From: "James A. Coulter"
Date: Sat, 14 Aug 2004 21:03:09 -0500
To: Alex de Kruijff
Cc: freebsd-questions@freebsd.org
Subject: Re: Security log question
Message-ID: <20040815020309.GA1579@sara.mshome.net>
In-Reply-To: <20040814143958.GC884@alex.lan>
References: <20040812004647.GA13990@sara.mshome.net> <20040814143958.GC884@alex.lan>

On Sat, Aug 14, 2004 at 04:39:58PM +0200, Alex de Kruijff wrote:
> On Wed, Aug 11, 2004 at 07:46:47PM -0500, James A. Coulter wrote:
> > This message has been showing up in /var/log/security:
> >
> > Aug 6 01:56:44 sara /kernel: drop session, too many entries
> > Aug 6 16:40:05 sara /kernel: drop session, too many entries
> > Aug 7 13:25:23 sara /kernel: drop session, too many entries
> > Aug 7 15:32:00 sara /kernel: drop session, too many entries
> > Aug 7 15:32:03 sara last message repeated 3 times
> > Aug 8 22:30:53 sara /kernel: drop session, too many entries
> > Aug 10 19:47:31 sara /kernel: drop session, too many entries
> > Aug 11 11:11:46 sara /kernel: drop session, too many entries
> > Aug 11 13:08:15 sara /kernel: drop session, too many entries
> > Aug 11 13:10:26 sara last message repeated 12 times
> > Aug 11 13:20:34 sara last message repeated 55 times
> > Aug 11 13:30:00 sara last message repeated 66 times
> > Aug 11 16:49:26 sara /kernel: drop session, too many entries
> > Aug 11 16:49:58 sara last message repeated 5 times
> > Aug 11 16:52:04 sara last message repeated 20 times
> > Aug 11 17:02:01 sara last message repeated 93 times
> > Aug 11 17:18:01 sara /kernel: drop session, too many entries
> > Aug 11 17:23:03 sara /kernel: drop session, too many entries
> >
> > I'm running FreeBSD 4.10 with IPFW and NAT as a gateway/router/firewall
> > for a home LAN. I am the only user (I hope!) with access to this system.
> >
> > I googled the "drop session" message and found e-mail correspondence
> > indicating this message is a result of having too many telnet or ssh
> > sessions open at the same time and could be an indication of a DOS attack.
> >
> > I have disabled telnet in inetd.conf. I am running ftp with anonymous
> > log-in disabled and ssh with root login disabled. I am also running
> > apache 1.3.
> >
> > Is this message something I should investigate further, or is it like
> > the script kiddies who scan my ports every night - just something to
> > live with?
>
> Yes, but I don't think you are likely at risk to have someone breaking in
> on your system. Your server probably just handles the traffic nicely.
> You need to investigate further to find out what is causing this and
> what you can do about it.
>
> P.S. I noticed you have very long lines in your mail and use mutt.
> Would you consider adding the following line to .muttrc (and install
> vim) so that this is automatically wrapped at 72 char?
>
> set editor="vim +':set tw=72' +':set ww=<,>,h,l,[,]' %s"
>
> --
> Alex

Alex - thanks for the response and for the .muttrc tip. I added it and
hopefully my mail will now wrap at 72 characters.

Jim
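
Added example (not part of the original thread, and not code from either poster): as a starting point for the "investigate further" advice, this script counts the real number of "drop session, too many entries" events per hour, expanding syslogd's "last message repeated N times" lines. The function and variable names are this example's own, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# First ten lines: copied from the log excerpt quoted in the thread.
# Last two: constructed, to show repeats of other messages are ignored.
SAMPLE = """\
Aug 11 13:08:15 sara /kernel: drop session, too many entries
Aug 11 13:10:26 sara last message repeated 12 times
Aug 11 13:20:34 sara last message repeated 55 times
Aug 11 13:30:00 sara last message repeated 66 times
Aug 11 16:49:26 sara /kernel: drop session, too many entries
Aug 11 16:49:58 sara last message repeated 5 times
Aug 11 16:52:04 sara last message repeated 20 times
Aug 11 17:02:01 sara last message repeated 93 times
Aug 11 17:18:01 sara /kernel: drop session, too many entries
Aug 11 17:23:03 sara /kernel: drop session, too many entries
Aug 11 18:00:00 sara /kernel: example unrelated message
Aug 11 18:00:05 sara last message repeated 4 times
"""

LINE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d{2}):\d{2}:\d{2}\s+(\S+)\s+(.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
NEEDLE = "drop session, too many entries"

def drops_per_hour(text, needle=NEEDLE):
    """Count needle occurrences per (month, day, hour), expanding repeats."""
    counts = Counter()
    prev_matched = {}  # host -> did its last real message contain needle?
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        mon, day, hour, host, msg = m.groups()
        bucket = (mon, int(day), int(hour))
        rep = REPEAT.match(msg)
        if rep:
            # syslogd compresses identical consecutive messages; each repeat
            # line reports occurrences since the previous flush, so they add.
            if prev_matched.get(host):
                counts[bucket] += int(rep.group(1))
            continue
        prev_matched[host] = needle in msg
        if prev_matched[host]:
            counts[bucket] += 1
    return counts

if __name__ == "__main__":
    for (mon, day, hour), n in sorted(drops_per_hour(SAMPLE).items()):
        print(f"{mon} {day:2d} {hour:02d}:00  {n}")
```

A repeat line is counted in the hour syslogd wrote it, so the 93 repeats flushed at 17:02:01 land in the 17:00 bucket even though some occurred before 17:00.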