Date:      Sun, 20 Dec 2009 15:16:40 -0500
From:      Jon Radel <jon@radel.com>
To:        DAve <dave.list@pixelhammer.com>
Cc:        'User Questions' <freebsd-questions@freebsd.org>
Subject:   Re: Source of closed port RST responses
Message-ID:  <4B2E8628.6060100@radel.com>
In-Reply-To: <4B2E7CEA.1020502@pixelhammer.com>


DAve wrote:
> I am routinely seeing these entries in one of my servers logs.
> 
> Limiting closed port RST response from 373 to 200 packets/sec
> 
> The server sits behind a PIX firewall, so I am suspicious of what is
> trying to connect to a closed port. I don't see in any other logs what
> port is being hit, or what IP is causing these log entries.
> 
> Any way to tell what the source IP of these is?
> 
> Thanks,
> 
> DAve

Easiest way, probably without any "observer effect," would be to mirror 
the switch port your server is plugged into and use a computer running 
wireshark, or equivalent, to look at the mirrored traffic.

Unless, of course, your switch doesn't support port mirroring, you don't 
have a spare computer running wireshark, etc., etc.  It's obviously hard 
to tell what resources you have available to you.

You can also install wireshark from ports on your server, but depending 
on disk space, how "pristine" you want your server to remain, and 
internal security rules (wireshark, particularly some of the protocol 
decoders, is not without its own issues), there are some downsides to this.

Also remember that source IPs can be forged, so look at the MAC address 
information as well if things appear to be really odd.

-- 

--Jon Radel
jon@radel.com
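As an added example (not part of Jon's reply), the following Python script tallies, from a capture taken with link-layer headers (assumed command `tcpdump -enn -i em0` on the server or on the mirror-port host; interface name hypothetical), which peer addresses, closed ports and next-hop MACs the server's RSTs were sent to; the capture lines below are a constructed sample.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -enn` output (-e prints the Ethernet header).
# Server 192.0.2.10 sits behind a firewall; SYNs to closed ports draw RSTs.
# Assumed capture command (hypothetical interface name):
#   tcpdump -enn -i em0 'host 192.0.2.10'
SAMPLE = """\
15:16:40.100000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 203.0.113.7.51000 > 192.0.2.10.8080: Flags [S], seq 1, win 65535, length 0
15:16:40.100050 00:0c:29:aa:bb:cc > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 54: 192.0.2.10.8080 > 203.0.113.7.51000: Flags [R.], seq 0, ack 2, win 0, length 0
15:16:40.200000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 198.51.100.9.40001 > 192.0.2.10.23: Flags [S], seq 7, win 65535, length 0
15:16:40.200050 00:0c:29:aa:bb:cc > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 54: 192.0.2.10.23 > 198.51.100.9.40001: Flags [R.], seq 0, ack 8, win 0, length 0
15:16:40.300000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 203.0.113.7.51001 > 192.0.2.10.8081: Flags [S], seq 3, win 65535, length 0
15:16:40.300050 00:0c:29:aa:bb:cc > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 54: 192.0.2.10.8081 > 203.0.113.7.51001: Flags [R.], seq 0, ack 4, win 0, length 0
15:16:40.400000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 203.0.113.7.51002 > 192.0.2.10.22: Flags [S], seq 5, win 65535, length 0
15:16:40.400050 00:0c:29:aa:bb:cc > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 58: 192.0.2.10.22 > 203.0.113.7.51002: Flags [S.], seq 9, ack 6, win 65535, length 0
15:16:40.500000 00:0c:29:dd:ee:ff > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 54: 192.0.2.11.80 > 203.0.113.7.51003: Flags [R.], seq 0, ack 1, win 0, length 0
"""

# One tcpdump -e line: timestamp, src MAC > dst MAC, ..., src IP.port > dst IP.port: Flags [..]
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def closed_port_rsts(capture, server_ip):
    """Return {peer_ip: {"count", "ports", "macs"}} for the RSTs server_ip sent."""
    peers = defaultdict(lambda: {"count": 0, "ports": Counter(), "macs": set()})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        # Keep only RSTs the server itself sent; those are the closed-port replies.
        if not m or m["sip"] != server_ip or "R" not in m["flags"]:
            continue
        p = peers[m["dip"]]
        p["count"] += 1
        p["ports"][int(m["sport"])] += 1   # the closed port on the server
        # Next-hop MAC the RST was addressed to. Behind a firewall this is the
        # firewall's inside interface, not the remote host's NIC.
        p["macs"].add(m["dmac"])
    return dict(peers)

def top_sources(peers):
    """Peer IPs ranked by how many closed-port RSTs they drew."""
    return sorted(((ip, p["count"]) for ip, p in peers.items()), key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, n in top_sources(closed_port_rsts(SAMPLE, "192.0.2.10")):
        print(ip, n)
```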


Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B2E8628.6060100>