Security report question
Kurt Buff
kurt.buff at gmail.com
Mon Oct 1 07:50:43 PDT 2007
On 9/30/07, Ian Smith <smithi at nimnet.asn.au> wrote:
> On Sun, 30 Sep 2007 09:41:00 -0700 Kurt Buff <kurt.buff at gmail.com> wrote:
> > On 9/30/07, Chuck Swiger <cswiger at mac.com> wrote:
> > > Kurt Buff wrote:
> > > [ ... ]
> > > > +Limiting closed port RST response from 283 to 200 packets/sec
> > > >
> > > > I don't know what this means, though I suspect it could mean that I'm
> > > > being port scanned. Is this a reasonable guess?
> > >
> > > Yes. It could also be something beating really hard on a single closed port, too.
> > >
> > > --
> > > -Chuck
> >
> > Thanks. This, coupled with some invalid SSH login attempts from a
> > known user, has made me quite suspicious. I think, though, that this
> > is all that I can call it at this point - suspcious.
> >
> > Anything further I could turn up to monitor/log what's going on?
>
> It may help in spotting unwanted stuff getting past your firewall,
> to either add to /etc/rc.conf:
> log_in_vain="1"
>
> or (coming to the same thing) add to /etc/sysctl.conf:
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
> You can set the latter two sysctls immediately, of course.
>
> Cheers, Ian
Looks like it's time to learn how to set up PF. This machine is
internal to our enterprise, but in its own subnet separate from the
server and the end-user subnets, between our firewall and our main
router. The only ports open on it are SSH and SMTP, so I hadn't had
the inclination, amongst all my other tasks, to set up that up.
Handbook, here I come.
Thanks for the help.
Kurt
More information about the freebsd-questions
mailing list