From owner-freebsd-security@FreeBSD.ORG Sat Apr 17 08:28:32 2004
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04BEA16A4CE; Sat, 17 Apr 2004 08:28:32 -0700 (PDT)
Received: from corb.mc.mpls.visi.com (corb.mc.mpls.visi.com [208.42.156.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id B133443D2F; Sat, 17 Apr 2004 08:28:31 -0700 (PDT) (envelope-from hawkeyd@visi.com)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by corb.mc.mpls.visi.com (Postfix) with ESMTP id EDFB7863C; Sat, 17 Apr 2004 10:28:30 -0500 (CDT)
Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id i3HFSUo58980; Sat, 17 Apr 2004 10:28:30 -0500 (CDT) (envelope-from hawkeyd)
X-Spam-Policy: http://www.visi.com/~hawkeyd/index.html#mail
Date: Sat, 17 Apr 2004 10:28:30 -0500
From: D J Hawkey Jr
To: z3l3zt@hackunite.net
Message-ID: <20040417152830.GA58923@sheol.localdomain>
References: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net>
User-Agent: Mutt/1.4.1i
cc: freebsd-security@freebsd.org
Subject: Re: Is log_in_vain really good or really bad?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: hawkeyd@visi.com
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 17 Apr 2004 15:28:32 -0000

On Apr 17, at 04:28 PM, z3l3zt@hackunite.net wrote:
>
> Heya..
>
> Yesterday someone "attacked" my box by connecting to several ports.. In
> other words, a simple portscan.. yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages, since the
> logfile got full and the size went over 100K, it tried to rotate the log
> to save diskspace.
>
> (Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to
> size>100K)
>
> My server box is an Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from
> time to time since I only run ATA66 due to the old motherboard. When this
> "attack" occurred yesterday, the box almost died and the box was working
> 100%.. all users who were logged in got "spammed" since the default
> *.emerg in /etc/syslog.conf is set to "*" ..

If you're running a relatively slow bus, chances are you could (maybe even
"have"?) experienced this already by a completely different set of
circumstances, but didn't put it together?

> Isn't this a quite simple way of making a DoS attack against a system? My
> box is running on 10mbit and the person who scanned my server was
> connecting from a cable connection...
> [SNIP]

Assuming the attacker knew you had a slower bus, were running FreeBSD, had
log_in_vain turned on, and ... ?

> I would be glad if anyone could tell me how to solve this and/or how to
> make sure it doesn't happen again.

Seems to me you're hampered by your hardware, and this episode is/was just
the latest symptom. Moving /var to another physical drive on a different
channel will help. So would tuning /etc/syslog.conf. Of course, so would
turning off the log_in_vain knob (though I like it on, too). A new ATA
adapter isn't all that expensive anymore, and would boost performance
overall.

HTH,
Dave

--
  ______________________                         ______________________
  \__________________   \  D. J. HAWKEY JR.     /   __________________/
     \________________/\     hawkeyd@visi.com  /\________________/
                         http://www.visi.com/~hawkeyd/
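The thread's underlying problem is volume: one port scan produces one kernel log line per probed port, and on a slow disk that flood, plus the newsyslog rotation it triggers, is itself the denial of service. A defender who wants to keep log_in_vain on can collapse those lines into one summary per source address instead of reading them raw. The script below is an added example, not code from this thread or from FreeBSD; it assumes the kernel messages look like "Connection attempt to TCP <dst>:<port> from <src>:<port>", and the sample lines embedded in it are constructed to match that format, not captured from any real host.

```python
"""Summarize FreeBSD log_in_vain messages per source address.

Added example (not from the mailing-list thread). Assumes the kernel
message format "Connection attempt to {TCP,UDP} dst:port from src:port";
the SAMPLE_LOG lines below are constructed to match that assumption.
"""
import re
from collections import defaultdict

# Constructed sample lines in the style of /var/log/messages: one scanner
# touching four ports, a newsyslog rotation, and one unrelated attempt.
SAMPLE_LOG = """\
Apr 16 20:59:58 omikron /kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:33012 flags:0x02
Apr 16 20:59:58 omikron /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:33013 flags:0x02
Apr 16 20:59:58 omikron /kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:33014 flags:0x02
Apr 16 20:59:59 omikron /kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:33015
Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to size>100K
Apr 16 21:00:03 omikron /kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.5:51000 flags:0x02
"""

# Matches only log_in_vain kernel lines; anything else (newsyslog, sshd, ...)
# is ignored by parse_line().
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)


def parse_line(line):
    """Return a dict for a log_in_vain line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dport": int(m.group("dport")),
    }


def summarize_attempts(lines):
    """Collapse per-port log lines into one record per source address.

    Each record carries the attempt count, the distinct (proto, port) pairs
    probed, and the first and last timestamps seen for that source.
    """
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_src[rec["src"]]
        entry["count"] += 1
        entry["ports"].add((rec["proto"], rec["dport"]))
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    # Freeze the port sets into sorted lists so callers get stable output.
    return {
        src: {**e, "ports": sorted(e["ports"])} for src, e in per_src.items()
    }


def flag_scanners(summary, min_ports=3):
    """Sources that probed at least min_ports distinct ports, busiest first."""
    hits = [src for src, e in summary.items() if len(e["ports"]) >= min_ports]
    return sorted(hits, key=lambda s: -summary[s]["count"])


def format_report(summary):
    """One human-readable line per source instead of one per probed port."""
    out = []
    for src in sorted(summary, key=lambda s: -summary[s]["count"]):
        e = summary[src]
        ports = ", ".join(f"{p}/{n}" for p, n in e["ports"])
        out.append(f"{src}: {e['count']} attempts, {len(e['ports'])} ports "
                   f"({ports}) between {e['first']} and {e['last']}")
    return out


if __name__ == "__main__":
    s = summarize_attempts(SAMPLE_LOG.splitlines())
    for line in format_report(s):
        print(line)
    print("likely scanners:", flag_scanners(s))
```

Run against a real /var/log/messages by replacing SAMPLE_LOG with the file's contents; the regex will simply skip lines that do not come from log_in_vain. Turning the knob off entirely is done with the net.inet.tcp.log_in_vain and net.inet.udp.log_in_vain sysctls (or the log_in_vain setting in /etc/rc.conf), which is the trade-off Dave mentions above: you lose the per-port visibility this summary is built from.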