FreeNAS limiting closed port responses

[Fish]

For the past few weeks after I got email reporting setup again, I'm getting a lot of these messages in my security runs:

Code:

 Limiting closed port RST response from 565 to 200 packets/sec

Is this an indication that someone is trying to flood/break into my NAS? I've got a number of public-facing jails but my NAS is behind a business-grade firewall that has custom ports forwarded to each jail. Do I need to start implementing Fail2Ban?

 

[jgreco]

Perhaps you should start logging on your firewall to see what is happening, and then use the firewall to block those things.

 

[Fish]

Perhaps you should start logging on your firewall to see what is happening, and then use the firewall to block those things.

I'll see if I can do that. It might require me to spin up a logging server.

Is there any way to see in the FreeNAS logs, what ports are being hit?

 

[jgreco]

No. It's a NAS appliance, not a firewall. You could probably MAKE it log it by configuring logging onto your pool and then adding an appropriate ipfw rule.

 

[diskdiddler]

Is there any way to identify the source IP that is at least causing this? I just got these emails today. (No Plex on my machine)

 

[anodos]

Is there any way to identify the source IP that is at least causing this? I just got these emails today. (No Plex on my machine)

You could probably just use tcpdump with appropriately turned knobs and dials to output the source of TCP reset packets to a file. Still best to handle this at the perimeter before it hits the NAS.

 

[jgreco]

Still best to handle this at the perimeter before it hits the NAS.

I would have to politely disagree with that, because it is much more likely that the connection attempts are coming from the local network. But tcpdump or ipfw can do the work.

 

[anodos]

I would have to politely disagree with that, because it is much more likely that the connection attempts are coming from the local network. But tcpdump or ipfw can do the work.

I politely disagree with my 2AM self as well. Half the time I don't know what he was on when posting.

 

[jgreco]

I politely disagree with my 2AM self as well. Half the time I don't know what he was on when posting.

It's perfectly understandable. I wield the power of Caffeine. I make my coffee with caffeinated water.

 

[tvsjr]

I make my coffee with caffeinated water.

Water? Pfft. Real men just tuck the grounds in their lip, like tobacco. Straight to the bloodstream... screw the digestive tract! :)

 

[anodos]

Water? Pfft. Real men just tuck the grounds in their lip, like tobacco. Straight to the bloodstream... screw the digestive tract! :)

In prisons in the former USSR inmates make a narcotically-strong tea drink called chefir'. You can look it up if you need some inspiration for the 'my caffeinated drink is stronger than your caffeinated drink' competition.

 

[tvsjr]

In prisons in the former USSR inmates make a narcotically-strong tea drink called chefir'. You can look it up if you need some inspiration for the 'my caffeinated drink is stronger than your caffeinated drink' competition.

I draw the line at "my caffeinated drink causes noticeable changes on my ECG..."