By default, the syslog daemon in Solaris is enabled for remote logging and listens on UDP port 514 for syslog messages from remote systems. Unless the server is acting as a remote logging server, this is a security issue, because a malicious user can launch a Denial of Service (DoS) attack on the server.
To check whether your syslog service is listening for remote logs:
# netstat -aP udp | grep syslog
*.syslog Idle
If remote logging is enabled, the output shows a syslog entry with status “Idle”.
Unless a server is acting as a central remote logging server, it is recommended to disable remote logging in Solaris.
Solaris 8 & Solaris 7
In Solaris 8 and Solaris 7, edit the startup script so that the syslogd daemon starts in non-remote logging mode.
This can be done as follows:
Edit the /etc/init.d/syslog file using an editor like vi:
# vi /etc/init.d/syslog
Replace the line,
/usr/sbin/syslogd >/dev/msglog 2>&1 &
with
/usr/sbin/syslogd -t >/dev/msglog 2>&1 &
NOTE: -t disables remote logging in syslogd.
Save the file and restart the syslogd daemon:
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
To confirm that remote logging is disabled, run:
# netstat -aP udp | grep syslog
This should no longer show a line for syslog with status “Idle”.
Solaris 9
On Solaris 9, the above procedure also works, but the same result can be achieved by simply editing /etc/default/syslogd with an editor like vi:
# vi /etc/default/syslogd
Change the line from
#LOG_FROM_REMOTE=YES
to
LOG_FROM_REMOTE=NO
Save the file and restart the syslogd daemon:
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
Now,
# netstat -aP udp | grep syslog
should not show an entry for syslog with status “Idle”.
Solaris 10
In Solaris 10, repeat the above procedure to edit /etc/default/syslogd, then restart syslogd as follows:
# svcadm -v restart svc:/system/system-log
Action restart set for svc:/system/system-log:default
This should help.
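The /etc/default/syslogd edit and the netstat check from the Solaris 9 and Solaris 10 steps can be scripted so the change is repeatable across hosts. The following is an added example, not part of the original article: the function names disable_remote_syslog and syslog_udp_open are hypothetical, and the sample file content and netstat line are constructed.

```shell
#!/bin/sh
# Added example; the function names and sample data are constructed.

# Set LOG_FROM_REMOTE=NO in a syslogd defaults file (Solaris 9/10 layout).
# Handles the commented-out default, an explicit YES, and a missing line.
disable_remote_syslog() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    cp -p "$file" "$file.bak" || return 1        # keep a rollback copy
    tmp="$file.tmp.$$"
    if grep '^[# ]*LOG_FROM_REMOTE=' "$file" >/dev/null; then
        # Rewrite the setting line only; prose comments that merely mention
        # the variable (no "=" right after the name) are left alone.
        sed 's/^[# ]*LOG_FROM_REMOTE=.*/LOG_FROM_REMOTE=NO/' "$file" >"$tmp"
    else
        { cat "$file"; echo 'LOG_FROM_REMOTE=NO'; } >"$tmp"
    fi || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are unchanged.
    cat "$tmp" >"$file" && rm -f "$tmp"
}

# Read `netstat -aP udp` output on stdin; return 0 if syslogd still has a
# UDP listener, i.e. a "*.syslog" (or numeric "*.514") line in state Idle.
syslog_udp_open() {
    awk '$1 ~ /\.(syslog|514)$/ && $NF == "Idle" { hit = 1 }
         END { exit !hit }'
}

# Demo on a constructed copy. On a real host, pass /etc/default/syslogd,
# restart syslogd as described above, then pipe in the netstat output.
demo=${TMPDIR:-/tmp}/syslogd.demo.$$
printf '%s\n' '# LOG_FROM_REMOTE controls remote logging' \
    '#LOG_FROM_REMOTE=YES' >"$demo"
disable_remote_syslog "$demo" && cat "$demo"
printf '      *.syslog                            Idle\n' | syslog_udp_open \
    && echo "syslog UDP listener still present"
rm -f "$demo" "$demo.bak"
```

After the restart, a zero exit status from `netstat -aP udp | syslog_udp_open` means the listener is still open and the change did not take effect.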