misc/152807: Periodic security 900.tcpwrap does not report any
refused connections
Michiel Detailleur
md at scoutsengidsenvlaanderen.be
Fri Dec 3 14:50:12 UTC 2010
>Number: 152807
>Category: misc
>Synopsis: Periodic security 900.tcpwrap does not report any refused connections
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 03 14:50:10 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Michiel Detailleur
>Release: 8.1-RELEASE
>Organization:
Scouts en Gidsen Vlaanderen
>Environment:
FreeBSD myhost.mynet 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The periodic script /etc/periodic/security/900.tcpwrap that is enabled by default in the periodic emails does not report any refused connections.
Reason is that refused connections do not seem to be reported anymore in the /var/log/messages file. However, refused connections to SSH daemons are (still) reported in /var/log/auth.log.
My /etc/syslog.conf file is (by my knowledge) the standard 8.1 syslog file:
# $FreeBSD: src/etc/syslog.conf,v 1.30.2.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs ftp.info /var/log/xferlog
cron.* /var/log/cron
*.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!ppp
*.* /var/log/ppp.log
!*
I do not see any major differences in here from previous FreeBSD versions.
>How-To-Repeat:
Edit /etc/hosts.allow in a way that blocks an IP address controlled by you.
Try to make a tcp session to the FreeBSD 8.1 installation from the blocked IP address. Observe that your connection is refused.
Check the /var/log/messages file and see that there is no log record mentioning the blocking of your IP address.
>Fix:
An easy but incorrect fix (IMHO) would be to have the /etc/periodic/security/900.tcpwrap parse the /var/log/auth.log file. However this would then only show refused connections to daemons concerned with authentication.
I suspect that the tcp-wrappers code logs to the wrong syslog facility and/or level. Or that a change has been made to this without also changing the /etc/syslog.conf file.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list