Strange Security Run Output

I get the daily emails with security run output, but lately I have been seeing something strange. Normally the notifications read...
"Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

zinkbox login failures:

zinkbox refused connections:

-- End of security output --"

Now they are sending output such as...

"Checking for passwordless accounts:

zinkbox ipfw denied packets:
+++ /tmp/security.CsulsSdP 2012-01-31 02:01:54.000000000 -0500
+65535 9 470 deny ip from any to any

zinkbox kernel log messages:
+++ /tmp/security.D52KzMrx 2012-01-31 02:01:55.000000000 -0500
+CPU: Intel(R) Xeon(R) CPU X5365 @ 3.00GHz (2992.51-MHz K8-class CPU)
+SMP: AP CPU #1 Launched!
+SMP: AP CPU #3 Launched!
+Limiting closed port RST response from 202 to 200 packets/sec
+Limiting closed port RST response from 217 to 200 packets/sec"

I'm not sure what these closed port messages are about. Are they something to be worried about?




Answers (6)

Posted by: ms01ak 10 years ago
10th Degree Black Belt
I talked to Kace support on these exact error messages and this was their response.

It is normal for the RST port limit to be hit while the kbox is being backed up (i.e. during nightly maintenance) since the webserver is down and not servicing requests.

Basically the server is down for maintenance (ours was our nightly backup) but agents are trying to check into the server.
Posted by: KevinG 10 years ago
Red Belt
All normal messages in the output.

Checking setuid files and devices: checks to make sure permissions are correct to prevent unwanted access.

Looks like you had a recent reboot. The RST message means that the K1000 Appliance is getting more than 200 packets/sec on closed ports.
200 is a threshold built into BSD. You’ll see it on the console of just about every K1000 appliance when you restart the appliance as the agents frantically try to connect.
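An added example, not code from the thread or from KACE or FreeBSD: it parses the security run output format quoted in the question and pulls out what the answers above say to look at, namely new ipfw denies, the closed-port RST rate-limit hits with their peak rate against the kernel threshold, and boot banner lines that indicate a recent reboot. The sample input is constructed from the question's own output; on FreeBSD the 200 packets/sec threshold is the default of the net.inet.icmp.icmplim sysctl.

```python
import re

# Constructed sample of a FreeBSD daily security run output, modelled on the format quoted
# in the question: a section title ending in ":", a "+++" diff header, then "+" lines.
SAMPLE_OUTPUT = """\
Checking for passwordless accounts:

zinkbox ipfw denied packets:
+++ /tmp/security.CsulsSdP 2012-01-31 02:01:54.000000000 -0500
+65535 9 470 deny ip from any to any

zinkbox kernel log messages:
+++ /tmp/security.D52KzMrx 2012-01-31 02:01:55.000000000 -0500
+CPU: Intel(R) Xeon(R) CPU X5365 @ 3.00GHz (2992.51-MHz K8-class CPU)
+SMP: AP CPU #1 Launched!
+Limiting closed port RST response from 202 to 200 packets/sec
+Limiting closed port RST response from 217 to 200 packets/sec
-- End of security output --
"""

SECTION_RE = re.compile(r"^([^+\s].*):$")  # e.g. "zinkbox kernel log messages:"
RST_RE = re.compile(r"Limiting closed port RST response from (\d+) to (\d+) packets/sec")
BOOT_RE = re.compile(r"^(CPU:|SMP: AP CPU #\d+ Launched!)")  # kernel boot banner lines

def parse_sections(text):
    """Map each section title to its new ('+') lines; '+++' file headers are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.startswith("+") and not line.startswith("+++"):
            sections[current].append(line[1:])
    return sections

def summarize(text):
    """Count ipfw denies, RST rate-limit hits (peak rate vs threshold) and boot evidence."""
    sections = parse_sections(text)
    kernel = [l for t, v in sections.items() if t.endswith("kernel log messages") for l in v]
    ipfw = [l for t, v in sections.items() if t.endswith("ipfw denied packets") for l in v]
    hits = [(int(m.group(1)), int(m.group(2))) for l in kernel if (m := RST_RE.search(l))]
    return {
        "ipfw_denied": len(ipfw),
        "rst_limit_hits": len(hits),
        "rst_peak_pps": max((seen for seen, _ in hits), default=0),
        "rst_threshold_pps": hits[0][1] if hits else None,
        "boot_seen": any(BOOT_RE.match(l) for l in kernel),  # reboot, as KevinG inferred
    }
```

Run `summarize(SAMPLE_OUTPUT)` on a saved daily email to see at a glance whether RST limit hits coincide with a reboot or maintenance window, or whether they appear without one and deserve a look at what is hitting the closed ports.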
Posted by: jmarotto 10 years ago
Fourth Degree Green Belt
We have encountered these as well, mostly when a corporate security appliance was running port scans, looking for vulnerabilities on connected devices. The challenge was BSD eventually starts using large amounts of swap file space with the limiting response actions and, on the VM where the K1000 resides, it would fill the available swap space and stop other processes from completing, causing a hung state.

Rebooting the VM took care of the hung state and excluding the appliance from the security scan cleared up the rest. Security run output logs have been clean since then.
Posted by: cmeisinger 10 years ago
Orange Senior Belt
OK, that makes sense and I guess is why I will see the same closed port messages when I restart our KBox during the day. Lately it's been losing connection and just generally slow, so I was concerned seeing these messages when normally there aren't any.
Posted by: cmeisinger 10 years ago
Orange Senior Belt
Yes, I have had to reboot several times lately; the box seems to get locked up and at times I am unable to even access it through the web. We use the virtual appliance and I have my suspicions that we may not have enough memory applied to this device. We will be migrating to a new virtual environment in the next couple of weeks and I plan to try to dedicate more resources to this device, especially since we are starting to track assets and software metering.
Posted by: cmeisinger 10 years ago
Orange Senior Belt
I added an exception for the VM files in our security endpoint yesterday and last night the output was back to normal with no closed port messages.