From: Roger Marquis
To: freebsd-security@freebsd.org
Date: Sat, 17 Apr 2004 20:10:17 -0700 (PDT)
Subject: Re: Is log_in_vain really good or really bad?
In-Reply-To: <20040417190059.06B0316A4F7@hub.freebsd.org>
Message-Id: <20040418031017.98ACEDAC11@mx7.roble.com>

z3l3zt@hackunite.net wrote:

> Yesterday someone "attacked" my box by connecting to several ports.. in
> other words, a simple portscan.. Yet, since my box has "log_in_vain"
> enabled, it tries to log everything to /var/log/messages; since the
> logfile got full and the size went over 100K, it tried to rotate the log
> to save diskspace.

This is a hardware problem. Any ATA/SATA disk will suck up CPU with every disk access. The solution is to switch to SCSI. Proper partitioning would also allow you to rotate log files every 10 or 20MB instead of at 100K. For reasons exactly like this I never partition a disk for anything other than swap.
If filesystems need to be separated they're put on separate (SCSI) disks.

Whether you need log_in_vain or not depends on what you do with the logs. Are you compiling statistics? Running Snort or another IDE? Separating facilities into different files (other than /var/log/messages)? Reading them regularly and often? If you answered no to two or more of these questions then there's probably little to lose by disabling log_in_vain.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
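The reply's first question, "are you compiling statistics?", is the one that decides whether log_in_vain output is worth its disk and CPU cost. The following script is an added example (not from this thread or from FreeBSD) that compiles exactly that kind of statistic: it reads syslog lines in the "Connection attempt to TCP|UDP dst:port from src:port" shape that log_in_vain writes, counts attempts and distinct destination ports per source, and lists sources that touched more ports than a chosen threshold. The log lines, host names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: summarize log_in_vain entries per source address.
# SAMPLE_LOG is constructed; it imitates the kernel message format that
# log_in_vain emits, plus one unrelated sshd line that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Apr 17 03:12:01 box kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:40001 flags:0x02
Apr 17 03:12:01 box kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40002 flags:0x02
Apr 17 03:12:02 box kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:40003 flags:0x02
Apr 17 03:12:02 box kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:40004
Apr 17 03:15:40 box kernel: Connection attempt to TCP 192.0.2.10:80 from 203.0.113.5:51000 flags:0x02
Apr 17 03:16:00 box sshd[123]: Accepted publickey for admin from 203.0.113.9 port 52000 ssh2
EOF
)

# Read syslog lines on stdin; print "source attempts distinct_ports" per
# source, busiest sources (most distinct ports) first.
summarize_in_vain() {
    awk '
    match($0, /Connection attempt to (TCP|UDP) [^ ]+ from [^ ]+/) {
        # words: 1=Connection 2=attempt 3=to 4=proto 5=dst:port 6=from 7=src:port
        split(substr($0, RSTART, RLENGTH), w, " ")
        split(w[5], d, ":"); port = w[4] "/" d[2]   # e.g. TCP/22
        split(w[7], s, ":"); src = s[1]              # drop ephemeral source port
        attempts[src]++
        if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
    }
    END { for (src in attempts) print src, attempts[src], ports[src] }' \
    | sort -k3,3nr -k1,1
}

# Print sources that probed at least $1 distinct ports: a handful of distinct
# ports from one address in a short window is scan-like, one port is usually
# a misconfigured client. Reads syslog lines on stdin.
scan_sources() {
    summarize_in_vain | awk -v n="$1" '$3 >= n { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_in_vain
printf '%s\n' "$SAMPLE_LOG" | scan_sources 3
```

In practice you would feed it the rotated messages files (for example `cat /var/log/messages* | summarize_in_vain`) rather than the embedded sample.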