From owner-freebsd-security@FreeBSD.ORG Mon Jan 12 00:08:59 2004
Date: Mon, 12 Jan 2004 11:10:45 +0300
From: freebsd@tern.ru
Organization: Tern
Reply-To: Alexandre Krasnov
To: Jez Hancock
cc: freebsd-security@freebsd.org
Subject: Re[2]: Problem with DNS (UDP) queries
Message-ID: <1399021926.20040112111045@tern.ru>
In-Reply-To: <20040109230801.GE1488@users.munk.nu>
References: <1775511953.20040109173220@tern.ru> <20040109144956.GB87284@users.munk.nu> <1839710842.20040109181325@tern.ru> <20040109230801.GE1488@users.munk.nu>
List-Id: Security issues [members-only posting]

Maybe you are right.
I'll try to set it up (switch to logging via ipfw) and see if there is something that I do not like in this config. Don't know why, I feel some discomfort while thinking about this solution.

JH> On Fri, Jan 09, 2004 at 06:13:25PM +0300, freebsd@tern.ru wrote:
>> Yes, I had thought about what you wrote.
>> Because of this I mentioned that 'I do not want to turn off the "log
>> in vain" feature.'
JH> In that case I imagine you'd need to hack the kernel source code to make
JH> it not log vain udp port 53 requests. I'm fairly sure it's an 'all or
JH> nothing' sysctl mib/flag.
JH> Why do you want to log those vain connection attempts using
JH> 'log_in_vain' though? It would be a lot more suitable to use the
JH> logging feature in ipfw2 and disable the log_in_vain feature completely.
JH> Just my opinion though :P
>> JH> On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd@tern.ru wrote:
>> >> Hi all
>> >>
>> >> I am trying to get rid of strings:
>> >> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
>> >> on my console and in log file
>> >>
>> >> I understand that those are replies to DNS queries that for some reason
>> >> took too long to be answered.
>> >> I do not want to turn off the "log in vain" feature.
>> >>
>> >> As these strings fill up my log I am afraid to miss some sensitive
>> >> messages (e.g. hacker's attack :)
>> >>
>> >> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
>> >> DNS queries and DNS replies.
>> >>
>> >> The main application that generates queries is sendmail.
>> >>
>> >> What can be done?
>> JH> I believe those messages are generated if the following sysctl flag is
>> JH> set:
>>
>> JH> net.inet.udp.log_in_vain
>>
>> JH> you can disable it by executing:
>>
>> JH> sysctl net.inet.udp.log_in_vain=0
>>
>> JH> on the command line.
>>
>> JH> Obviously though this will disable logging of all vain connection attempts using
>> JH> the udp protocol. However if you have ipfw set up to log such attempts,
>> JH> you don't really need that sysctl flag set anyway.
>>
>> JH> See also the tcp equivalent flag:
>>
>> JH> net.inet.tcp.log_in_vain
>>
>> JH> also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
>> JH> setting.
>>
>> Alex.
>>
>> Alex.
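The concern in the thread is that late DNS replies drown out the log_in_vain messages an admin actually wants to see, and the only kernel-side knob is all-or-nothing. Until the ruleset is moved to ipfw logging, the noise can be triaged after the fact. The POSIX sh script below is an added example, not code from the thread or from FreeBSD: it keeps the sysctl on, tags each "Connection attempt to UDP ..." line whose source is port 53 on a resolver this host is allowed to query as a late DNS reply, and passes everything else (other UDP ports, TCP, and port-53 sources that are not a configured resolver) through for review. The resolver list in DNS_SERVERS, the function names, and the sample log lines (RFC 5737 documentation addresses) are all constructed for the example.

```shell
#!/bin/sh
# Added example: triage FreeBSD log_in_vain kernel messages so that late DNS
# replies from known resolvers are separated from everything else. Not part
# of the original thread; names and addresses below are constructed.

# Hypothetical list of resolvers this host is configured to query
# (e.g. the nameserver entries in resolv.conf). Only replies from these
# hosts, and only from source port 53, are treated as expected noise.
DNS_SERVERS="192.0.2.53 192.0.2.54"

# Constructed sample of syslog lines in the format log_in_vain produces:
# "Connection attempt to <PROTO> <local_ip>:<port> from <remote_ip>:<port>".
SAMPLE_LOG='Jan 12 11:10:45 host kernel: Connection attempt to UDP 203.0.113.10:49152 from 192.0.2.53:53
Jan 12 11:10:46 host kernel: Connection attempt to UDP 203.0.113.10:49153 from 192.0.2.54:53
Jan 12 11:10:47 host kernel: Connection attempt to UDP 203.0.113.10:161 from 198.51.100.7:40000
Jan 12 11:10:48 host kernel: Connection attempt to TCP 203.0.113.10:22 from 198.51.100.9:51000
Jan 12 11:10:49 host kernel: Connection attempt to UDP 203.0.113.10:49154 from 198.51.100.9:53'

# Return 0 if $1 is one of the configured resolvers.
is_known_resolver() {
    for s in $DNS_SERVERS; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Read log lines on stdin and emit "<TAG><TAB><line>", where TAG is
# LATE-DNS for a UDP attempt from port 53 on a known resolver and
# REVIEW for anything else.
classify_vain() {
    while IFS= read -r line; do
        tag=REVIEW
        case "$line" in
            *"Connection attempt to UDP "*" from "*":53")
                src=${line##* from }   # "192.0.2.53:53"
                src=${src%:53}         # "192.0.2.53"
                is_known_resolver "$src" && tag=LATE-DNS
                ;;
        esac
        printf '%s\t%s\n' "$tag" "$line"
    done
}

# Lines that deserve a human's attention: everything not tagged LATE-DNS.
filter_vain() {
    classify_vain | grep -v '^LATE-DNS' | cut -f2-
}

# How many lines were suppressed as late DNS replies.
count_late_dns() {
    classify_vain | grep -c '^LATE-DNS'
}

# Stand-alone run: show what survives the filter and how much was dropped.
printf '%s\n' "$SAMPLE_LOG" | filter_vain
printf 'suppressed late DNS replies: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_late_dns)"
```

In practice the script would be fed from /var/log/messages (or run as a syslog pipe); the point of matching on both the source port and a configured resolver list is that a port-53 source that is not one of your resolvers is exactly the kind of line the original poster did not want to lose, so it stays in the review output.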