Re: grsec: attempted resource overstep - what's this?
From: Mario (mario_at_fga-software.com)
Date: Tue, 26 Aug 2003 19:40:51 +0200
> In article <ZYF2b.firstname.lastname@example.org>, Mario wrote:
>>As far as I understand and as I could find on Linux newsgroups, this
>>message is produced by grsec (kind of a process which checks for
>>security and which is hourly activated by crond). I couldn't find any
> GRSecurity is a set of kernel patches. IMHO those who do not understand
> what it does should not deploy it. It will not enhance your system
> security unless properly understood and configured, and even then, the
> benefits are questionable.
> Does Mandrake ship this in their precompiled kernels? I don't see the
> logic in that, unless it's a cynical ploy to give users a false sense of
> security. I'd like to think they would be more honest than that.
>>I'm afraid that someone is using my server for spam (since I find
>>"procmail" in the message). Should I worry about this message?
> Some friendly advice: never assume that log messages you don't
> understand are indicative of a security problem. Instead, assume that
> it's just something innocent about which you have not yet learned. Look
> it up, and you'll see that it was innocent, and you will keep your blood
> pressure down. :)
> procmail is a mail filter, usually deployed in GNU/Linux as the default
> mail local delivery agent (LDA). It's invoked whenever a local user
> receives an email. Your system cron daemon may be sending cron job
> output to root at regular intervals.
Thanks for your help. I've been comforted reading that I should not
panic (at least for now) about a security problem.
I installed Mandrake right from the box (I purchased the server version)
and I'm quite happy with the product. I raised the security level to
"Higher", using their console wizards, which is the one that the wizard
suggests for servers connected to the internet. However, as far as I
could understand, the Mandrake security level has nothing to do with
grsecurity. Instead, it has to do with the Mandrake "msec" program/utility.
After receiving and reading the reply from Daniel I went to the
grsecurity project and tried to understand what it is for. As far as I
could understand, it is built into the OS kernel, thus I suppose that
Mandrake delivers grsecurity with its distribution.
My server is connected to the internet and running Postfix. The Postfix
server is/was there (and up) mainly due to my laziness: I decided that
some day I'd take a look and I'd learn how to handle mail locally. All
of our computers are (ugh!) Windows. Linux is used mainly as server (we
run samba for file sharing). Today, early in the morning (in Italy it is
now ... well, time for dinner) I turned off the Postfix service and,
surprisingly, grsec stopped complaining. No more messages from grsec!
Thus, I can only suspect that the problem was with Postfix. Since we do
not use Linux at all for sending or receiving mail (we use an external
provider for that, I don't trust myself that much), I'm suspecting that
someone else, on the outside, was using it. Also, since grsec says:
"attempted resource overstep by requesting 51200000 for RLIMIT_FSIZE
against limit 51200000"
I'm supposing (maybe incorrectly) that there has been a disk space
request for about 48MB by procmail and this is quite exaggerated for a
server which doesn't receive mail and almost doesn't send mail.
Well, all of these are simply my Linux newbie assumptions. I tried to
find some "conf" file for grsecurity under /etc, but I couldn't find
any. Now I need to understand:
1. Where are the files used to configure grsecurity (I tried to run
gradm but even as root I couldn't find any "gradm" command)
2. Whether someone outside was effectively abusing our Postfix
service and, if not, reactivate Postfix.
If you have any idea I'll really appreciate it. Anyway I'm really
appreciating your help (I'm getting really surprised at how much help a
newbie can find in Linux newsgroups).
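What the quoted log line records is the kernel's ordinary per-process file size limit (RLIMIT_FSIZE) refusing a write; grsecurity's resource-logging option reports such refusals, which a stock kernel makes silently (the writer gets SIGXFSZ and EFBIG). The program below is an added example, not code from this thread or from the grsecurity project: it parses the exact message quoted in the post, converts the byte value to the 1024-byte blocks that bash's `ulimit -f` displays (51200000 bytes is `ulimit -f 50000`), and then reproduces the refusal under a small constructed limit of 4096 bytes so the effect can be seen without filling a disk. The temp-file path and the 4096/8192 sizes are constructed values for the demonstration.

```c
/* Added example: RLIMIT_FSIZE enforcement and a parser for the grsec
 * "attempted resource overstep" line. Standard POSIX only; the log line is
 * the one quoted in the post, the 4096-byte limit is a constructed value. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* The three fields carried by one overstep message. */
struct overstep {
    unsigned long requested;
    char resource[32];
    unsigned long limit;
};

/* Find the overstep phrase anywhere in a log line and extract its fields.
 * Returns 1 on success, 0 when the line is not an overstep message. */
int parse_overstep(const char *line, struct overstep *out)
{
    const char *p = strstr(line, "attempted resource overstep");
    if (!p)
        return 0;
    return sscanf(p, "attempted resource overstep by requesting %lu for %31s "
                     "against limit %lu",
                  &out->requested, out->resource, &out->limit) == 3;
}

/* RLIMIT_FSIZE is in bytes; bash's `ulimit -f` shows 1024-byte blocks. */
unsigned long fsize_to_ulimit_blocks(unsigned long bytes) { return bytes / 1024; }

/* Outcome of trying to grow a file past a given RLIMIT_FSIZE soft limit. */
struct fsize_probe {
    long bytes_written;   /* bytes the kernel accepted before refusing */
    int  err;             /* errno of the refused write, 0 if never refused */
};

/* Lower the soft RLIMIT_FSIZE to `limit` bytes, write `attempt` bytes to a
 * throwaway temp file in 1 KiB chunks, and record where the kernel stops us.
 * The previous limit is restored before returning. */
struct fsize_probe probe_fsize(rlim_t limit, size_t attempt)
{
    struct fsize_probe res = { 0, 0 };
    struct rlimit old, tmp;
    char path[] = "/tmp/fsize-probe-XXXXXX";   /* constructed scratch path */
    char chunk[1024];
    int fd;

    /* A write past the limit raises SIGXFSZ, whose default action kills the
     * process; ignore it so the write simply fails with EFBIG instead. */
    signal(SIGXFSZ, SIG_IGN);

    if (getrlimit(RLIMIT_FSIZE, &old) != 0) { res.err = errno; return res; }
    tmp = old;
    tmp.rlim_cur = limit;   /* soft limit only; can be raised back up to the hard limit */
    if (setrlimit(RLIMIT_FSIZE, &tmp) != 0) { res.err = errno; return res; }

    fd = mkstemp(path);
    if (fd < 0) { res.err = errno; setrlimit(RLIMIT_FSIZE, &old); return res; }
    unlink(path);   /* the file disappears as soon as the descriptor is closed */

    memset(chunk, 'x', sizeof chunk);
    while ((size_t)res.bytes_written < attempt) {
        size_t want = attempt - (size_t)res.bytes_written;
        if (want > sizeof chunk)
            want = sizeof chunk;
        ssize_t n = write(fd, chunk, want);
        if (n < 0) { res.err = errno; break; }   /* EFBIG: the refused request */
        res.bytes_written += n;   /* a short write means the limit was trimmed */
    }

    close(fd);
    setrlimit(RLIMIT_FSIZE, &old);
    signal(SIGXFSZ, SIG_DFL);
    return res;
}

int main(void)
{
    /* The message quoted in the post, verbatim. */
    const char *line = "attempted resource overstep by requesting 51200000 "
                       "for RLIMIT_FSIZE against limit 51200000";
    struct overstep o;
    if (parse_overstep(line, &o))
        printf("%s: requested %lu, limit %lu bytes (ulimit -f %lu)%s\n",
               o.resource, o.requested, o.limit, fsize_to_ulimit_blocks(o.limit),
               o.requested >= o.limit ? ", request not below the limit" : "");

    struct fsize_probe r = probe_fsize(4096, 8192);
    printf("soft limit 4096: wrote %ld bytes, then write failed: %s\n",
           r.bytes_written, r.err ? strerror(r.err) : "no error");
    return 0;
}
```

Run as an unprivileged user: the probe shows the kernel accepting exactly 4096 bytes and refusing the next write with "File too large". The quoted message, with requested equal to limit, is consistent with the same pattern: a file procmail was writing had already reached 51200000 bytes and the next write was refused. Checking `ulimit -f` in the environment cron runs procmail under, and looking for a mailbox or log file of that size, is the defender's next step; the message itself records a refusal, not a successful write.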