From owner-freebsd-questions@FreeBSD.ORG Sat Aug 14 14:43:24 2004
Date: Sat, 14 Aug 2004 16:39:58 +0200
From: Alex de Kruijff
To: freebsd-questions@freebsd.org
Subject: Re: Security log question
Message-id: <20040814143958.GC884@alex.lan>
In-reply-to: <20040812004647.GA13990@sara.mshome.net>
References: <20040812004647.GA13990@sara.mshome.net>

On Wed, Aug 11, 2004 at 07:46:47PM -0500, James A. Coulter wrote:
> This message has been showing up in /var/log/security:
>
> Aug 6 01:56:44 sara /kernel: drop session, too many entries
> Aug 6 16:40:05 sara /kernel: drop session, too many entries
> Aug 7 13:25:23 sara /kernel: drop session, too many entries
> Aug 7 15:32:00 sara /kernel: drop session, too many entries
> Aug 7 15:32:03 sara last message repeated 3 times
> Aug 8 22:30:53 sara /kernel: drop session, too many entries
> Aug 10 19:47:31 sara /kernel: drop session, too many entries
> Aug 11 11:11:46 sara /kernel: drop session, too many entries
> Aug 11 13:08:15 sara /kernel: drop session, too many entries
> Aug 11 13:10:26 sara last message repeated 12 times
> Aug 11 13:20:34 sara last message repeated 55 times
> Aug 11 13:30:00 sara last message repeated 66 times
> Aug 11 16:49:26 sara /kernel: drop session, too many entries
> Aug 11 16:49:58 sara last message repeated 5 times
> Aug 11 16:52:04 sara last message repeated 20 times
> Aug 11 17:02:01 sara last message repeated 93 times
> Aug 11 17:18:01 sara /kernel: drop session, too many entries
> Aug 11 17:23:03 sara /kernel: drop session, too many entries
>
> I'm running FreeBSD 4.10 with IPFW and NAT as a gateway/router/firewall for a home LAN. I am the only user (I hope!) with access to this system.
>
> I googled the "drop session" message and found e-mail correspondence indicating this message is a result of having too many telnet or ssh sessions open at the same time and could be an indication of a DOS attack.
>
> I have disabled telnet in inetd.conf. I am running ftp with anonymous log-in disabled and ssh with root login disabled. I am also running apache 1.3.
>
> Is this message something I should investigate further, or is it like the script kiddies who scan my ports every night - just something to live with?

Yes, but I don't think you are likely at risk of having someone break in on your system. Your server probably just handles the traffic nicely. You need to investigate further to find out what is causing this and what you can do about it.

P.S. I noticed you have very long lines in your mail and use mutt. Would you consider adding the following line to .muttrc (and installing vim) so that this is automatically wrapped at 72 chars?

set editor="vim +':set tw=72' +':set ww=<,>,h,l,[,]' %s"

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/