Date: Sat, 14 Aug 2004 16:39:58 +0200 From: Alex de Kruijff <freebsd@akruijff.dds.nl> To: freebsd-questions@freebsd.org Subject: Re: Security log question Message-ID: <20040814143958.GC884@alex.lan> In-Reply-To: <20040812004647.GA13990@sara.mshome.net> References: <20040812004647.GA13990@sara.mshome.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Aug 11, 2004 at 07:46:47PM -0500, James A. Coulter wrote: > This message has been showing up in /var/log/security: > > Aug 6 01:56:44 sara /kernel: drop session, too many entries > Aug 6 16:40:05 sara /kernel: drop session, too many entries > Aug 7 13:25:23 sara /kernel: drop session, too many entries > Aug 7 15:32:00 sara /kernel: drop session, too many entries > Aug 7 15:32:03 sara last message repeated 3 times > Aug 8 22:30:53 sara /kernel: drop session, too many entries > Aug 10 19:47:31 sara /kernel: drop session, too many entries > Aug 11 11:11:46 sara /kernel: drop session, too many entries > Aug 11 13:08:15 sara /kernel: drop session, too many entries > Aug 11 13:10:26 sara last message repeated 12 times > Aug 11 13:20:34 sara last message repeated 55 times > Aug 11 13:30:00 sara last message repeated 66 times > Aug 11 16:49:26 sara /kernel: drop session, too many entries > Aug 11 16:49:58 sara last message repeated 5 times > Aug 11 16:52:04 sara last message repeated 20 times > Aug 11 17:02:01 sara last message repeated 93 times > Aug 11 17:18:01 sara /kernel: drop session, too many entries > Aug 11 17:23:03 sara /kernel: drop session, too many entries > > I'm running FreeBSD 4.10 with IPFW and NAT as a gateway/router/firewall for a home LAN. I am the only user (I hope!) with access to this system. > > I googled the "drop session" message and found e-mail correspondence indicating this message is a result of having too many telnet or ssh sessions open at the same time and could be an indication of a DOS attack. > > I have disabled telnet in inetd.conf. I am running ftp with anonymous log-in disabled and ssh with root login disabled. I am also running apache 1.3. > > Is this message something I should investigate further, or is it like the script kiddies who scan my ports every night - just something to live with? Yes, but I don't think you are likly at risk to have someone bracking in on you system. You're server proberbly just handle the traffic nicly. You need to investigate further to find out what is causing this and what you can do about it. P.S. I notices you have very lone lines in you'r mail and use mutt. Whould you consider adding the following line to .muttrc (and install vim) so that this is automaticly wraped at 72 char? set editor="vim +':set tw=72' +':set ww=<,>,h,l,[,]' %s" -- Alex Articles based on solutions that I use: http://www.kruijff.org/alex/FreeBSD/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040814143958.GC884>