Date:      Tue, 21 Jun 2011 13:15:43 GMT
From:      Jesper Wallin <jesper@ifconfig.se>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/158121: The "security run output" contains log entries which are a year old.
Message-ID:  <201106211315.p5LDFhq5084750@red.freebsd.org>
Resent-Message-ID: <201106211320.p5LDK9C0097420@freefall.freebsd.org>

>Number:         158121
>Category:       misc
>Synopsis:       The "security run output" contains log entries which are a year old.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 21 13:20:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Jesper Wallin
>Release:        7.3-RELEASE-p2
>Organization:
>Environment:
FreeBSD ns1.nohack.se 7.3-RELEASE-p2 FreeBSD 7.3-RELEASE-p2 #0: Mon Jul 12 19:04:04 UTC 2010     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
This morning I got the regular "security run output" mails and noticed I got about 2000 invalid login attempts against my SSH daemon. I found that pretty strange as I knew my SSH server was both firewalled and listening on an internal interface with a local (192.168/8) address.

After checking my firewall rules twice, digging through my pf logs (without finding anything) and still without a single clue how the heck those bots could manage to access my SSH server, I noticed the following:

The log entries in /var/log/auth.log do not contain the year. Because of this, if you rarely log on to the machine (or for some other reason don't manage to reach the 100K limit before newsyslog rotates your auth.log), the "security run output" will send you year-old logs. :-)
>How-To-Repeat:
1. Start the machine.
2. Do a few invalid/incorrect login-attempts.
3. Wait a year. ;-)
4. Check the "security run output" mail.
>Fix:
Make newsyslog rotate auth.log regardless of its size, or somehow make sshd/syslogd log the year as well.

Another solution would be to parse the logs more carefully to somehow exclude the lines before today. Not sure if this solves it completely though, considering such rare/weird scenarios where no one tries to log in at all in over a year.

>Release-Note:
>Audit-Trail:
>Unformatted:
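An added example, not code from this report or from FreeBSD's periodic scripts, of the "parse the logs more carefully" approach from the Fix section: it infers the missing year of each auth.log timestamp from the current date (a month/day later than today can only be last year) and drops entries older than a day. The reference time, hostname, addresses and log lines are constructed; the residual gap the submitter mentions remains, since an entry exactly one year old on today's date is indistinguishable from today's.

```python
# Added example (not from the bug report or FreeBSD's periodic scripts):
# filter year-less BSD syslog lines down to those logged recently.
from datetime import datetime, timedelta
import re

# Syslog prefix: month, day (space-padded for days < 10), time; no year.
SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")
SKEW = timedelta(minutes=5)  # tolerate a slightly fast logging clock

# Constructed reference time (assumption): the date of the report itself.
NOW = datetime(2011, 6, 21, 13, 15, 43)

# Constructed sample auth.log lines; hostname and addresses are made up.
SAMPLE_LOG = [
    "Jun 21 04:02:11 ns1 sshd[8123]: Invalid user test from 10.0.0.7",
    "Jun 20 23:58:00 ns1 sshd[8101]: Failed password for invalid user oracle from 10.0.0.7 port 40322 ssh2",
    "Jul  3 09:40:21 ns1 sshd[2214]: Invalid user admin from 10.0.0.5",  # after NOW: last year's entry
    "Jun 19 10:00:00 ns1 sshd[7990]: Invalid user guest from 10.0.0.9",  # two days old
]


def _build(mon, day, time, year):
    """Datetime for the given year, or None if that date does not exist (Feb 29)."""
    try:
        return datetime.strptime(f"{mon} {day} {time} {year}", "%b %d %H:%M:%S %Y")
    except ValueError:
        return None


def infer_timestamp(line, now=NOW):
    """Timestamp of a syslog line with the most plausible year; None without a prefix."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = _build(m["mon"], m["day"], m["time"], now.year)
    if ts is None or ts > now + SKEW:  # a "future" date can only be from last year
        ts = _build(m["mon"], m["day"], m["time"], now.year - 1)
    return ts


def recent_lines(lines, now=NOW, max_age=timedelta(days=1)):
    """Keep lines whose inferred timestamp lies within max_age of now.

    Residual gap: a line from exactly one year ago on today's date looks
    identical to one from today and is still kept.
    """
    return [line for line in lines
            if (ts := infer_timestamp(line, now)) is not None and now - ts <= max_age]
```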