4603054 1999-12-20 17:20 /65 lines/ Postmaster
Recipient: Bugtraq (import) <8957>
Subject: More on Red Hat 6.1 sysklogd
------------------------------------------------------------
From: "David F. Skoll" <dfs@ROARINGPENGUIN.COM>
Organization: Roaring Penguin Software Inc.
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Sun, 19 Dec 1999 13:04:42 -0500
Message-ID: <385D1E3A.69C49DC9@roaringpenguin.com>

Red Hat has a security advisory at
http://www.redhat.com/support/errata/RHSA1999055-01.html detailing a DoS
attack against syslogd. There is an even more compelling reason to upgrade:

After my logs were rotated, I noticed that the background chatter of script
kiddies probing my firewall ceased. It turns out that when syslogd is sent a
HUP signal, it closes and recreates the /dev/log socket. If this is a stream
socket, then klogd (the daemon responsible for forwarding kernel log
messages) fails. Basically, after your logs are rotated, all kernel log
messages are lost. Update your syslogd now.

This is a strace of the problem:

    $ strace -p 22240
    # I'm tracing the "klogd" process
    # A kernel log message is generated
    read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118
    # klogd gets a time stamp
    time([945571294]) = 945571294
    # klogd writes it to syslog
    write(1, "<6>Dec 18 21:41:34 kernel: Packe"..., 143) = 143

    # Now send syslogd a HUP signal
    $ kill -1 19141

    # And continue with the strace
    # A kernel log message is generated
    read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118
    # klogd gets a time stamp
    time([945571432]) = 945571432
    # But the write fails and the log message is lost!
    write(1, "<6>Dec 18 21:43:52 kernel: Packe"..., 143) = -1 ECONNRESET (Connection reset by peer)

The new syslogd uses a datagram socket, I think, so doesn't suffer from this
problem.

--
David F. Skoll | Roaring Penguin Software Inc.
http://www.roaringpenguin.com | Linux and UNIX Specialists
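The failure mode described in the post, reproduced as an added example that is not part of David Skoll's message or of sysklogd: a stand-in for the old syslogd's stream socket on a temporary path (a constructed substitute for /dev/log, since the real one needs root), a klogd-like client that writes once and never reconnects, and the mitigation of reopening the socket after a failed write. Only the message text is taken from the strace; the socket path, helper names and the two-second accept timeout are assumptions.

```python
import os, socket, tempfile
LOG_PATH = os.path.join(tempfile.mkdtemp(), "log")  # constructed stand-in for /dev/log
KMSG = b"<6>Dec 18 21:43:52 kernel: Packet log: forward DENY ppp0\n"

def syslogd_open(path):
    """Bind a listening stream socket the way the old syslogd owned /dev/log."""
    os.path.exists(path) and os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.settimeout(2)                        # never hang the demo on accept()
    srv.bind(path)
    srv.listen(1)
    return srv
def syslogd_hup(srv, conn, path):
    """SIGHUP as in the report: close and recreate the socket; klogd's end is now dead."""
    conn.close()
    srv.close()
    return syslogd_open(path)
def klogd_connect(path):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    return s
def klogd_write(sock, msg):
    """One write, no reconnect, like the klogd in the strace; False means lost."""
    try:
        sock.sendall(msg)
        return True
    except OSError:                          # EPIPE or ECONNRESET, kernel-dependent
        return False

def run_scenario(reconnect):
    """Returns (delivered before HUP, delivered after HUP, bytes syslogd saw after)."""
    srv = syslogd_open(LOG_PATH)
    klogd = klogd_connect(LOG_PATH)
    conn, _ = srv.accept()
    before = klogd_write(klogd, KMSG)
    conn.recv(4096)                          # consumed normally, as in the strace
    srv = syslogd_hup(srv, conn, LOG_PATH)   # log rotation: kill -1 <syslogd pid>
    after = klogd_write(klogd, KMSG)
    if not after and reconnect:              # mitigation: reopen the socket, retry once
        klogd.close()
        klogd = klogd_connect(LOG_PATH)
        after = klogd_write(klogd, KMSG)
    got = b""
    if after:                                # prove the retried message really arrived
        conn, _ = srv.accept()
        got = conn.recv(4096)
        conn.close()
    klogd.close(); srv.close()
    return before, after, got
```

Running `run_scenario(False)` shows the silent loss (first write delivered, second fails), while `run_scenario(True)` shows the same message reaching the recreated socket once the client reconnects.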