Strange Security Run Output
I get the daily emails with security run output, but lately I have been seeing something strange. Normally the notifications read...
"Checking setuid files and devices:
Checking for uids of 0:
root 0
toor 0
Checking for passwordless accounts:
zinkbox login failures:
zinkbox refused connections:
-- End of security output --
"
Now they are sending output such as...
"Checking for passwordless accounts:
zinkbox ipfw denied packets:
+++ /tmp/security.CsulsSdP 2012-01-31 02:01:54.000000000 -0500
+65535 9 470 deny ip from any to any
zinkbox kernel log messages:
+++ /tmp/security.D52KzMrx 2012-01-31 02:01:55.000000000 -0500
+CPU: Intel(R) Xeon(R) CPU X5365 @ 3.00GHz (2992.51-MHz K8-class CPU)
+SMP: AP CPU #1 Launched!
+SMP: AP CPU #3 Launched!
+Limiting closed port RST response from 202 to 200 packets/sec
+Limiting closed port RST response from 217 to 200 packets/sec"
I'm not sure what these closed port messages are about. Are they something to be worried about?
Thanks,
Chris
Answers (6)
Posted by:
ms01ak
12 years ago
I talked to Kace support on these exact error messages and this was their response.
It is normal for the RST port limit to be hit while the kbox is being backed up (i.e. during nightly maintenance) since the webserver is down and not servicing requests.
Basically the server is down for maintenance (ours was our nightly backup) but agents are trying to check into the server.
Posted by:
KevinG
12 years ago
All normal messages in the output.
Checking setuid files and devices: check to make sure permissions are correct to prevent unwanted access.
Looks like you had a recent reboot. The RST message means that the K1000 Appliance is getting more than 200 packets/sec on closed ports.
200 is a threshold built into BSD. You’ll see it on the console of just about every K1000 appliance when you restart the appliance as the agents frantically try to connect.
Posted by:
jmarotto
12 years ago
We have encountered these as well, mostly when a corporate security appliance was running port scans, looking for vulnerabilities on connected devices. The challenge was BSD eventually starts using large amounts of swap file space with the limiting response actions and, on the VM where the K1000 resides, it would fill the available swap space and stop other processes from completing, causing a hung state.
Rebooting the VM took care of the hung state and excluding the appliance from the security scan cleared up the rest. Security run output logs have been clean since then.
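Added example, not part of the original thread or of the K1000 product: a shell function that summarises the RST rate-limit lines in one daily security report and separates the small post-restart burst described in the answers above from a volume worth a closer look. The `BURST_MAX` cut-off, the function names and the verdict labels are assumptions; the sample report is constructed from the lines quoted in the question.

```shell
#!/bin/sh
# Added example: summarise "Limiting closed port RST response" lines from a
# FreeBSD periodic security report read on stdin.
# 200 packets/sec is the default of the net.inet.icmp.icmplim sysctl.
# BURST_MAX is a hypothetical cut-off (assumption), not a value from the thread.
BURST_MAX=${BURST_MAX:-10}

# Constructed sample, built from the lines quoted in the question.
sample_report() {
cat <<'EOF'
zinkbox kernel log messages:
+++ /tmp/security.D52KzMrx 2012-01-31 02:01:55.000000000 -0500
+CPU: Intel(R) Xeon(R) CPU X5365 @ 3.00GHz (2992.51-MHz K8-class CPU)
+SMP: AP CPU #1 Launched!
+Limiting closed port RST response from 202 to 200 packets/sec
+Limiting closed port RST response from 217 to 200 packets/sec
EOF
}

# Prints: events=N peak=P limit=L rebooted=yes|no verdict=...
summarize_rst() {
  awk -v max="$BURST_MAX" '
    BEGIN { events = 0; peak = 0; limit = 0; rebooted = "no" }
    # Boot-time lines in the same dmesg diff mean the box restarted that day.
    /^[+](CPU:|SMP:)/ { rebooted = "yes" }
    /^[+]Limiting closed port RST response from [0-9]+ to [0-9]+ packets/ {
      events++
      if ($7 + 0 > peak) peak = $7 + 0   # observed rate
      limit = $9 + 0                      # enforced limit
    }
    END {
      if (events == 0)            verdict = "none"
      else if (events > max)      verdict = "investigate"
      else if (rebooted == "yes") verdict = "expected-after-restart"
      else                        verdict = "brief-burst"
      printf "events=%d peak=%d limit=%d rebooted=%s verdict=%s\n",
             events, peak, limit, rebooted, verdict
    }'
}

sample_report | summarize_rst
```

An "investigate" verdict on a day with no restart or maintenance window is the case to correlate with scanner schedules, as in the port-scan answer above.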
Posted by:
cmeisinger
12 years ago
Yes, I have had to reboot several times lately; the box seems to get locked up, and at times I am unable to even access it through the web. We use the virtual appliance and I have my suspicions that we may not have enough memory applied to this device. We will be migrating to a new virtual environment in the next couple weeks and I plan to try to dedicate more resources to this device, especially since we are starting to track assets and software metering.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.