misc/152807: Periodic security 900.tcpwrap does not report any refused connections

Michiel Detailleur md at scoutsengidsenvlaanderen.be
Fri Dec 3 14:50:12 UTC 2010

>Number:         152807
>Category:       misc
>Synopsis:       Periodic security 900.tcpwrap does not report any refused connections
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 03 14:50:10 UTC 2010
>Originator:     Michiel Detailleur
>Release:        8.1-RELEASE
Scouts en Gidsen Vlaanderen
FreeBSD myhost.mynet 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010     root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
The periodic script /etc/periodic/security/900.tcpwrap that is enabled by default in the periodic emails does not report any refused connections.

Reason is that refused connections do not seem to be reported anymore in the /var/log/messages file. However, refused connections to SSH daemons are (still) reported in /var/log/auth.log.

My /etc/syslog.conf file is (by my knowledge) the standard 8.1 syslog file:

# $FreeBSD: src/etc/syslog.conf,v 2010/06/14 02:09:06 kensmith Exp $
#   Spaces ARE valid field separators in this file. However,
#   other *nix-like systems still insist on using tabs as field
#   separators. If you are sharing this file between systems, you
#   may want to use only tabs as field separators here.
#   Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit        /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                  /var/log/security                                                                                                                                                       auth.info;authpriv.info             /var/log/auth.log
mail.info                   /var/log/maillog
lpr.info                    /var/log/lpd-errs                                                                                                                                                       ftp.info                    /var/log/xferlog
cron.*                      /var/log/cron
*.=debug                    /var/log/debug.log
*.emerg                     *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                        /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                        @loghost
# uncomment these if you're running inn
# news.crit                 /var/log/news/news.crit
# news.err                  /var/log/news/news.err
# news.notice                   /var/log/news/news.notice
*.*                     /var/log/ppp.log

I do not see any major differences in here from previous FreeBSD versions.
Edit /etc/hosts.allow in a way that blocks an IP address controlled by you.

Try to make a tcp session to the FreeBSD 8.1 installation from the blocked IP address. Observe that your connection is refused.

Check the /var/log/messages file and see that there is no log record mentioning the blocking of your IP address.
An easy but incorrect fix (IMHO) would be to have the /etc/periodic/security/900.tcpwrap parse the /var/log/auth.log file. However this would then only show refused connections to daemons concerned with authentication.

I suspect that the tcp-wrappers code logs to the wrong syslog facility and/or level. Or that a change has been made to this without also changing the /etc/syslog.conf file.


More information about the freebsd-bugs mailing list