Is log_in_vain really good or really bad?
Chuck Swiger
cswiger at mac.com
Sat Apr 17 08:35:29 PDT 2004
z3l3zt at hackunite.net wrote:
> Yesterday someone "attacked" my box by connecting to several ports.. In
> other words, a simple portscan.. yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages, [ ... ]
> Isn't this a quite simple way of making a DoS attack against a system?
Certainly turning on log_in_vain makes it easier to DoS a system, but it's
possible to perform a DoS against anything if someone tries hard enough.
Basically, log_in_vain can be used to turn a system into a network sensor which
tracks incoming connection requests. Normally, one has a firewall in place
which blocks the majority of ports used by a port scan, and your sensor only
detects the remainder, i.e., what you let through, in addition to any local
traffic. Seeing your sensor get horribly busy like you did tends to indicate
you're monitoring unfiltered Internet traffic (or your firewall is busted),
in which case be prepared to possibly deal with hundreds of thousands of lines
of logging per day.
Or it indicates an internal machine has been virusized and is scanning the
local subnet for other hosts to infect (or someone connecting a laptop to your
network, etc).
I've been seeing about 500 connection attempts per day per monitored IP
address. For what it's worth, you provoked my curiosity enough to see what
the last week looks like in terms of a histogram by port #:
% zcat /var/log/system.log.*.gz | grep 'TCP.* S' | awk -F: '{print $7}' \
| awk '{print $1}' | sort -n | uniq -c | sort -nr | head -30
20654 1433
4622 4444
4458 445
3451 135
3189 139
2455 80
448 6129
270 3127
140 2745
124 4000
96 21
87 4899
80 1025
79 1080
65 5000
58 3128
41 20168
41 1981
34 25
28 3410
26 36442
23 23
17 22
15 443
13 32772
13 113
7 81
7 8000
6 8080
5 901
--
-Chuck
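The pipeline above answers one question (which ports get hit most). A sensor built on log_in_vain usually wants a second one: which source addresses are sweeping many ports, since that is both the port-scan signature and the thing that fills /var/log/messages. The script below is an added example, not code from the thread or from FreeBSD; it assumes the kernel's "Connection attempt to TCP <dst>:<port> from <src>:<sport>" log_in_vain wording as syslog records it, and the log lines it parses are constructed sample data, not real traffic.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed shape of a log_in_vain line in /var/log/messages (the FreeBSD
# kernel's "Connection attempt to TCP a.b.c.d:port from w.x.y.z:sport"
# message). Adjust the pattern if your syslog prefix or kernel differs.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# Constructed sample log: one host sweeping six ports, two single probes
# of 1433, one UDP probe, and one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Apr 17 08:01:02 sensor kernel: Connection attempt to TCP 192.0.2.10:1433 from 198.51.100.7:3344 flags:0x2
Apr 17 08:01:02 sensor kernel: Connection attempt to TCP 192.0.2.10:4444 from 198.51.100.7:3345 flags:0x2
Apr 17 08:01:03 sensor kernel: Connection attempt to TCP 192.0.2.10:445 from 198.51.100.7:3346 flags:0x2
Apr 17 08:01:03 sensor kernel: Connection attempt to TCP 192.0.2.10:135 from 198.51.100.7:3347 flags:0x2
Apr 17 08:01:04 sensor kernel: Connection attempt to TCP 192.0.2.10:139 from 198.51.100.7:3348 flags:0x2
Apr 17 08:01:04 sensor kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:3349 flags:0x2
Apr 17 09:12:55 sensor kernel: Connection attempt to TCP 192.0.2.10:1433 from 203.0.113.4:51002 flags:0x2
Apr 17 11:40:10 sensor kernel: Connection attempt to TCP 192.0.2.10:1433 from 203.0.113.9:1050 flags:0x2
Apr 17 11:41:00 sensor kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Apr 17 12:00:00 sensor sshd[123]: Accepted publickey for admin from 192.0.2.20 port 40000 ssh2
"""


def parse(lines: Iterable[str]) -> Iterable[Tuple[str, str, int]]:
    """Yield (proto, source IP, destination port) for each log_in_vain line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("proto"), m.group("src"), int(m.group("dport"))


def port_histogram(lines: Iterable[str], proto: str = "TCP", top: int = 30) -> List[Tuple[int, int]]:
    """Same histogram as the zcat|grep|awk|sort|uniq pipeline: (port, count), busiest first."""
    counts = Counter(dport for p, _src, dport in parse(lines) if p == proto)
    return counts.most_common(top)


def noisy_sources(lines: Iterable[str], min_ports: int = 5) -> Dict[str, int]:
    """Sources that touched at least min_ports distinct ports: the scan signature.

    These are the addresses to consider filtering at the firewall if the
    log volume itself is becoming the problem.
    """
    ports_by_src: Dict[str, set] = {}
    for _proto, src, dport in parse(lines):
        ports_by_src.setdefault(src, set()).add(dport)
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    # Usage against a real system: python3 this.py < /var/log/messages
    import sys
    data = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for port, n in port_histogram(data):
        print(f"{n:7d} {port}")
    for src, n in noisy_sources(data).items():
        print(f"scanner? {src} probed {n} distinct ports")
```

The histogram reproduces the shell pipeline's output shape, while noisy_sources is the piece that turns raw volume into something actionable: a single source touching many ports is a scan (or an infected internal host, as the reply notes), and blocking that source upstream of the sensor is what keeps log_in_vain from becoming a self-inflicted DoS.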