Security report question
Ian Smith
smithi at nimnet.asn.au
Sun Sep 30 20:25:20 PDT 2007
On Sun, 30 Sep 2007 09:41:00 -0700 Kurt Buff <kurt.buff at gmail.com> wrote:
> On 9/30/07, Chuck Swiger <cswiger at mac.com> wrote:
> > Kurt Buff wrote:
> > [ ... ]
> > > +Limiting closed port RST response from 283 to 200 packets/sec
> > >
> > > I don't know what this means, though I suspect it could mean that I'm
> > > being port scanned. Is this a reasonable guess?
> >
> > Yes. It could also be something beating really hard on a single closed port, too.
> >
> > --
> > -Chuck
>
> Thanks. This, coupled with some invalid SSH login attempts from a
> known user, has made me quite suspicious. I think, though, that this
> is all that I can call it at this point - suspicious.
>
> Anything further I could turn up to monitor/log what's going on?

It may help in spotting unwanted stuff getting past your firewall,
to either add to /etc/rc.conf:

  log_in_vain="1"

or (coming to the same thing) add to /etc/sysctl.conf:

  net.inet.tcp.log_in_vain=1
  net.inet.udp.log_in_vain=1

You can set the latter two sysctls immediately, of course.

Cheers, Ian
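
Added example, not part of the original message or of FreeBSD: once log_in_vain is on, the logged attempts can be grouped by source to tell the two cases raised in the thread apart, a port scan versus something beating on a single closed port. The log line format, the sample lines, the thresholds and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the message format older FreeBSD kernels are assumed to
# log with log_in_vain set (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Sep 30 20:01:10 gw kernel: Limiting closed port RST response from 283 to 200 packets/sec
Sep 30 20:01:11 gw kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:40001 flags:0x02
Sep 30 20:01:11 gw kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40002 flags:0x02
Sep 30 20:01:11 gw kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:40003 flags:0x02
Sep 30 20:01:11 gw kernel: Connection attempt to TCP 192.0.2.10:110 from 198.51.100.7:40004 flags:0x02
Sep 30 20:02:01 gw kernel: Connection attempt to TCP 192.0.2.10:445 from 203.0.113.9:51000 flags:0x02
Sep 30 20:02:01 gw kernel: Connection attempt to TCP 192.0.2.10:445 from 203.0.113.9:51001 flags:0x02
Sep 30 20:02:02 gw kernel: Connection attempt to TCP 192.0.2.10:445 from 203.0.113.9:51002 flags:0x02
Sep 30 20:02:02 gw kernel: Connection attempt to TCP 192.0.2.10:445 from 203.0.113.9:51003 flags:0x02
Sep 30 20:03:30 gw kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.50:137
"""

LINE_RE = re.compile(r"Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)")

def summarize(log_text):
    """Return ({src: set of (proto, dst_port)}, {src: hit count}) for logged attempts."""
    ports, hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. the RST rate-limit message, which names no source
        proto, _dst, dport, src, _sport = m.groups()
        ports[src].add((proto, int(dport)))
        hits[src] += 1
    return ports, hits

def classify(log_text, scan_ports=4, hammer_hits=4):
    """'scan' = many distinct closed ports; 'hammer' = one closed port hit repeatedly."""
    ports, hits = summarize(log_text)
    verdicts = {}
    for src, count in hits.items():
        if len(ports[src]) >= scan_ports:
            verdicts[src] = "scan"
        elif len(ports[src]) == 1 and count >= hammer_hits:
            verdicts[src] = "hammer"
        else:
            verdicts[src] = "noise"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(src, verdict)
```

On a real host the same functions would be fed the contents of the file syslog writes kernel messages to; the regular expression needs adjusting if the running release words the message differently.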