From owner-freebsd-security Mon Jul 28 08:00:31 1997
Date: Mon, 28 Jul 1997 10:59:44 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Guido van Rooij
cc: vince@mail.MCESTATE.COM, loco@onyks.wszib.poznan.pl, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707281353.PAA04645@gvr.win.tue.nl>

On Mon, 28 Jul 1997, Guido van Rooij wrote:

> >
> > BTW, does anyone know if there is a secure logging protocol? Syslog on
> > UDP seems a tad unreliable, not to mention opening one up from DoS. I log
>
> Not on local delivery of udp packets. Nowadays, the FreeBSD syslogd is shipped
> with an option -s that makes it refuse syslog messages from remote
> machines. This of course does not help if you want to be able to get
> syslog entries from a remote host. But you can refuse udp packets
> with destination port 513 on your routers.

Unfortunately, I don't have the liberty of reconfiguring some of the routers my hosts are accessible through. Using ipfirewall to restrict incoming messages is possible, but undesirable as it doesn't help against spoofing if the threat is also inside your network. The vulnerable host in the -s case is the loghost, which must accept network log messages. Configuring with a default of -s is a good arrangement.
Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University    http://www.cmu.edu/
Network Security Research, Trusted Information Systems   http://www.tis.com/
Network Administrator, SafePort Network Services         http://www.safeport.com/
robert@fledge.watson.org   rwatson@tis.com   http://www.watson.org/~robert/
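The two receiver postures discussed in this message, a host that refuses all network syslog (what -s does) and a loghost that must accept network messages and so can only restrict by sender, as an added example in Python. This is illustration code, not the FreeBSD syslogd or anything from the thread: the policy names "local" and "allowlist", the function names, and the sample datagrams and addresses (RFC 5737 test ranges) are all constructed here. It parses the traditional BSD "<PRI>" framing (PRI = facility * 8 + severity) and applies the sender policy before parsing. It also shows the limit Robert points out: an allowlist keyed on the datagram's source address cannot tell a genuine sender from a host inside the network that forges that address, because the UDP source is all the receiver has.

```python
"""Minimal UDP syslog receiver with a sender policy (added illustration).

Not FreeBSD syslogd code. Assumes the traditional BSD framing
"<PRI>message" with PRI = facility * 8 + severity (0..191).
"""
import socket

SYSLOG_PORT = 514  # the port syslogd listens on for network messages


def sender_allowed(src_ip, policy, allowlist=frozenset()):
    """Apply the receiver posture to a datagram's source address.

    "local"     : stand-in for syslogd -s; nothing from the network is
                  accepted, only loopback (assumed to represent the host
                  itself, since real local logging uses /dev/log, not UDP).
    "allowlist" : the loghost case; accept only from named senders.
    Note: the source address is taken from the UDP header and can be
    forged by any host that can reach the receiver, so "allowlist" is
    a filter against accidents and outsiders, not against an insider.
    """
    if policy == "local":
        return src_ip == "127.0.0.1"
    if policy == "allowlist":
        return src_ip in allowlist
    raise ValueError("unknown policy: %r" % (policy,))


def parse_pri(datagram):
    """Return (facility, severity, text) or None if the framing is invalid."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)  # PRI is at most three digits
    if end == -1:
        return None
    digits = datagram[1:end]
    if not digits.isdigit():
        return None
    pri = int(digits)
    if pri > 191:  # 23 facilities * 8 + severity 7
        return None
    return pri // 8, pri % 8, datagram[end + 1:].decode("ascii", "replace")


def handle(datagram, src_ip, policy, allowlist=frozenset()):
    """Return an accepted log record, or None when the datagram is dropped.

    The sender check runs first so that junk from unwanted senders is
    discarded without being parsed at all.
    """
    if not sender_allowed(src_ip, policy, allowlist):
        return None
    parsed = parse_pri(datagram)
    if parsed is None:
        return None
    facility, severity, text = parsed
    return {"src": src_ip, "facility": facility,
            "severity": severity, "text": text}


# Constructed sample traffic: one legitimate sender, one unknown sender,
# and one malformed datagram from the legitimate sender.
TRUSTED_SENDER = "192.0.2.10"
SAMPLE = [
    (b"<34>Jul 28 10:59:44 cyrus su: robert to root on ttyp1", TRUSTED_SENDER),
    (b"<13>Jul 28 11:00:01 other su: guest to root on ttyp2", "198.51.100.7"),
    (b"not a syslog message", TRUSTED_SENDER),
]


def run_samples(policy, allowlist=frozenset()):
    """Run the constructed samples through one posture; returns a list."""
    return [handle(data, src, policy, allowlist) for data, src in SAMPLE]


def serve(bind_addr="0.0.0.0", port=SYSLOG_PORT, policy="allowlist",
          allowlist=frozenset()):
    """Blocking receive loop; port 514 needs root, so the demo uses 5514."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src_ip, _) = sock.recvfrom(2048)
        record = handle(data, src_ip, policy, allowlist)
        if record is not None:
            print(record)


if __name__ == "__main__":
    for rec in run_samples("allowlist", frozenset({TRUSTED_SENDER})):
        print(rec)
    serve(port=5514, allowlist=frozenset({TRUSTED_SENDER}))
```

With policy "local" every sample is dropped, matching a host run with -s; with "allowlist" only the first sample survives, and the second would have survived just as well had it been sent with a forged source of 192.0.2.10, which is the gap the message describes.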