From owner-cvs-usrsbin Thu Apr 23 20:06:10 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA11864 for cvs-usrsbin-outgoing; Thu, 23 Apr 1998 20:06:10 -0700 (PDT) (envelope-from owner-cvs-usrsbin)
Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA11794; Thu, 23 Apr 1998 20:05:50 -0700 (PDT) (envelope-from peter@netplex.com.au)
Received: from spinner.netplex.com.au (localhost [127.0.0.1]) by spinner.netplex.com.au (8.8.8/8.8.8/Spinner) with ESMTP id LAA02485; Fri, 24 Apr 1998 11:02:53 +0800 (WST) (envelope-from peter@spinner.netplex.com.au)
Message-Id: <199804240302.LAA02485@spinner.netplex.com.au>
X-Mailer: exmh version 2.0.2 2/24/98
To: "Rodney W. Grimes"
cc: phk@critter.freebsd.dk (Poul-Henning Kamp), cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-usrsbin@freebsd.org, soren@dt.dk
Subject: Re: cvs commit: src/usr.sbin/syslogd syslogd.c
In-reply-to: Your message of "Thu, 23 Apr 1998 19:20:20 MST." <199804240220.TAA10069@GndRsh.aac.dev.com>
Date: Fri, 24 Apr 1998 11:02:52 +0800
From: Peter Wemm
Sender: owner-cvs-usrsbin@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

"Rodney W. Grimes" wrote:
[..]
> > If you and peter agree with me that all -s should do is to not listen
> > for packets, but still bind to the syslog udp port so the remote
> > receiver of our syslog messages know we sent them, then I'll happily
> > make it do that.
>
> Yes, I agree with that.

Yes, I agree too, but I suggest that if syslogd is going to bind to the
address, then it should also select and receive the messages, but
automatically discard them.  Otherwise the socket will hold the packets
in buffers and consume resources indefinitely.

If we're going to do that, then perhaps we count them as well and
resource an exponential count..
i.e., something like:

Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 1
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 10
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 100
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 1000
Apr 24 10:52:17 spinner syslogd: unauthorized remote message count: 10000
[..]

I think it'd be interesting to know that somebody was trying to send the
packets.  It should be possible to count them without blowing up the logs
in an attack situation.  It would help detect misconfigurations etc. if
some internal machines were sending logs to the wrong host and so on.

Cheers,
-Peter
--
Peter Wemm
Netplex Consulting
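The discard-and-count behaviour sketched in the message above, as an added example (this is not syslogd code and not from anyone in the thread): the bound UDP socket is drained without blocking so queued datagrams do not pin receive-buffer memory, every discarded datagram is counted, and a report line is produced only when the count reaches 1, 10, 100, 1000, ... so a flood costs a handful of log lines. The names `discard_counter`, `drain_and_discard` and `loopback_selftest`, the report string, and the self-test on an ephemeral loopback port (rather than UDP 514, so no privileges are needed) are assumptions made here; a real daemon would pass the report through its normal logging path, which prepends the timestamp and hostname.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <limits.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Counter for datagrams accepted on the syslog socket in "secure" (-s) mode
 * but never processed.  Reports fire at counts 1, 10, 100, 1000, ... */
struct discard_counter {
    unsigned long count;        /* datagrams discarded so far */
    unsigned long next_report;  /* count at which the next report fires */
};

void discard_counter_init(struct discard_counter *c)
{
    c->count = 0;
    c->next_report = 1;
}

/* Record one discarded datagram.  Returns 1 and fills msg with the report
 * text when a power-of-ten threshold is reached, otherwise 0.  The text has
 * no timestamp/hostname: a real syslogd's logging path would add those. */
int discard_counter_record(struct discard_counter *c, char *msg, size_t msglen)
{
    if (c->count == ULONG_MAX)              /* saturate rather than wrap */
        return 0;
    c->count++;
    if (c->count != c->next_report)
        return 0;
    snprintf(msg, msglen, "syslogd: unauthorized remote message count: %lu",
             c->count);
    if (c->next_report > ULONG_MAX / 10)
        c->next_report = ULONG_MAX;         /* last report; no overflow */
    else
        c->next_report *= 10;
    return 1;
}

/* Drain everything queued on fd without blocking, discard each payload and
 * count it, writing report lines to log.  Returns the number of datagrams
 * drained in this pass, or -1 on a socket error other than "queue empty". */
int drain_and_discard(int fd, struct discard_counter *c, FILE *log)
{
    char buf[2048], msg[128];               /* buf is read only to discard */
    int drained = 0;

    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, MSG_DONTWAIT);
        if (n < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                return drained;             /* nothing left: back to select() */
            if (errno == EINTR)
                continue;
            return -1;
        }
        drained++;
        if (discard_counter_record(c, msg, sizeof msg) && log != NULL)
            fprintf(log, "%s\n", msg);
    }
}

/* Self-test: bind a UDP socket on an ephemeral loopback port, send n
 * constructed datagrams to it, then select()+drain as a daemon would.
 * Returns the number drained, or -1 if sockets are unavailable here. */
int loopback_selftest(int n)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof sin;
    struct discard_counter c;
    const char payload[] = "<13>constructed test message";   /* assumed input */
    int rx, tx, i, drained = 0;

    rx = socket(AF_INET, SOCK_DGRAM, 0);
    tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                       /* kernel picks a free port */
    if (bind(rx, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(rx, (struct sockaddr *)&sin, &slen) < 0 ||
        listen == NULL) {                   /* (always false; keeps the chain) */
        close(rx); close(tx);
        return -1;
    }
    for (i = 0; i < n; i++)
        if (sendto(tx, payload, sizeof payload - 1, 0,
                   (struct sockaddr *)&sin, sizeof sin) < 0) {
            close(rx); close(tx);
            return -1;
        }
    discard_counter_init(&c);
    while (drained < n) {                   /* wait up to 1s per pass */
        fd_set rfds;
        struct timeval tv = { 1, 0 };
        int r;
        FD_ZERO(&rfds);
        FD_SET(rx, &rfds);
        if (select(rx + 1, &rfds, NULL, NULL, &tv) <= 0)
            break;                          /* timeout or error */
        if ((r = drain_and_discard(rx, &c, stdout)) < 0)
            break;
        drained += r;
    }
    close(rx);
    close(tx);
    return drained;
}

int main(void)
{
    int r = loopback_selftest(12);          /* prints reports at 1 and 10 */
    printf("drained %d datagrams\n", r);
    return r < 0;
}
```

Two things worth noting. First, draining is what keeps the socket cheap: a bound socket that is never read accumulates datagrams up to `SO_RCVBUF`, and the kernel memory stays pinned for the life of the daemon. Second, the threshold sequence 1, 10, 100, ... bounds the log output to roughly log10 of the attack volume, so an attacker who floods the port cannot also fill the disk with the daemon's own reports about the flood; the final `ULONG_MAX` guard just stops the multiplication from wrapping.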