From: Martin Kammerhofer
Date: Thu, 27 May 1999 10:00:38 +0200 (CEST)
To: security@FreeBSD.ORG
Subject: Re: TCP connect data logger
In-Reply-To: <63985.927789886@axl.noc.iafrica.com>

On Thu, 27 May 1999, Sheldon Hearn wrote:

> On Wed, 26 May 1999 14:05:14 +0200, Martin Kammerhofer wrote:
>
> > Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting.
> > Enabling them can generate huge amounts of LOG_INFO messages during
> > port scans.
>
> That's why they're only really useful if syslog writing their output
> away from sensitive filesystems like /var.
>
> There's a lot of material in the archives of this list regarding
> suitable alternatives (printers, remote syslogd's, dedicated filesystems
> etc.) so there's no need for us to rehash that now. :-)
>

You are suggesting the choice of redirecting the disk filling service?
This sounds to me like exporting toxic waste to preserve the environment.
There is a need for rate limiting and it should be implemented. It can
be done in a few LOC.

Regards,
Martin
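
The kind of per-second limit the message above asks for, as an added example that is not part of the original thread and is not FreeBSD kernel code. It is userspace C; the struct, the function names, the limit of 5 messages per second and the log strings are all assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical limiter state: at most max_per_sec messages per one-second window. */
struct log_ratelimit {
    time_t   window;                      /* second the current window belongs to */
    unsigned max_per_sec, count, dropped; /* limit, emitted and suppressed in window */
};

/* Returns 1 if a message may be logged at `now`, 0 if it must be suppressed.
 * When a new window opens, *report gets the previous window's suppressed count. */
int log_ratecheck(struct log_ratelimit *rl, time_t now, unsigned *report)
{
    *report = 0;
    if (now != rl->window) {
        *report = rl->dropped;
        rl->window = now;
        rl->count = rl->dropped = 0;
    }
    if (rl->count < rl->max_per_sec) {
        rl->count++;
        return 1;
    }
    rl->dropped++;
    return 0;
}

/* Constructed input: `probes` refused connections in second `now`; returns lines written. */
unsigned log_scan(struct log_ratelimit *rl, time_t now, unsigned probes, FILE *out)
{
    unsigned lines = 0, report;
    for (unsigned port = 1; port <= probes; port++) {
        int ok = log_ratecheck(rl, now, &report);
        if (report)  /* one summary line stands in for everything suppressed */
            lines += fprintf(out, "suppressed %u connection attempt messages\n", report) > 0;
        if (ok)
            lines += fprintf(out, "Connection attempt to TCP port %u\n", port) > 0;
    }
    return lines;
}

int main(void)
{
    struct log_ratelimit rl = { 0, 5, 0, 0 };          /* limit: 5 messages/second */
    unsigned n = log_scan(&rl, 1000, 1000, stdout);    /* scan burst within one second */
    n += log_scan(&rl, 1001, 1, stdout);               /* one probe a second later */
    printf("%u log lines for 1001 probes\n", n);
    return 0;
}
```

The suppressed count is only written when the next message arrives, so a scan that ends abruptly leaves its last summary pending until later traffic triggers it.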