[5222] in bugtraq


Re: syslogd fun (erratum)

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Fri Aug 29 12:49:30 1997

Date: 	Thu, 28 Aug 1997 23:55:38 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Thu, 28 Aug 1997 15:59:18 CDT." 
              <Pine.A41.3.95.970828154248.22990E-100000@t1.chem.umn.edu>

> I wasn't exactly right about using netstat to determine if remote reception
> is on.  I looked at the sources of syslogd 1.3 more carefully.  In fact,
> even though it defaults to no remote reception, it creates an AF_INET socket
> and binds to it unconditionally (well, if SYSLOG_INET was defined during the
> compilation, and it was defined in RedHat 4.2 build).  It doesn't pay
> attention to it from that point on, though, if remote reception is off, but
> the socket is there and it does appear in netstat output.  I don't know why it's
> done this way, I guess you may consider it as a feature.  No harm, just
> could be misleading.

It is done that way because @loghost transfers use that same socket for
communication with remote syslogd's.

You can't simply not create it. If the config file contains any packet
redirections, you are going to need the socket.  Hence in 'secure
mode' syslogd simply ignores all input packets.

Here's the relevant entry from the OpenBSD syslogd man page:

     -u      Select the historical ``insecure'' mode, in which syslogd will
             accept input from the UDP port.  Some software wants this, but
             you can be subjected to a variety of attacks over the network,
             including attackers remotely filling logs.
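The design described above, as a toy model added here (not OpenBSD's or sysklogd's own code): the UDP socket is bound unconditionally because @loghost forwarding sends through it, so it is visible in netstat either way, and only the insecure (-u) mode logs what arrives on it. Class and function names, the loopback addresses and the ephemeral ports are constructed for the demo.

```python
import socket

class MiniSyslogd:
    """Toy syslogd: the UDP socket always exists (forwarding needs it);
    datagrams received on it are logged only in insecure (-u) mode."""
    def __init__(self, insecure=False, loghost=None):
        self.insecure = insecure      # True models the historical -u behaviour
        self.loghost = loghost        # (host, port) of a remote syslogd, or None
        self.log = []                 # constructed stand-in for the log file
        # Bound unconditionally, so it shows up in netstat in both modes.
        # Port 0 (ephemeral) instead of 514 so the demo needs no root.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.2)
    @property
    def port(self):
        return self.sock.getsockname()[1]
    def local_message(self, msg):
        """A message from the local log path: always logged, and forwarded."""
        self.log.append(msg)
        if self.loghost:
            self.sock.sendto(msg.encode(), self.loghost)
    def poll_network(self):
        """Drain the UDP socket; return how many datagrams were logged."""
        logged = 0
        while True:
            try:
                data, _peer = self.sock.recvfrom(4096)
            except socket.timeout:
                return logged
            if not self.insecure:
                continue              # secure mode: read and discard
            self.log.append(data.decode(errors="replace"))
            logged += 1

def demo():
    """Secure daemon forwards to an insecure loghost; one unsolicited
    datagram is aimed at the secure daemon's own (bound, visible) port."""
    loghost = MiniSyslogd(insecure=True)
    secure = MiniSyslogd(loghost=("127.0.0.1", loghost.port))
    secure.local_message("kernel: constructed local event")
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.sendto(b"unsolicited: remote datagram", ("127.0.0.1", secure.port))
    probe.close()
    counts = (secure.poll_network(), loghost.poll_network())
    logs = (list(secure.log), list(loghost.log))
    secure.sock.close(); loghost.sock.close()
    return counts, logs
```

The secure daemon's port is open in the socket table, yet the datagram sent to it never reaches the log; the forwarded local message does reach the loghost.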
