2018-03-19 8:07 GMT+01:00 Torsten <[email protected]>:
> >> On my OpenBSD 6.2 syslogd is listening to port 514
> >> [...]
> >> prevent syslogd from opening that port in the first place?
> >
> > If [...] no logging rules exist to send to a remote
> > host the socket is closed per default since 6.2. Perhaps you are logging
> > to a remote host?
>
> Thank you for your answer, indeed I am logging to a remote host. However,
> I don't understand why logging to a remote host opens port 514 incoming.

Because that is how UDP works. The code will not collect anything incoming to that port, but it will still look like it's "listening" because it's open, and it's open so that syslog can send on it.
> Anyway, I understand you're saying that this is intended behaviour and
> cannot be circumvented other than using pf, right?

Well, given how it actually works, it is your test methodology that is broken (i.e. assuming an open port means someone will read and act on the data, and that this in turn means you are in trouble), so "circumventing" a faulty assumption is hard to give a decent answer to.

Sure, you should PF all ports that you don't want to receive packets on, so that is still valid for UDP on port 514 and 512 and 30044, but you don't have to do it in order for syslog to not fill up your hard drive with spoofed log lines, which you already concluded. So PF is always good, and it is also a solution to the non-problem you already knew you had.

Other syslog daemons may be worse in this regard, and reading guidelines about them might lead you to think that you also must do X, Y and Z for this particular daemon, but that is not so. You might actually be able to find previous discussions on misc/tech about it, since it comes up now and then.

-- 
May the most significant bit of your life be positive.
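For reference, the pf approach the reply points at, written out as an added example (this is not from the thread or from the OpenBSD source tree). It assumes the default pf.conf layout of "block return" followed by a catch-all "pass", that the outbound interface belongs to the "egress" group, and that the remote log host is 192.0.2.10 (a documentation address; replace it with your own). Only UDP 514 is covered here, since that is the port the thread is about.

```pf
# Added example, not from the mailing-list thread.
# Assumption: the remote syslog receiver is 192.0.2.10 (documentation address).
loghost = "192.0.2.10"

set skip on lo

# Default-deny, as in the stock OpenBSD pf.conf.
block return

# syslogd sends from its local UDP 514 socket to the log host. Match this
# rule "no state" so pf does not create a state entry that would let
# packets from loghost:514 back in to the local port 514 socket; syslog
# over UDP is one-way, so nothing legitimate is expected in return.
pass out quick on egress proto udp from (egress) port 514 to $loghost port 514 no state

# Anything arriving at local UDP 514 is dropped before the catch-all pass.
# syslogd would never read those datagrams anyway (see the reply above);
# this just keeps them out of the socket buffer and out of your logs.
block drop in quick log on egress proto udp from any to (egress) port 514

# Everything else keeps the stock behaviour.
pass
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. After loading, the socket will still be listed by `netstat -an` as bound to UDP 514; that is the expected result and is the point the reply makes: an open UDP socket used for sending is not the same thing as a service that reads and acts on inbound data.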

