do not want to disrupt traffic if possible.

I will be installing pf this week; I just need to write up my rule sets for
these servers. I had been working on the webservers first. Is there a rule
I can use to log connection attempts to closed ports?

Thanks,

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom. I hope you will make good use of it. If you do
not, I shall repent in heaven that ever I took half the pains to
preserve it."

John Adams

http://appleseedinfo.org
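The thread above asks how to find who is provoking the "closed port RST response" messages. The following is an added example, not code from DAve, Jon Radel or the FreeBSD project: a small POSIX shell pipeline that takes tcpdump's text output and tallies which peers the server is sending RSTs to, and on which closed ports. The key observation it relies on is that the RST for a closed port is sent by the server, so the prober's address is the destination of the RST, not its source. The interface name em0, the server address 10.0.0.5 and the sample tcpdump lines are all constructed placeholders for this example.

```sh
#!/bin/sh
# Live use on the server (as root; em0 and 10.0.0.5 are placeholders for
# the mail gateway's interface and address):
#
#   tcpdump -ni em0 'tcp[tcpflags] & tcp-rst != 0 and src host 10.0.0.5' \
#       | top_rst_peers
#
# The capture filter keeps only TCP segments with RST set that the server
# itself sends, i.e. exactly the packets the kernel is rate-limiting.
# Add -e to tcpdump if you also want link-layer (MAC) addresses printed,
# which helps when a source IP looks forged.

# Read tcpdump text lines on stdin and print one line per
# "<count> <peer_ip> <closed_port>", most frequent first.
top_rst_peers() {
    awk '
        /Flags \[R/ {
            # With tcpdump -n the fields are:
            #   $3 = "srcip.srcport"  $5 = "dstip.dstport:" (trailing colon)
            src = $3
            dst = $5
            sub(/:$/, "", dst)
            n = split(src, s, ".")
            port = s[n]                      # the closed port on the server
            split(dst, d, ".")
            peer = d[1] "." d[2] "." d[3] "." d[4]   # who got the RST
            count[peer " " port]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of tcpdump -n output: three RSTs to one peer hitting
# port 8080, one RST to another peer on 3306, and one unrelated SYN-ACK.
SAMPLE='22:21:15.000001 IP 10.0.0.5.8080 > 192.168.1.46.51234: Flags [R.], seq 0, ack 1, win 0, length 0
22:21:15.000002 IP 10.0.0.5.8080 > 192.168.1.46.51235: Flags [R.], seq 0, ack 1, win 0, length 0
22:21:15.000003 IP 10.0.0.5.8080 > 192.168.1.46.51236: Flags [R.], seq 0, ack 1, win 0, length 0
22:21:15.000004 IP 10.0.0.5.3306 > 192.168.1.77.40001: Flags [R.], seq 0, ack 1, win 0, length 0
22:21:15.000005 IP 10.0.0.5.25 > 192.168.1.46.51237: Flags [S.], seq 100, ack 1, win 65535, length 0'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | top_rst_peers

# Once pf is in place, the same question can be answered from pflog instead
# of a raw capture. Assumed pf.conf fragment (not from the thread): log every
# inbound TCP connection attempt that is not explicitly passed, then read the
# log with "tcpdump -n -e -ttt -i pflog0".
#
#   ext_if = "em0"
#   block return in log on $ext_if proto tcp to ($ext_if)
#   pass in on $ext_if proto tcp to ($ext_if) port { 25, 22 }
```

Running the pipeline over a few seconds of capture during one of the log bursts is usually enough to see one or two peers dominating the output; the "200 packets/sec" ceiling in the log message is FreeBSD's net.inet.icmp.icmplim, which rate-limits these RSTs as well as ICMP unreachables, so the message itself only tells you the burst exceeded that limit, not who caused it.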