From: Randy Bush
To: Christopher Nielsen
Cc: freebsd-security@freebsd.org
Subject: Re: log-in-vain [ was: 10 days ]
Date: Thu, 20 Apr 2000 14:34:39 -0700

> Something you might want to do, if you haven't already, is enable
> log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. It will log
> connection attempts on ports that have nothing listening on them. It can
> be very enlightening.

but what does one *do* with the info? there is so much scanning and so
many baby cracker attempts that it does little good writing to source
address admins. and the sources are spoofed in the majority of the cases
anyway.

while i think log watching is important, it can be massive data. so i try
to keep it down to those data about which i can do something, either by
changing my defenses or by dealing with the source of the problem.

i am open to having my mind changed on this.

randy
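One way to cut log_in_vain output down to something reviewable, as an added example that is not part of the original message: collapse the per-connection lines into one row per probed port. The message format, the sample log lines and the `min_sources` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message format assumed from FreeBSD's log_in_vain kernel output;
# trailing fields (e.g. TCP flags on newer releases) are ignored.
LINE = re.compile(
    r"Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)")

# Constructed sample using documentation address ranges, not real log data.
SAMPLE = """\
Apr 20 14:01:02 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:4021
Apr 20 14:01:03 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:4022
Apr 20 14:01:09 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.5:1055
Apr 20 14:02:10 gw cron[312]: (root) CMD (newsyslog)
Apr 20 14:02:41 gw /kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Apr 20 14:03:17 gw /kernel: Connection attempt to TCP 192.0.2.10:111 from 198.51.100.7:4030
"""

def summarize(text):
    """Return (proto, dst_port, attempts, distinct_sources) rows."""
    hits = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # unrelated syslog line
        proto, _dst, dport, src, _sport = m.groups()
        row = hits[(proto, int(dport))]
        row["attempts"] += 1
        row["sources"].add(src)
    rows = [(p, port, r["attempts"], len(r["sources"]))
            for (p, port), r in hits.items()]
    # Most-probed ports first; ties broken by port number for stable output.
    return sorted(rows, key=lambda r: (-r[2], r[1]))

def worth_review(rows, min_sources=2):
    """Keep ports probed from at least min_sources distinct addresses.
    Per-source detail is dropped on purpose: the report is about ports."""
    return [r for r in rows if r[3] >= min_sources]

if __name__ == "__main__":
    for proto, port, attempts, sources in summarize(SAMPLE):
        print(f"{proto:3} {port:5} attempts={attempts} sources={sources}")
```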