Firstly, I never mentioned the word security, so I don't know where
Tobias got that from.
I apologise once again for not searching the archives and reading the
man pages.
May I suggest some tolerance (doesn't have to be sincere) for people who
are simply either too busy or too lazy to read man pages in their
entirety, or just simply ignore the email. Surely certain people on this
list (Theo - that's you!) don't actually enjoy patronising their loyal
userbase?
Or perhaps that's OpenBSD's 'thing'? Or if it isn't, remind me what is...
thanks anyway
poncenby
Theo de Raadt wrote:
The port is also used to (potentially) send data out to other syslog
servers. Therefore, it is left open. This is made ASTOUNDINGLY
clear in the manual page, if you would read it:
syslogd opens the above described socket whether or not it is running in
secure mode. If syslogd is running in secure mode, all incoming data on
this socket is discarded. The socket is required for sending forwarded
messages.
See that? It says anything read is DISCARDED.
This behaviour is not going to be changed. Period.
I remember asking how to stop syslogd opening udp port 514 a while ago
and never doing anything about it, here goes again...
hopefully a relevant part of /etc/rc:

echo 'starting system logger'
rm -f /dev/log
if [ "X${named_flags}" != X"NO" ]; then
    rm -f /var/named/dev/log
    syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
fi
if [ -d /var/empty ]; then
    rm -f /var/empty/dev/log
    mkdir -p -m 0555 /var/empty/dev
    syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
fi
syslogd ${syslogd_flags}
if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
    if ifconfig pflog0 >/dev/null 2>&1; then
        ifconfig pflog0 up
        pflogd ${pflogd_flags}
    fi
fi
my /etc/rc.conf:

syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
output from command: netstat -p udp -an

Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  *.514                  *.*
reading the man page doesn't really answer why there is a program
listening on udp 514, seeing as I haven't passed syslogd the -u switch:
-u Select the historical ``insecure'' mode, in which syslogd will
accept input from the UDP port. Some software wants this, but
you can be subjected to a variety of attacks over the network,
including attackers remotely filling logs.
can anyone point me in the right direction so this annoying behaviour stops?
also, is there a switch for netstat which shows the pid/process for each
listening port?
thanks in advance
poncenby
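The distinction Theo draws above (socket bound for forwarding versus input actually accepted) is what an administrator wants to verify on a host. The shell functions below are an added example, not from anyone in this thread: they classify udp/514 from the syslogd_flags string and from netstat output in the format quoted above; the sample netstat text is constructed.

```shell
#!/bin/sh
# Added example: verify syslogd's udp/514 state from rc.conf flags and
# netstat -an -p udp output. Not part of OpenBSD or of this thread.

# syslogd_mode FLAGS -> prints "insecure" if -u is among the flags, else "secure".
# Flags are split on whitespace so "-u" inside a path argument is not matched.
syslogd_mode() {
    for tok in $1; do
        [ "$tok" = "-u" ] && { echo insecure; return 0; }
    done
    echo secure
}

# udp_port_bound NETSTAT_TEXT PORT -> returns 0 if a udp socket whose local
# address ends in ".PORT" (e.g. *.514) appears in the netstat text.
udp_port_bound() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == "udp" && $4 ~ ("\\." p "$") { found = 1 } END { exit found ? 0 : 1 }'
}

# syslog_verdict FLAGS NETSTAT_TEXT -> one-line assessment of udp/514.
# Mirrors the syslogd(8) behaviour quoted in the thread: the socket is bound
# in secure mode too, but incoming data is discarded unless -u was given.
syslog_verdict() {
    if udp_port_bound "$2" 514; then
        case "$(syslogd_mode "$1")" in
            insecure) echo "udp/514 bound; -u set: remote messages are accepted" ;;
            secure)   echo "udp/514 bound; no -u: socket kept for forwarding, incoming data discarded" ;;
        esac
    else
        echo "udp/514 not bound"
    fi
}

# Constructed sample, modelled on the netstat output quoted in the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  *.514                  *.*'

# Stand-alone run: flags from the quoted rc.conf (empty) plus the rc additions.
syslog_verdict '-a /var/named/dev/log -a /var/empty/dev/log' "$SAMPLE_NETSTAT"
```

On a live host the same functions can be fed `$(netstat -an -p udp)` and the syslogd_flags value from /etc/rc.conf.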