On Thursday, August 4, poncenby wrote:
> 
> I remember asking how to stop syslogd opening udp port 514 a while ago 
> and never doing anything about it, here goes again...

And people asked you to search the archives.


> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp        0      0  *.514                  *.*

Yes, yes, it's got a socket open.  So what?


> reading the man page doesn't really answer why there is a program 
> listening on udp 514, seeing as I haven't passed syslogd the -u switch
> 
> -u      Select the historical ``insecure'' mode, in which syslogd will
>           accept input from the UDP port.  Some software wants this, but
>           you can be subjected to a variety of attacks over the network,
>           including attackers remotely filling logs.
> 
> can anyone point me in the right direction so this annoying behaviour stops.
> also, is there a switch for netstat which shows the pid/process for each 
> listening port?

About 5 F*ING LINES later the man page says:


>>   syslogd opens an Internet domain socket as specified in /etc/services.
>>   Normally syslogd will only use this socket to send messages outwards, but
>>   in ``insecure'' mode it will also read messages from this socket.
>>   syslogd also opens and reads messages from the UNIX domain socket
>>   /dev/log, and from the special device /dev/klog (to read kernel mes-
>>   sages).
>>
>>   syslogd opens the above described socket whether or not it is running in
>>   secure mode.  If syslogd is running in secure mode, all incoming data on
>>   this socket is discarded.  The socket is required for sending forwarded
>>   messages.

Read, breathe, relax...  Just because a program has a port open does not
mean it is insecure.  It could be having a port open in order to *SEND*
data, and never *EVER* receive data.

--Toby.
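
The behaviour quoted from the man page, as an added example that is not part of the original message and is not syslogd's code: a small Python model of a daemon whose UDP socket is bound (so netstat lists it) and used for forwarding, while anything arriving on it is read and thrown away unless an "insecure" flag is set. The class name, the loopback addresses and the sample messages are constructed for illustration.

```python
import select
import socket

def make_udp():
    """UDP socket bound to a free loopback port (constructed test address)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s

class ForwardingLogger:
    """Hypothetical stand-in for a log daemon, not syslogd's implementation."""
    def __init__(self, collector_addr, insecure=False):
        self.sock = make_udp()        # bound either way, like *.514 in netstat
        self.collector = collector_addr
        self.insecure = insecure      # models the -u switch
        self.accepted = []            # messages taken from the network

    def forward(self, msg):
        # Outbound forwarding uses the bound socket as its source.
        self.sock.sendto(msg, self.collector)

    def poll(self, timeout=0.5):
        # Drain whatever arrived; keep it only in insecure mode.
        while select.select([self.sock], [], [], timeout)[0]:
            data, _ = self.sock.recvfrom(8192)
            if self.insecure:
                self.accepted.append(data)
            timeout = 0               # secure mode: datagram is discarded

def demo(insecure):
    collector = make_udp()
    collector.settimeout(2)
    daemon = ForwardingLogger(collector.getsockname(), insecure)
    outsider = make_udp()
    # Constructed unsolicited datagram aimed at the daemon's open port.
    outsider.sendto(b"<13>constructed network line", daemon.sock.getsockname())
    daemon.poll()
    daemon.forward(b"<13>constructed local message")
    received, src = collector.recvfrom(8192)
    result = (list(daemon.accepted), received, src == daemon.sock.getsockname())
    for s in (collector, daemon.sock, outsider):
        s.close()
    return result

if __name__ == "__main__":
    print("secure:  ", demo(False))
    print("insecure:", demo(True))
```

In both modes the collector sees the forwarded message arrive from the daemon's bound port; only the insecure run ends up with the network datagram in `accepted`.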
