From owner-freebsd-security@FreeBSD.ORG Sun Apr 18 22:55:01 2004
Date: Mon, 19 Apr 2004 07:54:57 +0200 (CEST)
From: "Jesper Wallin"
Reply-To: z3l3zt@hackunite.net
To: "Crist J. Clark"
Cc: freebsd-security@freebsd.org
Subject: Re: Is log_in_vain really good or really bad?
Message-ID: <2220.213.112.193.91.1082354097.squirrel@mail.hackunite.net>
In-Reply-To: <20040419021239.GA67288@blossom.cjclark.org>
References: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net>
            <20040419021239.GA67288@blossom.cjclark.org>
User-Agent: SquirrelMail/1.4.2
List-Id: Security issues [members-only posting]

> On Sat, Apr 17, 2004 at 04:28:35PM +0200, z3l3zt@hackunite.net wrote:
> [snip]
>
>> My server box is an Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from
>> time to time since I only run ATA66 due to the old motherboard. When this
>> "attack" occurred yesterday, the box almost died and the box was working
>> 100%.. all users who were logged in got "spammed" since the default
>> *.emerg in /etc/syslog.conf is set to "*" ..
>
> Not sure what that has to do with anything. The log_in_vain messages get
> logged at "info" level. What messages were your users seeing?
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |       cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |       cjc@freebsd.org

Heya..

The logs I got were "normal" log_in_vain logs.. the reason I detected this
(or, I was asleep and my girlfriend detected it) was because the syslogd
daemon did send messages to everyone logged in. Sure, you can DoS most
things if you really want to, but a simple "connection flood", which works
even on lower bandwidths, shouldn't make the box die.. and no, SCSI might be
faster, but if I can download/upload to the machine at 9000kb/s, then it
should be fast enough to store the logs even if it's ATA66..

I also detected that if I nmap my own IP with log_in_vain enabled, I get the
same errors.. the box doesn't die really, but syslogd will start to spit its
output to all the users.

Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:32672 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:39323 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:33426 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:32432 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:39834 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:37231 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:33524 from 213.151.136.3:54568

Regards,
Jesper Wallin
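The kernel lines in the message above are one record per probe, and a port scan turns that into thousands of near-identical lines for syslogd to write and distribute. As an added example (not code from the thread, from the poster, or from FreeBSD), the Python script below parses lines in the log_in_vain format shown in the post and collapses them into one alert per scanning source and protocol. The sample input reuses the seven lines Jesper quoted plus two constructed lines (a single TCP probe from 10.0.0.5, which should not be flagged, and an unrelated syslogd line, which should be ignored). The 60-second window and the five-distinct-ports threshold are assumptions chosen for the example, not FreeBSD settings.

```python
"""Collapse FreeBSD log_in_vain kernel messages into per-source scan alerts.

Added example; not code from the mailing-list thread or from FreeBSD. It
assumes the message format quoted in the post, prefixed by the usual syslog
"<Mon DD HH:MM:SS> <host> kernel: " header.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches e.g.:
#   Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:32672 from 213.151.136.3:54568
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)$"
)

# Constructed sample: the seven lines quoted in the post, plus one lone TCP
# probe from another host and one unrelated syslog line (both made up here).
SAMPLE_LOG = """\
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:32672 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:39323 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:33426 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:32432 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:39834 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:37231 from 213.151.136.3:54568
Apr 16 19:38:07 omikron kernel: Connection attempt to UDP 213.112.193.67:33524 from 213.151.136.3:54568
Apr 16 19:38:09 omikron kernel: Connection attempt to TCP 213.112.193.67:22 from 10.0.0.5:40123
Apr 16 19:38:10 omikron syslogd: restart
"""


def parse_line(line):
    """Return a dict for a log_in_vain line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only the ordering and differences are used below.
    ts = datetime.strptime(f"{d['mon']} {int(d['day']):02d} {d['time']}",
                           "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": d["host"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def detect_scans(lines, window_s=60, min_ports=5):
    """Group attempts by (src, proto) and flag a source that probes at least
    min_ports distinct destination ports within any window_s-second window.

    Returns one alert dict per flagged (src, proto), sorted by source, so a
    scan that produced thousands of kernel lines yields a single record.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_src[(rec["src"], rec["proto"])].append(rec)

    alerts = []
    for (src, proto), recs in sorted(by_src.items()):
        recs.sort(key=lambda r: r["ts"])
        best = 0
        left = 0
        # Sliding window over the time-sorted attempts of this source.
        for right in range(len(recs)):
            while (recs[right]["ts"] - recs[left]["ts"]).total_seconds() > window_s:
                left += 1
            distinct = {r["dport"] for r in recs[left:right + 1]}
            best = max(best, len(distinct))
        if best >= min_ports:
            alerts.append({
                "src": src,
                "proto": proto,
                "attempts": len(recs),
                "distinct_ports": len({r["dport"] for r in recs}),
                "max_ports_in_window": best,
                "first_seen": recs[0]["ts"].strftime("%b %d %H:%M:%S"),
                "last_seen": recs[-1]["ts"].strftime("%b %d %H:%M:%S"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run over /var/log/messages (or whatever file syslog.conf sends kern.info to), this turns the flood into one line per scanner for the person reading the logs; it does nothing about the volume syslogd itself has to write or where it sends it, which is the part of the thread still under discussion.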