From owner-freebsd-security@FreeBSD.ORG  Mon Aug  9 07:00:34 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 22B9916A4CE
	for <freebsd-security@freebsd.org>;
	Mon,  9 Aug 2004 07:00:34 +0000 (GMT)
Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0743343D1F
	for <freebsd-security@freebsd.org>;
	Mon,  9 Aug 2004 07:00:33 +0000 (GMT)	(envelope-from prosa@pro.sk)
Received: from peter (Peter [192.168.1.53])
	by ns.pro.sk (8.12.11/8.12.11) with SMTP id i7970NaL087295;
	Mon, 9 Aug 2004 09:00:23 +0200 (CEST)
	(envelope-from prosa@pro.sk)
Message-ID: <001e01c47dde$7f562420$3501a8c0@pro.sk>
From: "Peter Rosa" <prosa@pro.sk>
To: "FreeBSD Security" <freebsd-security@freebsd.org>
References:
	<20040808053526.GA652@kolic.net><a992d1e5040808111970de2d93@mail.gmail.com>
	<20040809061818.GA634@kolic.net>
Date: Mon, 9 Aug 2004 09:00:04 +0200
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.3
	(ns.pro.sk [192.168.1.1]); Mon, 09 Aug 2004 09:00:23 +0200 (CEST)
X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk)
cc: Zoran Kolic <kolicz@eunet.yu>
Subject: Re: about nmap
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Aug 2004 07:00:34 -0000

> When I find something open and check
> it again, it is closed. And... cannot
> close "syslogd" for report issues.

At least, can not you run syslogd with syslogd_flags="-ss" in /etc/rc.conf ?
It disables listening on 514 at all, but still works locally.
Do not use it, if your machine is used as syslogd "file server" for other
machines !


And what about some milter ? It could open some local connections on high
ports. Do not you have some kind of antispam system on your machine ? Or
DansGuardian or something like ?


Have you tried to run "sockstat >> /some/file" every minute from cron and
try to find which process opens the port ?


Peter Rosa