Date: Mon, 27 Mar 2000 22:06:25 -0800 From: The Mad Scientist <madscientist@thegrid.net> To: freebsd-security@freebsd.org Subject: syslogd compatibility Message-ID: <4.1.20000327220609.00927f00@mail.thegrid.net>
next in thread | raw e-mail | index | archive | help
All,
It seems that syslogd on -stable rejects any syslog packets if they do not
originate from udp port 514. One of the machines I have is a sparc running
2.8 and its syslogd sends messages from a random high-numbered port. I've
poked through the mailing list archives a little and didn't see anything
relevant. Is there an undocumented command-line/conf file that will fix
the problem? I'm not much of a hacker, but from the syslogd.c code I think
I can see the relevant part that drops the packets. Would getting rid of
these lines do the trick (~line 1802 in /usr/src/usr.sbin/syslogd/syslogd.c)?
if (ntohs(ap->port) != 0 && ap->port != sin->sin_port) {
dprintf("rejected in rule %d due to port mismatch.\n", i);
continue;
}
Am I correct in assuming that the idea here is to put more trust in remote
syslogds running as root? Are there any other security implications with
removing this check?
From syslogd -a 10.0.0.0/8 -vv -d
<snip>
cvthname(10.0.1.4)
validate: dgram from IP 10.0.1.4, port 32803, name splitbrain.;
rejected in rule 0 due to port mismatch.
I also don't see any logs of these rejected packets...
My FreeBSD machine is:
FreeBSD watchtower 3.4-STABLE FreeBSD 3.4-STABLE #2: Tue Mar 7 21:50:38
PST 2000 root@watchtower:/usr/src/sys/compile/WATCHTOWER i386
The Solaris box is:
SunOS splitbrain 5.8 Generic sun4m sparc SUNW,SPARCstation-10
Thanks for the help.
-Dean
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.20000327220609.00927f00>