From: "Marwan Sultan"
To: Dragoncrest, "FreeBSD questions List"
Date: Sat, 29 Nov 2003 00:34:23 +0300
Message-Id: <20031128212848.M49932@kifco.net>
Subject: Re: security issue.

Hey all,

Sorry, this email was sent to the FreeBSD list by mistake; it was supposed to go to the ISP :)
Anyhow, thanks Dragoncrest for the hint and details, it was useful.
The ISP now has a BCC of this email.

Marwan

On Fri, 28 Nov 2003 20:11:23 -0500, Dragoncrest wrote
> It may be best to do two things. 1st would be to disable
> pings to and from the server at the router by putting in an ACL on
> the router. The second thing you'll want to do is block access to
> that machine via the router from any suspect IPs or IP blocks that
> you suspect might be attacking your machine. They already know it's
> there, so they're going to begin or continue to try to attack it now,
> so you'll want to block them from being able to access it now. Once
> you've done that, keep an eye on your machine for a while for any
> other possible attacks. Once they stop and nothing shows up for
> about 2 weeks it should be safe to remove the ACLs from the router,
> but continue to monitor it for a while longer just to be sure and
> add them back if necessary.
>
> At 11:36 PM 11/28/03 +0300, Marwan Sultan wrote:
> >Hello Tech.
> >
> > For the past few days, I have had trouble connecting to my KIFCO server
> > Kifco.net
> > And at night around (23:30 GMT) and the following hours I cannot
> > connect at all; it connects for 1 second, then everything lags.
> > I can see slow connections and lagged ones.
> >
> > When I was finally able to connect to the machine, I checked the dmesg log.
> > I found the following:
> >
> >Limiting closed port RST response from 268 to 200 packets per second
> >Limiting closed port RST response from 302 to 200 packets per second
> >Limiting closed port RST response from 296 to 200 packets per second
> >Limiting closed port RST response from 213 to 200 packets per second
> >Limiting closed port RST response from 272 to 200 packets per second
> >
> > Which is considered a PORTSCAN and an ATTACK.
> >
> > Also, as I know from my friend on the IRC DALnet network, dragons.dal.net
> > is hosted in maxim, and just this second it's disconnected.
> > Maybe because of an IRC server you have this attack?
> > I had two IRC servers on DALnet in the past, and I'm familiar with this trouble.
> > Anyhow, IRC is not my concern, nor who owns it.
> > Kifco is my concern.
> > Can you disable all PINGS from the router to my server?
> > Please can you update me and check this issue?
> >
> > Your update is really appreciated.
> >
> > Thank you.
> >
> >--
> >Marwan Sultan
> >Network Administrator

--
Marwan Sultan
Network Administrator
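
Added example, not part of either message: one way to do the log watching Dragoncrest describes, by parsing the kernel's "Limiting ... response" notices out of syslog lines and checking whether about 2 weeks have passed without one. The timestamps, host name and sshd line in the sample are constructed (only the packet counts come from the dmesg output quoted above); the function names, the `year` argument and the "host kernel:" line layout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Rate-limit notice as quoted above: the first number is the response rate the
# kernel would have sent, the second is the limit it applied.
NOTICE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S*kernel: "
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second"
)
QUIET_PERIOD = timedelta(days=14)  # "about 2 weeks" from the advice above

def parse_notices(lines, year):
    """Return (time, kind, seen, limit) for every rate-limit notice.
    Syslog lines carry no year, so the caller supplies it (assumption:
    the lines do not span a new year)."""
    notices = []
    for line in lines:
        m = NOTICE.match(line)
        if m is None:
            continue  # unrelated log line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        notices.append((when, m["kind"], int(m["seen"]), int(m["limit"])))
    return notices

def review(lines, year, now):
    """Summarise the notices and say whether the quiet period has elapsed.
    Only meaningful if `lines` covers the whole period up to `now`."""
    notices = parse_notices(lines, year)
    if not notices:
        return {"notices": 0, "peak": 0, "last_seen": None, "quiet": True}
    last = max(n[0] for n in notices)
    return {
        "notices": len(notices),
        "peak": max(n[2] for n in notices),   # highest per-second rate seen
        "last_seen": last,
        "quiet": now - last >= QUIET_PERIOD,  # no notice for 14 days or more
    }

# Constructed sample lines (timestamps and host name are made up).
SAMPLE = [
    "Nov 28 23:31:02 kifco /kernel: Limiting closed port RST response from 268 to 200 packets per second",
    "Nov 28 23:31:03 kifco /kernel: Limiting closed port RST response from 302 to 200 packets per second",
    "Nov 28 23:40:10 kifco sshd[411]: Accepted password for admin from 192.0.2.10 port 1022",
    "Nov 29 00:02:45 kifco /kernel: Limiting closed port RST response from 213 to 200 packets per second",
]

if __name__ == "__main__":
    print(review(SAMPLE, 2003, datetime(2003, 12, 5)))
```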