From owner-freebsd-questions@FreeBSD.ORG Wed Oct 8 04:11:28 2014
Date: Tue, 7 Oct 2014 21:11:27 -0700
From: Kurt Buff
To: "William A. Mahaffey III"
Cc: FreeBSD Questions
Subject: Re: oddball syslog entries ....
In-Reply-To: <5434AC3A.40707@hiwaay.net>
References: <5434A8F7.1090507@hiwaay.net> <5434AC3A.40707@hiwaay.net>
List-Id: User questions

edited the message for clarity...

On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III wrote:
> On 10/07/14 22:01, Kurt Buff wrote:
>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III wrote:
>>>
>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>> messages file:
>>>
>>> Oct 7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295
>>> to 200 packets/sec
>>> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324
>>> to 200 packets/sec
>>>
>>> The stuff from Oct 2 is irrelevant, included for completeness/context. The
>>> lines about 'Limiting closed port ....' are puzzling to me. Where are they
>>> coming from? Problem or chatter? Enquiring minds wanna know ;-) .... TIA
>>> for any clues ....
>>>
>>
>> AFAICT, someone is banging on your machine.
>>
>> What's your network environment look like? Are you directly connected
>> to the Internet, on a corporate network, or is this a home machine
>> behind a router/firewall?
>>
>> Kurt
>>
> SOHO, behind a 2-bit firewall device. I used to have an IPCop box, but it
> croaked a while back. I have a fair amount of firewalling active on this
> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's it. I
> am seeing nothing on other boxen on my LAN, FWIW .... Suggested course of
> action?

I'd approach this with tcpdump and wireshark. Assuming you have only one
NIC (em0) on this machine, I'd set up something like this as root in a
separate terminal/ssh session:

    tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100

This sets up a ring buffer where you'll get a maximum of 100 files of
1,000,000 bytes each. Then, when you note those odd messages again, you'll
be able to stop the capture and correlate the time stamps of the messages
and the tcpdump capture files. Examining the capture files with wireshark
should make the offending address(es) and/or port(s) stand out like a sore
thumb.

Kurt
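As an added example (not part of Kurt's message or of FreeBSD), here is a small Python helper for the correlation step he describes: it parses the "Limiting closed port RST response" lines out of /var/log/messages and, given the ring-buffer files with their modification times, names the capture file whose window covers each message, so you know which file to open in wireshark. The log lines are the two from the thread, the file names and times are constructed, and the year is passed in because syslog timestamps do not carry one.

```python
import re
from datetime import datetime

# Kernel message from the thread; the "200" is the net.inet.icmp.icmplim rate limit.
# Syslog stamps carry no year, so the caller supplies one.
RST_LIMIT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+kernel:\s+Limiting closed port RST response from "
    r"(?P<seen>\d+) to (?P<limit>\d+) packets/sec$")

def parse_rst_limit_events(lines, year):
    """Return (timestamp, attempted_rate, limit) for each rate-limit message."""
    events = []
    for line in lines:
        m = RST_LIMIT_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog line
        stamp = datetime.strptime(
            f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((stamp, int(m["seen"]), int(m["limit"])))
    return events

def capture_file_for(event_time, capture_files, capture_start=None):
    """Pick the ring-buffer file whose window covers event_time. capture_files holds
    (path, last_write_time) pairs, e.g. from os.stat(p).st_mtime of each banger.pcap*
    file: tcpdump closes a file once it reaches the -C size, so the mtime is its last
    packet's time, and sorting by mtime rather than by name copes with -W wrapping."""
    window_start = capture_start  # when the oldest surviving file was opened
    for path, closed_at in sorted(capture_files, key=lambda f: f[1]):
        if event_time > closed_at:
            window_start = closed_at
            continue
        if window_start is not None and event_time < window_start:
            return None  # older than the ring buffer: already overwritten
        return path
    return None  # newer than every closed file: still in tcpdump's open file

def correlate(lines, year, capture_files, capture_start=None):
    """Map each rate-limit message to the capture file to open in wireshark."""
    return [(stamp, seen, capture_file_for(stamp, capture_files, capture_start))
            for stamp, seen, _limit in parse_rst_limit_events(lines, year)]

# Constructed sample: the two lines from the thread and made-up ring-buffer file times.
SAMPLE_LOG = [
    "Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec",
    "Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec"]
SAMPLE_FILES = [("banger.pcap00", datetime(2014, 10, 7, 15, 0, 0)),
                ("banger.pcap01", datetime(2014, 10, 7, 15, 3, 23)),
                ("banger.pcap02", datetime(2014, 10, 7, 15, 3, 30))]
```

On the real box, build capture_files from os.listdir and os.stat over /root/dumps and feed the lines of /var/log/messages to correlate(); a None result means the packets are either still in the file tcpdump has open or were already overwritten by the ring.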