From: "Michael Tang Helmeste"
Subject: RE: Kernel message
Date: Mon, 28 May 2001 19:46:18 -0400
In-Reply-To: <20010529023722.C30478@ringworld.oblivion.bg>

If you get this a lot and it annoys you, I'd recommend something like
portsentry (I used to get portscanned a lot and I installed this). You can
get it here: www.psionic.com/abacus

It can block them via tcpwrappers, or even add a route for them using
'route' to make it so that they can't contact you anymore (by specifying
the route to their IP as through a dummy IP on your network). It also logs
it in syslog, and you can use the log reporting tool on the same page
above to monitor for those types of things. I found it very useful. :)

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Peter Pentchev
Sent: Monday, May 28, 2001 7:37 PM
To: Retal
Cc: freebsd-security@freebsd.org
Subject: Re: Kernel message

On Tue, May 29, 2001 at 02:02:03AM +0200, Retal wrote:
> I got this message while I was changing icmpbandlim from 200 to 30:
> May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 to 30 packets per second
>
> I got this message like 10000 times..
> What does that mean..

Somebody was portscanning you - running a simple program that connects to
every port from 1 to, say, 32768, on your machine, to see which ports are
'open' - what services (daemons, servers) you are running on your machine.

The kernel had to send a lot of 'connection refused' ('closed' port, not
open) messages, and it had a max value of 30 of those per second. It is
informing you that in one given second, it was supposed to send out 78 of
those, but it only sent 30.

So.. somebody was portscanning you. If you are running any programs that
have known security issues, you had better stop them. Look at the output
of sockstat -4 to see which ports you have open (if your FreeBSD is 4.3 or
later, you can use sockstat -4l to see listening sockets only), then look
at the FreeBSD website to find a list of security advisories to see if any
of the programs you are running are vulnerable in the versions on your
machine.

G'luck,
Peter

--
I am the meaning of this sentence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
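
An added example, not part of the original thread: a small log summarizer for the rate-limit message discussed above, grouping it per minute so a burst of thousands of lines reads as a handful of rows. The function name summarize, the handling of syslogd's "last message repeated" lines, and every sample line except the one quoted by Retal are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the kernel line quoted in the thread; "kind" is whatever precedes "response".
LIMIT_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ /?kernel: "
    r"Limiting (?P<kind>.+?) response from (?P<want>\d+) to (?P<cap>\d+) "
    r"packets per second")
# syslogd collapses identical consecutive lines into this form.
REPEAT_RE = re.compile(r"last message repeated (\d+) times?$")

def summarize(lines):
    """Return {(minute, kind): {"messages", "peak", "suppressed"}}."""
    stats = defaultdict(lambda: {"messages": 0, "peak": 0, "suppressed": 0})
    last = None  # previous line, if it was a rate-limit message
    for line in lines:
        line = line.strip()
        m = LIMIT_RE.match(line)
        if m:
            last = (m["minute"], m["kind"], int(m["want"]), int(m["cap"]))
            times = 1
        else:
            r = REPEAT_RE.search(line)
            if not (r and last):
                last = None  # unrelated line: a later "repeated" is not ours
                continue
            times = int(r.group(1))  # counted under the original line's minute
        minute, kind, want, cap = last
        entry = stats[(minute, kind)]
        entry["messages"] += times
        entry["peak"] = max(entry["peak"], want)
        # responses the kernel did not send, per the explanation in the thread
        entry["suppressed"] += (want - cap) * times
    return dict(stats)

# Constructed sample log; only the first line's wording comes from the thread.
SAMPLE = """\
May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 to 30 packets per second
May 29 01:42:15 freebsd /kernel: Limiting closed port RST response from 112 to 30 packets per second
May 29 01:42:19 freebsd last message repeated 3 times
May 29 01:42:30 freebsd login: ROOT LOGIN (root) ON ttyv0
May 29 01:42:31 freebsd last message repeated 2 times
May 29 01:43:02 freebsd /kernel: Limiting icmp unreach response from 45 to 30 packets per second
""".splitlines()

if __name__ == "__main__":
    for (minute, kind), e in sorted(summarize(SAMPLE).items()):
        print(f"{minute}  {kind:<16} messages={e['messages']} "
              f"peak={e['peak']}/s suppressed={e['suppressed']}")
```

To run it against a real log, pass an open file such as /var/log/messages to summarize() in place of SAMPLE.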