900.tcpwrap and stale log messages

Jeremy Chadwick freebsd at jdc.parodius.com
Fri Jul 23 11:12:26 UTC 2010 

On Fri, Jul 23, 2010 at 11:48:16AM +0100, Jonathan Belson wrote:
> Early this morning I read through the daily status e-mails from a
> server I administer.  I was unpleasantly surprised to see a refused
> ssh connection from an external IP address, which shouldn't be
> possible since the machine is only accessible via a VPN :-O
> 
> It wasn't until after I'd spoken to the network admin I realised
> what the problem was - /var/log/messages contained log messages that
> spanned back into 2009 (the machine is only used for SVN access so
> isn't very busy), and 900.tcpwrap had taken entries from both July
> 22 2010 (yesterday) and July 22nd 2009, when the machine was on a
> different network... :-(  How. Embarrassing.
> 
> It isn't really 900.tcpwrap's fault as the log messages only record
> the month, date and time, but is there any reason why the year isn't
> recorded in the log too?  I realise this issue isn't likely to come
> up often, but it should be fairly easy to prevent.

You've opened a big can of worms.  Congratulations.  :-)

The crux of the problem is that syslog doesn't log the year.  Thus,
/var/log/messages and /var/log/messages.*.{gz,bz2} only contain entries
that contain month and day, as I'm sure you've noticed.

/etc/periodic/security/900.tcpwrap explicitly goes looking for lines in
/var/log/messages and /var/log/messages.*.{gz,bz2} that contain a string
matching output from:

date -v-1d "+%b %e "

You can't solve this problem by rotating your /var/log/messages file,
for example, on a daily basis, because the script explicitly looks at
/var/log/messages and /var/log/messages.*.{gz,bz2}.

The only solution, as I see it, is to do all of these things:

1a) Change /etc/newsyslog.conf to rotate your /var/log/messages file
on a daily basis, rather than based on size.

1b) The rotation should happen sometime *after* 900.tcpwrap runs (it's a
daily script, so that means it runs at 03:01 every day local time).

2a) Change 900.tcpwrap to only look at /var/log/messages and not
/var/log/messages.*.{gz,bz2}.

2b) Since changing things in /etc/periodic/security won't stick during
mergemaster (unless you use IGNORE_FILES in /etc/rc/mergemaster.rc), you
should probably put your version of the script in
/usr/local/etc/periodic/security and change the names of the rc
variables to key off of something that doesn't conflict with the base
system version.

There are other solutions, of course, but they'd require touching a lot
of things and probably breaking historic naming conventions and
expectations.

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

More information about the freebsd-stable mailing list