On 3/20/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Mon, Mar 20, 2006 at 01:00:58AM -0500, Nick Guenther wrote:
> > Hi list,
> >
> > I want to log things remotely (from a consumer-grade router running
> > linux that keeps dying on me). I think the proper way to do this is to
> > do "syslogd -u" but I am not sure because the manpage only vaguely
> > mentions how insecure the -u option is and doesn't really explain it.
> > I've found a page that describes using -u for OS X, and the linux
> > manpage for sysklogd has a -r. RFC 3164 says "syslog uses the user
> > datagram protocol (UDP) [1] as its underlying transport layer
> > mechanism" so it seems like this is correct, but it seems odd.
>
> Syslog is nice, but the -u option has the disadvantage that effectively
> everyone can syslog to you. pf(4) can solve that, but unless you
> hardcode a MAC address (arp(4), arp(8)) this can be gotten around by
> spoofing (since UDP does not have a 'handshake', it is possible to let
> packets pretend to be from wherever you want).
>
> Of course, a trusted network path (ipsec(4) and friends, for instance)
> is also a good way to secure this.
>
> There are some syslogd replacements that use TCP, or, even better, some
> form of authentication. A few are in ports.
Thanks for the good info. I actually realized pretty quickly that all I needed was a plain old 'nc -L -u -p 514 > stupid_linux.txt' and wait for it to start dying on me again. The log is full of "<4>klogd: ip_conntrack: table full, dropping packet." messages, and since the only interface to the thing is HTTP-based I can't raise the table limit. Ah linux... It will definitely be replaced with OpenBSD on an old box as soon as I get around to getting a working 802.11g hostap setup.

-Nick
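As an added example (not code from either poster), the following Python receiver does what Nick's nc one-liner does, i.e. catch UDP datagrams on port 514 and append them to a file, and adds the source-address restriction Joachim suggests doing in pf(4), plus a decode of the RFC 3164 `<PRI>` header so that a line like `<4>klogd: ...` is recorded as facility kern / severity warning. The allowlist address 192.0.2.1 and the output file name are assumed values; the sample datagram in the test is constructed from the message Nick quoted. As Joachim notes, a source-IP check on UDP is only as strong as the network's resistance to spoofing; the code repeats that caveat where the check is made.

```python
"""Minimal RFC 3164 UDP syslog receiver with a source-address allowlist.

Added example for the thread above; not part of any poster's setup.
"""
import ipaddress
import re
import socket

# Hypothetical allowlist: only the router (192.0.2.1, a documentation
# address used here as a placeholder) may send us syslog datagrams.
ALLOWED_SOURCES = {ipaddress.ip_address("192.0.2.1")}

# Facility codes 0..23 and severity codes 0..7 as listed in RFC 3164 section 4.1.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" followed by 1..3 decimal digits and ">" at the very start of the datagram.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram: bytes):
    """Return (facility, severity, message) for one RFC 3164 datagram.

    A datagram with no valid PRI is still logged; RFC 3164 section 4.3.3 says a
    relay should then assume facility user (1) and severity notice (5).
    """
    m = PRI_RE.match(datagram)
    if m is not None:
        pri = int(m.group(1))
        if pri <= 191:  # 23 * 8 + 7 is the largest encodable PRI value
            body = datagram[m.end():]
            return FACILITIES[pri // 8], SEVERITIES[pri % 8], body.decode("utf-8", "replace")
    return "user", "notice", datagram.decode("utf-8", "replace")


def accept(source_ip: str, datagram: bytes):
    """Apply the allowlist and parse; return the record, or None if dropped.

    Caveat from the thread: UDP has no handshake, so the source address is
    whatever the sender put in the packet. This check keeps out accidental
    and casual senders; it is not authentication. A trusted path (IPsec) or
    a TCP/authenticated syslog transport is needed for that.
    """
    if ipaddress.ip_address(source_ip) not in ALLOWED_SOURCES:
        return None
    return parse_pri(datagram)


def format_record(source_ip: str, record) -> str:
    """One output line per datagram, in the style 'host facility.severity: message'."""
    facility, severity, message = record
    return f"{source_ip} {facility}.{severity}: {message.rstrip()}\n"


def serve(bind_addr: str = "0.0.0.0", port: int = 514, out_path: str = "router.log") -> None:
    """Receive datagrams until interrupted, appending accepted ones to out_path.

    Binding port 514 needs root or an equivalent privilege on most systems.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(out_path, "a", encoding="utf-8") as out:
        while True:
            datagram, (src_ip, _src_port) = sock.recvfrom(2048)
            record = accept(src_ip, datagram)
            if record is None:
                continue  # dropped: source not on the allowlist
            out.write(format_record(src_ip, record))
            out.flush()


if __name__ == "__main__":
    serve()
```

Run it as root on the log host and point the router's syslog at that host; anything not from the allowlisted address is silently dropped, and the rest lands in `router.log` with the facility and severity spelled out instead of the bare `<4>` prefix.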