The port is also used to (potentially) send data out to other syslog
servers. Therefore, it is left open. This is made ASTOUNDINGLY
clear in the manual page, if you would read it:

    syslogd opens the above described socket whether or not it is running in
    secure mode. If syslogd is running in secure mode, all incoming data on
    this socket is discarded. The socket is required for sending forwarded
    messages.

See that? It says anything read is DISCARDED.
This behaviour is not going to be changed. Period.
I remember asking how to stop syslogd opening udp port 514 a while ago
and never doing anything about it, here goes again...
hopefully a relevant part of /etc/rc

    echo 'starting system logger'
    rm -f /dev/log
    if [ "X${named_flags}" != X"NO" ]; then
        rm -f /var/named/dev/log
        syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
    fi
    if [ -d /var/empty ]; then
        rm -f /var/empty/dev/log
        mkdir -p -m 0555 /var/empty/dev
        syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
    fi
    syslogd ${syslogd_flags}
    if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
        if ifconfig pflog0 >/dev/null 2>&1; then
            ifconfig pflog0 up
            pflogd ${pflogd_flags}
        fi
    fi

my /etc/rc.conf

    syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"

output from command: netstat -p udp -an

    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    udp        0      0  *.514                  *.*

reading the man page doesn't really answer why there is a program
listening on udp 514, seeing as I haven't passed syslogd the -u switch

    -u      Select the historical ``insecure'' mode, in which syslogd will
            accept input from the UDP port. Some software wants this, but
            you can be subjected to a variety of attacks over the network,
            including attackers remotely filling logs.

can anyone point me in the right direction so this annoying behaviour stops.
also, is there a switch for netstat which shows the pid/process for each
listening port?
thanks in advance
poncenby
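
The behaviour the quoted manual page text describes (socket opened in both modes, input discarded in secure mode, socket needed for forwarding), as an added Python model that is not syslogd's code and not part of the original thread. The function names, the loopback address, the use of port 0 in place of 514 and the sample messages are assumptions made for the illustration.

```python
import socket

LOOPBACK = "127.0.0.1"

def run_logger(secure, incoming, forward_to):
    """Toy model: one UDP socket, bound in both modes.

    Returns (accepted_messages, bound_port).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LOOPBACK, 0))      # assumption: port 0 stands in for 514
    sock.settimeout(0.5)
    port = sock.getsockname()[1]  # this is what netstat lists as open

    # Constructed sample traffic from a "remote" host.
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for msg in incoming:
        sender.sendto(msg, (LOOPBACK, port))
    sender.close()

    accepted = []
    for _ in incoming:
        try:
            data, _addr = sock.recvfrom(1024)
        except socket.timeout:
            break
        if not secure:            # only the -u style mode keeps input
            accepted.append(data)
        # secure mode: the datagram was read and is simply dropped

    # Forwarding to another log host leaves from the same socket.
    sock.sendto(b"<13>forwarded local message", forward_to)
    sock.close()
    return accepted, port

def demo(secure):
    """Returns (accepted, forwarded_payload, source_port_matches)."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind((LOOPBACK, 0))
    receiver.settimeout(2)
    remote = [b"<14>remote line 1", b"<14>remote line 2"]  # constructed
    accepted, port = run_logger(secure, remote, receiver.getsockname())
    payload, src = receiver.recvfrom(1024)
    receiver.close()
    return accepted, payload, src[1] == port

if __name__ == "__main__":
    print("secure:  ", demo(True))
    print("insecure:", demo(False))
```

In both modes the forwarded message arrives at the receiver with the bound port as its source, which is why a port listing shows the socket even when nothing sent to it is ever logged.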