From owner-freebsd-questions@FreeBSD.ORG Mon Oct 1 14:50:42 2007
Date: Mon, 1 Oct 2007 07:50:41 -0700
From: "Kurt Buff" (envelope-from kurt.buff@gmail.com)
To: "Ian Smith"
Cc: freebsd-questions@freebsd.org
References: <20071001005441.1E47F16A4CD@hub.freebsd.org>
Subject: Re: Security report question

On 9/30/07, Ian Smith wrote:
> On Sun, 30 Sep 2007 09:41:00 -0700 Kurt Buff wrote:
> > On 9/30/07, Chuck Swiger wrote:
> > > Kurt Buff wrote:
> > > [ ... ]
> > > > +Limiting closed port RST response from 283 to 200 packets/sec
> > > >
> > > > I don't know what this means, though I suspect it could mean that I'm
> > > > being port scanned. Is this a reasonable guess?
> > >
> > > Yes. It could also be something beating really hard on a single closed port, too.
> > >
> > > --
> > > -Chuck
> >
> > Thanks. This, coupled with some invalid SSH login attempts from a
> > known user, has made me quite suspicious. I think, though, that this
> > is all that I can call it at this point - suspicious.
> >
> > Anything further I could turn up to monitor/log what's going on?
>
> It may help in spotting unwanted stuff getting past your firewall,
> to either add to /etc/rc.conf:
> log_in_vain="1"
>
> or (coming to the same thing) add to /etc/sysctl.conf:
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
> You can set the latter two sysctls immediately, of course.
>
> Cheers, Ian

Looks like it's time to learn how to set up PF. This machine is internal to our enterprise, but in its own subnet separate from the server and the end-user subnets, between our firewall and our main router. The only ports open on it are SSH and SMTP, so I hadn't had the inclination, amongst all my other tasks, to set that up.

Handbook, here I come.

Thanks for the help.

Kurt
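An added example, not part of the thread above, showing what Ian's log_in_vain suggestion actually gives you and how to tell Chuck's two cases apart. Background the thread takes for granted: the "Limiting closed port RST response from 283 to 200 packets/sec" line in the daily security report is produced by the kernel's response-rate limiter, whose ceiling is the net.inet.icmp.icmplim sysctl (default 200); it tells you the box had to send more than 200 RSTs per second to closed ports, but not who caused it. Turning on net.inet.tcp.log_in_vain and net.inet.udp.log_in_vain (or log_in_vain="1" in /etc/rc.conf) makes the kernel log one "Connection attempt to TCP|UDP dst:port from src:port" line per probe to a closed port, which is the data you need. The script below, written for POSIX sh/awk, summarises those lines per source address: a source touching many distinct ports looks like a port scan, a source hammering one port looks like a brute-force or misconfigured client. The log lines, hostnames and addresses are constructed for the example, the thresholds in classify() are assumptions, and only IPv4 "addr:port" forms are parsed.

```shell
#!/bin/sh
# Added example: summarise FreeBSD log_in_vain kernel messages per source.
#
# Enabling the logging (from Ian's reply in the thread):
#   /etc/rc.conf:       log_in_vain="1"
# or, equivalently, in /etc/sysctl.conf (also settable live with sysctl(8)):
#   net.inet.tcp.log_in_vain=1
#   net.inet.udp.log_in_vain=1
#
# The kernel then logs lines like these (syslog prefix varies by host):
#   kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:41234 flags:0x02
#   kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:41239

# Constructed sample /var/log/messages lines (not real data): one source
# sweeping six different closed ports, one source beating on a single
# closed port, and one stray NetBIOS datagram.
SAMPLE='Oct  1 07:40:12 relay kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:41234 flags:0x02
Oct  1 07:40:12 relay kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:41235 flags:0x02
Oct  1 07:40:13 relay kernel: Connection attempt to TCP 192.0.2.10:443 from 198.51.100.7:41236 flags:0x02
Oct  1 07:40:13 relay kernel: Connection attempt to TCP 192.0.2.10:3389 from 198.51.100.7:41237 flags:0x02
Oct  1 07:40:14 relay kernel: Connection attempt to TCP 192.0.2.10:8080 from 198.51.100.7:41238 flags:0x02
Oct  1 07:40:14 relay kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:41239
Oct  1 07:41:02 relay kernel: Connection attempt to TCP 192.0.2.10:3306 from 203.0.113.5:55001 flags:0x02
Oct  1 07:41:03 relay kernel: Connection attempt to TCP 192.0.2.10:3306 from 203.0.113.5:55002 flags:0x02
Oct  1 07:41:04 relay kernel: Connection attempt to TCP 192.0.2.10:3306 from 203.0.113.5:55003 flags:0x02
Oct  1 07:41:05 relay kernel: Connection attempt to TCP 192.0.2.10:3306 from 203.0.113.5:55004 flags:0x02
Oct  1 07:41:06 relay kernel: Connection attempt to TCP 192.0.2.10:3306 from 203.0.113.5:55005 flags:0x02
Oct  1 07:41:07 relay kernel: Connection attempt to TCP 192.0.2.10:3306 from 203.0.113.5:55006 flags:0x02
Oct  1 07:42:30 relay kernel: Connection attempt to UDP 192.0.2.10:137 from 192.0.2.77:137'

# Read log lines on stdin; print "src_ip distinct_ports attempts" per source,
# sources with the most distinct (proto,port) targets first.
in_vain_summary() {
    awk '
        /Connection attempt to (TCP|UDP) / {
            # Locate the "from" token; proto and dst sit just before it, src after.
            for (i = 1; i <= NF; i++)
                if ($i == "from") { src = $(i + 1); dst = $(i - 1); proto = $(i - 2) }
            sub(/:[0-9]+$/, "", src)           # drop the ephemeral source port
            port = dst; sub(/^.*:/, "", port)  # keep only the destination port
            attempts[src]++
            if (!((src, proto, port) in seen)) { seen[src, proto, port] = 1; ports[src]++ }
        }
        END { for (s in attempts) printf "%s %d %d\n", s, ports[s], attempts[s] }
    ' | sort -k2,2nr -k3,3nr
}

# Label one summary row. $1 = distinct ports, $2 = attempts.
# Thresholds (5) are assumptions; tune them to the host's normal background.
classify() {
    if [ "$1" -ge 5 ]; then
        echo portscan
    elif [ "$2" -ge 5 ]; then
        echo single-port-hammering
    else
        echo noise
    fi
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | in_vain_summary | while read -r src nports n; do
    printf '%-16s ports=%-3s attempts=%-3s %s\n' "$src" "$nports" "$n" "$(classify "$nports" "$n")"
done
```

On a live host the same pipeline is `grep 'Connection attempt to' /var/log/messages | in_vain_summary`. Two caveats worth knowing before trusting the counts: log_in_vain only records probes to ports with no listener, so a scan that also hits the open SSH and SMTP ports will show one fewer port than the scanner actually tried, and the kernel rate-limits these log lines too, so a flood shows up as a floor on attempts, not an exact figure.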