From: Douglas K. Rand (rand_at_meridian-enviro.com)
Date: Mon Feb 17 2003 - 20:17:57 CST

    I've been playing with MessageWall on one of our systems, and I
    noticed that we've been getting a lot of messages like:

      Connection attempt to UDP <our-ip>:<port-above-1024> from <ip-addr-in-resolv.conf>:53

    in our logs. I have log_in_vain="YES" in my /etc/rc.conf, which sets:

       net.inet.tcp.log_in_vain: 1
       net.inet.udp.log_in_vain: 1

    After a little work with tcpdump, these are queries of the black hole
    lists (openrbl.org) that MessageWall does. For speed (and security?),
    MessageWall uses the FireDNS library to do DNS queries. After a little
    more digging, I found that I can reproduce these messages by using the
    fdnsip command that comes with FireDNS.

    Everything seems to work just fine, the queries work, and return what
    you expect.

    It seems that I can virtually eliminate these messages by removing all
    but one host from my /etc/resolv.conf, not a solution that I'm keen
    on.

    Has anybody else noticed this, and is there a solution other than
    "Ignore those log messages" or "Unset net.inet.udp.log_in_vain"? (Both
    of these solutions /are/ fairly reasonable.)

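A triage sketch for the log lines quoted in the message above, added here as an example and not part of the original post: it separates UDP log_in_vain entries that come from port 53 of a resolver listed in resolv.conf and target a port above 1024 (the pattern the poster reports) from every other entry, so the remainder can still be reviewed. The function names, addresses, hostname and log lines are constructed for illustration.

```python
import re

# Format taken from the log line quoted in the message:
#   Connection attempt to UDP <dst-ip>:<dst-port> from <src-ip>:<src-port>
LOG_RE = re.compile(
    r"Connection attempt to UDP (?P<dst>[0-9.]+):(?P<dport>\d+) "
    r"from (?P<src>[0-9.]+):(?P<sport>\d+)"
)

def nameservers(resolv_conf_text):
    """Return the set of nameserver addresses listed in resolv.conf text."""
    servers = set()
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.add(fields[1])
    return servers

def triage(log_lines, resolvers):
    """Split UDP log_in_vain entries into (resolver_replies, other)."""
    resolver_replies, other = [], []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a UDP log_in_vain entry (e.g. a TCP one)
        from_resolver = (
            m["src"] in resolvers          # source is a configured resolver
            and m["sport"] == "53"         # source port is DNS
            and int(m["dport"]) > 1024     # destination is an unprivileged port
        )
        (resolver_replies if from_resolver else other).append(line)
    return resolver_replies, other

# Constructed sample data (documentation address ranges), not real logs.
SAMPLE_RESOLV_CONF = """\
search example.com
nameserver 192.0.2.53
nameserver 198.51.100.53
"""
SAMPLE_LOG = [
    "Feb 17 20:01:02 mx /kernel: Connection attempt to UDP 203.0.113.10:49152 from 192.0.2.53:53",
    "Feb 17 20:01:02 mx /kernel: Connection attempt to UDP 203.0.113.10:49153 from 198.51.100.53:53",
    "Feb 17 20:03:40 mx /kernel: Connection attempt to UDP 203.0.113.10:137 from 203.0.113.77:137",
    "Feb 17 20:04:11 mx /kernel: Connection attempt to UDP 203.0.113.10:49200 from 203.0.113.99:53",
    "Feb 17 20:05:00 mx /kernel: Connection attempt to TCP 203.0.113.10:23 from 203.0.113.77:4021",
]

if __name__ == "__main__":
    replies, other = triage(SAMPLE_LOG, nameservers(SAMPLE_RESOLV_CONF))
    print(f"{len(replies)} entries from configured resolvers; review the rest:")
    print("\n".join(other))
```

The entry from port 53 of an address that is not in resolv.conf stays in the review list, since only configured resolvers are treated as expected sources.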