Date: Sun, 20 Dec 2009 17:20:57 -0500 From: DAve <dave.list@pixelhammer.com> To: 'User Questions' <freebsd-questions@freebsd.org> Subject: Re: Source of closed port RST responses Message-ID: <4B2EA349.3050604@pixelhammer.com> In-Reply-To: <4B2E8628.6060100@radel.com> References: <4B2E7CEA.1020502@pixelhammer.com> <4B2E8628.6060100@radel.com>
Jon Radel wrote:
> DAve wrote:
>> I am routinely seeing these entries in one of my server's logs.
>>
>> Limiting closed port RST response from 373 to 200 packets/sec
>>
>> The server sits behind a PIX firewall, so I am suspicious of what is
>> trying to connect to a closed port. I don't see in any other logs what
>> port is being hit, or what IP is causing these log entries.
>>
>> Any way to tell what the source IP of these is?
>>
>> Thanks,
>>
>> DAve
>
> Easiest way, probably without any "observer effect," would be to mirror
> the switch port your server is plugged into and use a computer running
> wireshark, or equivalent, to look at the mirrored traffic.
>
> Unless, of course, your switch doesn't support port mirroring, you don't
> have a spare computer running wireshark, etc., etc. It's obviously hard
> to tell what resources you have available to you.
>
> You can also install wireshark from ports on your server, but depending
> on disk space, how "pristine" you want your server to remain, and
> internal security rules (wireshark, particularly some of the protocol
> decoders, is not without its own issues), there are some downsides to this.
>
> Also remember that source IPs can be forged, so look at the MAC address
> information as well if things appear to be really odd.

I've asked my network guys if they were doing any scans inside the network; they say they are not. I had looked extensively online for any help and came up empty handed.

I might be able to run wireshark on the server, though it is a mail gateway and quite busy; I do not want to disrupt traffic if possible.

I will be installing pf this week, I just need to write up my rule sets for these servers. I had been working on the webservers first. Is there a rule I can use to log connection attempts to closed ports?

Thanks,

-- 
"Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." John Adams
http://appleseedinfo.org
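One way to answer the question in the reply above (logging attempts against ports the server does not listen on) with a pf ruleset. This is an added example, not a ruleset from the thread or from the FreeBSD project; the interface name `em0` and the decision to pass only SMTP on port 25 are assumptions for a mail gateway, so adjust both to the real host:

```pf
# /etc/pf.conf fragment (added example; em0 and the port list are assumptions)
ext_if  = "em0"
mail_ports = "{ 25 }"

# Do not filter the loopback interface.
set skip on lo0

# Default deny with logging. "return" answers TCP with an RST and other
# protocols with an ICMP unreachable, i.e. the same closed-port behaviour the
# kernel already shows, but now every such packet is written to pflog0 with
# its source IP, destination port and the interface's view of the sender.
block return log on $ext_if all

# Explicitly allowed services; everything else falls through to the block rule.
pass in  on $ext_if proto tcp to ($ext_if) port $mail_ports keep state
pass out on $ext_if keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Logged packets appear on the `pflog0` interface and can be read live with `tcpdump -n -e -ttt -i pflog0 action block`, which shows the rule number, direction, source and destination address and port for each blocked packet without putting the mail interface into promiscuous mode. Because the block rule is stateless, each probe is logged individually, so the count of blocked packets per second in that output can be compared directly with the "Limiting closed port RST response" line from the kernel.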