Date:      Mon, 19 Apr 2004 07:54:57 +0200 (CEST)
From:      "Jesper Wallin" <z3l3zt@hackunite.net>
To:        "Crist J. Clark" <cjc@freebsd.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Is log_in_vain really good or really bad?
Message-ID:  <2220.213.112.193.91.1082354097.squirrel@mail.hackunite.net>
In-Reply-To: <20040419021239.GA67288@blossom.cjclark.org>
References:  <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net> <20040419021239.GA67288@blossom.cjclark.org>

> On Sat, Apr 17, 2004 at 04:28:35PM +0200, z3l3zt@hackunite.net wrote:
> [snip]
>
>> My server box is an Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from
>> time to time since I only run ATA66 due to the old motherboard. When this
>> "attack" occurred yesterday, the box almost died and the box was working
>> 100%.. all users who were logged in got "spammed" since the default
>> *.emerg in /etc/syslog.conf is set to "*" ..
>
> Not sure what that has to do with anything. The log_in_vain messages get
> logged at "info" level. What messages were your users seeing?
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
>

Heya..

The logs I got were "normal" log_in_vain logs.. the reason I detected this (or, I was
asleep and my girlfriend detected it) was because the syslogd daemon sent messages
to everyone logged in. Sure, you can DoS most things if you really want to, but a simple
"connection flood" which is on even lower bandwidths shouldn't make the box die.. and
no, SCSI might be faster, but if I can download/upload to the machine at 9000kb/s, then
it should be fast enough to store the logs even if it's ATA66.. I also detected that if
I nmap my own ip with log_in_vain enabled, I get the same errors.. the box doesn't die
really but syslogd will start to spit its output to all the users.

<snip>
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:32672 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:39323 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:33426 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:32432 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:39834 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:37231 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:33524 from 213.151.136.3:54568
</snip>


Regards,
Jesper Wallin
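The message above shows the practical problem with log_in_vain: one remote host probing many ports produces one kernel log line per attempt, and a burst of them swamps syslogd (and, with the default *.emerg routing, every logged-in user's terminal). The following is an added example, not code from this thread or from FreeBSD, of how a defender can digest that log stream instead of reading it raw: it parses the "Connection attempt to ... from ..." lines in the format quoted above, groups them per source address, and flags a source whose attempts within a short time window exceed a threshold, which is the signature of the scan or flood Jesper describes. The sample log lines are constructed (TEST-NET addresses), the threshold and window are assumed tuning values, and the year prepended to the syslog timestamp is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of a FreeBSD log_in_vain kernel message as quoted in this thread:
# "<Mon DD HH:MM:SS> <host> kernel: Connection attempt to <TCP|UDP> <dst>:<dport> from <src>:<sport>"
LOG_IN_VAIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

# Assumed year: syslog timestamps have none, and we only need events to be orderable.
ASSUMED_YEAR = 2004

# Constructed sample log (not from the original message): seven probes from one
# source in a single second, two slow attempts from another, and one unrelated line.
SAMPLE_LOG = """\
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 192.0.2.67:32672 from 198.51.100.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 192.0.2.67:39323 from 198.51.100.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 192.0.2.67:33426 from 198.51.100.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 192.0.2.67:32432 from 198.51.100.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 192.0.2.67:39834 from 198.51.100.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 192.0.2.67:37231 from 198.51.100.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 192.0.2.67:33524 from 198.51.100.3:54568
Apr 16 19:38:09 omikron kernel: Connection attempt to TCP 192.0.2.67:22 from 203.0.113.9:41002
Apr 16 19:39:30 omikron kernel: Connection attempt to TCP 192.0.2.67:80 from 203.0.113.9:41010
Apr 16 19:39:31 omikron sshd[812]: Accepted publickey for alice from 203.0.113.9 port 41011
"""


def parse_line(line):
    """Return a dict for a log_in_vain line, or None for any other syslog line."""
    m = LOG_IN_VAIN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # "%b %d" tolerates the double space syslog uses for single-digit days.
    d["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {d['ts']}", "%Y %b %d %H:%M:%S")
    d["dport"] = int(d["dport"])
    d["sport"] = int(d["sport"])
    return d


def find_floods(log_text, threshold=5, window_seconds=10):
    """Summarise attempts per source and flag sources whose peak rate in any
    window of `window_seconds` reaches `threshold` attempts (assumed defaults)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    report = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        # Sliding window over the time-ordered events of this source.
        for end, ev in enumerate(events):
            while (ev["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        report[src] = {
            "attempts": len(events),
            "distinct_dports": len({(e["proto"], e["dport"]) for e in events}),
            "peak_in_window": peak,
            "flood": peak >= threshold,
        }
    return report


if __name__ == "__main__":
    for src, info in find_floods(SAMPLE_LOG).items():
        flag = "FLOOD" if info["flood"] else "ok"
        print(f"{src:15} attempts={info['attempts']:3} ports={info['distinct_dports']:3} "
              f"peak/10s={info['peak_in_window']:3} {flag}")
```

Run against a real /var/log/messages the summariser produces one line per remote host rather than one per probe, which is the level at which a flood is actually actionable (a firewall rule or a note to the upstream), and it leaves the raw lines in the file for later forensics. It does not address the wall-to-all-users symptom itself; that is a syslog.conf routing question, and the point of the thread is that the kernel's info-level log_in_vain lines should not reach that path at all.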