Date: Tue, 21 Jun 2005 23:08:15 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: "Troy G." <troyg@digitek-solutions.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Possible Attack?
Message-ID: <20050622040815.GA49171@dan.emsphone.com>
In-Reply-To: <42B8D72C.1080609@digitek-solutions.com>
References: <42B8D72C.1080609@digitek-solutions.com>
In the last episode (Jun 21), Troy G. said:
> I was going through a few servers tonight and came across this in
> /var/log/messages. This particular server functions mainly as our
> primary webserver. It's running FreeBSD 4.8-RELEASE. I decided to
> take a closer look to see what was generating these entries by
> loading up trafshow. I noticed quite a bit of icmp requests coming
> in. I created an access-list on the cisco and filtered icmp to this
> host and the messages kept logging. It's obvious I didn't see any
> icmp anymore on the server, but is this system under a heavy load? I
> don't see the load being that high according to top. Any suggestions?
>
> Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
> Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
> Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second

These don't have anything to do with incoming ICMP packets. They are
notices that something is trying to access ports that nothing is
listening on, and the kernel is rate-limiting the number of "ICMP port
unreachable" messages it's sending. You don't want to filter ICMP,
since that will break PMTUD ( http://pmtud.rfc822.org ) and annoys
people trying to traceroute to your webserver.

If you don't currently have any other ACLs at your router, you're most
likely seeing the usual background internet traffic (portscans from
compromised machines mainly). It's best to block all incoming TCP or
UDP traffic except for the ones you want people to see (80/tcp if it's
just a webserver). Depending on what version of IOS you're running,
you may have the IOS Firewall feature set, which is easy to configure
from the web interface.

-- 
	Dan Nelson
	dnelson@allantgroup.com
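As an added example (not part of the thread, not from either poster), here is a small Python script that does what Troy did by hand: it pulls the kernel's "Limiting ... response from N to M packets per second" notices out of /var/log/messages, groups them by the kind of response being limited, and reports the peak attempted rate and how long each burst lasted. The three "closed port RST response" lines are the ones quoted above; the sshd line and the "icmp unreach response" line are constructed samples (the latter assumes the same FreeBSD rate limiter also reports ICMP unreachables in that wording). The year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the three lines quoted in the thread, one unrelated line,
# and one (assumed) line from the same kernel limiter covering ICMP unreachables.
SAMPLE_LOG = """\
Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Jun 21 21:53:30 mx1 sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 40110 ssh2
Jun 21 22:10:05 mx1 /kernel: Limiting icmp unreach response from 410 to 200 packets per second
"""

# syslog timestamp, host, then the kernel's rate-limit notice.
LIMIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<cap>\d+) "
    r"packets per second$"
)


def parse_limit_events(text, year=2005):
    """Return one dict per rate-limit notice; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if not m:
            continue
        # syslog omits the year; the caller supplies it (2005 is an assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": ts,
            "host": m["host"],
            "kind": m["kind"],            # e.g. "closed port RST"
            "seen_pps": int(m["seen"]),   # rate the kernel wanted to send
            "cap_pps": int(m["cap"]),     # rate it was clamped to
        })
    return events


def summarize(events):
    """Per kind of limited response: count, peak attempted rate, time span."""
    out = {}
    for e in events:
        s = out.setdefault(e["kind"], {
            "count": 0, "peak_pps": 0, "cap_pps": e["cap_pps"],
            "first": e["time"], "last": e["time"],
        })
        s["count"] += 1
        s["peak_pps"] = max(s["peak_pps"], e["seen_pps"])
        s["first"] = min(s["first"], e["time"])
        s["last"] = max(s["last"], e["time"])
    for s in out.values():
        s["span_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return out


def sustained(summary, min_seconds=60):
    """Kinds whose notices span at least min_seconds: a scan, not a blip."""
    return sorted(k for k, s in summary.items() if s["span_seconds"] >= min_seconds)


if __name__ == "__main__":
    summary = summarize(parse_limit_events(SAMPLE_LOG))
    for kind, s in summary.items():
        print(f"{kind}: {s['count']} notices, peak {s['peak_pps']} pps "
              f"(cap {s['cap_pps']}), over {s['span_seconds']} s")
    print("sustained:", sustained(summary))
```

Two caveats when reading the output. The kernel only logs when the limit is exceeded, so a quiet log means the rate stayed under the cap, not that nobody was probing closed ports. And, as Dan says, the fix is at the router, not in ICMP: when building the inbound ACL that allows only 80/tcp, keep ICMP type 3 (destination unreachable, including code 4 "fragmentation needed" for PMTUD) and type 11 (time exceeded, which traceroute relies on) reachable.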
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050622040815.GA49171>