Heya.. Yesterday someone "attacked" by box by connection to several ports.. In other words, a simple portscan.. yet, since my box has "log_in_vain" enabled, so it tries to log everything to /var/log/messages, since the logfile got full and the size went over 100K, it tried to rotate the log to save diskspace. (Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to size>100K) My server box is a Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from time to time since I only run ATA66 due to the old motherboard. When this "attack" occured yesterday, the box almost died and the box were working 100%.. all users who were logged in got "spammed" since the default *.emerg in /etc/syslog.conf is set to "*" .. Isn't this a quite simple way of making a DoS attack against a system? My box is running on 10mbit and the person who scanned my server were connecting from a cable connection.. Someone (even with lower bandwidth) can simply portscan a box with "log_in_vain" enabled and the box will go crazy trying to log/store it? Also, I'm not sure if it was a "general" portscan since the "blackhole" mostly slow down those quite much.. but since this had about 30-40 connections per second, it was a quite aggressive scan. I would be glad if anyone could tell me how to solve this and/or how to make sure it doesn't happen again. Regards, Jesper 'Z3l3zT' Wallin _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"