Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 30 Dec 2003 21:27:36 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Marwan Sultan <Admin@kifco.net>
Cc:        FreeBSD questions List <freebsd-questions@freebsd.org>
Subject:   Re: Prevent Port scaning
Message-ID:  <20031230212736.GB92799@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20031230160934.M41350@kifco.net>
References:  <20031230160934.M41350@kifco.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

--EuxKj2iCbKjpUGkD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Dec 30, 2003 at 07:13:48PM +0300, Marwan Sultan wrote:
>=20
> Hello Subscribers..
>=20
>  Happy new year for all,
>=20
>  My /var/log/messages  and /var/log/dmesg.today
>  Is full of the following lines:
>=20
> Limiting open port RST response from 332 to 200 packets per second
> Limiting open port RST response from 212 to 200 packets per second
> Limiting open port RST response from 204 to 200 packets per second
>=20
> /kernel: Limiting open port RST response from 335 to 200 packets per seco=
nd
> /kernel: Limiting open port RST response from 250 to 200 packets per seco=
nd
> /kernel: Limiting open port RST response from 248 to 200 packets per seco=
nd
>=20
> Which means someone scanning my ports. (correct me if im wrong)

That's a good working hypothesis.  Someone is sending you a lot of
packets to port numbers where nothing is actually listening at such a
rate that your kernel is limiting the rate at which it will respond.

It could also be due to the MSBLASTER worm, which is still very
prevalent on the net: I see probes to port 135 on my machine about
every 30s.  Which isn't fast enough to trigger the rate limiting
you're seeing, but if you were on a network with a lot of infected
machines isn't out of the question.
=20
> My question is:
> How to prevent this? I asumed that I should put the IP in deny list.

Best thing to do is implement a firewall where you default to dropping
any incoming packet not to the set of specifically allowed services
you require.  Note: you want to 'drop' or 'deny' the packet, rather
than 'reject' it.  'Drop' just chucks the packet in the bit-bucket and
nothing more.  'Reject' sends back an ICMP message saying "I can't
hear you".

Another (much easier, but less secure) thing to so is use the
following sysctls:

    net.inet.tcp.blackhole=3D2
    net.inet.udp.blackhole=3D1

See blackhole(4) for details.

> But where is the IP?

Try running tcpdump(1) or ethereal(1) (ports: net/ethereal) to capture
network traffic. =20

> I cannot find any IP in my logs that it shows who is doing the scan.
> or trying to hack..or whatever,

Yes -- you will need to use the logging facilities of ipfw(8) or
ipf(8) to record that sort of thing.  Or you might look at a NIDS like
snort (ports: security/snort , http://www.snort.org/)

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

--EuxKj2iCbKjpUGkD
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQE/8e3IdtESqEQa7a0RAgkCAJ4vb9Itrv8iZCcqnlOHw6Mk8IlocACfb54L
u/UONuC+SHqFdmTfb7NGmXw=
=DryB
-----END PGP SIGNATURE-----

--EuxKj2iCbKjpUGkD--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20031230212736.GB92799>