Date:      Fri, 24 Apr 1998 11:02:52 +0800
From:      Peter Wemm <peter@netplex.com.au>
To:        "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
Cc:        phk@critter.freebsd.dk (Poul-Henning Kamp), cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-usrsbin@freebsd.org, soren@dt.dk
Subject:   Re: cvs commit: src/usr.sbin/syslogd syslogd.c 
Message-ID:  <199804240302.LAA02485@spinner.netplex.com.au>
In-Reply-To: Your message of "Thu, 23 Apr 1998 19:20:20 MST." <199804240220.TAA10069@GndRsh.aac.dev.com> 

"Rodney W. Grimes" wrote:
[..]
> > If you and peter agree with me that all -s should do is to not listen
> > for packets, but still bind to the syslog udp port so the remote
> > receiver of our syslog messages know we sent them, then I'll happily
> > make it do that.
> 
> Yes, I agree with that.

Yes, I agree too, but I suggest that if syslogd is going to bind to the 
address, then it should also select and receive the messages, but 
automatically discard them..  Otherwise the socket will hold the packets 
in buffers and consume resources indefinitely.

If we're going to do that, then perhaps we count them as well and resource 
an exponential count..  ie, something like:
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 1
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 10
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 100
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 1000
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 10000
[..]

I think it'd be interesting to know that somebody was trying to send the 
packets.  It should be possible to count them without blowing up the logs 
in an attack situation.  It would help detect misconfigurations etc if 
some internal machines were sending logs to the wrong host and so on.


Cheers,
-Peter
--
Peter Wemm <peter@netplex.com.au>   Netplex Consulting
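
The receive-and-discard loop with exponentially spaced reporting suggested in the message above, as an added sketch that is not part of the original e-mail or of FreeBSD's syslogd. The function names are hypothetical, and a local socketpair carrying constructed datagrams stands in for the bound UDP syslog socket.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 when count is 1, 10, 100, ... (the counts that get a log line). */
static int is_report_threshold(unsigned long count)
{
    while (count && count % 10 == 0)
        count /= 10;
    return count == 1;
}

/* Read and discard every queued datagram so the socket buffer cannot fill. */
/* Updates *total; returns the number of log lines emitted in this call. */
static int drain_and_count(int fd, unsigned long *total)
{
    char buf[1024];
    int reports = 0;
    /* MSG_DONTWAIT: return once the queue is empty instead of blocking. */
    while (recv(fd, buf, sizeof(buf), MSG_DONTWAIT) >= 0) {
        if (is_report_threshold(++*total)) {
            fprintf(stderr, "syslogd: unauthorized remote message count: %lu\n", *total);
            reports++;
        }
    }
    return reports;
}

/* Constructed demo: n datagrams through a socketpair, drained in small batches. */
static int demo(int n, unsigned long *total)
{
    int sv[2], i, reports = 0;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    for (i = 0; i < n; i++) {
        send(sv[0], "<13>constructed", 15, 0);
        if (i % 4 == 3)
            reports += drain_and_count(sv[1], total);
    }
    reports += drain_and_count(sv[1], total);
    close(sv[0]); close(sv[1]);
    return reports;
}

int main(void)
{
    unsigned long total = 0;
    printf("log lines: %d\n", demo(120, &total));
    return 0;
}
```

Because a line is written only at powers of ten, a flood of N discarded packets produces about log10(N) log entries, so the counter stays useful without letting the sender fill the log.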




