oddball syslog entries ....

Kurt Buff kurt.buff at gmail.com
Wed Oct 8 04:11:28 UTC 2014


edited the message for clarity...

On Tue, Oct 7, 2014 at 8:15 PM, William A. Mahaffey III <wam at hiwaay.net> wrote:
> On 10/07/14 22:01, Kurt Buff wrote:
>> On Tue, Oct 7, 2014 at 8:01 PM, William A. Mahaffey III <wam at hiwaay.net>
>> wrote:
>>>
>>>
>>> Over the last couple of days I am seeing some odd (to me) entries in my
>>> messages file:
>>>
>>>

<snippety>

>>> Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
>>> Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
>>>
>>> The stuff from Oct 2 is irrelevant, included for completeness/context.
>>> The
>>> lines about 'Limiting closed port ....' are puzzling to me. Where are
>>> they
>>> coming from ? Problem or chatter ? Enquiring minds wanna know ;-) ....
>>> TIA
>>> for any clues ....
>>>
>>
>> AFAICT, someone is banging on your machine.
>>
>> What's your network environment look like? Are you directly connected
>> to the Internet, on a corporate network, or is this a home machine
>> behind a router/firewall?
>>
>> Kurt
>>

<snippety>

> SOHO, behind a 2-bit firewall device. I used to have an IPCop box, but it
> croaked a while back. I have a fair amount of firewalling active on this
> box, derived from the stock ipfw file, w/ a few mods for NFS, & that's it. I
> am seeing nothing on other boxen on my LAN, FWIW .... Suggested course of
> action ?

I'd approach this with tcpdump and wireshark.

Assuming you have only one NIC (em0) on this machine, I'd set up
something like this as root in a separate terminal/ssh session:

   tcpdump -npi em0 -C 1 -w /root/dumps/banger.pcap -W 100

This sets up a ring buffer where you'll get a maximum of 100 files of
1,000,000 bytes each.

Then, when you note those odd messages again, you'll be able to stop
the capture and correlate the time stamps of the messages and the
tcpdump capture files. Examining the capture files with wireshark
should make offending address(es) and/or port(s) stand out like a sore
thumb.

Kurt
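One way to do the timestamp correlation Kurt describes, as an added example that is not part of the thread: it parses the "Limiting closed port RST response" kernel lines and maps each one onto the ring-buffer file that was being written at that moment. The two log lines are the ones from the thread unwrapped, the capture-file windows are constructed, and the banger.pcap naming, the year 2014 and the use of file mtimes as window boundaries are assumptions.

```python
import os
import re
from datetime import datetime
from glob import glob

LOG_RE = re.compile(  # the kernel lines as quoted in the thread, unwrapped
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: Limiting closed port RST response "
    r"from (?P<seen>\d+) to (?P<cap>\d+) packets/sec$"
)

def parse_events(lines, year=2014):
    """(timestamp, host, seen, cap) per rate-limit line; syslog has no year, so one is assumed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog traffic
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], int(m["seen"]), int(m["cap"])))
    return events

def ring_from_dir(directory, prefix="banger.pcap"):
    """Window per ring file from mtimes: ends at its own mtime, starts at the previous one's (approximate)."""
    names = sorted(glob(os.path.join(directory, prefix + "*")), key=os.path.getmtime)
    ring, start = [], datetime.min
    for name in names:
        end = datetime.fromtimestamp(os.path.getmtime(name))
        ring.append((name, start, end))
        start = end
    return ring

def files_for_event(ts, ring):
    """Capture file names whose window contains the event time."""
    return [name for name, start, end in ring if start <= ts <= end]

# Constructed sample: the two kernel lines from the thread plus an unrelated one.
SAMPLE_LOG = [
    "Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec",
    "Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec",
    "Oct  7 15:03:30 kabini1 sshd[1234]: Accepted publickey for user from 192.0.2.10",
]
# Constructed windows standing in for ring_from_dir("/root/dumps") on the real box.
SAMPLE_RING = [
    ("/root/dumps/banger.pcap00", datetime(2014, 10, 7, 14, 59), datetime(2014, 10, 7, 15, 2, 50)),
    ("/root/dumps/banger.pcap01", datetime(2014, 10, 7, 15, 2, 50), datetime(2014, 10, 7, 15, 3, 23)),
    ("/root/dumps/banger.pcap02", datetime(2014, 10, 7, 15, 3, 23), datetime(2014, 10, 7, 15, 4, 10)),
]
```

On the real machine, replace SAMPLE_RING with ring_from_dir("/root/dumps") after stopping the capture, then open the files it names in wireshark and filter on tcp.flags.reset to see who was hitting the closed ports.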

