Patrick,

I did both and both had the same effect. Even the nmap test makes
my syslog, messages and kern.log logfiles almost 1MB in size which toasts
weblet viewing of them. The email I get from vulnerabilities.org after the
nmap scan is complete says it checks ~1500 ports. It appears that much
scanning kills my weblet interface. It seems weird that a 16MB system can
get screwy with only a few megs of logs.

After the scan is complete every local link on weblet takes the browser to a
blank page. The only way I am able to get the weblet interface working
again is to reboot. The firewall still routes traffic OK, which is the main
thing.

Here's the log section of my lrp.conf. I read it as saying if space
available is <= 2% logfiles will be wiped, starting with the oldest and
working to the newest until >2% space is available. When is this algorithm
executed? Is it every time a log operation is performed or is it on some
periodic basis?

Ideally I'd like the firewall to keep weblet operational and dump logging
info rather than allowing intruder attacks to kill weblet.

Thanks,
Paul

# SPACECHECK, will check the space available on the root device.
# If the remaining free space is <= MINKB or <= MINPER, each level
# of file mask(s) will be wiped, until the minimum available space
# is met or level 5 is reached. Files are individually null'ed
# to 0 size. They are not rm'ed. (syslogd will not be interrupted)
# When the level set in MAIL_LEVEL, is reached or exceeded, an
# alert will be sent to ADMIN. (If set)
lrp_SPACECHECK=NO # YES or NO
lrp_SC_MINKB=-1 # <= -1 to disable.
lrp_SC_MINPER=2 # >= 101 to disable. Default 2%.
lrp_SC_MAIL_LEVEL=2 # >= 6 to disable.
lrp_SC_DEL_L1="/var/log/*[4-9].gz"
lrp_SC_DEL_L2="/var/log/*[1-3].gz"
lrp_SC_DEL_L3="/var/log/*.gz"
lrp_SC_DEL_L4="/var/log/*.0"
lrp_SC_DEL_L5="/var/log/wtmp"
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Benson
Sent: July 13, 2001 5:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Portsentry on ESBeta2 questions
[EMAIL PROTECTED] wrote:
> Out of curiosity, I'd think many people have the same memory config as me.
> 16MB system (486 or 586). Does anyone else experience this when using one
> of the port scanners at the websites listed at c0wz (i.e.
> www.vulnerabilities.org)?
Paul,
Did you use just the nmap scan or did you use Nessus? The Nessus scan will
do much more probing than the nmap and will eventually make your logs
overflow. Quick nmap scans take only a few minutes, Nessus will take
about an hour or so....
--
Patrick Benson
Stockholm, Sweden
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
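
The level-by-level wipe described in the SPACECHECK comments above, as an added shell sketch that is not part of the original message and is not the LEAF/LRP script itself. The names sc_free_pct, sc_run and the SC_* variables are hypothetical, only the percentage threshold (MINPER) is modelled, and it assumes that lrp_SPACECHECK=NO means the check never runs.

```shell
#!/bin/sh
# Added illustration of the SPACECHECK comment block; not the LEAF/LRP code.
# Hypothetical names: sc_free_pct, sc_run, SC_*. The file masks are applied
# relative to the directory passed in instead of a hard-coded /var/log.
SC_ENABLED=YES     # assumption: lrp_SPACECHECK=NO means the check is skipped
SC_MINPER=2        # lrp_SC_MINPER: wipe when free space is <= this percent
SC_MAIL_LEVEL=2    # lrp_SC_MAIL_LEVEL: alert once this level is reached

# Percent of free space on the device holding $1 (POSIX df output format).
sc_free_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print 100 - $5 }'
}

# Walk levels 1..5, nulling the files of each level, and stop as soon as
# free space exceeds SC_MINPER. Prints the highest level wiped (0 = none).
sc_run() {
    dir=$1
    level=0
    if [ "$SC_ENABLED" != YES ]; then
        echo 0
        return 0
    fi
    # Masks of lrp_SC_DEL_L1 .. lrp_SC_DEL_L5, oldest rotations first.
    for mask in '*[4-9].gz' '*[1-3].gz' '*.gz' '*.0' 'wtmp'; do
        if [ "$(sc_free_pct "$dir")" -gt "$SC_MINPER" ]; then
            break
        fi
        level=$((level + 1))
        for f in "$dir"/$mask; do    # $mask unquoted on purpose: glob expands
            if [ -f "$f" ]; then
                : > "$f"             # truncate to 0 bytes, do not rm the file
            fi
        done
    done
    if [ "$level" -ge "$SC_MAIL_LEVEL" ]; then
        echo "spacecheck: level $level reached, alert ADMIN" >&2
    fi
    echo "$level"
}
```

Truncating instead of removing keeps the inode that syslogd already has open, which is why the comments say syslogd is not interrupted.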