Finding the correct log file.

Status
Not open for further replies.

vitek

Dabbler
Joined
Feb 16, 2012
Messages
18
I have a problem with finding the correct log file. I often get some worrying messages in the daily security report.

freenas.local kernel log messages:
+++ /tmp/security.NHrMfOiH 2012-02-16 03:01:01.000000000 +0100
+Limiting closed port RST response from 282 to 200 packets/sec
+Limiting open port RST response from 768 to 200 packets/sec
+Limiting open port RST response from 320 to 200 packets/sec

Not every day, but more than half of them.

I want to figure out if this is due to portscanning or what is causing this. I'm pretty new to the whole FreeBSD structure and really don't know where to look. I found some logs at /var/log/ but couldn't see anything in them about this problem.

Grateful for all help I can get.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
It does look like it could be due to portscanning. From the "blackhole" manpage:

Normal behavior when a TCP SYN segment is received on a port where
there is no socket accepting connections, is for the system to return a
RST segment, and drop the connection. The connecting system will see
this as a ``Connection refused''. By setting the TCP blackhole MIB to a
numeric value of one, the incoming SYN segment is merely dropped, and no
RST is sent, making the system appear as a blackhole. By setting the MIB
value to two, any segment arriving on a closed port is dropped without
returning a RST. This provides some degree of protection against stealth
port scans.

http://www.mebsd.com/freebsd-security-hardening/protecting-freebsd-with-sysctl-101.html

It sounds like setting these sysctl variables (/conf/base/etc/sysctl.conf & /etc/sysctl.conf) and restarting sysctl is supposed to be a defense, but they may already be the default.

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

Is your system directly connected to the Internet without a firewall??

You might want to take a look with the "tcpdump" program and see if you can find a clue to the cause. I think /var/log/message is the logfile that these messages are logged to, but I'm not sure if it will provide any more details.

Here's a link to the tcpdump manpage: http://www.freebsd.org/cgi/man.cgi?query=tcpdump&sektion=1
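Added example, not from the thread or from FreeNAS: a small POSIX shell script that tallies the "Limiting ... RST response" kernel messages from a log (the sample lines are constructed to match the three quoted in the report) and, on FreeBSD, prints the sysctl knobs involved. The function names and the sample log are my own.

```shell
#!/bin/sh
# Added example. Tallies the "Limiting ... RST response" kernel messages (the same
# lines the daily security report quotes) so you can see which limiter is tripping,
# how often, and how far over the ceiling it went.

# Constructed sample in /var/log/messages style; the three rates match the report.
SAMPLE_LOG='Feb 16 02:14:07 freenas kernel: Limiting closed port RST response from 282 to 200 packets/sec
Feb 16 02:14:09 freenas kernel: Limiting open port RST response from 768 to 200 packets/sec
Feb 16 02:14:11 freenas kernel: Limiting open port RST response from 320 to 200 packets/sec
Feb 16 03:01:01 freenas kernel: unrelated line that must be ignored'

# Reads log lines on stdin, prints one line per limiter: "<closed|open> <count> <peak pps>".
#  closed: segments hit a port with no listener. net.inet.tcp.blackhole=2 drops those
#          silently, so it stops these messages, but it does nothing for the "open" case.
#  open:   segments reached a listening port but did not belong to any connection
#          (stray or bogus ACKs, late packets for closed sessions, and the like).
summarize_rst_limits() {
    awk '/Limiting (closed|open) port RST response from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Limiting") { kind = $(i + 1); rate = $(i + 6) + 0; break }
            n[kind]++
            if (rate > peak[kind]) peak[kind] = rate
         }
         END { for (k in n) printf "%s %d %d\n", k, n[k], peak[k] }' | sort
}

# On FreeBSD, print the knobs involved. net.inet.icmp.icmplim is the shared per-second
# ceiling (200 by default) on RST and ICMP error responses that the message refers to;
# above it the extra responses are dropped and this line is logged. Skipped elsewhere.
show_rst_knobs() {
    command -v sysctl >/dev/null 2>&1 || return 0
    for k in net.inet.tcp.blackhole net.inet.udp.blackhole net.inet.icmp.icmplim; do
        v=$(sysctl -n "$k" 2>/dev/null) || continue
        printf '%s = %s\n' "$k" "$v"
    done
}

# Stand-alone run on the constructed sample. On the NAS itself feed the real file:
#   summarize_rst_limits < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_rst_limits
show_rst_knobs
```

A high "closed" count is the scan-shaped case; a high "open" count will not go away by setting blackhole and is worth a tcpdump look at what is arriving on the listening ports.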
 

vitek

Dabbler
Joined
Feb 16, 2012
Messages
18
Thx for the tip. I added the variables now; they weren't there by default.
The system is behind a pfSense firewall.
I will look into tcpdump and try figuring it out, but I'm not very familiar with it.
The /var/log/message did not have any useful information, at least.
If anyone else has any suggestions that can help me get to the bottom of this I would gladly take them.
Cheers!
 