Port 514 – Syslog/RSH (System Logging Protocol / Remote Shell)

Service: syslog/rsh

Protocol: TCP/UDP

Port: 514

Used for: System logging and remote shell access

Why It’s Open

Port 514 serves two purposes: UDP 514 is used for syslog (system logging), while TCP 514 is used for the remote shell (rsh) service. Syslog allows network devices to send their logs to central logging servers, while rsh provides remote command execution similar to rexec but with even weaker security.

Network administrators use UDP 514 for centralized logging infrastructure, while TCP 514 (rsh) is a legacy remote access protocol that should be avoided in modern environments.

Common Risks

  • Unauthenticated Logging
    Syslog messages can be spoofed or intercepted.
  • Log Injection
    Malicious data can be inserted into system logs.
  • Unauthorized Access
    RSH relies on weak host-based authentication.
  • Information Disclosure
    Log messages may contain sensitive data.
  • DoS Potential
    A large volume of log messages can overwhelm servers.

Enumeration & Testing

Check if it’s open:

nmap -sU -sT -p 514 <target>

Test syslog:

logger -n <target> "test message"

Test rsh connection:

rsh <target>

What to Look For

Checkpoint                   What it means
Syslog accepting external    Log injection risks present
RSH service active           Insecure remote access available
No message encryption        Logs transmitted in cleartext
Trust relationships          Potential authentication bypass

Mitigation

  • Secure Logging
    Use syslog-ng or rsyslog with TLS encryption.
  • Disable RSH
    Remove or disable the RSH service completely.
  • Access Controls
    Restrict logging to authorized source IPs.
  • Log Validation
    Implement log message authentication.
  • Modern Alternatives
    Use SSH for remote access and secure protocols for logging.
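
The access-control and log-validation points above can be sketched as a collector-side check. This is an added example, not code from the original page: it applies a source allowlist, validates the syslog PRI field, and escapes control characters so an embedded newline cannot forge a second record. The function name, allowlist network and sample datagrams are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed collector policy for illustration (not from the original page).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
PRI_RE = re.compile(rb"^<(\d{1,3})>")
MAX_LEN = 1024  # RFC 3164 recommends packets of at most 1024 bytes


def vet_datagram(src_ip: str, payload: bytes):
    """Return (accepted, detail): detail is a safe one-line record or a reason."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_SOURCES):
        return False, "source not authorized"
    if len(payload) > MAX_LEN:
        return False, "oversized message"
    m = PRI_RE.match(payload)
    # PRI = facility * 8 + severity, so the largest valid value is 23*8+7 = 191.
    if not m or int(m.group(1)) > 191:
        return False, "invalid PRI"
    pri = int(m.group(1))
    body = payload[m.end():].decode("utf-8", errors="replace")
    # Escape non-printable characters so an embedded CR/LF cannot start a
    # forged record when the message is written to a line-oriented log file.
    safe = "".join(
        ch if ch.isprintable() else "\\x%02x" % ord(ch) for ch in body
    )
    return True, f"src={addr} facility={pri >> 3} severity={pri & 7} msg={safe}"


# Constructed sample datagrams (not captured traffic).
SAMPLES = [
    ("10.20.0.15", b"<34>Oct 11 22:14:15 web01 su: 'su root' failed for lonvick"),
    ("10.20.0.15", b"<13>Oct 11 22:14:16 web01 app: login ok\n"
                   b"<86>Oct 11 22:14:17 web01 sshd: Accepted password for root"),
    ("203.0.113.9", b"<13>Oct 11 22:14:18 web01 app: hello"),
    ("10.20.0.15", b"<999>no such priority"),
]

if __name__ == "__main__":
    for src, data in SAMPLES:
        print(vet_datagram(src, data))
```

Because a UDP source address can itself be spoofed, the allowlist here complements TLS-authenticated transport rather than replacing it.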

TL;DR

  • Port 514 = Syslog (UDP) and RSH (TCP)
  • Legacy protocols with minimal security
  • Vulnerable to spoofing and injection
  • Should use secure alternatives

Known CVEs and Exploits