Date:      Wed, 30 Jun 2004 11:23:31 +0200 (CEST)
From:      guy@device.dyndns.org
To:        freebsd-security@freebsd.org
Subject:   Re: ttyv for local only?
Message-ID:  <XFMail.20040630112331.guy@device.dyndns.org>
In-Reply-To: <20040629191556.L47985@metafocus.net>

Your problem makes me curious...

On 30-Jun-2004 Dave wrote:
> 
> I didn't think syslogd was open to the world by default?  Just in case, I
> now blocked off port 514 for UDP.  If it was, then I was just running it
> open to the world for 2 years and finally noticed :)  I guess it's not
> commonly picked on.

With default settings on a freshly updated 4.10-STABLE "ps ax" says my
syslogd is running as "/usr/sbin/syslogd -s".
"man syslogd" says:
     -s      Operate in secure mode.  Do not log messages from remote
             machines.  If specified twice, no network socket will be opened
             at all, which also disables logging to remote machines.

So unless someone changed the way syslogd is launched, this should not be a
spurious message from a remote machine (but could be from local).


You may consider using a tool such as security/aide after a fresh
buildworld to make sure no unauthorised changes are made to your
system. Assuming your buildchain tools have not been trojaned you can do it
on the target system. If you have some suspicion, run the buildworld/kernel
from a live CD or another machine.


Sorry if all I said sounds obvious; there are some times when possibly
useless repeating seems worth it :]



--
        Guy
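
Added example, not part of the original message: a POSIX sh function that reads a syslogd command line (as shown by "ps ax") and reports which of the three cases from the quoted man page text applies, counting -s the way getopt would. The list of option letters that take an argument and the sample command lines are assumptions constructed for illustration; check them against syslogd(8) on your release.

```shell
#!/bin/sh
# Classify a syslogd command line by how many times -s was given:
#   0 -> secure-mode-off, 1 -> secure-mode, 2+ -> no-network-socket
# ARG_OPTS below (a b f l m P p) is an assumed list of option letters that
# consume an argument; adjust it to match syslogd(8) on the host.
syslogd_mode() (
    set -f                      # no globbing while splitting the command line
    count=0
    skip=0
    for word in $1; do
        # The previous option took this word as its argument.
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $word in
            --)  break ;;
            -?*) cluster=${word#-} ;;
            *)   continue ;;    # program path or a stray operand
        esac
        # Walk the option cluster one letter at a time, e.g. "ss" or "vs".
        while [ -n "$cluster" ]; do
            rest=${cluster#?}
            letter=${cluster%"$rest"}
            cluster=$rest
            case $letter in
                s) count=$((count + 1)) ;;
                a|b|f|l|m|P|p)
                    # Argument is the rest of this word, else the next word.
                    [ -z "$cluster" ] && skip=1
                    cluster=
                    ;;
            esac
        done
    done
    case $count in
        0) echo "secure-mode-off" ;;
        1) echo "secure-mode" ;;
        *) echo "no-network-socket" ;;
    esac
)

# Constructed sample command lines (not captured from a real host).
for cmd in "/usr/sbin/syslogd -s" "/usr/sbin/syslogd -ss" \
           "/usr/sbin/syslogd -f/etc/syslog.conf -a 192.0.2.0/24"; do
    printf '%-55s %s\n' "$cmd" "$(syslogd_mode "$cmd")"
done
```

With a single -s the UDP socket is still open even though remote messages are not logged, so a packet filter rule on port 514 and the flag check answer different questions.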


