[juneau-lug] For a good laugh
- From: James Zuelow <e5z8652@xxxxxxxxxx>
- To: <juneau-lug@xxxxxxxxxxxxx>
- Date: Sat, 18 May 2002 10:33:53 -0800 (AKDT)
My firewall is an elderly Compaq Prolinea 4/33s, with the original 340MB
hard drive. Therefore I don't have a lot of extra disk space, although a
base Debian install leaves me with enough room to play with. Over time
this little machine has been going strong - until a few weeks ago, when
all of a sudden I was running out of disk space. Running du showed me that
/var/log was massive, specifically wtmp.

Running last only showed logins that I knew about, and lastb didn't show
any results at all (in fact /var/log/lastb consistently stayed at 0
bytes). I scanned through kern.log, messages, and syslog to no avail - no
attack signatures that I could see, although I was convinced that
someone/something was attacking my firewall.

I even set up a cronjob to mail me the file size of wtmp - every half hour
I got a report, showing the file growing constantly. I started a new
wtmp, and within 24 hours it was at 1.2MB! At this point I was getting
worried, and started an inspection of every other machine on my LAN,
looking for signs of intrusion. But nothing ever showed up.

Finally, I was about ready to start from scratch on the firewall with a
completely new installation to ensure that nothing was amiss. Taking a
final look at /var/log I noticed what I had been missing the entire time
(Insert slap on forehead here): auth.log. The whole file was filled up
with these entries:

May 12 07:03:01 FW getty[4167]: tty1: input overrun
May 12 07:04:18 FW getty[4168]: tty1: input overrun
May 12 07:05:34 FW getty[4169]: tty1: input overrun

Sure enough, climbing up to the top of the gorilla rack that the firewall
lives on, the power cord from a test monitor was pushing down on the
keyboard. Sigh...

Cheers,
James
------------------------------------
This is the Juneau-LUG mailing list.
To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx with the
word unsubscribe in the subject header.