security issue.

Dragoncrest dragoncrest at voyager.net
Fri Nov 28 17:01:27 PST 2003


         It may be best to do two things.  1st would be to disable pings to 
and from the server at the router by putting in an ACL on the router.  The 
second thing you'll want to do is block access to that machine via the 
router from any suspect IP's or IP blocks that you suspect might be 
attacking your machine.  They already know it's there, so they're going to 
begin or continue to try to attack it now, so you'll want to block them 
from being able to access it now. Once you've done that, keep an eye on 
your machine for a while for any other possible attacks.  Once they stop 
and nothing shows up for about 2 weeks it should be safe to remove the 
ACL's from the router, but continue to monitor it for a while longer just 
to be sure and add them back if nessisary.

At 11:36 PM 11/28/03 +0300, Marwan Sultan wrote:
>Hello Tech.
>
>   For the past few days, i had troubles connecting to my KIFCO server
>   Kifco.net
>   And at night around ( 23:30 GMT ) and the following hours i cannot
>   connect at all, it connect for 1 second then everything lags,
>   I can see slow connections and lagged ones.
>
>   After all when im able to connect to the machine, I checked the dmesg log
>   I found the follow :
>
>Limiting closed port RST response from 268 to 200 packets per second
>Limiting closed port RST response from 302 to 200 packets per second
>Limiting closed port RST response from 296 to 200 packets per second
>Limiting closed port RST response from 213 to 200 packets per second
>Limiting closed port RST response from 272 to 200 packets per second
>
>  Which consider a PORTSCAN and an ATTACK.
>
>  Also as I know from my friend on IRC DALnet network that dragons.dal.net
>  is hosted in maxim, and just in this second its disconnected.
>  Maybe because of an IRC server you have this attack?
>  I had two IRC servers on DALnet in Past, and im familier with this trouble.
>  anyhow, IRC is not my part of concern or who owns it.
>  Kifco is my concern.
>  Can you disable all PINGS from router to my server?
>  Please can you update me and check this issue?
>
>  Your updating for me, is really appreciate it
>
>  Thank you.
>
>--
>Marwan Sultan
>Network Administrator
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"




More information about the freebsd-questions mailing list