Re: syslogd udp port

2005-08-06 Thread Shawn K. Quinn
On Sat, 2005-08-06 at 03:00 +0100, poncenby wrote:
 Shawn K. Quinn wrote:
  On Fri, 2005-08-05 at 07:33 +0100, poncenby wrote:
  
 May I suggest some tolerance (doesn't have to be sincere) for people
 who are simply either too busy or too lazy to read man pages in their 
 entirety. or just simply ignore the email. surely certain people on
 this list (theo - that's you!) don't actually enjoy patronising their
 loyal userbase?
  
  
  You should be reading the man page first, then asking questions on list
  (or elsewhere, e.g. IRC), not the other way around. And ignoring these
  sorts of e-mails isn't an option, as people need to know the expected
  protocol is to read the man page first.
  
  Start out with the goal of making an operating system possible to use
  without reading documentation, and you wind up with something like
  Microsoft Windows (however, even Microsoft must document a lot of
  things, even if it is only available in electronic form). I'm sure
  you've either already been down that road, or have no desire to go down
  it.
  
  The people that WTFM intend for you to RTFM.
  
 
 wow shawn, that's really clever. you have saved yourself thirty-eight 
 key depressions and managed to convey no sense of authority.

Wow ponceby, that's really clever. You have shown the world your ability
to half-ass-type and not express one Goddamn coherent thought.

In the time it took you to write this, you could have read a man page,
possibly two or three if you're a fast reader.

 if only i could be as l33t

If you want to be understood, type English. I have no idea what the hell
an el-thirty-three-tee is.

You're obviously not averse to reading (and, rather unfortunately,
replying to) messages on the list. Why, then, are you averse to reading
man pages? (Don't answer this publicly, but reflect on the answer to
yourself.)

-- 
Shawn K. Quinn [EMAIL PROTECTED]



Re: syslogd udp port

2005-08-05 Thread Theo de Raadt
 May I suggest some tolerance (doesn't have to be sincere) for people who 
 are simply either too busy or too lazy to read man pages in their 
 entirety.

Absolutely not.  You were lazy and unwilling to educate yourself, and
are making other people watch you sluffing your way through life.



Re: syslogd udp port

2005-08-05 Thread Shawn K. Quinn
On Fri, 2005-08-05 at 07:33 +0100, poncenby wrote:
 
 May I suggest some tolerance (doesn't have to be sincere) for people
 who are simply either too busy or too lazy to read man pages in their 
 entirety. or just simply ignore the email. surely certain people on
 this list (theo - that's you!) don't actually enjoy patronising their
 loyal userbase?

You should be reading the man page first, then asking questions on list
(or elsewhere, e.g. IRC), not the other way around. And ignoring these
sorts of e-mails isn't an option, as people need to know the expected
protocol is to read the man page first.

Start out with the goal of making an operating system possible to use
without reading documentation, and you wind up with something like
Microsoft Windows (however, even Microsoft must document a lot of
things, even if it is only available in electronic form). I'm sure
you've either already been down that road, or have no desire to go down
it.

The people that WTFM intend for you to RTFM.

-- 
Shawn K. Quinn [EMAIL PROTECTED]



Re: syslogd udp port

2005-08-05 Thread Karsten McMinn
On 8/4/05, poncenby [EMAIL PROTECTED] wrote:
 I remember asking how to stop syslogd opening udp port 514 a while ago
 and never doing anything about it, here goes again...

better yet just compile your own version of nmap that
doesn't scan udp 514.



Re: syslogd udp port

2005-08-05 Thread Abraham Al-Saleh
On 8/5/05, poncenby [EMAIL PROTECTED] wrote:
 Firstly I never mentioned the word security, so I don't know where
 Tobias got that from.
 
 I apologise once again for not searching the archives and reading the
 man pages.
 
 May I suggest some tolerance (doesn't have to be sincere) for people who
 are simply either too busy or too lazy to read man pages in their
 entirety. or just simply ignore the email. surely certain people on this
 list (theo - that's you!) don't actually enjoy patronising their loyal
 userbase?

[snip]

In the long run, it's usually faster to do research than to send a
question to a mailing list and hope someone is going to hold your
hand. You waste your time and everyone else's. If you want to be lazy,
pay someone to do your administration, don't expect everyone else to
do it for free.



Re: syslogd udp port

2005-08-05 Thread mdff
[snip] blah blah... [snap]
he'd better do man syslogd... but assume this:
- no pf for udp/514.
- a DOS or DDOS to this OPEN port.
- syslogd running just in send mode.
- and finally: no remote syslogging configured because of only 1 box here.

will it take more resources to handle this with an open port
compared to a closed one or not? i guess yes. and for security,
i guess a closed port is still better than an application reading
all packets and discarding them...

question: what about 1 more argv to have syslogd not to bind udp/514 at all?

br, mdff...



Re: syslogd udp port

2005-08-05 Thread imEnsion
haha, henning.. i love your technical responses to problems. they're
always very short, sweet and to the point (and you're 99.999% of the
time right).

if i could make it to a hackathon (or even get invited, heh) i'd buy a
round of beer for everyone to calm the *%# down :P



On 8/5/05, Henning Brauer [EMAIL PROTECTED] wrote:
 syslog shutdown()s the port for reading. there is no real difference
 to not opening it at all.
 
 * mdff [EMAIL PROTECTED] [2005-08-05 13:13]:
  [snip] blah blah... [snap]
  he'd better do man syslogd... but assume this:
  - no pf for udp/514.
  - a DOS or DDOS to this OPEN port.
  - syslogd running just in send mode.
  - and finally: no remote syslogging configured because of only 1 box here.
 
  will it take more resources to handle this with an open port
  compared to a closed one or not? i guess yes. and for security,
  i guess a closed port is still better than an application reading
  all packets and discarding them...
 
  question: what about 1 more argv to have syslogd not to bind udp/514 at all?
 
  br, mdff...
 
 
 --
 BS Web Services, http://www.bsws.de/
 OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
 Unix is very simple, but it takes a genius to understand the simplicity.
 (Dennis Ritchie)



Re: syslogd udp port

2005-08-05 Thread poncenby

Shawn K. Quinn wrote:

 On Fri, 2005-08-05 at 07:33 +0100, poncenby wrote:
 
  May I suggest some tolerance (doesn't have to be sincere) for people
  who are simply either too busy or too lazy to read man pages in their 
  entirety. or just simply ignore the email. surely certain people on
  this list (theo - that's you!) don't actually enjoy patronising their
  loyal userbase?
 
 You should be reading the man page first, then asking questions on list
 (or elsewhere, e.g. IRC), not the other way around. And ignoring these
 sorts of e-mails isn't an option, as people need to know the expected
 protocol is to read the man page first.
 
 Start out with the goal of making an operating system possible to use
 without reading documentation, and you wind up with something like
 Microsoft Windows (however, even Microsoft must document a lot of
 things, even if it is only available in electronic form). I'm sure
 you've either already been down that road, or have no desire to go down
 it.
 
 The people that WTFM intend for you to RTFM.



wow shawn, that's really clever. you have saved yourself thirty-eight 
key depressions and managed to convey no sense of authority.


if only i could be as l33t

poncenby



Re: syslogd udp port

2005-08-05 Thread poncenby

Abraham Al-Saleh wrote:

 On 8/5/05, poncenby [EMAIL PROTECTED] wrote:
 
  Firstly I never mentioned the word security, so I don't know where
  Tobias got that from.
  
  I apologise once again for not searching the archives and reading the
  man pages.
  
  May I suggest some tolerance (doesn't have to be sincere) for people who
  are simply either too busy or too lazy to read man pages in their
  entirety. or just simply ignore the email. surely certain people on this
  list (theo - that's you!) don't actually enjoy patronising their loyal
  userbase?
 
 [snip]
 
 In the long run, it's usually faster to do research than to send a
 question to a mailing list and hope someone is going to hold your
 hand. You waste your time and everyone else's. If you want to be lazy,
 pay someone to do your administration, don't expect everyone else to
 do it for free.


if you think about what you said...

in the long run it's usually faster to do research

just doesn't make sense. i wanted an answer within a day, didn't have 
time to read the man pages so posted a question to misc and got an 
answer (within a day). f*%k the long run, what exactly is the long run 
anyway.


(see, anyone can be pedantic if they can be arsed).

When i post to misc I hope some kind folk will receive it in the manner 
intended (i.e. a newbie attempting to grasp a solid foundation in BSD 
concepts). Yes I realise I could gain this from reading every single man 
page but that is not realistic (maybe it is for people with nothing 
better to do at that time).


the box is run in my own time and when I post a question (as stupid as 
it might seem) then go to work and come back with a maillist full of 
utter dribble like this, hoping there will be at least 1 constructive 
answer somewhere buried within it.
i run a box with openbsd in my spare time - i'm not going to pay for 
someone to do it for me. i'll learn the way i want to learn, which 
differs depending on how lazy/busy I am at that point in time.


it seems a lot of people assume that openbsd enthusiasts actually have 
an unlimited time to find the answers to every single question they will 
ever have.


it just isn't the case and tolerance is needed.

do you agree theo? :)

poncenby



Re: syslogd udp port

2005-08-05 Thread ddp
On 8/5/05, poncenby [EMAIL PROTECTED] wrote:

 if you think about what you said...
 
 in the long run it's usually faster to do research
 
 just doesn't make sense. i wanted an answer within a day, didn't have
 time to read the man pages so posted a question to misc and got an
 answer (within a day). f*%k the long run, what exactly is the long run
 anyway.
 

It doesn't take a day to read the man pages, usually just a couple of
minutes.  It's easier, and nicer to the people reading the list. :)

ddp



Re: syslogd udp port

2005-08-05 Thread Lars Hansson
On Sat, 06 Aug 2005 03:15:07 +0100
poncenby [EMAIL PROTECTED] wrote:
 just doesn't make sense. i wanted an answer within a day, didn't have 
 time to read the man pages so posted a question to misc and got an 
 answer (within a day).

What *you* want is rather irrelevant.

 When i post to misc I hope some kind folk will receive it in the manner 
 intended (i.e. a newbie attempting to grasp a solid foundation in BSD 
 concepts). Yes I realise I could gain this from reading every single man 
 page but that is not realistic (maybe it is for people with nothing 
 better to do at that time).

Ever heard of apropos and man -k?
And really, it's not THAT difficult to find the man page for syslogd...

 i run a box with openbsd in my spare time - i'm not going to pay for 
 someone to do it for me.
If you don't want to pay I guess you'll just have to do your own homework, eh?

 it seems a lot of people assume that openbsd enthusiasts actually have 
 an unlimited time to find the answers to every single question they will 
 ever have.

It seems many people who post on misc@ think the openbsd users exist solely
to answer their questions, no matter how many times they've been answered
before.

---
Lars Hansson



Re: syslogd udp port

2005-08-05 Thread Roger Neth Jr

 From: poncenby [EMAIL PROTECTED]
 To: misc@openbsd.org
 Subject: Re: syslogd udp port
 Date: Sat, 06 Aug 2005 03:15:07 +0100
 
 Abraham Al-Saleh wrote:
 
  On 8/5/05, poncenby [EMAIL PROTECTED] wrote:
  
   Firstly I never mentioned the word security, so I don't know where
   Tobias got that from.
   
   I apologise once again for not searching the archives and reading the
   man pages.
   
   May I suggest some tolerance (doesn't have to be sincere) for people who
   are simply either too busy or too lazy to read man pages in their
   entirety. or just simply ignore the email. surely certain people on this
   list (theo - that's you!) don't actually enjoy patronising their loyal
   userbase?
  
  [snip]
  
  In the long run, it's usually faster to do research than to send a
  question to a mailing list and hope someone is going to hold your
  hand. You waste your time and everyone else's. If you want to be lazy,
  pay someone to do your administration, don't expect everyone else to
  do it for free.
 
 if you think about what you said...
 
 in the long run it's usually faster to do research
 
 just doesn't make sense. i wanted an answer within a day, didn't have time 
 to read the man pages so posted a question to misc and got an answer 
 (within a day). f*%k the long run, what exactly is the long run anyway.
 
 (see, anyone can be pedantic if they can be arsed).
 
 When i post to misc I hope some kind folk will receive it in the manner 
 intended (i.e. a newbie attempting to grasp a solid foundation in BSD 
 concepts). Yes I realise I could gain this from reading every single man 
 page but that is not realistic (maybe it is for people with nothing better 
 to do at that time).
 
 the box is run in my own time and when I post a question (as stupid as it 
 might seem) then go to work and come back with a maillist full of utter 
 dribble like this, hoping there will be at least 1 constructive answer 
 somewhere buried within it.
 i run a box with openbsd in my spare time - i'm not going to pay for 
 someone to do it for me. i'll learn the way i want to learn, which differs 
 depending on how lazy/busy I am at that point in time.
 
 it seems a lot of people assume that openbsd enthusiasts actually have an 
 unlimited time to find the answers to every single question they will ever 
 have.
 
 it just isn't the case and tolerance is needed.
 
 do you agree theo? :)
 
 poncenby



Hello,

I have spent the last six months installing and uninstalling OpenBSD 
countless times on i386, Alpha, SGI MIPS, and SPARC to learn.


Tried Linux, NetBSD and FreeBSD and came to appreciate OpenBSD more and 
more.


The last month pretty much full time on learning OpenBSD.

I am sacrificing my consulting time $$ to do this and find it time well 
spent.


Still got a long ways to go but am learning all I can.

And am subscribed to the mailing lists and read in my spare time. : )

Best regards,

rogern





syslogd udp port

2005-08-04 Thread poncenby
I remember asking how to stop syslogd opening udp port 514 a while ago 
and never doing anything about it, here goes again...


hopefully a relevant part of /etc/rc

echo 'starting system logger'
rm -f /dev/log
if [ "X${named_flags}" != X"NO" ]; then
    rm -f /var/named/dev/log
    syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
fi
if [ -d /var/empty ]; then
    rm -f /var/empty/dev/log
    mkdir -p -m 0555 /var/empty/dev
    syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
fi
syslogd ${syslogd_flags}

if [ "X${pf}" != X"NO" -a "X${pflogd_flags}" != X"NO" ]; then
    if ifconfig pflog0 >/dev/null 2>&1; then
        ifconfig pflog0 up
        pflogd ${pflogd_flags}
    fi
fi

my /etc/rc.conf

syslogd_flags=""        # add more flags, ie. "-u -a /chroot/dev/log"

output from command: netstat -p udp -an

Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  *.514                  *.*

reading the man page doesn't really answer why there is a program 
listening on udp 514, seeing as I haven't passed syslogd the -u switch


     -u      Select the historical ``insecure'' mode, in which syslogd will
             accept input from the UDP port.  Some software wants this, but
             you can be subjected to a variety of attacks over the network,
             including attackers remotely filling logs.

can anyone point me in the right direction so this annoying behaviour stops.
also, is there a switch for netstat which shows the pid/process for each 
listening port?


thanks in advance

poncenby



Re: syslogd udp port

2005-08-04 Thread Theo de Raadt
The port is also used to (potentially) send data out to other syslog
servers.  Therefore, it is left open.  This is made ASTOUNDINGLY
clear in the manual page, if you would read it:

 syslogd opens the above described socket whether or not it is running in
 secure mode.  If syslogd is running in secure mode, all incoming data on
 this socket is discarded.  The socket is required for sending forwarded
 messages.

See that?  It says anything read is DISCARDED.

This behaviour is not going to be changed.  Period.




 I remember asking how to stop syslogd opening udp port 514 a while ago 
 and never doing anything about it, here goes again...
 
 hopefully a relevant part of /etc/rc
 
 echo 'starting system logger'
 rm -f /dev/log
 if [ "X${named_flags}" != X"NO" ]; then
     rm -f /var/named/dev/log
     syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
 fi
 if [ -d /var/empty ]; then
     rm -f /var/empty/dev/log
     mkdir -p -m 0555 /var/empty/dev
     syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
 fi
 syslogd ${syslogd_flags}
 
 if [ "X${pf}" != X"NO" -a "X${pflogd_flags}" != X"NO" ]; then
     if ifconfig pflog0 >/dev/null 2>&1; then
         ifconfig pflog0 up
         pflogd ${pflogd_flags}
     fi
 fi
 
 my /etc/rc.conf
 
 syslogd_flags=""        # add more flags, ie. "-u -a /chroot/dev/log"
 
 output from command: netstat -p udp -an
 
 Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
 udp        0      0  *.514                  *.*
 
 reading the man page doesn't really answer why there is a program 
 listening on udp 514, seeing as I haven't passed syslogd the -u switch
 
      -u      Select the historical ``insecure'' mode, in which syslogd will
              accept input from the UDP port.  Some software wants this, but
              you can be subjected to a variety of attacks over the network,
              including attackers remotely filling logs.
 
 can anyone point me in the right direction so this annoying behaviour stops.
 also, is there a switch for netstat which shows the pid/process for each 
 listening port?
 
 thanks in advance
 
 poncenby



Re: syslogd udp port

2005-08-04 Thread Tobias Weingartner
On Thursday, August 4, poncenby wrote:
 
 I remember asking how to stop syslogd opening udp port 514 a while ago 
 and never doing anything about it, here goes again...

And people asked you to search the archives.


 Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
 udp        0      0  *.514                  *.*

Yes, yes, it's got a socket open.  So what?


 reading the man page doesn't really answer why there is a program 
 listening on udp 514, seeing as I haven't passed syslogd the -u switch
 
      -u      Select the historical ``insecure'' mode, in which syslogd will
              accept input from the UDP port.  Some software wants this, but
              you can be subjected to a variety of attacks over the network,
              including attackers remotely filling logs.
 
 can anyone point me in the right direction so this annoying behaviour stops.
 also, is there a switch for netstat which shows the pid/process for each 
 listening port?

About 5 F*ING LINES later the man page says:


   syslogd opens an Internet domain socket as specified in /etc/services.
   Normally syslogd will only use this socket to send messages outwards, but
   in ``insecure'' mode it will also read messages from this socket.
   syslogd also opens and reads messages from the UNIX domain socket
   /dev/log, and from the special device /dev/klog (to read kernel
   messages).

   syslogd opens the above described socket whether or not it is running in
   secure mode.  If syslogd is running in secure mode, all incoming data on
   this socket is discarded.  The socket is required for sending forwarded
   messages.

Read, breathe, relax...  Just because a program has a port open does not
mean it is insecure.  It could be having a port open in order to *SEND*
data, and never *EVER* receive data.

--Toby.



Re: syslogd udp port

2005-08-04 Thread Kevin
On 8/4/05, poncenby [EMAIL PROTECTED] wrote:
 I remember asking how to stop syslogd opening udp port 514 a while ago
 and never doing anything about it, here goes again...

Sure, syslogd opens UDP/514, but unless you use the '-u' flag the very
next thing it does is call shutdown(), which prevents inbound traffic on
the listening port:
 http://www.bsdforums.org/forums/showthread.php?t=33250


 reading the man page doesn't really answer why there is a program
 listening on udp 514, seeing as I haven't passed syslogd the -u switch
 
      -u      Select the historical ``insecure'' mode, in which syslogd will
              accept input from the UDP port.  Some software wants this, but
              you can be subjected to a variety of attacks over the network,
              including attackers remotely filling logs.
 
 can anyone point me in the right direction so this annoying behaviour stops.

I agree, it is (mildly) annoying.

The syslog daemon must bind UDP/514 even without the '-u' flag because
syslogd uses this socket as the source port if/when you configure a
remote log destination in /etc/syslogd.conf.

FreeBSD has the '-s -s' flag which prevents the daemon from binding the
port at all, but this is not necessary as a security enhancement, forcing
syslogd not to bind the port is purely cosmetic, makes your netstat
output shorter by one line.

Kevin Kadow
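The bind-then-shutdown() pattern Kevin and Henning describe, as an added example that is not OpenBSD's syslogd source: it opens the forwarding socket, shuts the read half down unless insecure mode is requested, and shows that a message forwarded afterwards still leaves with that socket's bound port as its source. It assumes loopback and an ephemeral port in place of UDP/514 so it runs unprivileged, and the receiving loghost is a constructed stand-in.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* The UDP socket a syslogd needs for forwarding; in secure mode (no -u) its
 * read half is shut down right after bind(). Demo assumption: loopback and an
 * ephemeral port stand in for UDP/514 so it runs unprivileged. Returns fd/-1. */
int open_syslog_socket(int insecure, unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks */
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    /* OpenBSD returns 0 here; Linux reports ENOTCONN for an unconnected UDP
     * socket yet still marks the read side shut down, so ignore the result. */
    if (!insecure)
        (void)shutdown(fd, SHUT_RD);
    *port = ntohs(sin.sin_port);
    return fd;
}

/* Forward one message to a loopback loghost. The kernel stamps the datagram
 * with the port bound above: that is why the socket must exist at all. */
int forward_message(int fd, unsigned short dst_port, const char *msg)
{
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    dst.sin_port = htons(dst_port);
    return (int)sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&dst,
                       sizeof(dst));
}

/* A constructed loghost (opened with -u semantics, so it reads) must receive
 * the message forwarded from a secure-mode socket, with that socket's bound
 * port as the source. Returns 1 on success, 0 otherwise. */
int demo_forward_after_shut_rd(void)
{
    const char *msg = "<13>Aug  5 13:13:00 box syslogd: constructed test";
    unsigned short logd_port, host_port;
    struct sockaddr_in from;
    socklen_t flen = sizeof(from);
    struct timeval tv = { 2, 0 };   /* never hang if delivery fails */
    char buf[128];
    ssize_t n = -1;
    int host = open_syslog_socket(1, &host_port);
    int logd = open_syslog_socket(0, &logd_port);
    if (host >= 0 && logd >= 0 &&
        setsockopt(host, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == 0 &&
        forward_message(logd, host_port, msg) == (int)strlen(msg))
        n = recvfrom(host, buf, sizeof(buf) - 1, 0, (struct sockaddr *)&from, &flen);
    close(host);                    /* close(-1) just fails with EBADF */
    close(logd);
    if (n <= 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, msg) == 0 && ntohs(from.sin_port) == logd_port;
}
```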



Re: syslogd udp port

2005-08-04 Thread J.C. Roberts
On Thu, 04 Aug 2005 15:50:58 -0600, Theo de Raadt
[EMAIL PROTECTED] wrote:

 The port is also used to (potentially) send data out to other syslog
 servers.  Therefore, it is left open.  This is made ASTOUNDINGLY
 clear in the manual page, if you would read it:
 
  syslogd opens the above described socket whether or not it is running in
  secure mode.  If syslogd is running in secure mode, all incoming data on
  this socket is discarded.  The socket is required for sending forwarded
  messages.
 
 See that?  It says anything read is DISCARDED.
 
 This behaviour is not going to be changed.  Period.

Welcome Home Theo!

(;

JCR

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?