FreeNAS limiting closed port responses

Status
Not open for further replies.

Fish

Contributor
Joined
Jun 4, 2015
Messages
108
For the past few weeks after I got email reporting set up again, I'm getting a lot of these messages in my security runs:
Code:
 Limiting closed port RST response from 565 to 200 packets/sec


Is this an indication that someone is trying to flood/break into my NAS? I've got a number of public-facing jails but my NAS is behind a business-grade firewall that has custom ports forwarded to each jail. Do I need to start implementing Fail2Ban?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Perhaps you should start logging on your firewall to see what is happening, and then use the firewall to block those things.
 

Fish

Contributor
Joined
Jun 4, 2015
Messages
108
> Perhaps you should start logging on your firewall to see what is happening, and then use the firewall to block those things.
I'll see if I can do that. It might require me to spin up a logging server.

Is there any way to see in the FreeNAS logs what ports are being hit?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
No. It's a NAS appliance, not a firewall. You could probably MAKE it log it by configuring logging onto your pool and then adding an appropriate ipfw rule.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Is there any way to identify the source IP that is at least causing this? I just got these emails today. (No Plex on my machine)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
> Is there any way to identify the source IP that is at least causing this? I just got these emails today. (No Plex on my machine)
You could probably just use tcpdump with appropriately turned knobs and dials to output the source of TCP reset packets to a file. Still best to handle this at the perimeter before it hits the NAS.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> Still best to handle this at the perimeter before it hits the NAS.

I would have to politely disagree with that, because it is much more likely that the connection attempts are coming from the local network. But tcpdump or ipfw can do the work.
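
The tcpdump approach suggested in the replies above, as an added example that is not part of the original thread: capture only the RST segments the NAS sends, then tally which peer hit which closed port. The interface `em0`, the address `192.0.2.10`, the function names and the sample lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. NAS_IP and IFACE are placeholders; set them for your system.
NAS_IP="${NAS_IP:-192.0.2.10}"
IFACE="${IFACE:-em0}"

# Live capture (needs root): only TCP segments with RST set, sent by the NAS.
# Typical use: capture_rst > /tmp/rst.txt, stop with Ctrl-C, then
#              tally_rst < /tmp/rst.txt
capture_rst() {
    tcpdump -l -nn -i "$IFACE" "src host $NAS_IP and tcp[tcpflags] & tcp-rst != 0"
}

# Read `tcpdump -nn` text lines (IPv4) on stdin and print
# "count peer_ip closed_port", busiest first.
tally_rst() {
    awk '
    $2 == "IP" && $4 == ">" && $6 == "Flags" && $7 ~ /R/ {
        port = $3; sub(/.*\./, "", port)        # RST source port = closed port on the NAS
        peer = $5; sub(/:$/, "", peer)
        sub(/\.[0-9]+$/, "", peer)              # RST destination = host that tried to connect
        n[peer " " port]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2 -k3,3n
}

# Constructed sample capture: three RSTs for port 445, one for 8080,
# and one inbound SYN that must be ignored.
sample_capture() {
    cat <<'EOF'
10:00:00.000001 IP 192.0.2.10.445 > 192.0.2.50.51001: Flags [R.], seq 0, ack 1001, win 0, length 0
10:00:00.000002 IP 192.0.2.10.445 > 192.0.2.50.51002: Flags [R.], seq 0, ack 1002, win 0, length 0
10:00:00.000003 IP 192.0.2.10.445 > 192.0.2.50.51003: Flags [R.], seq 0, ack 1003, win 0, length 0
10:00:00.000004 IP 192.0.2.10.8080 > 192.0.2.77.40000: Flags [R.], seq 0, ack 2001, win 0, length 0
10:00:00.000005 IP 192.0.2.50.51004 > 192.0.2.10.22: Flags [S], seq 5, win 65535, length 0
EOF
}

sample_capture | tally_rst
```

Because the capture runs on the NAS itself, the tally shows peers on the local network and forwarded external ones alike.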
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
> I would have to politely disagree with that, because it is much more likely that the connection attempts are coming from the local network. But tcpdump or ipfw can do the work.
I politely disagree with my 2AM self as well. Half the time I don't know what he was on when posting.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> I politely disagree with my 2AM self as well. Half the time I don't know what he was on when posting.

It's perfectly understandable. I wield the power of Caffeine. I make my coffee with caffeinated water.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
> I make my coffee with caffeinated water.
Water? Pfft. Real men just tuck the grounds in their lip, like tobacco. Straight to the bloodstream... screw the digestive tract! :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
> Water? Pfft. Real men just tuck the grounds in their lip, like tobacco. Straight to the bloodstream... screw the digestive tract! :)
In prisons in the former USSR inmates make a narcotically-strong tea drink called chefir'. You can look it up if you need some inspiration for the 'my caffeinated drink is stronger than your caffeinated drink' competition.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
> In prisons in the former USSR inmates make a narcotically-strong tea drink called chefir'. You can look it up if you need some inspiration for the 'my caffeinated drink is stronger than your caffeinated drink' competition.
I draw the line at "my caffeinated drink causes noticeable changes on my ECG..."
 