Date:      Mon, 1 Oct 2007 13:25:05 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Kurt Buff <kurt.buff@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Security report question
Message-ID:  <Pine.BSF.3.96.1071001131221.13846B-100000@gaia.nimnet.asn.au>
In-Reply-To: <20071001005441.1E47F16A4CD@hub.freebsd.org>

On Sun, 30 Sep 2007 09:41:00 -0700 Kurt Buff <kurt.buff@gmail.com> wrote:
 > On 9/30/07, Chuck Swiger <cswiger@mac.com> wrote:
 > > Kurt Buff wrote:
 > > [ ... ]
 > > > +Limiting closed port RST response from 283 to 200 packets/sec
 > > >
 > > > I don't know what this means, though I suspect it could mean that I'm
 > > > being port scanned. Is this a reasonable guess?
 > >
 > > Yes.  It could also be something beating really hard on a single closed port, too.
 > >
 > > --
 > > -Chuck
 > 
 > Thanks. This, coupled with some invalid SSH login attempts from a
 > known user, has made me quite suspicious. I think, though, that this
 > is all that I can call it at this point - suspicious.
 > 
 > Anything further I could turn up to monitor/log what's going on?

It may help in spotting unwanted stuff getting past your firewall,
to either add to /etc/rc.conf:
 log_in_vain="1"

or (coming to the same thing) add to /etc/sysctl.conf:
 net.inet.tcp.log_in_vain=1
 net.inet.udp.log_in_vain=1

You can set the latter two sysctls immediately, of course.

Cheers, Ian
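
[Added example, not part of the original message.] Once log_in_vain is on, the resulting kernel messages can be grouped by source to tell the two cases raised in the thread apart: many distinct closed ports from one address (a scan) versus repeated hits on one port. The message layout, the thresholds and the function names classify_in_vain and sample_log are assumptions of this sketch; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage log_in_vain kernel messages by source address.
# ASSUMPTION: the older FreeBSD message layout, i.e.
#   Connection attempt to TCP <dst>:<port> from <src>:<port> flags:0x..
#   Connection attempt to UDP <dst>:<port> from <src>:<port>
# Other releases word these messages differently; check a real line first.
SCAN_PORTS=${SCAN_PORTS:-3}    # distinct closed ports from one source => scan (arbitrary)
HAMMER_HITS=${HAMMER_HITS:-4}  # repeated hits on fewer ports => hammer (arbitrary)

classify_in_vain() {
    awk -v scan="$SCAN_PORTS" -v hammer="$HAMMER_HITS" '
    match($0, /Connection attempt to (TCP|UDP) /) {
        proto = substr($0, RSTART + 22, 3)            # "TCP" or "UDP"
        split(substr($0, RSTART + RLENGTH), f, " ")   # dst:port from src:port ...
        if (f[2] != "from") next
        dport = f[1]; sub(/.*:/, "", dport)           # keep text after the last colon
        src = f[3];   sub(/:[0-9]+$/, "", src)        # drop the source port
        hits[src]++
        if (!((src, proto, dport) in seen)) { seen[src, proto, dport] = 1; ports[src]++ }
    }
    END {
        for (s in hits) {
            verdict = "noise"
            if (ports[s] >= scan) verdict = "scan"
            else if (hits[s] >= hammer) verdict = "hammer"
            printf "%s %s hits=%d ports=%d\n", s, verdict, hits[s], ports[s]
        }
    }' | sort
}

# Constructed sample lines using documentation addresses, not taken from the thread.
sample_log() {
    cat <<'EOF'
Oct  1 03:01:10 host kernel: Limiting closed port RST response from 283 to 200 packets/sec
Oct  1 03:01:11 host kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:40111 flags:0x02
Oct  1 03:01:11 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40112 flags:0x02
Oct  1 03:01:11 host kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:40113 flags:0x02
Oct  1 03:02:00 host kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Oct  1 03:02:01 host kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Oct  1 03:02:02 host kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Oct  1 03:02:03 host kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Oct  1 03:05:40 host kernel: Connection attempt to TCP 192.0.2.10:80 from 192.0.2.44:51000 flags:0x02
EOF
}

sample_log | classify_in_vain
```

To use it on real data, feed the system log to the function instead of the sample, for example `classify_in_vain < /var/log/messages`.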



