Jon Radel wrote:
> DAve wrote:
>> I am routinely seeing these entries in one of my server's logs.
>>
>> Limiting closed port RST response from 373 to 200 packets/sec
>>
>> The server sits behind a PIX firewall, so I am suspicious of what is
>> trying to connect to a closed port. I don't see in any other logs what
>> port is being hit, or what IP is causing these log entries.
>>
>> Any way to tell what the source IP of these is?
>>
>> Thanks,
>>
>> DAve
>
> Easiest way, probably without any "observer effect," would be to mirror
> the switch port your server is plugged into and use a computer running
> wireshark, or equivalent, to look at the mirrored traffic.
>
> Unless, of course, your switch doesn't support port mirroring, you don't
> have a spare computer running wireshark, etc., etc. It's obviously hard
> to tell what resources you have available to you.
>
> You can also install wireshark from ports on your server, but depending
> on disk space, how "pristine" you want your server to remain, and
> internal security rules (wireshark, particularly some of the protocol
> decoders, is not without its own issues), there are some downsides to this.
>
> Also remember that source IPs can be forged, so look at the MAC address
> information as well if things appear to be really odd.
I've asked my network guys if they were doing any scans inside the network; they say they are not. I had looked extensively online for any help and came up empty-handed.

I might be able to run wireshark on the server, though it is a mail gateway and quite busy; I do not want to disrupt traffic if possible.

I will be installing pf this week, I just need to write up my rule sets for these servers. I had been working on the webservers first. Is there a rule I can use to log connection attempts to closed ports?

Thanks,

-- 
"Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." John Adams
http://appleseedinfo.org
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
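An added example covering both the capture approach Jon describes (source IP plus MAC) and the pf logging rule DAve asks about. This is not code from either poster; it is a POSIX sh helper that assumes the server's NIC is em0, the mail gateway's address is 192.0.2.10 (RFC 5737 documentation range) and the only ports meant to be open are 25 and 587; the tcpdump lines at the bottom are constructed, not a real capture. The "Limiting closed port RST response ... to 200 packets/sec" message is the kernel's RST rate limiter, which is governed by net.inet.icmp.icmplim (200 by default) and reported only when net.inet.icmp.icmplim_output is set.

```shell
#!/bin/sh
# Added example for this thread, not from the original posts.
# Assumed values: adjust all three before use.
EXT_IF=em0            # server NIC (assumption)
SRV_IP=192.0.2.10     # mail gateway address (assumption, RFC 5737 range)
OPEN_PORTS='25 587'   # ports that are supposed to be open (assumption)

# 1. The sysctls behind the log message. icmplim is the packets/sec cap
#    shared by ICMP unreachables and closed-port RSTs; icmplim_output
#    controls whether hitting the cap is logged at all.
show_rst_limit_sysctls() {
    sysctl net.inet.icmp.icmplim net.inet.icmp.icmplim_output
}

# 2. pcap filter for inbound SYNs to ports other than the open ones:
#    these are the packets that make the kernel send the rate-limited RSTs.
closed_port_syn_filter() {
    f="dst host $SRV_IP and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
    for p in $OPEN_PORTS; do f="$f and not dst port $p"; done
    printf '%s\n' "$f"
}

# Run on the server or on a box fed by a mirrored switch port. -e prints
# link-layer headers so the source MAC is visible next to the source IP.
capture_closed_port_syns() {
    tcpdump -n -e -i "$EXT_IF" "$(closed_port_syn_filter)"
}

# 3. Reduce "tcpdump -n -e" output (on stdin) to lines of
#    "<count> <src_mac> <src_ip> <dst_port>", busiest source first.
#    Only IPv4 lines in the dotted "ip.port > ip.port:" layout are handled.
summarize_closed_port_hits() {
    awk '
        # Layout: <time> <srcmac> > <dstmac>, ethertype IPv4 (0x0800),
        #         length N: <srcip>.<sport> > <dstip>.<dport>: Flags [S], ...
        $3 == ">" && /Flags \[S\]/ {
            src_mac = $2
            for (i = 4; i < NF; i++) {
                if ($i ~ /^[0-9.]+$/ && $(i+1) == ">" && $(i+2) ~ /:$/) {
                    src = $i; dst = $(i+2); sub(/:$/, "", dst)
                    split(src, s, "."); src_ip = s[1] "." s[2] "." s[3] "." s[4]
                    m = split(dst, d, "."); dst_port = d[m]
                    hits[src_mac " " src_ip " " dst_port]++
                    break
                }
            }
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -rn
}

# 4. pf rules answering the question above: allow the intended ports and
#    log every other TCP connection attempt. "block return" still answers
#    with a RST, as the kernel did, but pflog now records the sender.
#    Read the log with: tcpdump -n -e -ttt -r /var/log/pflog
pf_rules_for_closed_ports() {
    cat <<EOF
ext_if = "$EXT_IF"
srv_ip = "$SRV_IP"
open_ports = "{ $(printf '%s' "$OPEN_PORTS" | sed 's/ /, /g') }"
pass in quick on \$ext_if proto tcp to \$srv_ip port \$open_ports
block return in log quick on \$ext_if proto tcp to \$srv_ip
EOF
}

# Constructed sample of "tcpdump -n -e" output (not a real capture):
# three SYNs from one LAN host, one from another, and one RST reply.
SAMPLE_CAPTURE='10:00:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.0.0.5.54321 > 192.0.2.10.8080: Flags [S], seq 1, win 65535, length 0
10:00:01.000002 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.0.0.5.54322 > 192.0.2.10.8080: Flags [S], seq 2, win 65535, length 0
10:00:01.000003 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.0.0.5.54323 > 192.0.2.10.8081: Flags [S], seq 3, win 65535, length 0
10:00:01.000004 00:de:ad:be:ef:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 198.51.100.7.40000 > 192.0.2.10.8080: Flags [S], seq 4, win 65535, length 0
10:00:01.000005 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 54: 192.0.2.10.8080 > 10.0.0.5.54321: Flags [R.], seq 0, ack 2, win 0, length 0'

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_closed_port_hits
pf_rules_for_closed_ports
```

The summary's MAC column is what makes Jon's forged-source caveat actionable: a frame's source MAC belongs to the last layer-2 hop, so hits that all carry the PIX's inside-interface MAC came through the firewall from outside (and the IP may be spoofed), whereas a MAC belonging to a host on the same segment points at a machine inside the network regardless of what IP it claims. Because `block return` in pf answers the SYN itself, the kernel's closed-port RST limiter no longer sees those packets and the "Limiting closed port RST response" messages stop, replaced by per-packet pflog records that include the source address.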