Date:      Fri, 9 Jan 2004 14:49:56 +0000
From:      Jez Hancock <jez.hancock@munk.nu>
To:        Alexandre Krasnov <tech@tern.ru>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Problem with DNS (UDP) queries
Message-ID:  <20040109144956.GB87284@users.munk.nu>
In-Reply-To: <1775511953.20040109173220@tern.ru>
References:  <1775511953.20040109173220@tern.ru>

On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd@tern.ru wrote:
> Hi all
> 
> I am trying to get rid of strings:
>  kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
> on my console and in log file
> 
> I understand that those are replies to DNS queries that for some reason
> took too long to be answered.
> I do not want to turn off the "log in vain" feature.
> 
> As these strings fill up my log I am afraid to miss some sensitive
> messages (e.g. hacker's attack :)
> 
> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
> DNS queries and DNS replies.
> 
> The main application that generates queries is sendmail.
> 
> What can be done?
I believe those messages are generated if the following sysctl flag is
set:

net.inet.udp.log_in_vain

you can disable it by executing:

sysctl net.inet.udp.log_in_vain=0

on the command line.

Obviously, though, this will disable logging of all vain connection attempts using
the UDP protocol.  However, if you have ipfw set up to log such attempts,
you don't really need that sysctl flag set anyway.

See also the TCP equivalent flag:

net.inet.tcp.log_in_vain

Also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
setting.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - personal weblog
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
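Since the original poster wants to keep log_in_vain enabled but not drown in late DNS replies, a middle path is to triage the kernel log lines after the fact: count replies from the known resolver's port 53 separately and keep every other vain connection attempt visible. The script below is an added example, not code from either poster; the log lines and the resolver address 192.0.2.53 are constructed sample data in the format quoted above, and the function name triage_vain_log is an assumption.

```shell
#!/bin/sh
# Added example: triage FreeBSD log_in_vain kernel messages so that late
# DNS replies from a known resolver are only counted, while every other
# unsolicited UDP/TCP hit is listed for review.

# Constructed sample log lines (same shape as the message quoted in the thread).
SAMPLE_LOG='Jan  9 14:40:01 host kernel: Connection attempt to UDP 192.0.2.10:51234 from 192.0.2.53:53
Jan  9 14:40:03 host kernel: Connection attempt to UDP 192.0.2.10:51235 from 192.0.2.53:53
Jan  9 14:41:17 host kernel: Connection attempt to UDP 192.0.2.10:111 from 198.51.100.7:4444
Jan  9 14:42:09 host kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:50000'

# Usage: triage_vain_log RESOLVER_IP < logfile
# Prints "dns-reply <n>" and "other <n>", followed by each "other" line.
# A line counts as a late DNS reply only if it is UDP, comes from the
# resolver address given as $1, and has source port 53; everything else
# is kept, since that is the traffic log_in_vain exists to show.
triage_vain_log() {
    awk -v resolver="$1" '
        /kernel: Connection attempt to (UDP|TCP) / {
            proto = $(NF-3)          # UDP or TCP
            split($NF, src, ":")     # remote address and port
            if (proto == "UDP" && src[1] == resolver && src[2] == "53")
                dns++
            else
                kept[++other] = $0
        }
        END {
            printf "dns-reply %d\n", dns
            printf "other %d\n", other
            for (i = 1; i <= other; i++) print kept[i]
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_vain_log 192.0.2.53
```

On a live system the same function can read the syslog file that the kernel messages land in, with the resolver address taken from resolv.conf.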
