Date: Tue, 28 Mar 2000 09:11:36 +0200 (CEST)
From: Johan Larsson <johan@ludd.luth.se>
To: The Mad Scientist <madscientist@thegrid.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: syslogd compatibility
Message-ID: <Pine.NEB.4.21.0003280908170.14193-100000@speedy.ludd.luth.se>
In-Reply-To: <4.1.20000327220609.00927f00@mail.thegrid.net>

On Mon, 27 Mar 2000, The Mad Scientist wrote:

> All,
> It seems that syslogd on -stable rejects any syslog packets if they do not
> originate from udp port 514. One of the machines I have is a sparc running
> 2.8 and its syslogd sends messages from a random high-numbered port. I've
> poked through the mailing list archives a little and didn't see anything
> relevant. Is there an undocumented command-line/conf file that will fix
> the problem? I'm not much of a hacker, but from the syslogd.c code I think
> I can see the relevant part that drops the packets. Would getting rid of
> these lines do the trick (~line 1802 in /usr/src/usr.sbin/syslogd/syslogd.c)?
>
>     if (ntohs(ap->port) != 0 && ap->port != sin->sin_port) {
>         dprintf("rejected in rule %d due to port mismatch.\n", i);
>         continue;
>     }
>
> Am I correct in assuming that the idea here is to put more trust in remote
> syslogds running as root? Are there any other security implications with
> removing this check?

You shouldn't do that; instead use the :service argument to -a, i.e.
-a IPofSUN/32:* (* can be replaced with the port number if that's known).
If you read the manpage you should see this :-)

>
> From syslogd -a 10.0.0.0/8 -vv -d
> <snip>
> cvthname(10.0.1.4)
> validate: dgram from IP 10.0.1.4, port 32803, name splitbrain.;
> rejected in rule 0 due to port mismatch.
>
> I also don't see any logs of these rejected packets...
>
> My FreeBSD machine is:
> FreeBSD watchtower 3.4-STABLE FreeBSD 3.4-STABLE #2: Tue Mar 7 21:50:38
> PST 2000 root@watchtower:/usr/src/sys/compile/WATCHTOWER i386
>
> The Solaris box is:
> SunOS splitbrain 5.8 Generic sun4m sparc SUNW,SPARCstation-10
>
> Thanks for the help.
> -Dean
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Johan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.4.21.0003280908170.14193-100000>
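
Added example, not part of the original message and not syslogd's own code: a simplified model of how an -a rule with and without the :service part treats the datagram from the debug output in this thread. The struct and the function names parse_rule and rule_accepts are hypothetical, only numeric addresses and ports are handled, and the default of 514 follows the behaviour described in the thread. It shows that a /32:* rule lifts the source-port test for one host only, while every other rule keeps it.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model of one -a rule; hypothetical struct, not syslogd's. */
struct peer_rule {
    uint32_t net, mask; /* network byte order */
    uint16_t port;      /* network byte order; 0 means any source port */
};

/* Parse "a.b.c.d/len[:port|:*]"; no :service part means port 514. 0 on success. */
int parse_rule(const char *s, struct peer_rule *r) {
    char buf[64], *slash, *colon, *end;
    struct in_addr a;
    long len, port = 514;
    if (snprintf(buf, sizeof(buf), "%s", s) >= (int)sizeof(buf)) return -1;
    if ((colon = strchr(buf, ':')) != NULL) {
        *colon++ = '\0';
        if (strcmp(colon, "*") == 0) port = 0;
        else if ((port = strtol(colon, &end, 10)) < 1 || port > 65535 || *end) return -1;
    }
    if ((slash = strchr(buf, '/')) == NULL) return -1;
    *slash++ = '\0';
    len = strtol(slash, &end, 10);
    if (end == slash || *end || len < 0 || len > 32) return -1;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    r->mask = len ? htonl(0xffffffffu << (32 - len)) : 0;
    r->net = a.s_addr & r->mask;
    r->port = htons((uint16_t)port);
    return 0;
}

/* 1 if a datagram from src:sport passes the rule, else 0. */
int rule_accepts(const struct peer_rule *r, const char *src, uint16_t sport) {
    struct in_addr a;
    if (inet_pton(AF_INET, src, &a) != 1) return 0;
    if ((a.s_addr & r->mask) != r->net) return 0;
    return r->port == 0 || r->port == htons(sport); /* 0 disables the port test */
}

int main(void) { /* constructed inputs: peer and port from the thread's debug output */
    struct peer_rule r;
    const char *rules[] = { "10.0.0.0/8", "10.0.1.4/32:*" };
    for (int i = 0; i < 2; i++)
        if (parse_rule(rules[i], &r) == 0)
            printf("-a %s: 10.0.1.4:32803 %s\n", rules[i],
                   rule_accepts(&r, "10.0.1.4", 32803) ? "accepted" : "rejected");
}
```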