Date: Mon, 28 May 2001 13:36:04 +0100
From: Lee Smallbone <lee@kechara.net>
To: "Michael Tang Helmeste" <freebsd-security@freebsd.org>
Subject: Re[2]: Kernel message
Message-ID: <19566.010528@kechara.net>
References: <GLECJJEOFFBMALIKCDHIEEKGCAAA.glassfish@glassfish.net>

Tuesday, 29 May 2001, you wrote:

MTH> If you get this a lot and it annoys you, I'd recommend something like
MTH> portsentry (I used to get portscanned a lot and I installed this).
MTH> You can get it here: www.psionic.com/abacus

MTH> It can block them via tcpwrappers, or even add a route for them using
MTH> 'route' to make it so that they can't contact you anymore (by specifying the
MTH> route to their IP as through a dummy IP on your network). It also logs it in
MTH> syslog, and you can use the log reporting tool on the same page above, to
MTH> monitor for those types of things

MTH> I found it very useful. :)

Be careful with programs that block on receipt of probes. It is
extremely easy to spoof IPs that your system might need to live (ISP's
DNS servers, for example.)

--Lee.

MTH> -----Original Message-----
MTH> From: owner-freebsd-security@FreeBSD.ORG
MTH> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter Pentchev
MTH> Sent: Monday, May 28, 2001 7:37 PM
MTH> To: Retal
MTH> Cc: freebsd-security@freebsd.org
MTH> Subject: Re: Kernel message

MTH> On Tue, May 29, 2001 at 02:02:03AM +0200, Retal wrote:
>> I got this message while I was changing icmpbandlim from 200 to 30:
>> May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 to 30 packets per second
>>
>> I got this message like 10000 times..
>> What does that mean..

MTH> Somebody was portscanning you - running a simple program that connects
MTH> to every port from 1 to, say, 32768, on your machine, to see which ports
MTH> are 'open' - what services (daemons, servers) you are running on your
MTH> machine. The kernel had to send a lot of 'connection refused' ('closed'
MTH> port, not open) messages, and it had a max value of 30 of those per second.
MTH> It is informing you that in one given second, it was supposed to send out
MTH> 78 of those, but it only sent 30.

MTH> So.. somebody was portscanning you. If you are running any programs
MTH> that have known security issues, you had better stop them. Look at
MTH> the output of sockstat -4 to see which ports you have open (if your
MTH> FreeBSD is 4.3 or later, you can use sockstat -4l to see listening
MTH> sockets only), then look at the FreeBSD website to find a list of
MTH> security advisories to see if any of the programs you are running
MTH> are vulnerable in the versions on your machine.

MTH> G'luck,
MTH> Peter

MTH> --
MTH> I am the meaning of this sentence.

MTH> To Unsubscribe: send mail to majordomo@FreeBSD.org
MTH> with "unsubscribe freebsd-security" in the body of the message
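
The caution in the message above about blockers that act on probes can be turned into a never-block check that runs before any automatic block is applied. This is an added example, not part of the original thread and not portsentry's own code; the helper names, the sample resolv.conf content and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample of /etc/resolv.conf (documentation-range addresses).
SAMPLE_RESOLV_CONF = """\
# constructed sample
domain example.net
nameserver 192.0.2.53
nameserver 198.51.100.53
"""

def nameservers(resolv_conf_text):
    """Return the addresses found on 'nameserver' lines."""
    found = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(ipaddress.ip_address(fields[1]))
    return found

def build_never_block(resolv_conf_text, extra_networks=()):
    """Networks an automatic blocker must never act on (hypothetical helper)."""
    nets = [ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")
            for ip in nameservers(resolv_conf_text)]
    nets.extend(ipaddress.ip_network(n) for n in extra_networks)
    return nets

def should_block(source, never_block):
    """Return (allowed, reason) for a source address reported by a probe detector."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False, "unparseable address"
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return False, "special-purpose address"
    for net in never_block:
        if ip.version == net.version and ip in net:
            return False, f"protected by {net}"
    return True, "not protected"

if __name__ == "__main__":
    # Constructed gateway address; the probe sources below are constructed too.
    protected = build_never_block(SAMPLE_RESOLV_CONF, ["203.0.113.1/32"])
    for src in ["192.0.2.53", "203.0.113.1", "203.0.113.77", "127.0.0.1"]:
        allowed, reason = should_block(src, protected)
        print(f"{src:15} block={allowed!s:5} {reason}")
```

A source address that matches a resolver or the gateway is reported but never blocked, so a spoofed probe cannot cut the host off from services it depends on.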