Re: Is log_in_vain really good or really bad?

• Previous message: Chuck Swiger: "Re: Is log_in_vain really good or really bad?"
• Maybe in reply to: z3l3zt_at_hackunite.net: "Is log_in_vain really good or really bad?"
• Next in thread: Dag-Erling Smørgrav: "Re: Is log_in_vain really good or really bad?"
• Reply: Dag-Erling Smørgrav: "Re: Is log_in_vain really good or really bad?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 17 Apr 2004 20:10:17 -0700 (PDT)
To: freebsd-security@freebsd.org

z3l3zt@hackunite.net wrote:
> Yesterday someone "attacked" by box by connection to several ports.. In
> other words, a simple portscan.. yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages, since the
> logfile got full and the size went over 100K, it tried to rotate the log
> to save diskspace.

This is hardware problem. Any ATA/SATA disk will suck up CPU with
every disk access. The solution is to switch to SCSI.

Proper partitioning would also allow you to rotate log files every
10 or 20MB instead of at 100K. For reasons exactly like this I
never partition a disk for anything other than swap. If filesystems
need to be separated they're put on separate (SCSI) disks.

Whether you need log_in_vain or not depend on what you do with the
logs. Are you compiling statistics? Running Snort or another IDE?
Separating facilities into different files (other than /var/log/messages)?
Reading them regularly and often? If you answered no to two or
more of these questions then there's probably little to lose by
disabling log_in_vain.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

• Previous message: Chuck Swiger: "Re: Is log_in_vain really good or really bad?"
• Maybe in reply to: z3l3zt_at_hackunite.net: "Is log_in_vain really good or really bad?"
• Next in thread: Dag-Erling Smørgrav: "Re: Is log_in_vain really good or really bad?"
• Reply: Dag-Erling Smørgrav: "Re: Is log_in_vain really good or really bad?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages SUMMARY 1: Partition a big disk under Solaris 9? ... unassigned 30 MB (future RAID purpose) ... /var should be separate since it has globally writable ... partitions which are written to have a higher ... Slice 7 is in the event you use DiskSuite (Disk ... (SunManagers) Re: [patch] Real-Time Preemption, -RT-2.6.10-rc1-mm3-V0.7.23 ... disk copy - fewer bursts, but worst case is similar to disk write. ... RT kernel I use has no lost packets. ... I did a separate run of a script Ingo suggested that samples ... (Linux-Kernel) Re: Disk layout for new install of IDS 10 on Linux (SLES 10) ... I'm about to install IDS 10 on a shiny new server running under SuSE Linux ... The total size of all the databases together is ... My question is about disk layout: Should I bother splitting up the available ... Of course I will separate root-dbspace from the rest, ... (comp.databases.informix) Re: Review of new design - Please ... having regarding the physical disk requirements. ... > The reason to separate them as a best practice is because of I/O types. ... > better perforamance and space with RAID 1+0 than you could with just RAID 1. ... > elsewhere (not on the log file drives though). ... (microsoft.public.exchange.design) Re: Which partitioning scheme gives best performance? ... there are going to be disk hits spread all across the disk as a ... but why is /tmp a separate filesystem and why not just ... partition doesn't kill everything you own... ... If you have 1 GB of RAM, ... (comp.os.linux.setup)