Date:      Wed, 11 Aug 2004 19:46:47 -0500
From:      "James A. Coulter" <jacoulter@jacoulter.net>
To:        freebsd-questions@freebsd.org
Subject:   Security log question
Message-ID:  <20040812004647.GA13990@sara.mshome.net>

This message has been showing up in /var/log/security:

	Aug  6 01:56:44 sara /kernel: drop session, too many entries
	Aug  6 16:40:05 sara /kernel: drop session, too many entries
	Aug  7 13:25:23 sara /kernel: drop session, too many entries
	Aug  7 15:32:00 sara /kernel: drop session, too many entries
	Aug  7 15:32:03 sara last message repeated 3 times
	Aug  8 22:30:53 sara /kernel: drop session, too many entries
	Aug 10 19:47:31 sara /kernel: drop session, too many entries
	Aug 11 11:11:46 sara /kernel: drop session, too many entries
	Aug 11 13:08:15 sara /kernel: drop session, too many entries
	Aug 11 13:10:26 sara last message repeated 12 times
	Aug 11 13:20:34 sara last message repeated 55 times
	Aug 11 13:30:00 sara last message repeated 66 times
	Aug 11 16:49:26 sara /kernel: drop session, too many entries
	Aug 11 16:49:58 sara last message repeated 5 times
	Aug 11 16:52:04 sara last message repeated 20 times
	Aug 11 17:02:01 sara last message repeated 93 times
	Aug 11 17:18:01 sara /kernel: drop session, too many entries
	Aug 11 17:23:03 sara /kernel: drop session, too many entries

I'm running FreeBSD 4.10 with IPFW and NAT as a gateway/router/firewall for a home LAN.  I am the only user (I hope!) with access to this system.

I googled the "drop session" message and found e-mail correspondence indicating this message is a result of having too many telnet or ssh sessions open at the same time and could be an indication of a DOS attack.

I have disabled telnet in inetd.conf.  I am running ftp with anonymous log-in disabled and ssh with root login disabled.  I am also running apache 1.3.

Is this message something I should investigate further, or is it like the script kiddies who scan my ports every night - just something to live with?

TIA for any enlightenment/suggestions anyone can provide.

Jim
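
An added example, not part of the original message: syslogd collapses identical consecutive messages into "last message repeated N times", so the line count of the excerpt above understates how many drops occurred. This script expands those repeat lines and tallies the events per day or per hour; the names `tally`, `SAMPLE_LOG`, `LINE`, `REPEAT` and `NEEDLE` are this example's own.

```python
import re
from collections import Counter

# Log lines copied from the message above (leading tabs removed).
SAMPLE_LOG = """\
Aug  6 01:56:44 sara /kernel: drop session, too many entries
Aug  6 16:40:05 sara /kernel: drop session, too many entries
Aug  7 13:25:23 sara /kernel: drop session, too many entries
Aug  7 15:32:00 sara /kernel: drop session, too many entries
Aug  7 15:32:03 sara last message repeated 3 times
Aug  8 22:30:53 sara /kernel: drop session, too many entries
Aug 10 19:47:31 sara /kernel: drop session, too many entries
Aug 11 11:11:46 sara /kernel: drop session, too many entries
Aug 11 13:08:15 sara /kernel: drop session, too many entries
Aug 11 13:10:26 sara last message repeated 12 times
Aug 11 13:20:34 sara last message repeated 55 times
Aug 11 13:30:00 sara last message repeated 66 times
Aug 11 16:49:26 sara /kernel: drop session, too many entries
Aug 11 16:49:58 sara last message repeated 5 times
Aug 11 16:52:04 sara last message repeated 20 times
Aug 11 17:02:01 sara last message repeated 93 times
Aug 11 17:18:01 sara /kernel: drop session, too many entries
Aug 11 17:23:03 sara /kernel: drop session, too many entries
"""
LINE = re.compile(r"^(\w{3})\s+(\d+) (\d\d):\d\d:\d\d (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
NEEDLE = "drop session, too many entries"

def tally(text, by_hour=False):
    """Count NEEDLE events per day (or hour), expanding syslogd repeat lines."""
    counts, last_msg = Counter(), {}  # last_msg: host -> last non-repeat message
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        mon, day, hour, host, msg = m.groups()
        key = f"{mon} {int(day):2d}" + (f" {hour}h" if by_hour else "")
        rep = REPEAT.match(msg)
        if rep:
            if NEEDLE in last_msg.get(host, ""):
                counts[key] += int(rep.group(1))  # repeats of previous message
            continue
        last_msg[host] = msg
        if NEEDLE in msg:
            counts[key] += 1
    return counts

if __name__ == "__main__":
    print(dict(tally(SAMPLE_LOG, by_hour=True)))
```

Each repeat line is counted in the bucket of its own timestamp, which is when syslogd reported it.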



