I get the daily emails with security run output, but lately I have been seeing something strange. Normally the notifications read...
"Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

zinkbox login failures:

zinkbox refused connections:

-- End of security output --
"

Now they are sending output such as...

"Checking for passwordless accounts:

zinkbox ipfw denied packets:
+++ /tmp/security.CsulsSdP 2012-01-31 02:01:54.000000000 -0500
+65535 9 470 deny ip from any to any

zinkbox kernel log messages:
+++ /tmp/security.D52KzMrx 2012-01-31 02:01:55.000000000 -0500
+CPU: Intel(R) Xeon(R) CPU X5365 @ 3.00GHz (2992.51-MHz K8-class CPU)
+SMP: AP CPU #1 Launched!
+SMP: AP CPU #3 Launched!
+Limiting closed port RST response from 202 to 200 packets/sec Limiting
+closed port RST response from 217 to 200 packets/sec"

I'm not sure what these closed port messages are about. Are they something to be worried about?

Thanks,

Chris

Community Chosen Answer

3
I talked to Kace support on these exact error messages and this was their response.


It is normal for the RST port limit to be hit while the kbox is being backed up (i.e. during nightly maintenance) since the webserver is down and not servicing requests.

Basically the server is down for maintenance (ours was our nightly backup) but agents are trying to check into the server.
Answered 01/31/2012 by: ms01ak
Tenth Degree Black Belt


Answers

0
OK, that makes sense, and I guess is why I will see the same closed port messages when I restart our KBox during the day. Lately it's been losing connection and just generally slow, so I was concerned seeing these messages when normally there aren't any.
Answered 01/31/2012 by: cmeisinger
Orange Senior Belt

1
All normal messages in the output.

Checking setuid files and devices: check to make sure permissions are correct to prevent unwanted access.

Looks like you had a recent reboot. The RST message means that the K1000 Appliance is getting more than 200 packets/sec on closed ports.
200 is a threshold built into BSD. You’ll see it on the console of just about every K1000 appliance when you restart the appliance as the agents frantically try to connect.
Answered 01/31/2012 by: KevinG
Purple Belt

0
Yes, I have had to reboot several times lately; the box seems to get locked up and at times I am unable to even access it through the web. We use the virtual appliance and I have my suspicions that we may not have enough memory applied to this device. We will be migrating to a new virtual environment in the next couple weeks and I plan to try to dedicate more resources to this device, especially since we are starting to track assets and software metering.
Answered 01/31/2012 by: cmeisinger
Orange Senior Belt

1
We have encountered these as well, mostly when a corporate security appliance was running port scans, looking for vulnerabilities on connected devices. The challenge was BSD eventually starts using large amounts of swap file space with the limiting response actions and, on the VM where the K1000 resides, it would fill the available swap space and stop other processes from completing, causing a hung state.

Rebooting the VM took care of the hung state and excluding the appliance from the security scan cleared up the rest. Security run output logs have been clean since then.
Answered 01/31/2012 by: jmarotto
Second Degree Green Belt

0
I added an exception for the VM files in our security endpoint yesterday and last night the output was back to normal with no closed port messages.
Answered 02/01/2012 by: cmeisinger
Orange Senior Belt
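
Added example (not part of any post in this thread): a small Python triage script that pulls the "Limiting closed port RST response" events out of a security run email, so the observed rate can be tracked from night to night against the 200 packets/sec threshold mentioned above. The function names are hypothetical, and the sample input is constructed from the output quoted in the question, including the message that wraps across two lines.

```python
import re

# Constructed sample: the sections quoted in the question, including the
# kernel message that was wrapped across two "+" lines.
SAMPLE = """\
zinkbox ipfw denied packets:
+++ /tmp/security.CsulsSdP 2012-01-31 02:01:54.000000000 -0500
+65535 9 470 deny ip from any to any

zinkbox kernel log messages:
+++ /tmp/security.D52KzMrx 2012-01-31 02:01:55.000000000 -0500
+CPU: Intel(R) Xeon(R) CPU X5365 @ 3.00GHz (2992.51-MHz K8-class CPU)
+SMP: AP CPU #1 Launched!
+SMP: AP CPU #3 Launched!
+Limiting closed port RST response from 202 to 200 packets/sec Limiting
+closed port RST response from 217 to 200 packets/sec
"""

RST_RE = re.compile(
    r"Limiting closed port RST response from (\d+) to (\d+) packets/sec")

def kernel_section(report):
    """Return the added ('+') lines of the 'kernel log messages' section."""
    lines, inside = [], False
    for line in report.splitlines():
        if line.endswith("kernel log messages:"):
            inside = True
        elif inside and not line.strip():
            break                      # blank line ends the section
        elif inside and line.startswith("+") and not line.startswith("+++"):
            lines.append(line[1:])     # drop the diff marker
    return lines

def rst_limit_events(report):
    """List (observed_pps, limit_pps) pairs, tolerating wrapped messages."""
    text = " ".join(kernel_section(report))   # re-join wrapped lines
    return [(int(seen), int(limit)) for seen, limit in RST_RE.findall(text)]

def summarize(report):
    events = rst_limit_events(report)
    if not events:
        return None
    peak = max(seen for seen, _ in events)
    return {"events": len(events), "peak_pps": peak, "limit_pps": events[0][1]}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A peak only slightly above the limit at the nightly maintenance time matches the behaviour described in the answers; the script only reports the numbers and leaves that judgement to the reader.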
