From: guy@device.dyndns.org
To: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?
Date: Wed, 30 Jun 2004 11:23:31 +0200 (CEST)
In-Reply-To: <20040629191556.L47985@metafocus.net>

Your problem makes me curious...

On 30-Jun-2004 Dave wrote:
>
> I didn't think syslogd was open to the world by default? Just in case, I
> now blocked off port 514 for UDP. If it was, then I was just running it
> open to the world for 2 years and finally noticed :) I guess it's not
> commonly picked on.

With default settings on a freshly updated 4.10-STABLE, "ps ax" says my syslogd is running as "/usr/sbin/syslogd -s". "man syslogd" says:

     -s      Operate in secure mode. Do not log messages from remote machines.
             If specified twice, no network socket will be opened at all, which
             also disables logging to remote machines.
So unless someone changed the way syslogd is launched, this should not be a spurious message from a remote machine (but it could be from local). You may consider using a tool such as security/aide after a fresh buildworld to make sure no unauthorised changes are made to your system. Assuming your buildchain tools have not been trojaned, you can do it on the target system. If you have some suspicion, run the buildworld/kernel from a live CD or another machine.

Sorry if all I said sounds obvious; there are some times when possibly useless repeating seems worthwhile :]

--
Guy
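As an added example (not from Guy's post or FreeBSD itself), a small sh script that classifies a syslogd command line by how many -s flags it carries, following the syslogd(8) text quoted above; the live check parses "ps ax" output heuristically and the sample command lines are constructed.

```shell
#!/bin/sh
# Classify a syslogd command line by its -s count (see syslogd(8) quoted above):
#   0 x -s -> "open"      : remote messages accepted on the network socket
#   1 x -s -> "secure"    : remote messages ignored, socket still opened
#   2 x -s -> "no-socket" : no network socket at all, no remote logging either
# Heuristic: only option clusters (arguments starting with "-") are scanned,
# so option values such as paths or peer addresses cannot add a spurious "s".
syslogd_mode() {
    count=0
    set -- $1          # split the command line on whitespace (constructed input)
    shift              # drop the program name, e.g. /usr/sbin/syslogd
    for arg in "$@"; do
        case "$arg" in
            -*) s_only=$(printf '%s' "${arg#-}" | tr -cd 's')   # keep only "s" chars
                count=$((count + ${#s_only})) ;;
            *)  ;;     # an option value, not a flag cluster
        esac
    done
    case $count in
        0) echo open ;;
        1) echo secure ;;
        *) echo no-socket ;;
    esac
}

# Inspect the syslogd actually running on this host; falls back to a
# constructed sample line when ps shows no syslogd (e.g. in a sandbox).
running_syslogd_mode() {
    line=$(ps ax 2>/dev/null | awk '/[s]yslogd/ { $1=$2=$3=$4=""; print; exit }')
    [ -n "$line" ] || line='/usr/sbin/syslogd -s'
    syslogd_mode "$line"
}

# Constructed sample command lines, one per mode plus a mixed flag order.
for cmd in '/usr/sbin/syslogd' '/usr/sbin/syslogd -s' '/usr/sbin/syslogd -ss' \
           '/usr/sbin/syslogd -s -a 172.16.10.0/24 -s'; do
    printf '%-45s %s\n' "$cmd" "$(syslogd_mode "$cmd")"
done
echo "this host: $(running_syslogd_mode)"
```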