Message-ID: <52218a81-0bb2-41bd-f66c-138d57c43359@bluerosetech.com>
Date: Sat, 31 Aug 2024 17:05:11 -0700
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
Subject: Re: How to diagnose "Limiting closed port RST response from 213 to 205 packets/sec" ?
To: Pete French, FreeBSD Stable Mailing List
From: list_freebsd@bluerosetech.com
In-Reply-To: <27a993d5-c456-4add-8893-3e86af747ab1@twisted.org.uk>

On 2024-08-31 7:32, Pete French wrote:
> So I am running some servers with 14.1-STABLE, pretty standard - Apache
> + mysql setup, and I am seeing a lot of the above messages. I have
> always seen these from time to time, but recently I have had complaints
> from a customer about the webservers being unavailable, and the times
> they give correspond to bursts of these errors.
>
> I don't see any other errors, and am wondering how to get more info about
> this message. Knowing if it's IPv4 or IPv6 would be nice. Knowing the
> port that is closed would be ideal. I have a feeling that the closed
> port is the one which Apache is supposed to be listening on (I can't
> think of any other ports which would get hammered), but that should
> never be closed.
>
> Any advice?

Mass portscanners like Shodan usually are the cause of this. If you want
to stop them from hitting your servers, you need an upstream packet
filter that blocks an IP after it tries too many closed ports.
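An added example, not part of either poster's message: one way to answer the "IPv4 or IPv6, and which port" question is to set the FreeBSD sysctl net.inet.tcp.log_in_vain=1 and tally the resulting kernel log entries by address family and destination port, flagging sources that probe several distinct closed ports. The log line shape in the regex is an assumption about that sysctl's output, and the sample lines, hostnames and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed shape of TCP entries logged when net.inet.tcp.log_in_vain=1.
LINE_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:\d+ to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags \S+; tcp_input: Connection attempt to closed port"
)

# Constructed sample lines using documentation address ranges, not real traffic.
P = "kernel: TCP: "
S = " tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port\n"
SAMPLE_LOG = (
    "Aug 31 14:02:11 web1 " + P + "[198.51.100.7]:40112 to [203.0.113.10]:23" + S
    + "Aug 31 14:02:11 web1 " + P + "[198.51.100.7]:40113 to [203.0.113.10]:3389" + S
    + "Aug 31 14:02:11 web1 " + P + "[198.51.100.7]:40114 to [203.0.113.10]:8080" + S
    + "Aug 31 14:02:12 web1 kernel: Limiting closed port RST response "
      "from 213 to 205 packets/sec\n"
    + "Aug 31 14:02:13 web1 " + P + "[2001:db8::5]:51000 to [2001:db8:1::10]:8443" + S
    + "Aug 31 14:02:14 web1 " + P + "[192.0.2.44]:33001 to [203.0.113.10]:8080" + S
)


def summarize(log_text, scan_threshold=3):
    """Return (hits per (family, dst port), sources probing many closed ports)."""
    by_port = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # the rate-limit message itself carries no address or port
        family = "IPv%d" % ipaddress.ip_address(m["dst"]).version
        dport = int(m["dport"])
        by_port[(family, dport)] += 1
        ports_by_src[m["src"]].add(dport)
    # A source touching scan_threshold or more distinct closed ports looks like
    # a scanner; a single port hit repeatedly points at a service that is down.
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return by_port, scanners


if __name__ == "__main__":
    counts, scanners = summarize(SAMPLE_LOG)
    for (family, port), n in counts.most_common():
        print(f"{family} port {port}: {n} attempts")
    print("probable scanners:", scanners)
```

If the busiest closed port turns out to be the web server's own listening port, the bursts line up with the service not accepting connections rather than with scanning.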