Date: Fri, 3 Dec 2010 14:49:17 GMT From: Michiel Detailleur <md@scoutsengidsenvlaanderen.be> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/152807: Periodic security 900.tcpwrap does not report any refused connections Message-ID: <201012031449.oB3EnHBM047846@red.freebsd.org> Resent-Message-ID: <201012031450.oB3EoAdi001175@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 152807 >Category: misc >Synopsis: Periodic security 900.tcpwrap does not report any refused connections >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Dec 03 14:50:10 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Michiel Detailleur >Release: 8.1-RELEASE >Organization: Scouts en Gidsen Vlaanderen >Environment: FreeBSD myhost.mynet 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 >Description: The periodic script /etc/periodic/security/900.tcpwrap that is enabled by default in the periodic emails does not report any refused connections. Reason is that refused connections do not seem to be reported anymore in the /var/log/messages file. However, refused connections to SSH daemons are (still) reported in /var/log/auth.log. My /etc/syslog.conf file is (by my knowledge) the standard 8.1 syslog file: # $FreeBSD: src/etc/syslog.conf,v 1.30.2.1.4.1 2010/06/14 02:09:06 kensmith Exp $ # # Spaces ARE valid field separators in this file. However, # other *nix-like systems still insist on using tabs as field # separators. If you are sharing this file between systems, you # may want to use only tabs as field separators here. # Consult the syslog.conf(5) manpage. *.err;kern.warning;auth.notice;mail.crit /dev/console *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages security.* /var/log/security auth.info;authpriv.info /var/log/auth.log mail.info /var/log/maillog lpr.info /var/log/lpd-errs ftp.info /var/log/xferlog cron.* /var/log/cron *.=debug /var/log/debug.log *.emerg * # uncomment this to log all writes to /dev/console to /var/log/console.log #console.info /var/log/console.log # uncomment this to enable logging of all log messages to /var/log/all.log # touch /var/log/all.log and chmod it to mode 600 before it will work #*.* /var/log/all.log # uncomment this to enable logging to a remote loghost named loghost #*.* @loghost # uncomment these if you're running inn # news.crit /var/log/news/news.crit # news.err /var/log/news/news.err # news.notice /var/log/news/news.notice !ppp *.* /var/log/ppp.log !* I do not see any major differences in here from previous FreeBSD versions. >How-To-Repeat: Edit /etc/hosts.allow in a way that blocks an IP address controlled by you. Try to make a tcp session to the FreeBSD 8.1 installation from the blocked IP address. Observe that your connection is refused. Check the /var/log/messages file and see that there is no log record mentioning the blocking of your IP address. >Fix: An easy but incorrect fix (IMHO) would be to have the /etc/periodic/security/900.tcpwrap parse the /var/log/auth.log file. However this would then only show refused connections to daemons concerned with authentication. I suspect that the tcp-wrappers code logs to the wrong syslog facility and/or level. Or that a change has been made to this without also changing the /etc/syslog.conf file. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201012031449.oB3EnHBM047846>