Source of closed port RST responses
DAve
dave.list at pixelhammer.com
Sun Dec 20 22:21:20 UTC 2009
Jon Radel wrote:
> DAve wrote:
>> I am routinely seeing these entries in one of my servers logs.
>>
>> Limiting closed port RST response from 373 to 200 packets/sec
>>
>> The server sits behind a PIX firewall, so I am suspicious of what is
>> trying to connect to a closed port. I don't see in any other logs what
>> port is being hit, or what IP is causing these log entries.
>>
>> Any way to tell what the source IP of these is?
>>
>> Thanks,
>>
>> DAve
>
> Easiest way, probably without any "observer effect," would be to mirror
> the switch port your server is plugged into and use a computer running
> wireshark, or equivalent, to look at the mirrored traffic.
>
> Unless, of course, your switch doesn't support port mirroring, you don't
> have a spare computer running wireshark, etc., etc. It's obviously hard
> to tell what resources you have available to you.
>
> You can also install wireshark from ports on your server, but depending
> on disk space, how "pristine" you want your server to remain, and
> internal security rules (wireshark, particularly some of the protocol
> decoders, is not without its own issues), there are some downsides to this.
>
> Also remember that source IPs can be forged, so look at the MAC address
> information as well if things appear to be really odd.
>
I've asked my network guys if they were doing any scans inside the
network, they say they are not. I had looked extensively online for any
help and came up empty handed. I might be able to run wireshark on the
server, though it is a mail gateway and quite busy, I do not want to
disrupt traffic if possible.

I will be installing pf this week, I just need to write up my rule sets
for these servers. I had been working on the webservers first. Is there
a rule I can use to log connection attempts to closed ports?
Thanks,
--
"Posterity, you will know how much it cost the present generation to
preserve your freedom. I hope you will make good use of it. If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Adams
http://appleseedinfo.org
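Added example, not from the thread or from the pf project: a pf.conf fragment that logs every TCP connection attempt to a port the gateway does not serve, plus a narrow tcpdump filter that captures only the RSTs the host itself sends, so the source can be found without capturing the mail traffic. The interface name em0, the server address 192.0.2.10 and the list of open ports are assumptions.

```sh
#!/bin/sh
# Added example (not part of the mailing-list thread). Two low-impact ways
# to see who is hitting closed ports on a FreeBSD mail gateway.
ext_if="em0"        # assumed interface name
srv="192.0.2.10"    # assumed server address (documentation range)

# pf.conf fragment. The services the gateway offers are passed explicitly;
# everything else to the host is blocked and logged to pflog0.
# "return-rst" keeps sending the RST the remote side sees today, so
# legitimate clients notice no change; once the source is known the rule
# can become "block drop log" to silence the RSTs entirely.
pf_closed_port_rules() {
  cat <<EOF
# log TCP connection attempts to closed ports on ${ext_if}
pass in quick on ${ext_if} proto tcp to ${srv} port { 25, 22 } keep state
block return-rst in log quick on ${ext_if} proto tcp to ${srv}
EOF
}

# BPF filter that matches only RST segments leaving this host, so a busy
# gateway is not burdened with capturing its normal SMTP traffic.
# With -e the link-layer header is printed too, which shows the MAC the
# RST is sent to (useful when the source IP may be forged).
rst_capture_filter() {
  echo "src host ${srv} and tcp[tcpflags] & tcp-rst != 0"
}

# Commands a practitioner would run; kept in a function so that sourcing
# this file has no side effects. Requires root.
run_capture() {
  # load the fragment (merge it into the real pf.conf in practice)
  pf_closed_port_rules | pfctl -f -
  # logged blocks arrive on pflog0 with rule number, source IP and port
  tcpdump -n -ttt -i pflog0 -c 50 &
  # independent of pf: 200 outgoing RSTs, with link-layer addresses
  tcpdump -n -e -c 200 -i "${ext_if}" "$(rst_capture_filter)"
}
```

The pflog0 lines show the blocked packet's source address and destination port directly; the second capture works even before pf is installed.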