From owner-freebsd-questions@FreeBSD.ORG Mon Oct 1 03:25:20 2007
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 30A0816A420; Mon, 1 Oct 2007 03:25:20 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.freebsd.org (Postfix) with ESMTP id D054B13C45D; Mon, 1 Oct 2007 03:25:18 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id NAA04215; Mon, 1 Oct 2007 13:25:06 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Mon, 1 Oct 2007 13:25:05 +1000 (EST)
From: Ian Smith
To: Kurt Buff
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20071001005441.1E47F16A4CD@hub.freebsd.org>
Subject: Re: Security report question
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
List-Id: User questions
X-List-Received-Date: Mon, 01 Oct 2007 03:25:20 -0000

On Sun, 30 Sep 2007 09:41:00 -0700 Kurt Buff wrote:

> On 9/30/07, Chuck Swiger wrote:
> > Kurt Buff wrote:
> > [ ... ]
> > > +Limiting closed port RST response from 283 to 200 packets/sec
> > >
> > > I don't know what this means, though I suspect it could mean that I'm
> > > being port scanned. Is this a reasonable guess?
> >
> > Yes. It could also be something beating really hard on a single closed port, too.
> >
> > --
> > -Chuck
>
> Thanks. This, coupled with some invalid SSH login attempts from a
> known user, has made me quite suspicious. I think, though, that this
> is all that I can call it at this point - suspicious.
>
> Anything further I could turn up to monitor/log what's going on?
It may help in spotting unwanted stuff getting past your firewall, to
either add to /etc/rc.conf:

  log_in_vain="1"

or (coming to the same thing) add to /etc/sysctl.conf:

  net.inet.tcp.log_in_vain=1
  net.inet.udp.log_in_vain=1

You can set the latter two sysctls immediately, of course.

Cheers, Ian
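Once log_in_vain is on, the kernel logs one line per connection attempt to a closed port, and the useful question for Kurt's case is the one Chuck raised: many different ports from one source (what a scan looks like) or one port being hammered. The script below is an added example, not part of this thread or of FreeBSD; it summarizes such lines per source address. It assumes the "Connection attempt to TCP/UDP dst:port from src:port" message format as I remember it from the FreeBSD kernel, and the log lines it runs on are constructed sample data with documentation-range addresses.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines (hypothetical host "gaia",
# RFC 5737 addresses). Format assumed to match the kernel's log_in_vain output;
# the last line is an unrelated sshd entry that must be ignored.
SAMPLE_LOG='Oct  1 13:20:01 gaia kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40001 flags:0x02
Oct  1 13:20:01 gaia kernel: Connection attempt to TCP 192.0.2.10:135 from 198.51.100.7:40002 flags:0x02
Oct  1 13:20:02 gaia kernel: Connection attempt to TCP 192.0.2.10:445 from 198.51.100.7:40003 flags:0x02
Oct  1 13:20:02 gaia kernel: Connection attempt to TCP 192.0.2.10:3389 from 198.51.100.7:40004 flags:0x02
Oct  1 13:21:10 gaia kernel: Connection attempt to TCP 192.0.2.10:8080 from 203.0.113.9:51000 flags:0x02
Oct  1 13:21:11 gaia kernel: Connection attempt to TCP 192.0.2.10:8080 from 203.0.113.9:51001 flags:0x02
Oct  1 13:21:12 gaia kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.9:51002
Oct  1 13:22:00 gaia sshd[1234]: Invalid user test from 203.0.113.9'

# Usage: summarize_in_vain [min_ports] < /var/log/messages
# Prints "source attempts distinct_ports label", busiest source first.
# A source that touched at least min_ports (default 3) distinct closed ports
# is labelled multi-port; repeated hits on one or two ports are few-ports.
summarize_in_vain() {
    awk -v thr="${1:-3}" '
    /kernel: Connection attempt to (TCP|UDP) / {
        # Locate "attempt to <PROTO> <dst:port> from <src:port>" by keyword,
        # so the optional trailing "flags:0x.." field on TCP lines does not matter.
        for (i = 1; i <= NF; i++)
            if ($i == "attempt" && $(i+1) == "to") { dst = $(i+3); src = $(i+5); break }
        sub(/:[0-9]+$/, "", src)   # strip the source port, keep the address
        sub(/.*:/, "", dst)        # keep only the destination port number
        attempts[src]++
        if (!((src SUBSEP dst) in seen)) { seen[src SUBSEP dst] = 1; ports[src]++ }
    }
    END {
        for (s in attempts)
            printf "%s %d %d %s\n", s, attempts[s], ports[s],
                   (ports[s] >= thr ? "multi-port" : "few-ports")
    }' | sort -k2,2nr
}

# Demo on the constructed sample (threshold 3).
printf '%s\n' "$SAMPLE_LOG" | summarize_in_vain 3
```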