From owner-freebsd-security@FreeBSD.ORG Sat Apr 17 04:13:50 2004
From: "Jesper Wallin"
To: freebsd-security@freebsd.org
Date: Sat, 17 Apr 2004 13:15:00 +0200 (CEST)
Subject: Is log_in_vain really good or really bad?
List-Id: Security issues [members-only posting]

Heya..

Yesterday someone "attacked" my box by connecting to several ports.. In other words, a simple portscan.. Yet, since my box has "log_in_vain" enabled, it tries to log everything to /var/log/messages; since the logfile got full and the size went over 100K, it tried to rotate the log to save diskspace.

(Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to size>100K)

My server box is an Intel Celeron 733MHz, 384Mb of RAM.. yet it's slow from time to time since I only run ATA66 due to the old motherboard. When this "attack" occurred yesterday, the box almost died and the box was working at 100%.. All users who were logged in got "spammed" since the default *.emerg in /etc/syslog.conf is set to "*" .. Isn't this a quite simple way of making a DoS attack against a system? My box is running on 10mbit and the person who scanned my server was connecting from a cable connection.. Someone (even with lower bandwidth) can simply portscan a box with "log_in_vain" enabled and the box will go crazy trying to log/store it?

Also, I'm not sure if it was a "general" portscan since the "blackhole" mostly slows those down quite a lot.. but since this had about 30-40 connections per second, it was a quite aggressive scan.

I would be glad if anyone could tell me how to solve this and/or how to make sure it doesn't happen again.

Regards,
Jesper 'Z3l3zT' Wallin
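As an added example (not code from the post or from FreeBSD), a small parser a defender could run over /var/log/messages to tell a scan like the one described above (30-40 connections per second) from ordinary stray connections; it assumes the kernel's log_in_vain message format shown in the comment and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Assumed format of a FreeBSD log_in_vain kernel message (not taken from the post):
#   "Apr 16 21:00:00 host /kernel: Connection attempt to TCP <dst>:<port> from <src>:<sport>"
LOG_IN_VAIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# Constructed sample log: 70 probes from one source packed into two seconds
# (35/s, roughly the rate the post describes), one stray probe, one unrelated line.
SAMPLE_LOG = [
    f"Apr 16 21:00:0{i // 35} omikron /kernel: Connection attempt to TCP "
    f"203.0.113.5:{20 + i} from 192.0.2.10:{40000 + i}"
    for i in range(70)
] + [
    "Apr 16 21:00:05 omikron /kernel: Connection attempt to TCP 203.0.113.5:22 from 198.51.100.7:51234",
    "Apr 16 21:00:05 omikron sshd[123]: unrelated message that must be ignored",
]

def parse_line(line):
    """Return the fields of a log_in_vain line, or None for any other line."""
    m = LOG_IN_VAIN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def scan_summary(lines, per_second_threshold=20):
    """Per source: total probes, distinct destination ports and the busiest second;
    a peak at or above the threshold marks an aggressive scan, not stray traffic."""
    per_src = defaultdict(lambda: {"total": 0, "ports": set(), "per_sec": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        e = per_src[rec["src"]]
        e["total"] += 1
        e["ports"].add((rec["proto"], rec["dport"]))
        e["per_sec"][rec["ts"]] += 1   # syslog timestamps give one-second buckets
    report = {}
    for src, e in per_src.items():
        peak = max(e["per_sec"].values())
        report[src] = {"total": e["total"], "distinct_ports": len(e["ports"]),
                       "peak_per_second": peak, "aggressive": peak >= per_second_threshold}
    return report
```

Running `scan_summary(SAMPLE_LOG)` flags 192.0.2.10 (70 ports, 35 probes in one second) and leaves the single probe from 198.51.100.7 unflagged.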