From owner-freebsd-security@FreeBSD.ORG Sat Apr 17 08:35:29 2004
From: Chuck Swiger
Organization: The Courts of Chaos
Date: Sat, 17 Apr 2004 11:37:12 -0400
To: z3l3zt@hackunite.net
cc: freebsd-security@freebsd.org
Subject: Re: Is log_in_vain really good or really bad?
Message-ID: <40814F28.30501@mac.com>
In-Reply-To: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net>

z3l3zt@hackunite.net wrote:
> Yesterday someone "attacked" my box by connecting to several ports.. In
> other words, a simple portscan.. yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages, [ ... ]
> Isn't this a quite simple way of making a DoS attack against a system?

Certainly turning on log_in_vain makes it easier to DoS a system, but it's possible to perform a DoS against anything if someone tries hard enough.

Basically, log_in_vain can be used to turn a system into a network sensor which tracks incoming connection requests. Normally, one has a firewall in place which blocks the majority of ports used by a port scan, and your sensor only detects the remainder -- i.e., what you let through, in addition to any local traffic.

Seeing your sensor get horribly busy like you did tends to indicate you're monitoring unfiltered Internet traffic (or your firewall is busted), in which case be prepared to possibly deal with hundreds of thousands of lines of logging per day. Or it indicates an internal machine has been virusized and is scanning the local subnet for other hosts to infect (or someone connecting a laptop to your network, etc).

I've been seeing about 500 connection attempts per day per monitored IP address. For what it's worth, you provoked my curiosity enough to see what the last week looks like in terms of a histogram by port #:

    % zcat /var/log/system.log.*.gz | grep 'TCP.* S' | awk -F: '{print $7}' \
        | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -30
    20654 1433
     4622 4444
     4458 445
     3451 135
     3189 139
     2455 80
      448 6129
      270 3127
      140 2745
      124 4000
       96 21
       87 4899
       80 1025
       79 1080
       65 5000
       58 3128
       41 20168
       41 1981
       34 25
       28 3410
       26 36442
       23 23
       17 22
       15 443
       13 32772
       13 113
        7 81
        7 8000
        6 8080
        5 901

-- 
-Chuck
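The per-port histogram Chuck builds with a shell pipeline, as an added example that is not part of the original thread, done in Python over constructed sample lines in the FreeBSD kernel's log_in_vain message format (assumed here: "Connection attempt to TCP dst:port from src:sport flags:0x02"). Besides the count-by-destination-port view, it lists sources that touched many distinct ports, the scan pattern that fills the log, as opposed to worm traffic hammering a single port.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real traffic); the message layout is the
# assumed FreeBSD log_in_vain format, with one unrelated line mixed in as noise.
SAMPLE_LOG = """\
Apr 16 03:12:01 gw kernel: Connection attempt to TCP 192.0.2.10:1433 from 198.51.100.7:3321 flags:0x02
Apr 16 03:12:01 gw kernel: Connection attempt to TCP 192.0.2.10:445 from 198.51.100.7:3322 flags:0x02
Apr 16 03:12:02 gw kernel: Connection attempt to TCP 192.0.2.10:135 from 198.51.100.7:3323 flags:0x02
Apr 16 03:12:02 gw kernel: Connection attempt to TCP 192.0.2.10:139 from 198.51.100.7:3324 flags:0x02
Apr 16 03:12:03 gw kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:3325 flags:0x02
Apr 16 04:40:10 gw kernel: Connection attempt to TCP 192.0.2.10:1433 from 203.0.113.9:1026 flags:0x02
Apr 16 04:41:55 gw kernel: Connection attempt to UDP 192.0.2.10:1434 from 203.0.113.9:1027
Apr 16 05:00:00 gw kernel: Connection attempt to TCP 192.0.2.10:1433 from 203.0.113.44:2048 flags:0x02
Apr 16 05:00:00 gw sshd[123]: unrelated noise line
"""

LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def parse_attempts(text):
    """Yield (proto, dst_port, src_ip) for each log_in_vain line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("proto"), int(m.group("dport")), m.group("src")

def port_histogram(text, proto="TCP", top=30):
    """Same result as sort | uniq -c | sort -nr | head: [(count, port)], descending."""
    counts = Counter(port for p, port, _ in parse_attempts(text) if p == proto)
    return [(n, port) for port, n in counts.most_common(top)]

def scanning_sources(text, min_ports=4):
    """Sources that probed at least min_ports distinct ports (horizontal scan signature)."""
    ports_by_src = defaultdict(set)
    for _, port, src in parse_attempts(text):
        ports_by_src[src].add(port)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    for n, port in port_histogram(SAMPLE_LOG):
        print(f"{n:7d} {port}")
    print("possible scanners:", scanning_sources(SAMPLE_LOG))
```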