Is log_in_vain really good or really bad?
z3l3zt at hackunite.net
z3l3zt at hackunite.net
Sat Apr 17 07:27:23 PDT 2004
Heya..
Yesterday someone "attacked" by box by connection to several ports.. In
other words, a simple portscan.. yet, since my box has "log_in_vain"
enabled, so it tries to log everything to /var/log/messages, since the
logfile got full and the size went over 100K, it tried to rotate the log
to save diskspace.
(Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to
size>100K)
My server box is a Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from
time to time since I only run ATA66 due to the old motherboard. When this
"attack" occured yesterday, the box almost died and the box were working
100%.. all users who were logged in got "spammed" since the default
*.emerg in /etc/syslog.conf is set to "*" ..
Isn't this a quite simple way of making a DoS attack against a system? My
box is running on 10mbit and the person who scanned my server were
connecting from a cable connection.. Someone (even with lower bandwidth)
can simply portscan a box with "log_in_vain" enabled and the box will go
crazy trying to log/store it? Also, I'm not sure if it was a "general"
portscan since the "blackhole" mostly slow down those quite much.. but
since this had about 30-40 connections per second, it was a quite
aggressive scan.
I would be glad if anyone could tell me how to solve this and/or how to
make sure it doesn't happen again.
Regards,
Jesper 'Z3l3zT' Wallin
More information about the freebsd-security
mailing list