Re: Is log_in_vain really good or really bad?

From: D J Hawkey Jr (hawkeyd_at_visi.com)
Date: 04/17/04

    Date: Sat, 17 Apr 2004 10:28:30 -0500
    To: z3l3zt@hackunite.net
    
    

    On Apr 17, at 04:28 PM, z3l3zt@hackunite.net wrote:
    >
    > Heya..
    >
    > Yesterday someone "attacked" my box by connecting to several ports.. In
    > other words, a simple portscan.. yet, since my box has "log_in_vain"
    > enabled, so it tries to log everything to /var/log/messages, since the
    > logfile got full and the size went over 100K, it tried to rotate the log
    > to save diskspace.
    >
    > (Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to
    > size>100K)
    >
    > My server box is an Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from
    > time to time since I only run ATA66 due to the old motherboard. When this
    > "attack" occurred yesterday, the box almost died and the box was working
    > 100%.. all users who were logged in got "spammed" since the default
    > *.emerg in /etc/syslog.conf is set to "*" ..

    If you're running a relatively slow bus, chances are you could (maybe
    even "have"?) experienced this already by a completely different set
    of circumstances, but didn't put it together?

    > Isn't this a quite simple way of making a DoS attack against a system? My
    > box is running on 10mbit and the person who scanned my server was
    > connecting from a cable connection...
    > [SNIP]

    Assuming the attacker knew you had a slower bus, were running FreeBSD,
    had log_in_vain turned on, and ... ?

    > I would be glad if anyone could tell me how to solve this and/or how to
    > make sure it doesn't happen again.

    Seems to me you're hampered by your hardware, and this episode is/was
    just the latest symptom.

    Moving /var to another physical drive on a different channel will help.
    So would tuning /etc/syslog.conf. Of course, so would turning off the
    log_in_vain knob (though I like it on, too). A new ATA adapter isn't all
    that expensive anymore, and would boost performance overall.

    HTH,
    Dave

    -- 
      ______________________                         ______________________
      \__________________   \    D. J. HAWKEY JR.   /   __________________/
         \________________/\     hawkeyd@visi.com    /\________________/
                          http://www.visi.com/~hawkeyd/
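
Added example, not part of the original message or thread: a Python script that attributes log_in_vain volume to each source address and compares it with the 100K newsyslog threshold quoted in the post, which is the figure to look at before tuning /etc/syslog.conf or turning the knob off. The kernel message format, the addresses and every sample line except the newsyslog entry are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message format assumed from the FreeBSD kernel's log_in_vain output;
# the thread itself does not quote one of these lines.
ATTEMPT = re.compile(
    r"Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)")
ROTATE_BYTES = 100 * 1024  # newsyslog threshold quoted in the post (size>100K)


def summarize(lines, min_ports=10):
    """Per-source totals for sources that hit >= min_ports distinct ports."""
    stats = defaultdict(lambda: {"attempts": 0, "ports": set(), "bytes": 0})
    for line in lines:
        m = ATTEMPT.search(line)
        if not m:
            continue  # not a log_in_vain entry
        _proto, _dst, dport, src, _sport = m.groups()
        s = stats[src]
        s["attempts"] += 1
        s["ports"].add(int(dport))
        s["bytes"] += len(line.encode()) + 1  # +1 for the newline on disk
    report = {}
    for src, s in stats.items():
        if len(s["ports"]) >= min_ports:
            report[src] = {
                "attempts": s["attempts"],
                "ports": len(s["ports"]),
                "bytes": s["bytes"],
                # log volume relative to the size that triggers a rotation
                "threshold_ratio": s["bytes"] / ROTATE_BYTES,
            }
    return report


def constructed_sample():
    """Constructed data: one source sweeping ports 1-1500, one stray probe."""
    fmt = ("Apr 16 20:59:58 omikron kernel: Connection attempt to TCP "
           "192.0.2.10:{} from {}:{} flags:0x02")
    scan = [fmt.format(p, "198.51.100.7", 40000 + p) for p in range(1, 1501)]
    return scan + [
        fmt.format(23, "203.0.113.9", 51515),
        "Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to size>100K",
    ]


if __name__ == "__main__":
    for src, r in summarize(constructed_sample()).items():
        print(f"{src}: {r['attempts']} attempts, {r['ports']} ports, "
              f"{r['bytes']} bytes, {r['threshold_ratio']:.2f}x the 100K limit")
```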
    
