On 8/4/05, poncenby <[EMAIL PROTECTED]> wrote:
> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...
Sure, syslogd opens UDP/514, but unless you use the '-u' flag the very
next thing it does is call shutdown(), which prevents inbound traffic on
the "listening" port:
http://www.bsdforums.org/forums/showthread.php?t=33250
> Reading the man page doesn't really answer why there is a program
> listening on UDP 514, seeing as I haven't passed syslogd the -u switch:
>
> -u Select the historical ``insecure'' mode, in which syslogd will
> accept input from the UDP port. Some software wants this, but
> you can be subjected to a variety of attacks over the network,
> including attackers remotely filling logs.
>
> Can anyone point me in the right direction so this annoying behaviour stops?
I agree, it is (mildly) annoying.
The syslog daemon must bind UDP/514 even without the '-u' flag because
syslogd uses this socket as the source port if/when you configure a
remote log destination in /etc/syslogd.conf.
FreeBSD has the '-s -s' flag which prevents the daemon from binding the
port at all, but this is not necessary as a security enhancement; forcing
syslogd not to bind the port is purely cosmetic and makes your netstat
output shorter by one line.
Kevin Kadow
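The bind-then-shutdown pattern described above, as an added example that is not part of the thread or of syslogd's source: a UDP socket is bound on the loopback address (an ephemeral port stands in for 514 so no privilege is needed), shutdown(SHUT_RD) is applied as syslogd does without '-u', and a datagram is then sent from that socket to a second socket to confirm it still leaves with the bound port as its source port.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Bind a UDP socket on 127.0.0.1 with a kernel-chosen port (syslogd would
 * use 514).  Returns the fd, or -1 on failure; the port is written to *port. */
static int bind_udp(unsigned short *port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in a = {0};
    socklen_t alen = sizeof a;
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, alen) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &alen) < 0) { close(fd); return -1; }
    *port = ntohs(a.sin_port);
    return fd;
}

/* Mimic syslogd's default (no -u) setup: bind, then shutdown(SHUT_RD).
 * Returns 1 if a datagram sent from the half-closed socket reaches a peer
 * with the bound port as its source port (the socket is still usable for
 * forwarding to a remote log host), 0 on any failure. */
int source_port_survives_shut_rd(void) {
    unsigned short lport, pport;
    int lfd = bind_udp(&lport), pfd = bind_udp(&pport);
    struct sockaddr_in peer = {0}, from = {0};
    socklen_t flen = sizeof from;
    struct timeval tv = {1, 0};          /* don't hang if delivery fails */
    char buf[64];
    int ok = 0;
    if (lfd < 0 || pfd < 0) goto out;
    shutdown(lfd, SHUT_RD);              /* what syslogd does without -u */
    peer.sin_family = AF_INET;
    peer.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    peer.sin_port = htons(pport);
    setsockopt(pfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    /* "<13>test" is a constructed 8-byte syslog-style payload */
    if (sendto(lfd, "<13>test", 8, 0, (struct sockaddr *)&peer, sizeof peer) == 8 &&
        recvfrom(pfd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen) == 8)
        ok = ntohs(from.sin_port) == lport;
out:
    if (lfd >= 0) close(lfd);
    if (pfd >= 0) close(pfd);
    return ok;
}
```

Whether the kernel then discards datagrams arriving on the half-closed socket is OS-specific (the thread describes FreeBSD); this check only exercises the sending side, which is the reason the port has to stay bound.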