Source of closed port RST responses
Jon Radel
jon at radel.com
Sun Dec 20 20:16:51 UTC 2009
DAve wrote:
> I am routinely seeing these entries in one of my server's logs.
>
> Limiting closed port RST response from 373 to 200 packets/sec
>
> The server sits behind a PIX firewall, so I am suspicious of what is
> trying to connect to a closed port. I don't see in any other logs what
> port is being hit, or what IP is causing these log entries.
>
> Any way to tell what the source IP of these is?
>
> Thanks,
>
> DAve
Easiest way, probably without any "observer effect," would be to mirror
the switch port your server is plugged into and use a computer running
wireshark, or equivalent, to look at the mirrored traffic.
Unless, of course, your switch doesn't support port mirroring, you don't
have a spare computer running wireshark, etc., etc. It's obviously hard
to tell what resources you have available to you.
You can also install wireshark from ports on your server, but depending
on disk space, how "pristine" you want your server to remain, and
internal security rules (wireshark, particularly some of the protocol
decoders, is not without its own issues), there are some downsides to this.
Also remember that source IPs can be forged, so look at the MAC address
information as well if things appear to be really odd.
--
--Jon Radel
jon at radel.com
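One way to do the tallying the reply describes, as an added example that is not from the original thread: it parses constructed `tcpdump -e -nn` lines (the kind a host on the mirrored port would record), counts the RSTs the server sends per peer IP and per destination MAC, and flags any second in which one peer draws more RSTs than the 200 packets/sec cap quoted in the log line. The server IP, peer IPs and MAC addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -e -nn` output from a mirrored switch port
# (not real capture data). 10.0.0.5 is the server emitting the RSTs; the
# destination of each RST is the host that probed a closed port.
SAMPLE = """\
20:16:51.000101 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 54: 10.0.0.5.81 > 192.0.2.10.40001: Flags [R.], seq 0, ack 1, win 0, length 0
20:16:51.000202 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 54: 10.0.0.5.82 > 192.0.2.10.40002: Flags [R.], seq 0, ack 1, win 0, length 0
20:16:51.000303 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40003 > 10.0.0.5.83: Flags [S], seq 1, win 65535, length 0
20:16:51.000404 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 54: 10.0.0.5.83 > 192.0.2.10.40003: Flags [R.], seq 0, ack 2, win 0, length 0
20:16:52.000505 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 54: 10.0.0.5.22 > 198.51.100.7.50000: Flags [R.], seq 0, ack 1, win 0, length 0
20:16:52.000606 00:11:22:33:44:55 > 00:de:ad:be:ef:01, ethertype IPv4 (0x0800), length 54: 10.0.0.5.84 > 192.0.2.10.40004: Flags [R.], seq 0, ack 1, win 0, length 0
"""

# Timestamp (to the second), link-layer MACs, IPv4 endpoints and TCP flags.
LINE = re.compile(
    r"^(?P<sec>\d\d:\d\d:\d\d)\.\d+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),"
    r" .*?: (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+):"
    r" Flags \[(?P<flags>[^\]]*)\]"
)


def rst_report(capture, server_ip, limit=200):
    """Tally RSTs sent by server_ip. Each destination IP is a probe source;
    (dst IP, dst MAC) pairs show whether one IP is reached via more than one
    layer-2 neighbour, the check the reply suggests when IPs may be forged.
    Returns (per_ip, per_ip_mac, over_limit)."""
    per_ip, per_ip_mac, per_sec = Counter(), Counter(), defaultdict(Counter)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["sip"] != server_ip or "R" not in m["flags"]:
            continue  # not an RST emitted by our server
        per_ip[m["dip"]] += 1
        per_ip_mac[(m["dip"], m["dmac"])] += 1
        per_sec[m["sec"]][m["dip"]] += 1
    # Seconds in which a single peer drew more RSTs than the kernel's cap.
    over_limit = [(sec, ip, n) for sec, c in per_sec.items()
                  for ip, n in c.items() if n > limit]
    return per_ip, per_ip_mac, over_limit


if __name__ == "__main__":
    ips, pairs, over = rst_report(SAMPLE, "10.0.0.5")
    for ip, n in ips.most_common():
        print(f"{ip}: {n} RSTs")
    for (ip, mac), n in pairs.items():
        print(f"  {ip} via {mac}: {n}")
    print("over limit:", over)
```

Pipe a real capture in with `tcpdump -e -nn -l 'tcp[tcpflags] & tcp-rst != 0'` in place of SAMPLE; with the constructed data the cap of 200 is never reached, so lower `limit` to see the flagging path.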