On Fri, Sep 22, 2006 at 03:18:50PM +0100, Hari Sekhon wrote:
> After all, couldn't somebody just write a loop to send garbage to it and fill the whole machine up, not to mention drown out all other valid logs so you miss any important events (oops, I am giving away too much here?). I'm actually tempted to write an attack for this right now...

This is always a risk. It's obvious enough that it's not discussed much. syslog-ng has tcp wrappers support, and you always have packet filtering. You should certainly block unauthorized IPs, but your authorized IPs are just as scary as the others. The miscreant will either be an authorized user or have compromised an authorized account and will flood your syslog server from there. If you want to discuss DoS, come up with a way to deal with that.

--
Nate

"Let us be thankful for the fools. But for them the rest of us could not succeed."
- Following the Equator, Pudd'nhead Wilson's New Calendar - Samuel Clemens
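
One way to bound the damage a flooding authorized sender can do, as discussed above, is a per-source rate limit in front of the log writer. The following is an added example, not part of the original thread and not syslog-ng functionality; the class and function names, the sample records, and the `rate`/`burst` values are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample input: (arrival time in seconds, sender IP, message).
# 10.0.0.5 is an authorized host that starts flooding; 10.0.0.9 is a quiet one.
SAMPLE = [(i * 0.01, "10.0.0.5", f"garbage {i}") for i in range(200)]
SAMPLE += [(0.5, "10.0.0.9", "sshd: Accepted publickey for admin"),
           (1.5, "10.0.0.9", "kernel: eth0 link down")]
SAMPLE.sort(key=lambda rec: rec[0])


class PerSourceLimiter:
    """Token bucket per sender: `rate` msgs/sec sustained, `burst` msgs peak."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}
        self.dropped = defaultdict(int)

    def allow(self, now, src):
        # Refill this sender's bucket for the time elapsed since its last message.
        elapsed = now - self.last_seen.get(src, now)
        self.last_seen[src] = now
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        self.dropped[src] += 1  # counted, so the drop itself can be logged
        return False


def filter_stream(records, rate=5, burst=10):
    """Return (accepted records, per-source drop counts)."""
    limiter = PerSourceLimiter(rate, burst)
    accepted = [r for r in records if limiter.allow(r[0], r[1])]
    return accepted, dict(limiter.dropped)


if __name__ == "__main__":
    kept, dropped = filter_stream(SAMPLE)
    for src, n in dropped.items():
        # One summary line per noisy sender instead of thousands of junk lines.
        print(f"rate limit: dropped {n} messages from {src}")
    print(len(kept), "messages written")
```

Because each sender has its own bucket, the flooding host exhausts only its own allowance: disk growth is capped at `rate` messages per second per source, and the quiet host's events are still written.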