Is log_in_vain really good or really bad?

z3l3zt_at_hackunite.net
Date: 04/17/04

  • Next message: D J Hawkey Jr: "Re: Is log_in_vain really good or really bad?"
    Date: Sat, 17 Apr 2004 16:28:35 +0200 (CEST)
    To: freebsd-security@freebsd.org
    
    

    Heya..

    Yesterday someone "attacked" my box by connecting to several ports.. In
    other words, a simple portscan.. yet, since my box has "log_in_vain"
    enabled, it tries to log everything to /var/log/messages, and since the
    logfile got full and the size went over 100K, it tried to rotate the log
    to save diskspace.

    (Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to
    size>100K)

    My server box is an Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from
    time to time since I only run ATA66 due to the old motherboard. When this
    "attack" occurred yesterday, the box almost died and the box was working
    100%.. all users who were logged in got "spammed" since the default
    *.emerg in /etc/syslog.conf is set to "*" ..

    Isn't this a quite simple way of making a DoS attack against a system? My
    box is running on 10mbit and the person who scanned my server was
    connecting from a cable connection.. Someone (even with lower bandwidth)
    can simply portscan a box with "log_in_vain" enabled and the box will go
    crazy trying to log/store it? Also, I'm not sure if it was a "general"
    portscan since the "blackhole" mostly slows those down quite a lot.. but
    since this had about 30-40 connections per second, it was a quite
    aggressive scan.

    I would be glad if anyone could tell me how to solve this and/or how to
    make sure it doesn't happen again.

    Regards,
    Jesper 'Z3l3zT' Wallin
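
Added example (not part of the original post): a Python sketch that measures what the message describes, the per-source rate of log_in_vain entries and how long that rate takes to write 100K of log. The log lines and addresses are constructed, the `/kernel:` line format is an assumption about this FreeBSD version, and the default threshold of 30 entries per second is taken from the "30-40 connections per second" figure above.

```python
import re
from collections import Counter, defaultdict

# Assumed syslog form of the kernel's log_in_vain message; UDP lines carry no flags field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /?kernel: "
    r"Connection attempt to (?:TCP|UDP) [\d.]+:(?P<dport>\d+) from (?P<src>[\d.]+):\d+"
)

def constructed_sample():
    """Constructed log: 192.0.2.10 probes 35 ports/s for 2 s; 203.0.113.7 retries one port."""
    lines = []
    for sec in (58, 59):
        for i in range(35):
            port = (sec - 58) * 35 + i + 1
            lines.append(f"Apr 16 20:59:{sec} omikron /kernel: Connection attempt to "
                         f"TCP 198.51.100.5:{port} from 192.0.2.10:{40000 + port} flags:0x02")
        lines.append(f"Apr 16 20:59:{sec} omikron /kernel: Connection attempt to "
                     "UDP 198.51.100.5:137 from 203.0.113.7:137")
    lines.append("Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to size>100K")
    return lines

def summarize(lines, rate_threshold=30, rotate_bytes=100 * 1024):
    """Per source address: peak entries/second, distinct ports, time to outgrow the log."""
    per_sec, ports, nbytes = defaultdict(Counter), defaultdict(set), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log_in_vain entry
        src = m["src"]
        per_sec[src][m["ts"]] += 1
        ports[src].add(int(m["dport"]))
        nbytes[src] += len(line) + 1  # +1 for the newline
    report = {}
    for src, counts in per_sec.items():
        peak = max(counts.values())
        avg_line = nbytes[src] / sum(counts.values())
        report[src] = {
            "peak_per_sec": peak,
            "distinct_ports": len(ports[src]),
            # seconds at the peak rate until this source alone writes rotate_bytes
            "secs_to_rotate": round(rotate_bytes / (avg_line * peak), 1),
            "flagged": peak >= rate_threshold,
        }
    return report

if __name__ == "__main__":
    for src, row in summarize(constructed_sample()).items():
        print(src, row)
```
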