Date: Tue, 7 Oct 2014 21:11:27 -0700
From: Kurt Buff <kurt.buff@gmail.com>
To: "William A. Mahaffey III" <wam@hiwaay.net>
Cc: FreeBSD Questions <questions@freebsd.org>
Subject: Re: oddball syslog entries ....
Message-ID: <CADy1Ce4pSdgzH2z%2B=Oq4DgrRhawTf_YQCi-Q5GKwAmAoJb2x-Q@mail.gmail.com>
In-Reply-To: <5434AC3A.40707@hiwaay.net>
References: <5434A8F7.1090507@hiwaay.net> <CADy1Ce5OJ94MBZPk4F-R3CRn8veYLmLP3Zqp07QC0bDCg49oag@mail.gmail.com> <5434AC3A.40707@hiwaay.net>
edited the message for clarity...

On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III <wam@hiwaay.net> wrote:
> On 10/07/14 22:01, Kurt Buff wrote:
>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III <wam@hiwaay.net> wrote:
>>>
>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>> messages file:
>>>
>>> <snipppety>
>>> Oct 7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
>>> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
>>>
>>> The stuff from Oct 2 is irrelevant, included for completeness/context. The
>>> lines about 'Limiting closed port ....' are puzzling to me. Where are they
>>> coming from ? Problem or chatter ? Enquiring minds wanna know ;-) .... TIA
>>> for any clues ....
>>>
>>
>> AFAICT, someone is banging on your machine.
>>
>> What's your network environment look like? Are you directly connected
>> to the Internet, on a corporate network, or is this a home machine
>> behind a router/firewall?
>>
>> Kurt
>> <snippety>
> SOHO, behind a 2-bit firewall device. I used to have a IPCop box, but it
> croaked a while back. I have a fair amount of firewalling active on this
> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's it. I
> am seeing nothing on other boxen on my LAN, FWIW .... Suggested course of
> action ?

I'd approach this with tcpdump, and wireshark.

Assuming you have only one NIC (em0) on this machine, I'd set up
something like this as root in a separate terminal/ssh session:

    tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100

This sets up a ring buffer where you'll get a maximum of 100 files of
1,000,000 bytes each. Then, when you note those odd messages again,
you'll be able to stop the capture and correlate the time stamps of
the messages and the tcpdump capture files.

Examining the capture files with wireshark should make offending
address(es) and/or port(s) stand out like a sore thumb.

Kurt
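The correlation step Kurt describes (matching the syslog "Limiting closed port RST response" timestamps against the tcpdump ring-buffer files) can be scripted. The following is an added example, not code from the thread: it parses constructed syslog lines in the format quoted above and, given a constructed list of capture files with their modification times (as produced by `-C 1 -W 100`), reports which file was being written when each rate-limit event fired. The file names, times and the syslog year are assumptions for the sample.

```python
import re
from datetime import datetime

# Constructed sample from /var/log/messages, in the format quoted in the thread.
SYSLOG_LINES = """\
Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
Oct  7 15:10:01 kabini1 sshd[1234]: Accepted publickey for wam from 192.0.2.10 port 51122 ssh2
Oct  7 15:20:00 kabini1 kernel: Limiting closed port RST response from 410 to 200 packets/sec
"""

# Constructed ring-buffer state: (path, mtime) as you would get from stat on the
# files tcpdump -C/-W rotates through. mtime is when tcpdump closed that file.
RING_FILES = [
    ("/root/dumps/banger.pcap00", datetime(2014, 10, 7, 15, 0, 0)),
    ("/root/dumps/banger.pcap01", datetime(2014, 10, 7, 15, 5, 0)),
    ("/root/dumps/banger.pcap02", datetime(2014, 10, 7, 15, 12, 0)),
]

# syslog has no year; the caller supplies it. "seen" is the observed RST rate,
# "cap" the kernel's limit (net.inet.icmp.icmplim on FreeBSD).
LIMIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"Limiting closed port RST response from (?P<seen>\d+) to (?P<cap>\d+) packets/sec$"
)


def parse_rst_limit_events(text, year):
    """Return [(datetime, seen_rate, cap_rate)] for every rate-limit line."""
    events = []
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m["seen"]), int(m["cap"])))
    return events


def file_covering(ts, ring_files):
    """First file (by mtime) closed at or after ts; None if ts is after the last
    close, i.e. it fell in the file tcpdump was still writing when stopped.
    After wrap-around the oldest file's start time is unknown, so an event
    older than the oldest mtime may already have been overwritten."""
    for path, mtime in sorted(ring_files, key=lambda f: f[1]):
        if ts <= mtime:
            return path
    return None


def correlate(text, year, ring_files):
    """Map each rate-limit event's time of day to the pcap file to open in wireshark."""
    return {ts.strftime("%H:%M:%S"): file_covering(ts, ring_files)
            for ts, _, _ in parse_rst_limit_events(text, year)}
```

Feed it the real messages file and the `stat`-derived mtimes of `/root/dumps/banger.pcap*`, then open the named files in wireshark and filter on `tcp.flags.reset == 1` to see which addresses and ports drew the RSTs.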