> I know that good IP filtering on the sysklogd box is the best fix, but
> always resolving hostnames of the log messages' sender is definitely not
> a good idea..

The -x switch takes care of this problem.

    -x  Disable name lookups when receiving remote messages. This avoids
        deadlocks when the nameserver is running on the same machine that
        runs the syslog daemon.

This is on sysklogd-1.4.1-30.

That said, performing rudimentary ingress filtering at all borders of both internal IP netblocks and 514/udp will also effectively mitigate this problem, unless an internal host is compromised to the point of being able to send spoofed UDP packets.

To further mitigate the problem with basic syslog security you should use a simple host-based packet filter to only accept 514/udp packets from known syslog devices. Setting the source interface for syslog messages to an internally routed private IP on a loopback interface (not using an interface's IP that could be found via a traceroute) will make this filtering more secure.

Ultimately the most secure way to ensure that syslog messages are delivered is to create a GRE tunnel between each syslog device and the syslog server.

None of these methods of mitigation are difficult to implement.

Justin
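The host-based packet filter and border ingress filtering described in the reply above, written out as an nftables ruleset generator. This is an added example, not something from the original thread or from sysklogd; the interface names, the loopback-hosted collector address, the internal netblocks and the sender addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: host-based filter for a central syslog collector, emitted as
# an nftables ruleset. All addresses and interface names are constructed.
INT_IF="eth1"                 # interface facing the internal netblocks
EXT_IF="eth0"                 # border/untrusted interface
SYSLOG_IP="10.255.0.1"        # collector bound to a loopback address, not eth1's own IP
INTERNAL_NETS="10.0.0.0/8, 192.168.0.0/16"   # netblocks that must never arrive from outside

# build_ruleset <known sender IPs, space separated>
# Prints an nft ruleset that accepts 514/udp only from the listed senders,
# only on the internal interface, only to the loopback-hosted collector
# address; any other 514/udp is dropped, and internal source addresses
# arriving on the border interface are dropped (ingress filtering).
# Management traffic (ssh etc.) is deliberately omitted here.
build_ruleset() {
    senders=$(printf '%s' "$*" | tr ' ' ',')
    cat <<EOF
flush ruleset
table inet syslog_filter {
    set known_senders {
        type ipv4_addr
        elements = { $senders }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Ingress filtering: internal source addresses must not come from the border.
        iifname "$EXT_IF" ip saddr { $INTERNAL_NETS } drop
        # Syslog: known devices only, internal interface only, collector address only.
        iifname "$INT_IF" ip daddr $SYSLOG_IP udp dport 514 ip saddr @known_senders accept
        udp dport 514 drop
    }
}
EOF
}

# apply_ruleset loads the generated rules (requires root and nft in PATH).
apply_ruleset() {
    build_ruleset "$@" | nft -f -
}

# Usage with constructed sender addresses:
# apply_ruleset 10.1.1.10 10.1.2.20
```

Run build_ruleset first and read the output before apply_ruleset, since the drop policy on the input chain will cut off anything not explicitly accepted.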