From: Lee Smallbone
Organization: Kechara Internet
Date: Mon, 28 May 2001 13:36:04 +0100
To: "Michael Tang Helmeste"
Subject: Re[2]: Kernel message
Message-ID: <19566.010528@kechara.net>
Sender: owner-freebsd-security@FreeBSD.ORG

Tuesday, 29 May 2001, you wrote:

MTH> If you get this a lot and it annoys you, I'd recommend something like
MTH> portsentry (I used to get portscanned a lot and I installed this).
MTH> You can get it here: www.psionic.com/abacus
MTH> It can block them via tcpwrappers, or even add a route for them using
MTH> 'route' to make it so that they can't contact you anymore (by specifying the
MTH> route to their IP as through a dummy IP on your network). It also logs it in
MTH> syslog, and you can use the log reporting tool on the same page above, to
MTH> monitor for those types of things
MTH> I found it very useful. :)

Be careful with programs that block on receipt of probes.
It is extremely easy to spoof IPs that your system might need to live
(ISP's DNS servers, for example.)

--Lee.

MTH> -----Original Message-----
MTH> From: owner-freebsd-security@FreeBSD.ORG
MTH> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter Pentchev
MTH> Sent: Monday, May 28, 2001 7:37 PM
MTH> To: Retal
MTH> Cc: freebsd-security@freebsd.org
MTH> Subject: Re: Kernel message

MTH> On Tue, May 29, 2001 at 02:02:03AM +0200, Retal wrote:
>> I got this message while I was changing icmpbandlim from 200 to 30:
>> May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 to 30 packets per second
>>
>> I got this message like 10000 times..
>> What is that means..

MTH> Somebody was portscanning you - running a simple program that connects
MTH> to every port from 1 to, say, 32768, on your machine, to see which ports
MTH> are 'open' - what services (daemons, servers) you are running on your
MTH> machine. The kernel had to send a lot of 'connection refused' ('closed'
MTH> port, not open) messages, and it had a max value of 30 of those per second.
MTH> It is informing you that in one given second, it was supposed to send out
MTH> 78 of those, but it only sent 30.

MTH> So.. somebody was portscanning you. If you are running any programs
MTH> that have known security issues, you had better stop them. Look at
MTH> the output of sockstat -4 to see which ports you have open (if your
MTH> FreeBSD is 4.3 or later, you can use sockstat -4l to see listening
MTH> sockets only), then look at the FreeBSD website to find a list of
MTH> security advisories to see if any of the programs you are running
MTH> are vulnerable in the versions on your machine.

MTH> G'luck,
MTH> Peter

MTH> --
MTH> I am the meaning of this sentence.
MTH> To Unsubscribe: send mail to majordomo@FreeBSD.org
MTH> with "unsubscribe freebsd-security" in the body of the message
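
Added example, not part of the original thread: a small parser for the kernel rate-limit message quoted above that groups the log lines into bursts and totals the responses the kernel did not send. Every sample line except the first, the `year` parameter (syslog timestamps carry no year) and the 5-second burst gap are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the kernel rate-limit message quoted in the thread; the response
# kind ("closed port RST") is captured generically.
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Limiting (?P<kind>.+?) response from (?P<wanted>\d+) to (?P<sent>\d+) "
    r"packets per second$"
)

def parse(line, year=2001):
    """Return (timestamp, kind, wanted, sent) or None for unrelated lines."""
    m = LIMIT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["kind"], int(m["wanted"]), int(m["sent"])

def bursts(lines, max_gap=timedelta(seconds=5)):
    """Group rate-limit events into bursts separated by more than max_gap."""
    out = []
    for ev in filter(None, map(parse, lines)):
        ts, kind, wanted, sent = ev
        if out and ts - out[-1]["end"] <= max_gap:
            b = out[-1]
        else:
            b = {"start": ts, "end": ts, "events": 0, "suppressed": 0, "peak": 0}
            out.append(b)
        b["end"] = ts
        b["events"] += 1
        b["suppressed"] += wanted - sent   # responses dropped in that second
        b["peak"] = max(b["peak"], wanted)
    return out

# Constructed sample log: only the first line is the one quoted in the thread.
SAMPLE = """\
May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 to 30 packets per second
May 29 01:42:15 freebsd /kernel: Limiting closed port RST response from 112 to 30 packets per second
May 29 01:42:16 freebsd /kernel: Limiting closed port RST response from 95 to 30 packets per second
May 29 01:42:17 freebsd sshd[211]: unrelated line
May 29 03:10:02 freebsd /kernel: Limiting closed port RST response from 41 to 30 packets per second
""".splitlines()

if __name__ == "__main__":
    for b in bursts(SAMPLE):
        print(b["start"], b["end"], b["events"], b["suppressed"], b["peak"])
```

A long burst with a high peak is consistent with the port scan described in the thread; the summary only reports what was logged and takes no blocking action, so a spoofed source address cannot turn it against hosts the system depends on.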