Re: syslogd udp port
On Sat, 2005-08-06 at 03:00 +0100, poncenby wrote:
> Shawn K. Quinn wrote:
> > On Fri, 2005-08-05 at 07:33 +0100, poncenby wrote:
> > > May I suggest some tolerance (doesn't have to be sincere) for people
> > > who are simply either too busy or too lazy to read man pages in their
> > > entirety. Or just simply ignore the email. Surely certain people on
> > > this list (Theo - that's you!) don't actually enjoy patronising their
> > > loyal userbase?
> >
> > You should be reading the man page first, then asking questions on list
> > (or elsewhere, e.g. IRC), not the other way around. And ignoring these
> > sorts of e-mails isn't an option, as people need to know the expected
> > protocol is to read the man page first.
> >
> > Start out with the goal of making an operating system possible to use
> > without reading documentation, and you wind up with something like
> > Microsoft Windows (however, even Microsoft must document a lot of
> > things, even if it is only available in electronic form). I'm sure
> > you've either already been down that road, or have no desire to go down
> > it.
> >
> > The people that WTFM intend for you to RTFM.
>
> Wow Shawn, that's really clever. You have saved yourself thirty-eight
> key depressions and managed to convey no sense of authority.

Wow poncenby, that's really clever. You have shown the world your ability to
half-ass-type and not express one Goddamn coherent thought. In the time it
took you to write this, you could have read a man page, possibly two or three
if you're a fast reader.

> If only I could be as l33t

If you want to be understood, type English. I have no idea what the hell an
el-thirty-three-tee is.

You're obviously not averse to reading (and, rather unfortunately, replying
to) messages on the list. Why, then, are you averse to reading man pages?
(Don't answer this publicly, but reflect on the answer to yourself.)

--
Shawn K. Quinn <[EMAIL PROTECTED]>
Re: syslogd udp port
From: poncenby <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: syslogd udp port
Date: Sat, 06 Aug 2005 03:15:07 +0100

> Abraham Al-Saleh wrote:
> > On 8/5/05, poncenby <[EMAIL PROTECTED]> wrote:
> > > Firstly I never mentioned the word security, so I don't know where
> > > Tobias got that from.
> > >
> > > I apologise once again for not searching the archives and reading the
> > > man pages.
> > >
> > > May I suggest some tolerance (doesn't have to be sincere) for people
> > > who are simply either too busy or too lazy to read man pages in their
> > > entirety. Or just simply ignore the email. Surely certain people on
> > > this list (Theo - that's you!) don't actually enjoy patronising their
> > > loyal userbase?
> >
> > In the long run, it's usually faster to do research than to send a
> > question to a mailing list and hope someone is going to hold your hand.
> > You waste your time and everyone else's. If you want to be lazy, pay
> > someone to do your administration, don't expect everyone else to do it
> > for free.
>
> If you think about what you said...
>
> "in the long run it's usually faster to do research"
>
> just doesn't make sense. I wanted an answer within a day, didn't have
> time to read the man pages, so posted a question to misc and got an
> answer (within a day). F*%k the long run; what exactly is "the long run"
> anyway? (See, anyone can be pedantic if they can be arsed.)
>
> When I post to misc I hope some kind folk will receive it in the manner
> intended (i.e. a newbie attempting to grasp a solid foundation in BSD
> concepts). Yes, I realise I could gain this from reading every single
> man page, but that is not realistic (maybe it is for people with nothing
> better to do at that time). The box is run in my own time, and when I
> post a question (as stupid as it might seem) I then go to work and come
> back to a mailing list full of utter dribble like this, hoping there will
> be at least one constructive answer buried somewhere within it.
>
> I run a box with OpenBSD in my spare time - I'm not going to pay for
> someone to do it for me.
>
> I'll learn the way I want to learn, which differs depending on how
> lazy/busy I am at that point in time.
>
> It seems a lot of people assume that OpenBSD enthusiasts actually have
> unlimited time to find the answers to every single question they will
> ever have. It just isn't the case and tolerance is needed. Do you agree,
> Theo? :)
>
> poncenby

Hello,

I have spent the last six months installing and uninstalling OpenBSD
countless times on i386, Alpha, SGI MIPS, and SPARC to learn. Tried Linux,
NetBSD and FreeBSD and came to appreciate OpenBSD more and more. The last
month pretty much full time on learning OpenBSD. I am sacrificing my
consulting time $$ to do this and find it time well spent. Still got a long
way to go but am learning all I can. And am subscribed to the mailing lists
and read in my spare time. : )

Best regards,

rogern
Re: syslogd udp port
On Sat, 06 Aug 2005 03:15:07 +0100 poncenby <[EMAIL PROTECTED]> wrote:
> just doesn't make sense. I wanted an answer within a day, didn't have
> time to read the man pages, so posted a question to misc and got an
> answer (within a day).

What *you* want is rather irrelevant.

> When I post to misc I hope some kind folk will receive it in the manner
> intended (i.e. a newbie attempting to grasp a solid foundation in BSD
> concepts). Yes, I realise I could gain this from reading every single
> man page, but that is not realistic (maybe it is for people with nothing
> better to do at that time).

Ever heard of "apropos" and "man -k"? And really, it's not THAT difficult to
find the man page for syslogd...

> I run a box with OpenBSD in my spare time - I'm not going to pay for
> someone to do it for me.

If you don't want to pay I guess you'll just have to do your own homework, eh?

> It seems a lot of people assume that OpenBSD enthusiasts actually have
> unlimited time to find the answers to every single question they will
> ever have.

It seems many people who post on misc@ think the OpenBSD users exist solely
to answer their questions, no matter how many times they've been answered
before.

---
Lars Hansson
Re: syslogd udp port
On 8/5/05, poncenby <[EMAIL PROTECTED]> wrote:
> If you think about what you said...
>
> "in the long run it's usually faster to do research"
>
> just doesn't make sense. I wanted an answer within a day, didn't have
> time to read the man pages, so posted a question to misc and got an
> answer (within a day). F*%k the long run; what exactly is "the long run"
> anyway?

It doesn't take a day to read the man pages, usually just a couple of
minutes. It's easier, and nicer to the people reading the list. :)

ddp
Re: syslogd udp port
Abraham Al-Saleh wrote:
> On 8/5/05, poncenby <[EMAIL PROTECTED]> wrote:
> > Firstly I never mentioned the word security, so I don't know where
> > Tobias got that from.
> >
> > I apologise once again for not searching the archives and reading the
> > man pages.
> >
> > May I suggest some tolerance (doesn't have to be sincere) for people
> > who are simply either too busy or too lazy to read man pages in their
> > entirety. Or just simply ignore the email. Surely certain people on
> > this list (Theo - that's you!) don't actually enjoy patronising their
> > loyal userbase?
>
> In the long run, it's usually faster to do research than to send a
> question to a mailing list and hope someone is going to hold your hand.
> You waste your time and everyone else's. If you want to be lazy, pay
> someone to do your administration, don't expect everyone else to do it
> for free.

If you think about what you said...

"in the long run it's usually faster to do research"

just doesn't make sense. I wanted an answer within a day, didn't have time
to read the man pages, so posted a question to misc and got an answer
(within a day). F*%k the long run; what exactly is "the long run" anyway?
(See, anyone can be pedantic if they can be arsed.)

When I post to misc I hope some kind folk will receive it in the manner
intended (i.e. a newbie attempting to grasp a solid foundation in BSD
concepts). Yes, I realise I could gain this from reading every single man
page, but that is not realistic (maybe it is for people with nothing better
to do at that time). The box is run in my own time, and when I post a
question (as stupid as it might seem) I then go to work and come back to a
mailing list full of utter dribble like this, hoping there will be at least
one constructive answer buried somewhere within it.

I run a box with OpenBSD in my spare time - I'm not going to pay for someone
to do it for me.

I'll learn the way I want to learn, which differs depending on how lazy/busy
I am at that point in time.

It seems a lot of people assume that OpenBSD enthusiasts actually have
unlimited time to find the answers to every single question they will ever
have. It just isn't the case and tolerance is needed. Do you agree, Theo? :)

poncenby
Re: syslogd udp port
Shawn K. Quinn wrote:
> On Fri, 2005-08-05 at 07:33 +0100, poncenby wrote:
> > May I suggest some tolerance (doesn't have to be sincere) for people
> > who are simply either too busy or too lazy to read man pages in their
> > entirety. Or just simply ignore the email. Surely certain people on
> > this list (Theo - that's you!) don't actually enjoy patronising their
> > loyal userbase?
>
> You should be reading the man page first, then asking questions on list
> (or elsewhere, e.g. IRC), not the other way around. And ignoring these
> sorts of e-mails isn't an option, as people need to know the expected
> protocol is to read the man page first.
>
> Start out with the goal of making an operating system possible to use
> without reading documentation, and you wind up with something like
> Microsoft Windows (however, even Microsoft must document a lot of
> things, even if it is only available in electronic form). I'm sure
> you've either already been down that road, or have no desire to go down
> it.
>
> The people that WTFM intend for you to RTFM.

Wow Shawn, that's really clever. You have saved yourself thirty-eight key
depressions and managed to convey no sense of authority.

If only I could be as l33t

poncenby
Re: syslogd udp port
Haha, Henning... I love your technical responses to problems. They're always
very short, sweet and to the point (and you're 99.999% of the time right).
If I could make it to a hackathon (or even get invited, heh) I'd buy a round
of beer for everyone to calm the *&%# down :P

On 8/5/05, Henning Brauer <[EMAIL PROTECTED]> wrote:
> syslog shutdown()s the port for reading. there is no real difference
> to not opening it at all.
>
> * mdff <[EMAIL PROTECTED]> [2005-08-05 13:13]:
> > blah blah...
> > he'd better do man syslogd... but assume this:
> > - no pf for udp/514.
> > - a DOS or DDOS to this OPEN port.
> > - syslogd running just in "send mode".
> > - and finally: no remote syslogging configured because of only 1 box here.
> >
> > will it take more resources to handle this with an open port
> > compared to a closed one or not? i guess yes. and for security,
> > i guess a closed port is still better, than an application reading
> > all packets and discarding them...
> >
> > question: what about 1 more argv to have syslogd not to bind udp/514 at all?
> >
> > br, mdff...
>
> --
> BS Web Services, http://www.bsws.de/
> OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)
Re: syslogd udp port
On Fri, Aug 05, 2005 at 12:58:04PM +0200, mdff wrote:
> blah blah...
> he'd better do man syslogd... but assume this:
> - no pf for udp/514.
> - a DOS or DDOS to this OPEN port.

To DOS or DDOS a UDP port it does not need to be open.

> - syslogd running just in "send mode".
> - and finally: no remote syslogging configured because of only 1 box here.
>
> will it take more resources to handle this with an open port
> compared to a closed one or not? i guess yes. and for security,
> i guess a closed port is still better, than an application reading
> all packets and discarding them...

The additional resource usage of this additional port is not measurable, and
a socket that was shutdown(fd, SHUT_RD); is mostly a closed port (in the read
direction). syslogd does not read all packets and discard them; the kernel
discards them.

--
:wq Claudio
Re: syslogd udp port
syslog shutdown()s the port for reading. there is no real difference to not
opening it at all.

* mdff <[EMAIL PROTECTED]> [2005-08-05 13:13]:
> blah blah...
> he'd better do man syslogd... but assume this:
> - no pf for udp/514.
> - a DOS or DDOS to this OPEN port.
> - syslogd running just in "send mode".
> - and finally: no remote syslogging configured because of only 1 box here.
>
> will it take more resources to handle this with an open port
> compared to a closed one or not? i guess yes. and for security,
> i guess a closed port is still better, than an application reading
> all packets and discarding them...
>
> question: what about 1 more argv to have syslogd not to bind udp/514 at all?
>
> br, mdff...

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Re: syslogd udp port
blah blah...

he'd better do man syslogd... but assume this:
- no pf for udp/514.
- a DOS or DDOS to this OPEN port.
- syslogd running just in "send mode".
- and finally: no remote syslogging configured because of only 1 box here.

will it take more resources to handle this with an open port compared to a
closed one or not? i guess yes. and for security, i guess a closed port is
still better than an application reading all packets and discarding them...

question: what about 1 more argv to have syslogd not bind udp/514 at all?

br, mdff...
Re: syslogd udp port
On 8/5/05, poncenby <[EMAIL PROTECTED]> wrote:
> Firstly I never mentioned the word security, so I don't know where
> Tobias got that from.
>
> I apologise once again for not searching the archives and reading the
> man pages.
>
> May I suggest some tolerance (doesn't have to be sincere) for people who
> are simply either too busy or too lazy to read man pages in their
> entirety. Or just simply ignore the email. Surely certain people on this
> list (Theo - that's you!) don't actually enjoy patronising their loyal
> userbase?

In the long run, it's usually faster to do research than to send a question
to a mailing list and hope someone is going to hold your hand. You waste your
time and everyone else's. If you want to be lazy, pay someone to do your
administration, don't expect everyone else to do it for free.
Re: syslogd udp port
On 8/4/05, poncenby <[EMAIL PROTECTED]> wrote:
> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...

Better yet, just compile your own version of nmap that doesn't scan UDP 514.
Re: syslogd udp port
On Fri, 2005-08-05 at 07:33 +0100, poncenby wrote:
> May I suggest some tolerance (doesn't have to be sincere) for people
> who are simply either too busy or too lazy to read man pages in their
> entirety. Or just simply ignore the email. Surely certain people on
> this list (Theo - that's you!) don't actually enjoy patronising their
> loyal userbase?

You should be reading the man page first, then asking questions on list (or
elsewhere, e.g. IRC), not the other way around. And ignoring these sorts of
e-mails isn't an option, as people need to know the expected protocol is to
read the man page first.

Start out with the goal of making an operating system possible to use without
reading documentation, and you wind up with something like Microsoft Windows
(however, even Microsoft must document a lot of things, even if it is only
available in electronic form). I'm sure you've either already been down that
road, or have no desire to go down it.

The people that WTFM intend for you to RTFM.

--
Shawn K. Quinn <[EMAIL PROTECTED]>
Re: syslogd udp port
> May I suggest some tolerance (doesn't have to be sincere) for people who
> are simply either too busy or too lazy to read man pages in their
> entirety.

Absolutely not. You were lazy and unwilling to educate yourself, and are
making other people watch you sluffing your way through life.
Re: syslogd udp port
Firstly I never mentioned the word security, so I don't know where Tobias got
that from.

I apologise once again for not searching the archives and reading the man
pages.

May I suggest some tolerance (doesn't have to be sincere) for people who are
simply either too busy or too lazy to read man pages in their entirety. Or
just simply ignore the email. Surely certain people on this list (Theo -
that's you!) don't actually enjoy patronising their loyal userbase? Or
perhaps that's OpenBSD's 'thing'? Or if it isn't, remind me what is...

Thanks anyway

poncenby

Theo de Raadt wrote:
> The port is also used to (potentially) send data out to other syslog
> servers. Therefore, it is left open. This is made ASTOUNDINGLY clear
> in the manual page, if you would read it:
>
>      syslogd opens the above described socket whether or not it is running in
>      secure mode.  If syslogd is running in secure mode, all incoming data on
>      this socket is discarded.  The socket is required for sending forwarded
>      messages.
>
> See that? It says anything read is DISCARDED.
>
> This behaviour is not going to be changed. Period.
>
> > I remember asking how to stop syslogd opening udp port 514 a while ago
> > and never doing anything about it, here goes again...
> >
> > hopefully a relevant part of /etc/rc
> >
> > echo 'starting system logger'
> > rm -f /dev/log
> > if [ "X${named_flags}" != X"NO" ]; then
> >         rm -f /var/named/dev/log
> >         syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
> > fi
> > if [ -d /var/empty ]; then
> >         rm -f /var/empty/dev/log
> >         mkdir -p -m 0555 /var/empty/dev
> >         syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
> > fi
> > syslogd ${syslogd_flags}
> >
> > if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
> >         if ifconfig pflog0 >/dev/null 2>&1; then
> >                 ifconfig pflog0 up
> >                 pflogd ${pflogd_flags}
> >         fi
> > fi
> >
> > my /etc/rc.conf
> >
> > syslogd_flags=          # add more flags, ie. "-u -a /chroot/dev/log"
> >
> > output from command: netstat -p udp -an
> >
> > Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> > udp        0      0  *.514                  *.*
> >
> > reading the man page doesn't really answer why there is a program
> > listening on udp 514, seeing as I haven't passed syslogd the -u switch
> >
> >      -u      Select the historical ``insecure'' mode, in which syslogd will
> >              accept input from the UDP port.  Some software wants this, but
> >              you can be subjected to a variety of attacks over the network,
> >              including attackers remotely filling logs.
> >
> > can anyone point me in the right direction so this annoying behaviour stops.
> > also, is there a switch for netstat which shows the pid/process for each
> > listening port?
> >
> > thanks in advance
> >
> > poncenby
Re: syslogd udp port
On Thu, 04 Aug 2005 15:50:58 -0600, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> The port is also used to (potentially) send data out to other syslog
> servers. Therefore, it is left open. This is made ASTOUNDINGLY
> clear in the manual page, if you would read it:
>
>      syslogd opens the above described socket whether or not it is running in
>      secure mode.  If syslogd is running in secure mode, all incoming data on
>      this socket is discarded.  The socket is required for sending forwarded
>      messages.
>
> See that? It says anything read is DISCARDED.
>
> This behaviour is not going to be changed. Period.

Welcome Home Theo! (;

JCR

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: syslogd udp port
On 8/4/05, poncenby <[EMAIL PROTECTED]> wrote:
> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...

Sure, syslogd opens UDP/514, but unless you use the '-u' flag the very next
thing it does is call shutdown(), which prevents inbound traffic on the
"listening" port:

http://www.bsdforums.org/forums/showthread.php?t=33250

> reading the man page doesn't really answer why there is a program
> listening on udp 514, seeing as I haven't passed syslogd the -u switch
>
>      -u      Select the historical ``insecure'' mode, in which syslogd will
>              accept input from the UDP port.  Some software wants this, but
>              you can be subjected to a variety of attacks over the network,
>              including attackers remotely filling logs.
>
> can anyone point me in the right direction so this annoying behaviour stops.

I agree, it is (mildly) annoying. The syslog daemon must bind UDP/514 even
without the '-u' flag because syslogd uses this socket as the source port
if/when you configure a remote log destination in /etc/syslogd.conf.

FreeBSD has the '-s -s' flag which prevents the daemon from binding the port
at all, but this is not necessary as a security enhancement; forcing syslogd
not to bind the port is purely cosmetic, makes your netstat output shorter by
one line.

Kevin Kadow
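Claudio's reply (shutdown(fd, SHUT_RD) on the socket), Kevin's reply above (the socket is the fixed source port for forwarded messages) and Toby's point further down (a port can be open purely to send) all describe the same socket setup. What follows is an added example written for this page, not code from OpenBSD's syslogd or from anyone in the thread: a toy forwarder in Python that performs that setup, plus the collector-side parse of the RFC 3164 line it emits, so you can see what the bound port is actually used for. The host name, tag, ports and log text are constructed for the demo. The comment about Linux returning ENOTCONN from shutdown(2) on an unconnected UDP socket is my assumption about that kernel's behaviour, not something the thread states; the code tolerates either outcome.

```python
"""Toy "secure mode" syslog forwarder (added example, not syslogd's code):
bind the UDP socket so forwarded lines leave with a fixed source port, shut
the read side down unless insecure mode was asked for, and only ever send."""
import socket
import time

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def priority(facility, severity):
    """Encode facility.severity as the <PRI> number at the front of a datagram."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_message(facility, severity, hostname, tag, text, when=None):
    """Build a BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    # RFC 3164 timestamp: month name, space-padded day, 24h time, no year.
    stamp = time.strftime("%b %e %H:%M:%S", time.localtime(when))
    return "<%d>%s %s %s: %s" % (priority(facility, severity), stamp,
                                 hostname, tag, text)


def parse_priority(datagram):
    """Collector side: split <PRI> off a received line and return
    (facility name, severity name, remainder). Malformed input is rejected
    rather than logged, since the sender is unauthenticated."""
    end = datagram.find(">")
    if not datagram.startswith("<") or end < 2 or end > 4:
        raise ValueError("missing or malformed PRI")
    pri = int(datagram[1:end])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return (FACILITY_NAMES.get(pri // 8, "unknown"),
            SEVERITY_NAMES[pri % 8], datagram[end + 1:])


class Forwarder:
    """The one UDP socket the daemon keeps: bound (514 in the real daemon,
    configurable here so the demo runs unprivileged), reads shut down unless
    insecure=True, used only as the source of forwarded messages."""

    def __init__(self, bind_port=514, insecure=False):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("0.0.0.0", bind_port))
        self.reads_closed = False
        if not insecure:
            # The step the man page describes: the port stays bound and shows
            # up in netstat, but nothing will ever be read from it. On OpenBSD
            # the kernel then drops inbound datagrams. Assumption: Linux
            # reports ENOTCONN for shutdown() on an unconnected UDP socket,
            # so record the outcome instead of treating it as fatal.
            try:
                self.sock.shutdown(socket.SHUT_RD)
                self.reads_closed = True
            except OSError:
                pass

    def forward(self, collector, facility, severity, hostname, tag, text):
        """Send one line to the (host, port) loghost and return what was sent."""
        line = format_message(facility, severity, hostname, tag, text)
        self.sock.sendto(line.encode("ascii", "replace"), collector)
        return line


def round_trip(text="Accepted publickey for root from 192.0.2.7"):
    """Stand up a loopback 'loghost', forward one constructed auth message to
    it, and report what the collector saw, including the source port."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))      # ephemeral port plays the remote loghost
    collector.settimeout(2)
    fwd = Forwarder(bind_port=0)          # 0 instead of 514 so no root is needed
    fwd_port = fwd.sock.getsockname()[1]
    try:
        fwd.forward(collector.getsockname(), "auth", "info", "gw1",
                    "sshd[123]", text)
        data, (src_ip, src_port) = collector.recvfrom(2048)
    finally:
        fwd.sock.close()
        collector.close()
    fac, sev, rest = parse_priority(data.decode("ascii"))
    return {"facility": fac, "severity": sev, "line": rest,
            "source_port_is_bound_port": src_port == fwd_port,
            "reads_closed": fwd.reads_closed}


if __name__ == "__main__":
    print(round_trip())
```

Run it as a script to see the loopback exchange: the collector receives the line from the forwarder's bound port, which is the only reason the daemon keeps that port at all, and `reads_closed` tells you whether the platform accepted the SHUT_RD. If you filter UDP/514 with pf, the outbound direction from that port to your loghost is the one the rule has to leave open; inbound only matters when syslogd runs with -u.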
Re: syslogd udp port
On Thursday, August 4, poncenby wrote:
> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...

And people asked you to search the archives.

> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp        0      0  *.514                  *.*

Yes, yes, it's got a socket open. So what?

> reading the man page doesn't really answer why there is a program
> listening on udp 514, seeing as I haven't passed syslogd the -u switch
>
>      -u      Select the historical ``insecure'' mode, in which syslogd will
>              accept input from the UDP port.  Some software wants this, but
>              you can be subjected to a variety of attacks over the network,
>              including attackers remotely filling logs.
>
> can anyone point me in the right direction so this annoying behaviour stops.
> also, is there a switch for netstat which shows the pid/process for each
> listening port?

About 5 F*ING LINES later the man page says:

>> syslogd opens an Internet domain socket as specified in /etc/services.
>> Normally syslogd will only use this socket to send messages outwards, but
>> in ``insecure'' mode it will also read messages from this socket.
>> syslogd also opens and reads messages from the UNIX domain socket
>> /dev/log, and from the special device /dev/klog (to read kernel mes-
>> sages).
>>
>> syslogd opens the above described socket whether or not it is running in
>> secure mode.  If syslogd is running in secure mode, all incoming data on
>> this socket is discarded.  The socket is required for sending forwarded
>> messages.

Read, breathe, relax...

Just because a program has a port open does not mean it is insecure. It
could be having a port open in order to *SEND* data, and never *EVER*
receive data.

--Toby.
Re: syslogd udp port
The port is also used to (potentially) send data out to other syslog
servers. Therefore, it is left open. This is made ASTOUNDINGLY clear in the
manual page, if you would read it:

     syslogd opens the above described socket whether or not it is running in
     secure mode.  If syslogd is running in secure mode, all incoming data on
     this socket is discarded.  The socket is required for sending forwarded
     messages.

See that? It says anything read is DISCARDED.

This behaviour is not going to be changed. Period.

> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...
>
> hopefully a relevant part of /etc/rc
>
> echo 'starting system logger'
> rm -f /dev/log
> if [ "X${named_flags}" != X"NO" ]; then
>         rm -f /var/named/dev/log
>         syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
> fi
> if [ -d /var/empty ]; then
>         rm -f /var/empty/dev/log
>         mkdir -p -m 0555 /var/empty/dev
>         syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
> fi
> syslogd ${syslogd_flags}
>
> if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
>         if ifconfig pflog0 >/dev/null 2>&1; then
>                 ifconfig pflog0 up
>                 pflogd ${pflogd_flags}
>         fi
> fi
>
> my /etc/rc.conf
>
> syslogd_flags=          # add more flags, ie. "-u -a /chroot/dev/log"
>
> output from command: netstat -p udp -an
>
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp        0      0  *.514                  *.*
>
> reading the man page doesn't really answer why there is a program
> listening on udp 514, seeing as I haven't passed syslogd the -u switch
>
>      -u      Select the historical ``insecure'' mode, in which syslogd will
>              accept input from the UDP port.  Some software wants this, but
>              you can be subjected to a variety of attacks over the network,
>              including attackers remotely filling logs.
>
> can anyone point me in the right direction so this annoying behaviour stops.
> also, is there a switch for netstat which shows the pid/process for each
> listening port?
>
> thanks in advance
>
> poncenby
syslogd udp port
I remember asking how to stop syslogd opening udp port 514 a while ago and
never doing anything about it, here goes again...

hopefully a relevant part of /etc/rc

echo 'starting system logger'
rm -f /dev/log
if [ "X${named_flags}" != X"NO" ]; then
        rm -f /var/named/dev/log
        syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
fi
if [ -d /var/empty ]; then
        rm -f /var/empty/dev/log
        mkdir -p -m 0555 /var/empty/dev
        syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
fi
syslogd ${syslogd_flags}

if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
        if ifconfig pflog0 >/dev/null 2>&1; then
                ifconfig pflog0 up
                pflogd ${pflogd_flags}
        fi
fi

my /etc/rc.conf

syslogd_flags=          # add more flags, ie. "-u -a /chroot/dev/log"

output from command: netstat -p udp -an

Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  *.514                  *.*

reading the man page doesn't really answer why there is a program listening
on udp 514, seeing as I haven't passed syslogd the -u switch

     -u      Select the historical ``insecure'' mode, in which syslogd will
             accept input from the UDP port.  Some software wants this, but
             you can be subjected to a variety of attacks over the network,
             including attackers remotely filling logs.

can anyone point me in the right direction so this annoying behaviour stops.
also, is there a switch for netstat which shows the pid/process for each
listening port?

thanks in advance

poncenby