From: "James A. Coulter"
Date: Wed, 11 Aug 2004 19:46:47 -0500
To: freebsd-questions@freebsd.org
Message-ID: <20040812004647.GA13990@sara.mshome.net>
Subject: Security log question

This message has been showing up in /var/log/security:

Aug 6 01:56:44 sara /kernel: drop session, too many entries
Aug 6 16:40:05 sara /kernel: drop session, too many entries
Aug 7 13:25:23 sara /kernel: drop session, too many entries
Aug 7 15:32:00 sara /kernel: drop session, too many entries
Aug 7 15:32:03 sara last message repeated 3 times
Aug 8 22:30:53 sara /kernel: drop session, too many entries
Aug 10 19:47:31 sara /kernel: drop session, too many entries
Aug 11 11:11:46 sara /kernel: drop session, too many entries
Aug 11 13:08:15 sara /kernel: drop session, too many entries
Aug 11 13:10:26 sara last message repeated 12 times
Aug 11 13:20:34 sara last message repeated 55 times
Aug 11 13:30:00 sara last message repeated 66 times
Aug 11 16:49:26 sara /kernel: drop session, too many entries
Aug 11 16:49:58 sara last message repeated 5 times
Aug 11 16:52:04 sara last message repeated 20 times
Aug 11 17:02:01 sara last message repeated 93 times
Aug 11 17:18:01 sara /kernel: drop session, too many entries
Aug 11 17:23:03 sara /kernel: drop session, too many entries

I'm running FreeBSD 4.10 with IPFW and NAT as a gateway/router/firewall for a home LAN. I am the only user (I hope!) with access to this system.

I googled the "drop session" message and found e-mail correspondence indicating this message is a result of having too many telnet or ssh sessions open at the same time and could be an indication of a DOS attack.

I have disabled telnet in inetd.conf. I am running ftp with anonymous log-in disabled and ssh with root login disabled. I am also running apache 1.3.

Is this message something I should investigate further, or is it like the script kiddies who scan my ports every night - just something to live with?

TIA for any enlightenment/suggestions anyone can provide.

Jim
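
An added example, not part of the original message: a Python tally of the "drop session" events per day and hour that expands syslogd's "last message repeated N times" lines, so bursts in the excerpt above stand out from the isolated entries. The function names, the burst threshold of 10, and the rule that a repeat line refers to the preceding message from the same host are assumptions of this example.

```python
import re
from collections import Counter

# Log lines copied from the message above (a subset of the excerpt).
SAMPLE = """\
Aug 7 15:32:00 sara /kernel: drop session, too many entries
Aug 7 15:32:03 sara last message repeated 3 times
Aug 11 13:08:15 sara /kernel: drop session, too many entries
Aug 11 13:10:26 sara last message repeated 12 times
Aug 11 13:20:34 sara last message repeated 55 times
Aug 11 13:30:00 sara last message repeated 66 times
Aug 11 16:49:26 sara /kernel: drop session, too many entries
Aug 11 16:49:58 sara last message repeated 5 times
"""

LINE = re.compile(r"^(\w{3}\s+\d+) (\d\d):\d\d:\d\d (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
TARGET = "drop session, too many entries"

def tally(text, target=TARGET):
    """Count target events per (day, hour), expanding syslogd repeat lines.

    Assumption: a "last message repeated N times" line refers to the
    message line most recently seen from the same host in this file.
    Repeats are bucketed by the time the summary line was written.
    """
    counts = Counter()
    last_msg = {}  # host -> text of the last non-repeat message
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        day, hour, host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            n, msg = int(rep.group(1)), last_msg.get(host, "")
        else:
            n, last_msg[host] = 1, msg
        if target in msg:
            counts[(" ".join(day.split()), int(hour))] += n
    return counts

def bursts(counts, threshold=10):
    """Return the (day, hour) buckets whose event count reaches threshold."""
    return {k: v for k, v in counts.items() if v >= threshold}

if __name__ == "__main__":
    for (day, hour), n in sorted(tally(SAMPLE).items()):
        print(f"{day} {hour:02d}:00  {n}")
```
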