From owner-freebsd-security Tue May 29 1:45:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from brinstar.nerim.net (brinstar.nerim.net [62.4.16.71]) by hub.freebsd.org (Postfix) with ESMTP id 6924537B422 for ; Tue, 29 May 2001 01:45:27 -0700 (PDT) (envelope-from chojin@nerim.net) Received: from chojin (chojin.adsl.nerim.net [62.4.22.98]) by brinstar.nerim.net (8.11.2/Raphit-20001115) with SMTP id f4T8jPt47342 for ; Tue, 29 May 2001 10:45:26 +0200 (CEST) (envelope-from chojin@nerim.net) Message-ID: <007201c0e81b$ca9b24a0$0245a8c0@chojin> From: "Chojin" To: References: Subject: Re: Kernel message Date: Tue, 29 May 2001 10:46:01 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Could you give me a good portsentry configuration and a good KILLROUTE line (I use ipf) to block port scanning and other) ? Thanks ----- Original Message ----- From: "Michael Tang Helmeste" To: Sent: Tuesday, May 29, 2001 1:46 AM Subject: RE: Kernel message > If you get this a lot and it annoys you, I'd recommend something like > portsentry (I used to get portscanned a lot and I installed this). > You can get it here: www.psionic.com/abacus > It can block them via tcpwrappers, or even add a route for them using > 'route' to make it so that they can't contact you anymore (by specifying the > route to their IP as through a dummy IP on your network). It also logs it in > syslog, and you can use the log reporting tool on the same page above, to > monitor for those types of things > I found it very useful. :) > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter Pentchev > Sent: Monday, May 28, 2001 7:37 PM > To: Retal > Cc: freebsd-security@freebsd.org > Subject: Re: Kernel message > > > On Tue, May 29, 2001 at 02:02:03AM +0200, Retal wrote: > > I got this message while i was changing icmpbandlim from 200 to 30: > > May 29 01:42:14 freebsd /kernel: Limiting closed port RST response from 78 > to 30 > > packets per second > > > > i got this message like 10000 times.. > > What is that means.. > > Somebody was portscanning you - running a simple program that connects > to every port from 1 to, say, 32768, on your machine, to see which ports > are 'open' - what services (daemons, servers) you are running on your > machine. The kernel had to sent a lot of 'connection refused' ('closed' > port, not open) messages, and it had a max value of 30 of those per second. > It is informing you that in one given second, it was supposed to send out > 78 of those, but it only sent 30. > > So.. somebody was portscanning you. If you are running any programs > that have known security issues, you had better stop them. Look at > the output of sockstat -4 to see which ports you have open (if your > FreeBSD is 4.3 or later, you can use sockstat -4l to see listening > sockets only), then look at the FreeBSD website to find a list of > security advisories to see if any of the programs you are running > are vulnerable in the versions on your machine. > > G'luck, > Peter > > -- > I am the meaning of this sentence. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message