security issue.

Marwan Sultan Admin at kifco.net
Fri Nov 28 17:28:28 PST 2003


Hey all,

 Sorry, this email was sent to the FreeBSD list by mistake,
 it was supposed to go to the ISP :)
 Anyhow, thanks Dragoncrest for the hint and details, it was useful.
 The ISP now has a BCC of this email.
 

  Marwan

On Fri, 28 Nov 2003 20:11:23 -0500, Dragoncrest wrote
> It may be best to do two things.  1st would be to disable 
> pings to and from the server at the router by putting in an ACL on 
> the router.  The second thing you'll want to do is block access to 
> that machine via the router from any suspect IPs or IP blocks that 
> you suspect might be attacking your machine.  They already know it's 
> there, so they're going to begin or continue to try to attack it now,
>  so you'll want to block them from being able to access it now. Once 
> you've done that, keep an eye on your machine for a while for any 
> other possible attacks.  Once they stop and nothing shows up for 
> about 2 weeks it should be safe to remove the ACLs from the router, 
> but continue to monitor it for a while longer just to be sure and 
> add them back if necessary.
> 
> At 11:36 PM 11/28/03 +0300, Marwan Sultan wrote:
> >Hello Tech.
> >
> >   For the past few days, I had trouble connecting to my KIFCO server
> >   Kifco.net
> >   And at night around ( 23:30 GMT ) and the following hours I cannot
> >   connect at all, it connects for 1 second then everything lags,
> >   I can see slow connections and lagged ones.
> >
> >   After all when I'm able to connect to the machine, I checked the dmesg log
> >   I found the following:
> >
> >Limiting closed port RST response from 268 to 200 packets per second
> >Limiting closed port RST response from 302 to 200 packets per second
> >Limiting closed port RST response from 296 to 200 packets per second
> >Limiting closed port RST response from 213 to 200 packets per second
> >Limiting closed port RST response from 272 to 200 packets per second
> >
> >  Which is considered a PORTSCAN and an ATTACK.
> >
> >  Also as I know from my friend on IRC DALnet network that dragons.dal.net
> >  is hosted in maxim, and just in this second it's disconnected.
> >  Maybe because of an IRC server you have this attack?
> >  I had two IRC servers on DALnet in the past, and I'm familiar with this trouble.
> >  Anyhow, IRC is not my part of concern or who owns it.
> >  Kifco is my concern.
> >  Can you disable all PINGS from router to my server?
> >  Please can you update me and check this issue?
> >
> >  Your update is really appreciated.
> >
> >  Thank you.
> >
> >--
> >Marwan Sultan
> >Network Administrator
> >
> >_______________________________________________
> >freebsd-questions at freebsd.org mailing list
> >http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"


--
Marwan Sultan
Network Administrator
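
Added example, not part of the original thread: a small Python summary of the kernel rate-limit notices quoted above, useful for judging how often and how far the limiter was exceeded before asking an ISP for router ACLs. It goes beyond the thread by also accepting other "Limiting ... response" kinds and the "packets/sec" wording; the function names, the min_events threshold and the two extra sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches FreeBSD response rate-limit notices like the ones quoted in the thread.
# Both the "packets per second" and "packets/sec" wordings are accepted.
LIMIT_RE = re.compile(
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets(?: per second|/sec)"
)

def summarize(lines):
    """Group notices by response kind; total the responses the kernel held back."""
    stats = defaultdict(lambda: {"events": 0, "peak": 0, "limit": 0, "suppressed": 0})
    for line in lines:
        m = LIMIT_RE.search(line)
        if not m:
            continue  # unrelated kernel message
        seen, limit = int(m["seen"]), int(m["limit"])
        s = stats[m["kind"]]
        s["events"] += 1                         # one notice per limited interval
        s["peak"] = max(s["peak"], seen)         # highest rate the kernel reported
        s["limit"] = limit                       # configured ceiling at that time
        s["suppressed"] += max(seen - limit, 0)  # responses not sent
    return dict(stats)

def sustained(stats, min_events=3):
    """Kinds that hit the limiter in at least min_events intervals (assumed threshold)."""
    return sorted(kind for kind, s in stats.items() if s["events"] >= min_events)

# The five notices from the thread, followed by two constructed lines for contrast.
SAMPLE = """\
Limiting closed port RST response from 268 to 200 packets per second
Limiting closed port RST response from 302 to 200 packets per second
Limiting closed port RST response from 296 to 200 packets per second
Limiting closed port RST response from 213 to 200 packets per second
Limiting closed port RST response from 272 to 200 packets per second
Limiting icmp unreach response from 231 to 200 packets/sec
constructed0: unrelated boot message
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for kind, s in report.items():
        print(f"{kind}: {s['events']} intervals, peak {s['peak']}/s, "
              f"limit {s['limit']}/s, {s['suppressed']} responses suppressed")
    print("sustained:", sustained(report))
```

A single isolated notice is weak evidence; repeated notices of the same kind at the same hours, as described in the thread, are what make the source addresses worth capturing for the ACL request.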


