From owner-freebsd-questions@FreeBSD.ORG Tue Dec 30 13:27:49 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 569AC16A4D3 for ; Tue, 30 Dec 2003 13:27:49 -0800 (PST) Received: from smtp.infracaninophile.co.uk (ns0.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 985A143D41 for ; Tue, 30 Dec 2003 13:27:41 -0800 (PST) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [127.0.0.1]) hBULRbwd093259 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 30 Dec 2003 21:27:37 GMT (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost)id hBULRaK5093258; Tue, 30 Dec 2003 21:27:36 GMT (envelope-from matthew) Date: Tue, 30 Dec 2003 21:27:36 +0000 From: Matthew Seaman To: Marwan Sultan Message-ID: <20031230212736.GB92799@happy-idiot-talk.infracaninophile.co.uk> Mail-Followup-To: Matthew Seaman , Marwan Sultan , FreeBSD questions List References: <20031230160934.M41350@kifco.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="EuxKj2iCbKjpUGkD" Content-Disposition: inline In-Reply-To: <20031230160934.M41350@kifco.net> User-Agent: Mutt/1.5.5.1i X-Spam-Status: No, hits=-4.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=2.61 X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on happy-idiot-talk.infracaninophile.co.uk cc: FreeBSD questions List Subject: Re: Prevent Port scaning X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Dec 2003 21:27:49 -0000 --EuxKj2iCbKjpUGkD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Dec 30, 2003 at 07:13:48PM +0300, Marwan Sultan wrote: >=20 > Hello Subscribers.. >=20 > Happy new year for all, >=20 > My /var/log/messages and /var/log/dmesg.today > Is full of the following lines: >=20 > Limiting open port RST response from 332 to 200 packets per second > Limiting open port RST response from 212 to 200 packets per second > Limiting open port RST response from 204 to 200 packets per second >=20 > /kernel: Limiting open port RST response from 335 to 200 packets per seco= nd > /kernel: Limiting open port RST response from 250 to 200 packets per seco= nd > /kernel: Limiting open port RST response from 248 to 200 packets per seco= nd >=20 > Which means someone scanning my ports. (correct me if im wrong) That's a good working hypothesis. Someone is sending you a lot of packets to port numbers where nothing is actually listening at such a rate that your kernel is limiting the rate at which it will respond. It could also be due to the MSBLASTER worm, which is still very prevalent on the net: I see probes to port 135 on my machine about every 30s. Which isn't fast enough to trigger the rate limiting you're seeing, but if you were on a network with a lot of infected machines isn't out of the question. =20 > My question is: > How to prevent this? I asumed that I should put the IP in deny list. Best thing to do is implement a firewall where you default to dropping any incoming packet not to the set of specifically allowed services you require. Note: you want to 'drop' or 'deny' the packet, rather than 'reject' it. 'Drop' just chucks the packet in the bit-bucket and nothing more. 'Reject' sends back an ICMP message saying "I can't hear you". Another (much easier, but less secure) thing to so is use the following sysctls: net.inet.tcp.blackhole=3D2 net.inet.udp.blackhole=3D1 See blackhole(4) for details. > But where is the IP? Try running tcpdump(1) or ethereal(1) (ports: net/ethereal) to capture network traffic. =20 > I cannot find any IP in my logs that it shows who is doing the scan. > or trying to hack..or whatever, Yes -- you will need to use the logging facilities of ipfw(8) or ipf(8) to record that sort of thing. Or you might look at a NIDS like snort (ports: security/snort , http://www.snort.org/) Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --EuxKj2iCbKjpUGkD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQE/8e3IdtESqEQa7a0RAgkCAJ4vb9Itrv8iZCcqnlOHw6Mk8IlocACfb54L u/UONuC+SHqFdmTfb7NGmXw= =DryB -----END PGP SIGNATURE----- --EuxKj2iCbKjpUGkD--